Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the CalvyxDial Terms of Service. It governs the processing of personal data by DevSource.DEV (“Processor”) on behalf of the customer (“Controller”) where the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, or any equivalent law applies.

By executing the Terms of Service, Controllers established in or transferring data from the EEA, the UK, or Switzerland enter into this DPA with us. Controllers in other jurisdictions may also rely on this DPA where they wish to do so.

1. Definitions

Terms not defined here have the meaning set out in Article 4 GDPR. “Personal Data”, “Data Subject”, “Processing”, “Subprocessor”, and “Supervisory Authority” carry their GDPR meanings. “Customer Data” means Personal Data uploaded to or generated within the Service by Controller or its Authorized Users.

2. Roles and Scope

Controller is the controller, Processor is the processor, with respect to Customer Data. Processor processes Customer Data only on documented instructions from Controller, which are set out in the Terms of Service, this DPA, and the Service’s configuration.

3. Processing Particulars (Annex I)

• Subject matter: Provision of the CalvyxDial outbound and inbound communications platform.
• Duration: The term of the Terms of Service plus the data-retention periods stated in our Privacy Policy.
• Nature and purpose: Storing, organizing, transmitting, and analyzing Customer Data to provide voice, SMS, and related communications services to Controller. Customer Data is held in Processor’s self-hosted database and recording storage; voice and SMS traffic is carried by the telephony subprocessor identified at /subprocessors.
• Categories of Data Subjects: Controller’s contacts, leads, customers, agents, and other individuals whose data Controller chooses to upload or generate within the Service.
• Categories of Personal Data: Names, phone numbers, email addresses, business affiliations, call detail records, recordings, message content, dispositions, notes.
• Special Category Data: Not intentionally collected. Controller agrees not to upload special-category data without prior written consent from us.

4. Processor Obligations

Processor will:

• Process Customer Data only on Controller’s documented instructions.
• Ensure persons authorized to process Customer Data are bound by confidentiality obligations.
• Implement appropriate technical and organizational measures (Annex II) to ensure a level of security appropriate to the risk.
• Engage Subprocessors only under written agreements imposing data-protection obligations equivalent to those in this DPA. A current list of Subprocessors is published at /subprocessors.
• Assist Controller, taking into account the nature of processing, in fulfilling Controller’s obligation to respond to Data Subject requests under Articles 12–23 GDPR.
• Assist Controller in ensuring compliance with its obligations under Articles 32–36 GDPR.
• Notify Controller without undue delay (and in any event within 72 hours where feasible) after becoming aware of a personal data breach.
• At Controller’s choice, delete or return all Customer Data after the end of the provision of services, save where retention is required by applicable law.
• Make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller.

5. Security Measures (Annex II)

• Encryption in transit (TLS) at the edge proxy and over the telephony carrier trunk.
• Encrypted, off-site backups of the database and recordings, taken nightly.
• Tenant isolation enforced in the database by PostgreSQL row-level security: the application connects as a non-superuser role, and a query scoped to one tenant cannot read another tenant’s data.
• Per-tenant data scoping and role-based access within the Service, on a least-privilege basis.
• Authentication credentials stored hashed with bcrypt; plaintext credentials are never stored.
• Self-hosted core infrastructure (database, telephony engine, recording storage) under Processor’s own operational control rather than a third-party cloud database.
• Documented incident response and breach notification procedures.

6. International Transfers

Where transfers of Personal Data are made from the EEA, the UK, or Switzerland to a country not benefiting from an adequacy decision, the parties rely on the European Commission’s Standard Contractual Clauses (Module 2: Controller to Processor) or the UK International Data Transfer Addendum, as applicable. The Standard Contractual Clauses are deemed incorporated into this DPA by reference and form an integral part of it.

7. Subprocessors

Controller authorizes Processor to engage the Subprocessors listed at /subprocessors. Processor will give Controller reasonable advance notice of any intended addition or replacement of a Subprocessor and will give Controller the opportunity to object on reasonable data-protection grounds.

8. Data Subject Requests

Processor will, taking into account the nature of the processing, provide reasonable assistance to Controller in responding to Data Subject requests. Where a Data Subject contacts Processor directly, Processor will promptly forward the request to Controller.

9. Liability

Each party’s liability under this DPA is governed by the limitation-of-liability provisions in the Terms of Service, except that nothing in this DPA limits any party’s liability to Data Subjects to the extent such limitation is prohibited by GDPR.

10. Termination of DPA

This DPA terminates automatically upon termination of the Terms of Service. Sections 4 (Processor Obligations — deletion/return), 6 (International Transfers), and 9 (Liability) survive termination.

11. Contact

All notices under this DPA should be sent to info@devsource.dev.