Data Processing Addendum
Version 1.0.0 — Effective 2026-05-14 (DRAFT — pending NY attorney review)
This Data Processing Addendum ("DPA") forms part of the Master Service Agreement, Terms of Service, or other written agreement (the "Agreement") between Modern Approach USA LLC, a New York limited liability company ("VoiceLab," "Processor"), and the customer identified in the Agreement ("Customer," "Controller"), governing VoiceLab's processing of Personal Data on behalf of Customer in connection with the Service. In the event of a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA prevails.
1. Definitions
Capitalized terms not defined here have the meanings given in the Agreement or in applicable Data Protection Laws.
- "Controller" means the natural or legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
- "Processor" means a natural or legal person which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that Customer (or its end users) submits to or processes through the Service.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Sub-processor" means any third-party processor engaged by VoiceLab to process Personal Data on behalf of Customer.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision 2021/914 of 4 June 2021, as amended.
- "UK Addendum" means the International Data Transfer Addendum to the EU Commission SCCs issued by the United Kingdom Information Commissioner's Office.
- "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and other equivalent state, federal, or international laws.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
2. Roles of the parties
The parties acknowledge that, with respect to Customer Personal Data submitted to or processed through the Service:
- Customer is the Controller (or, where Customer is itself a processor for a third-party controller, an authorized processor) and VoiceLab is the Processor.
- For Personal Data that VoiceLab collects independently for its own business purposes — such as Customer account-administration metadata, billing records, security logs, and aggregated/de-identified service-improvement metrics — VoiceLab acts as Controller, and processing is governed by the VoiceLab Privacy Policy at voicelabnyc.com/privacy rather than this DPA.
3. Subject matter and duration of processing
The subject matter of processing is VoiceLab's provision of the Service to Customer pursuant to the Agreement. Processing continues for the term of the Agreement and any wind-down period required by Section 14 (Return or deletion of Personal Data) below.
4. Nature and purpose of processing
The nature and purpose of processing are described in Exhibit A (Description of Processing) and are limited to operating the AI voice receptionist, outbound calling, SMS messaging, customer relationship management, and related communications functionality of the Service for Customer.
5. Categories of Personal Data and Data Subjects
- Categories of Personal Data: identifiers (name, phone number, email, account credentials), call audio recordings, transcripts of voice conversations, SMS message content, scheduling and intake information voluntarily provided by callers, IP addresses, device and usage metadata, and any additional categories Customer chooses to submit through the Service.
- Categories of Data Subjects: Customer's personnel and authorized users; Customer's end customers, callers, message recipients, leads, and prospects; and other natural persons whose Personal Data is contained in communications routed through the Service.
- Special categories of data: the Service is not intended for processing of special-category data (e.g., health data, biometric data used for unique identification, genetic data, racial or ethnic origin) other than incidental disclosures by callers, except where Customer has separately enabled HIPAA Mode and executed a Business Associate Agreement.
6. Documented instructions
VoiceLab shall process Personal Data only on Customer's documented instructions, including the instructions set out in (a) the Agreement, (b) this DPA, (c) Customer's configuration of the Service, and (d) any further written instructions agreed by the parties. VoiceLab will inform Customer if, in VoiceLab's opinion, an instruction infringes Data Protection Laws, except where prohibited by law from doing so.
7. Confidentiality of personnel
VoiceLab shall ensure that personnel authorized to process Personal Data are bound by appropriate written obligations of confidentiality (whether by contract or statute) and have received appropriate training on their data-protection obligations.
8. Security measures
VoiceLab has implemented and will maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as further described in Exhibit B (Technical and Organizational Measures). At a minimum these include:
- Encryption in transit using TLS 1.3 for all Service endpoints.
- Encryption at rest using AES-256 for databases, object storage, and backups.
- Multi-tenant data isolation enforced by Postgres row-level security (RLS).
- Role-based access control with least-privilege scoping; production access limited to a documented list of personnel.
- Mandatory multi-factor authentication (MFA) on all administrative and infrastructure accounts.
- Audit logging of administrative actions and access to Personal Data.
- Regular vulnerability scanning, dependency review, and an annual third-party penetration test.
9. Sub-processors
Customer provides general written authorization for VoiceLab to engage Sub-processors to process Personal Data, subject to this Section. The current list of VoiceLab Sub-processors is maintained at voicelabnyc.com/privacy (Subprocessors section), incorporated here by reference. VoiceLab will provide Customer with at least 30 days' prior notice of the addition or replacement of any Sub-processor by updating that page and, at Customer's request, by email subscription. Customer may object to a new Sub-processor on reasonable, documented data-protection grounds within the 30-day notice period; if the parties cannot in good faith resolve the objection, Customer may terminate the affected portion of the Service for cause without penalty for the unused portion of any prepaid fees. VoiceLab shall impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and VoiceLab remains liable for the acts and omissions of its Sub-processors.
10. Data Subject rights
Taking into account the nature of the processing, VoiceLab shall assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfil Customer's obligation to respond to requests from Data Subjects exercising their rights of access, rectification, erasure, restriction, portability, and objection. If VoiceLab receives a request directly from a Data Subject relating to Customer's Personal Data, VoiceLab will, unless legally prohibited, promptly forward the request to Customer and not respond directly except to confirm receipt and direct the Data Subject to Customer.
11. Personal Data Breach
VoiceLab shall notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 72 hours of VoiceLab becoming aware of the Breach. The notification will include, to the extent then known: (a) the nature of the Breach, including categories and approximate number of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the Breach and mitigate its adverse effects; and (d) what is not yet known and the timeline for further information. VoiceLab shall cooperate reasonably with Customer's investigation and any regulator or Data Subject notifications Customer is required to make. [ATTORNEY REVIEW REQUIRED — confirm 72-hour trigger and scope of "awareness" definition for FL/US context]
12. Audits
VoiceLab shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including by providing on request its most recent SOC 2 Type II report (when available) or equivalent independent third-party audit summary. Customer may, on reasonable prior written notice (no less than 30 days), no more than once per 12-month period (and additionally following a Personal Data Breach affecting Customer's data), conduct an audit of VoiceLab's relevant controls during normal business hours, in a manner that does not disrupt the Service, and subject to commercially reasonable confidentiality undertakings. Customer shall reimburse VoiceLab for the reasonable costs of the audit at VoiceLab's then-standard time-and-materials rates, except where the audit reveals material non-compliance, in which case VoiceLab bears the reasonable cost.
13. International transfers
For transfers of Personal Data from the European Economic Area, Switzerland, or the United Kingdom to a country not benefiting from an adequacy decision, the parties agree that the EU Standard Contractual Clauses, Module Two (Controller to Processor) are incorporated by reference and entered into between the parties. Customer is the data exporter and VoiceLab is the data importer. Where the UK GDPR applies, the UK International Data Transfer Addendum is incorporated by reference. The optional docking clause is selected; option 2 of Clause 9(a) (general authorization) is selected with the 30-day prior-notice period set out in Section 9; Clause 17 governing law is the law of Ireland; Clause 18 forum is the courts of Ireland (or the courts of England and Wales for UK transfers, as applicable). Annex I.A and I.B are populated by Exhibit A; Annex II by Exhibit B; Annex III by Exhibit C.
14. Return or deletion of Personal Data
Upon termination or expiry of the Agreement, VoiceLab shall, at Customer's election, return Customer Personal Data in a structured, commonly used machine-readable format, or delete all copies of Customer Personal Data within 30 days of the effective date of termination (subject to longer retention required by law for backups, security logs, or financial records, which VoiceLab will continue to protect in accordance with this DPA until deletion in the ordinary course).
15. Liability
Each party's liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law. [ATTORNEY REVIEW REQUIRED — confirm aggregate liability cap reference and treatment of statutory damages claims under Data Protection Laws]
16. Governing law
This DPA is governed by the laws of the State of New York, except to the extent that the EU SCCs or the UK Addendum mandate a different governing law for the cross-border transfer mechanism in Section 13.
17. Order of precedence
In the event of any conflict, the order of precedence is: (1) the SCCs and UK Addendum, where applicable; (2) this DPA; (3) the Agreement.
Exhibit A — Description of Processing
Subject matter: provision of the VoiceLab AI voice receptionist and communications Service.
Duration: the term of the Agreement plus any wind-down period under Section 14 (Return or deletion of Personal Data).
Nature and purpose of processing: receiving and placing voice calls; transcribing voice audio; generating AI responses; synthesizing voice replies; sending and receiving SMS messages; storing call recordings, transcripts, and message history; surfacing this content to Customer in dashboards, exports, and webhooks; supporting Customer's operation of the Service.
Type of Personal Data: identifiers, contact data, voice recordings, transcripts, SMS content, scheduling/intake data, IP and device metadata, and any additional content Customer submits.
Categories of Data Subjects: Customer's authorized users; Customer's end customers, callers, message recipients, leads, and prospects; and other persons whose data is contained in communications.
Frequency of transfer: continuous, as driven by Customer's configured use of the Service.
Retention: as set out in the VoiceLab Privacy Policy, Section 6 (Data Retention).
Exhibit B — Technical and Organizational Measures (TOMs)
- Encryption. TLS 1.3 in transit; AES-256 at rest for databases, object storage, and backups.
- Tenant isolation. Postgres row-level security policies on every table containing Customer Data; tenant scoping enforced at the application layer.
- Access control. Role-based access; production access restricted to a documented list of personnel; quarterly access review.
- Authentication. Mandatory multi-factor authentication on administrative consoles, version-control, cloud-provider, and database accounts.
- Audit logging. Append-only audit log of administrative actions, configuration changes, and access to Personal Data, retained for at least 12 months.
- Network security. Private networking for inter-service traffic; managed firewalls; DDoS protection at the edge; least-privilege IAM roles.
- Vulnerability management. Continuous dependency scanning; routine patching; annual third-party penetration test; documented vulnerability-disclosure process at security@voicelabnyc.com.
- Backups. Daily encrypted backups with point-in-time recovery; restore tested at least annually.
- Personnel. Background checks where permitted; confidentiality obligations; periodic security and privacy training.
- Incident response. Documented incident-response plan with on-call rotation and a 72-hour Personal Data Breach notification target (Section 11).
- Vendor management. Written agreements with Sub-processors that impose materially equivalent data-protection obligations; periodic vendor reviews.
- Physical security. Production infrastructure hosted in SOC 2-attested data centers operated by VoiceLab's cloud providers and Sub-processors; VoiceLab does not operate its own data centers.
Exhibit C — Sub-processors
The current list of Sub-processors is maintained at voicelabnyc.com/privacy (Subprocessors section). The list is updated at least 30 days before a new Sub-processor is engaged, in accordance with Section 9 of this DPA.