Data Processing Agreement
Effective Date: February 23, 2026
Last Updated: February 26, 2026
This Data Processing Agreement ("DPA") is entered into between the customer agreeing to the Talkif Terms of Service ("Controller," "Customer," or "you") and Talkif, Inc., a Delaware corporation ("Processor," "Talkif," "we," or "us"), and supplements the Talkif Terms of Service (the "Agreement").
This DPA applies where and only to the extent that Talkif processes Personal Data on behalf of Customer in the course of providing the Service, and such Personal Data is subject to applicable Data Protection Laws. This DPA is incorporated into and forms part of the Agreement.
1. Definitions
1.1 "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including (as applicable) the GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, KVKK, and any other data protection or privacy law applicable to the processing of Personal Data hereunder.
1.2 "Controller" means the entity that determines the purposes and means of the processing of Personal Data. Under this DPA, the Customer is the Controller with respect to Contact Data.
1.3 "Contact Data" means all personal data relating to Call Recipients that Customer uploads, imports, or otherwise provides to the Service, including names, phone numbers, email addresses, physical addresses, timezones, and any data generated through the Service in relation to those individuals (call recordings, call transcripts, call metadata, AI analysis results).
1.4 "Data Subject" means an identified or identifiable natural person to whom Personal Data relates. Under this DPA, Data Subjects are primarily Call Recipients — individuals contacted through the Service.
1.5 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.6 "UK GDPR" means the GDPR as retained in United Kingdom law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
1.7 "KVKK" means Turkey's Law No. 6698 on the Protection of Personal Data.
1.8 "Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.
1.9 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
1.10 "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
1.11 "Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, Talkif is the Processor with respect to Contact Data.
1.12 "Sub-processor" means any third party engaged by Talkif to process Personal Data on behalf of the Customer.
1.13 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Implementing Decision (EU) 2021/914.
1.14 "Service" has the meaning given in the Agreement.
2. Scope and Roles
2.1 The parties acknowledge and agree that:
- (a) Customer is the Controller of Contact Data;
- (b) Talkif is the Processor of Contact Data, processing it solely to provide the Service; and
- (c) This DPA does not apply to data for which Talkif is an independent controller (e.g., Customer account data, billing data, website analytics), which is governed by the Talkif Privacy Policy.
2.2 Nothing in this DPA relieves Customer of its obligations as Controller under Applicable Data Protection Laws, including the obligation to establish a lawful basis for processing and to provide required notices to Data Subjects.
3. Details of Processing
The following details of processing are required under GDPR Article 28(3):
| Element | Description |
|---|---|
| Subject matter | Processing of Contact Data to provide AI-powered voice calling services |
| Duration | For the term of the Agreement, plus the period until deletion of all Contact Data in accordance with Section 10 |
| Nature of processing | Storage of contact records; initiation of voice calls; real-time speech-to-text transcription; AI language model processing for conversation generation; text-to-speech synthesis; call recording (when enabled by Customer); post-call AI analysis (when enabled by Customer); call metadata generation and storage |
| Purpose | To provide the Service as described in the Agreement, strictly on Customer's documented instructions |
| Categories of Data Subjects | Call Recipients — individuals whose contact information is uploaded by Customer and who receive or make calls through the Service |
| Types of Personal Data | Names, phone numbers, email addresses, physical addresses, timezones, call recordings (audio), call transcripts, call metadata (timestamps, duration, status), AI analysis outputs (summaries, sentiment) |
4. Processor Obligations
4.1 Instructions. Talkif shall process Contact Data only on Customer's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. The Agreement (including this DPA) constitutes Customer's initial documented instructions. Customer may issue additional written instructions consistent with the Agreement.
4.2 If Talkif becomes aware that an instruction from Customer infringes Applicable Data Protection Laws, Talkif shall promptly inform Customer.
4.3 If Talkif is required by applicable law to process Contact Data for a purpose other than Customer's instructions, Talkif shall inform Customer of that legal requirement before processing, unless prohibited by law from doing so.
5. Confidentiality
5.1 Talkif shall ensure that all personnel authorized to process Contact Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
5.2 Talkif shall not disclose Contact Data to any third party except as authorized under this DPA, the Agreement, or as required by applicable law.
6. Security Measures
6.1 Talkif shall implement and maintain appropriate technical and organizational measures to protect Contact Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to Data Subjects.
6.2 These measures include, at a minimum:
| Category | Measures |
|---|---|
| Encryption | TLS 1.2+ for all data in transit; AES-256 encryption for all data at rest |
| Access control | Role-based access control with principle of least privilege; multi-factor authentication available for all accounts |
| Account isolation | All data queries scoped by account, enforced at the application layer |
| Authentication security | Secure password storage using industry-standard adaptive hashing; short-lived, cryptographically secured tokens |
| Network security | Rate limiting on all endpoints; secure API validation |
| Audit logging | Authentication events and security-sensitive operations logged |
| Deletion safeguards | Multi-step account deletion process with confirmation and grace period |
| Sub-processor security | Sub-processors bound by contractual data protection obligations; data encrypted in transit to all sub-processors |
6.3 Talkif shall regularly assess and, where necessary, improve the security measures to maintain an appropriate level of protection.
7. Sub-processors
7.1 Authorization. Customer provides general written authorization for Talkif to engage Sub-processors to process Contact Data, subject to the requirements of this Section 7.
7.2 Current Sub-processors. The current list of Sub-processors is set forth in Annex II of this DPA.
7.3 Sub-processor Obligations. Talkif shall:
- (a) Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA;
- (b) Remain liable to Customer for the acts and omissions of its Sub-processors to the same extent Talkif would be liable under this DPA if performing the processing directly.
7.4 Changes to Sub-processors. Talkif shall notify Customer at least 30 days before engaging a new Sub-processor or replacing an existing Sub-processor by updating the Sub-processor list and notifying Customer via email. Customer may object to a new Sub-processor by notifying Talkif in writing within 15 days of receiving notice. If Customer objects on reasonable data protection grounds:
- (a) Talkif shall work with Customer in good faith to address the objection;
- (b) If the parties cannot resolve the objection within 30 days, Customer may terminate the affected portion of the Service (or the entire Agreement) without penalty.
7.5 Flow-Configurable Sub-processors. Certain Sub-processors (LLM, Speech-to-Text, and Text-to-Speech providers) are selected by Customer on a per-flow basis. Customer's selection of a provider constitutes Customer's instruction to engage that Sub-processor for the relevant processing. Not all Sub-processors receive data for every call — only the providers selected in Customer's flow configuration receive Contact Data for that flow's calls.
8. Data Subject Rights
8.1 Talkif shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to requests for exercising Data Subject rights under Applicable Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
8.2 If Talkif receives a request from a Data Subject directly regarding Contact Data, Talkif shall promptly redirect the request to Customer and shall not respond to the Data Subject directly without Customer's authorization, unless legally required to do so.
8.3 Talkif provides the following self-service capabilities to assist with Data Subject rights:
- (a) Access and export: Customer can access and export Contact Data, call records, transcripts, and recordings through the Service dashboard and API;
- (b) Rectification: Customer can update Contact Data through the Service dashboard and API;
- (c) Erasure: Customer can delete individual contacts, call recordings, and call records through the Service. Account deletion removes all associated Contact Data after the grace period described in the Agreement.
9. Personal Data Breach
9.1 Talkif shall notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Contact Data. The notification shall include:
- (a) The nature of the breach, including where possible the categories and approximate number of Data Subjects and records concerned;
- (b) The likely consequences of the breach;
- (c) The measures taken or proposed to be taken to address the breach, including measures to mitigate its adverse effects; and
- (d) The name and contact details of Talkif's point of contact for further information.
9.2 Talkif shall cooperate with Customer and take such reasonable steps as Customer may direct to assist in the investigation, mitigation, and remediation of any Personal Data Breach.
9.3 Talkif's notification of or response to a Personal Data Breach shall not be construed as an acknowledgment of fault or liability.
10. Data Retention and Deletion
10.1 Talkif shall process Contact Data for the duration of the Agreement. Upon termination or expiration of the Agreement:
- (a) Customer may request export of Contact Data within 30 days of termination;
- (b) After the export period (or upon Customer's instruction), Talkif shall delete all Contact Data from its systems within a commercially reasonable timeframe, except where applicable law requires retention;
- (c) The account deletion process described in the Agreement applies, including the 7-day grace period and cleanup of external resources.
10.2 Talkif shall ensure that Sub-processors delete Contact Data upon termination of their engagement or upon Talkif's instruction, in accordance with the Sub-processor agreements.
10.3 Upon Customer's written request, Talkif shall provide written confirmation that Contact Data has been deleted.
11. Audits and Compliance
11.1 Talkif shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and this DPA.
11.2 Talkif shall allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer, subject to the following conditions:
- (a) Customer shall provide at least 30 days' written notice of any audit request;
- (b) Audits shall be conducted during normal business hours and shall not unreasonably disrupt Talkif's operations;
- (c) Customer (or its auditor) shall enter into a confidentiality agreement before any audit;
- (d) Customer shall bear the costs of any audit; and
- (e) Audits shall be limited to once per twelve-month period, unless required by a supervisory authority or following a Personal Data Breach.
11.3 Where Talkif obtains relevant third-party certifications or audit reports (e.g., SOC 2), Talkif may provide such reports to satisfy Customer's audit rights under this Section, provided the reports are reasonably current and cover the relevant processing activities.
12. Data Protection Impact Assessments
12.1 Talkif shall provide reasonable assistance to Customer, at Customer's expense, with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under GDPR Article 35 or Article 36 (or equivalent provisions under other Applicable Data Protection Laws), to the extent such assessment or consultation relates to the processing of Contact Data by Talkif.
13. International Data Transfers
13.1 Customer acknowledges that the provision of the Service involves the transfer of Contact Data to the United States and other countries where Sub-processors operate, as specified in Annex II.
13.2 For transfers of Contact Data from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of data protection, the parties agree to the following transfer mechanisms:
- (a) Standard Contractual Clauses (SCCs): The SCCs (Commission Implementing Decision (EU) 2021/914, Module Two: Controller to Processor) are incorporated by reference into this DPA. In the event of conflict between this DPA and the SCCs, the SCCs shall prevail.
- (b) UK International Data Transfer Addendum: For transfers from the United Kingdom, the UK Addendum to the EU SCCs (as approved by the UK ICO) applies.
- (c) EU-US Data Privacy Framework: Where Talkif or its Sub-processors are certified under the EU-US Data Privacy Framework, such certification serves as an additional lawful transfer mechanism.
13.3 Talkif shall implement supplementary technical measures to protect transferred data, including encryption in transit and at rest, access controls, and pseudonymization where feasible.
13.4 For transfers involving data of Turkish residents, this DPA serves as the contractual safeguard required under KVKK Article 9, supplemented by the explicit consent obtained from Data Subjects by Customer (as Controller).
14. CCPA/CPRA-Specific Provisions (California)
14.1 Where Customer is subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the following additional provisions apply.
14.2 Service Provider Status. For purposes of the CCPA/CPRA, Talkif is a "Service Provider" (Cal. Civ. Code § 1798.140(ag)). Talkif shall not:
- (a) Sell or share Personal Data;
- (b) Retain, use, or disclose Personal Data for any purpose other than providing the Service, or as otherwise permitted by the CCPA/CPRA;
- (c) Retain, use, or disclose Personal Data outside the direct business relationship with Customer; or
- (d) Combine Personal Data received from Customer with Personal Data from other sources, except as permitted by the CCPA/CPRA.
14.3 Compliance Certification. Talkif certifies that it understands the restrictions in Section 14.2 and will comply with them.
14.4 Notification. Talkif shall notify Customer if it determines that it can no longer meet its obligations under the CCPA/CPRA.
15. Liability
15.1 Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement.
15.2 Nothing in this DPA limits or excludes either party's liability for damages resulting from violations of Applicable Data Protection Laws that cannot be limited under those laws.
16. Term and Termination
16.1 This DPA takes effect on the date Customer agrees to the Agreement and remains in effect until the Agreement terminates or expires, or until Talkif ceases to process Contact Data on behalf of Customer, whichever is later.
16.2 Customer's obligations under this DPA survive termination to the extent necessary to protect Personal Data.
17. Governing Law
17.1 This DPA is governed by the law specified in the Agreement, except to the extent overridden by mandatory provisions of Applicable Data Protection Laws.
17.2 For matters falling within the scope of the GDPR, the SCCs shall be governed by the law of the EU Member State in which Customer (as Controller) is established, or (if Customer is not established in the EU) by the law of the EU Member State in which Customer's EU representative is established, or (if neither applies) by the law of the Netherlands.
18. Conflict
18.1 In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
18.2 In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
19. Contact
For questions regarding this DPA:
| Privacy Inquiries | privacy@talkif.ai |
| Legal Department | legal@talkif.ai |
| Mailing Address | Talkif, Inc., 1111B S Governors Ave STE 23788, Dover, DE 19904 US |
Annex I: Details of Processing
This Annex forms part of the DPA and describes the processing carried out by Talkif on behalf of Customer.
A. List of Parties
Controller (Data Exporter):
| Name | The Customer as identified in the Agreement |
| Activities | Uses the Talkif platform to initiate and manage AI-powered voice calls to contacts |
| Role | Controller |
Processor (Data Importer):
| Name | Talkif, Inc. |
| Address | 1111B S Governors Ave STE 23788, Dover, DE 19904 US |
| Activities | Provides AI-powered voice calling platform including call routing, speech processing, and call management |
| Role | Processor |
B. Description of Processing
| Element | Description |
|---|---|
| Categories of Data Subjects | Call Recipients (individuals contacted by Customer through the Service) |
| Categories of Personal Data | Names, phone numbers, email addresses, physical addresses, timezones, voice recordings (audio), call transcripts, call metadata (direction, duration, status, timestamps), AI analysis outputs (summaries, sentiment, extracted topics) |
| Special categories of data | None intentionally processed. Call recordings and transcripts may incidentally contain sensitive information, the content of which is determined by Customer's call flow configuration and the Data Subject's responses. |
| Frequency of transfer | Continuous, for the duration of the Agreement |
| Nature and purpose of processing | Storage of contact records and call configuration; initiation of outbound and handling of inbound voice calls via telephony providers; real-time speech-to-text transcription; real-time AI language model processing for conversational response generation; real-time text-to-speech synthesis; storage of call recordings (when enabled by Customer); storage of call transcripts; post-call AI analysis (when enabled by Customer); billing calculation based on call usage |
| Retention period | Contact Data is retained for the duration of the Agreement and deleted upon account termination (subject to the export period and billing record retention described in Section 10). Call recordings are retained as configured by Customer. |
C. Technical and Organizational Security Measures
See Section 6 of this DPA.
Annex II: Approved Sub-processors
The following Sub-processors are authorized to process Contact Data on behalf of Customer as of the effective date of this DPA.
Infrastructure:
| Sub-processor | Purpose | Data Processed | Processing Location(s) |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud hosting, compute, storage | All Contact Data (encrypted at rest and in transit) | USA, EU |
Telephony:
| Sub-processor | Purpose | Data Processed | Processing Location(s) |
|---|---|---|---|
| Twilio, Inc. | Voice telephony, SMS | Phone numbers, call metadata, call audio | USA, Ireland, Australia |
AI Language Models (Customer-selected per flow):
| Sub-processor | Purpose | Data Processed | Processing Location(s) |
|---|---|---|---|
| Anthropic, PBC | LLM conversation processing, call analysis | Call transcripts, user prompts, conversation context | USA, Europe, Asia, Australia |
| OpenAI, LLC | LLM conversation processing, TTS, STT | Call transcripts, user prompts, raw call audio | USA, EU |
| Google LLC | LLM, TTS, STT | Call transcripts, user prompts, raw call audio | USA, EU, Asia |
| xAI Corp. | LLM conversation processing | Call transcripts, user prompts | USA, EU |
Speech Processing (Customer-selected per flow):
| Sub-processor | Purpose | Data Processed | Processing Location(s) |
|---|---|---|---|
| ElevenLabs, Inc. | Text-to-Speech, Speech-to-Text | Text content for synthesis, raw call audio | USA, EU |
| Cartesia AI, Inc. | Text-to-Speech, Speech-to-Text | Text content for synthesis, raw call audio | USA |
| Deepgram, Inc. | Speech-to-Text, Text-to-Speech | Raw call audio, generated speech | USA, EU |
| Soniox, Inc. | Speech-to-Text | Raw call audio | USA, EU, Japan |
Note: LLM, TTS, and STT providers are configurable per flow. Customer's selection of a provider in their flow configuration constitutes Customer's instruction to engage that Sub-processor. A single call uses one LLM provider, one TTS provider, and one STT provider. Not all Sub-processors receive data for every call.
Sub-processors that process only Talkif-controller data (not Contact Data) — such as Stripe (billing), Resend (transactional email), Better Stack (infrastructure monitoring), and PostHog (product analytics) — are not listed in this Annex as they do not process Contact Data on behalf of Customer.
Annex III: Standard Contractual Clauses
For transfers of Personal Data from the EEA to countries outside the EEA that have not been recognized by the European Commission as providing an adequate level of data protection, the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: Controller to Processor) are incorporated by reference into this DPA with the following specifications:
| SCC Provision | Selection |
|---|---|
| Clause 7 — Docking clause | Included — additional Controllers may accede to the SCCs |
| Clause 9(a) — Sub-processor authorization | Option 2: General written authorization, with 30-day prior notice of changes |
| Clause 11 — Redress | The optional provision is not included |
| Clause 13 — Supervision | The supervisory authority of the EU Member State in which the Controller is established, or (where the Controller is not established in the EU) the supervisory authority of the EU Member State in which the Controller's EU representative is appointed, shall act as the competent supervisory authority |
| Clause 17 — Governing law | The law of the EU Member State in which the Controller is established, or (where the Controller is not established in the EU) the law of the Netherlands |
| Clause 18(b) — Forum | The courts of the EU Member State in which the Controller is established, or (where the Controller is not established in the EU) the courts of the Netherlands |
For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK ICO under Section 119A of the UK Data Protection Act 2018) is incorporated by reference.
This Data Processing Agreement is effective as of the date set forth above and forms part of the Talkif Terms of Service.