Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the Terms and Conditions between iConvo AB ("iConvo", "Processor") and the Client ("Controller") and governs the processing of personal data by iConvo on behalf of the Client in connection with the iConvo.AI Service.

Definitions

  • Terms not defined here have the meanings given in the Terms and Conditions or the GDPR.

  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

  • "Personal Data" has the meaning given in GDPR Article 4(1).

  • "Processing" has the meaning given in GDPR Article 4(2).

  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

  • "Sub-processor" means any third party engaged by iConvo to process Personal Data on behalf of the Client.

  • "Supervisory Authority" means the Swedish Authority for Privacy Protection (IMY) or any other competent data protection authority.

Roles of the Parties

  • The Client is the data controller and determines the purposes and means of processing Personal Data uploaded to the Service. iConvo is the data processor and processes Personal Data only on behalf of and under the instructions of the Client.

Subject Matter and Nature of Processing

Subject Matter

iConvo processes Personal Data uploaded by the Client to the iConvo.AI platform, including call recordings, transcripts, and associated metadata containing personal data of third parties (e.g. contact centre customers, callers).

Nature of Processing

The processing activities include: storage, transcription (speech-to-text), AI-powered analysis, quality management scoring, report generation, and any other processing necessary to provide the Service.

Duration

Processing continues for the duration of the Client's subscription and for 90 days following termination, after which all Client Data is permanently deleted unless the Client requests earlier deletion.

Categories of Personal Data

Voice recordings of callers and agents

Transcribed speech content

Names, phone numbers, and identifiers mentioned in calls

Any other personal data contained within call recordings uploaded by the Client

 

Categories of Data Subjects

Contact centre customers and callers

Contact centre agents and employees

Any other individuals whose personal data is contained in uploaded recordings

Purpose of Processing

iConvo processes Personal Data solely for the purpose of providing the Service to the Client, including transcription, analysis, quality management, and reporting.

Obligations of iConvo as Processor

iConvo shall:

Process Personal Data only on documented instructions from the Client, including with regard to transfers of Personal Data to third countries, unless required to do so by EU or Member State law.

Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.

Implement appropriate technical and organisational security measures as required by GDPR Article 32.

Assist the Client in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR.

Assist the Client in ensuring compliance with obligations under GDPR Articles 32–36 (security, breach notification, data protection impact assessments).

At the Client's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless EU or Member State law requires storage.

Make available to the Client all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by the Client or a mandated auditor, with reasonable notice.

Notify the Client without undue delay if iConvo believes an instruction violates applicable data protection law.

Client Obligations as Controller

Client shall:

Ensure it has a lawful basis under GDPR Article 6 (and Article 9 where applicable) for all Personal Data uploaded to the Service.

Ensure all necessary consents, notices, and disclosures have been provided to Data Subjects regarding call recording and AI processing.

Comply with all applicable data protection laws in its capacity as data controller.

Only instruct iConvo to process Personal Data in accordance with applicable law.

Be responsible for the accuracy, quality, and legality of Personal Data uploaded to the Service.

Sub-processors

Authorisation

The Client grants iConvo general authorisation to engage the following sub-processors to assist in providing the Service:

 

Supabase Inc. — Database storage and authentication. Data stored in EU (Ireland, AWS eu-west-1).

Deepgram Inc. — Speech-to-text transcription. Data processed transiently; not retained after transcription.

Anthropic PBC — AI analysis of transcripts. Data processed transiently; not used for model training.

Vercel Inc. — Cloud hosting and content delivery. EU edge network used.

Stripe Inc. — Payment processing. Billing data only; no Client Data processed.

Changes to Sub-processors

iConvo will provide at least 30 days' prior written notice of any intended changes to sub-processors. The Client may object to a new sub-processor within 14 days by providing written notice. If the Client objects and the parties cannot resolve the objection, the Client may terminate the relevant Service with 30 days' written notice.

Sub-processor Obligations

iConvo shall impose data protection obligations on all sub-processors equivalent to those in this DPA. iConvo remains liable to the Client for the performance of sub-processors' obligations.

International Data Transfers

  • Where Personal Data is transferred outside the EU/EEA to sub-processors in the United States (Deepgram, Anthropic, Vercel), such transfers are governed by Standard Contractual Clauses (Module 3: Processor-to-Processor) as approved by the European Commission. The Client, as data controller, authorises iConvo to enter into SCCs with sub-processors on the Client's behalf.

  • Primary data storage (Supabase) is located within the EU (Ireland) and does not involve international transfers.

Security Measures

iConvo implements and maintains the following technical and organisational measures pursuant to GDPR Article 32:

  • Encryption of data in transit using TLS 1.2 or higher

  • Encryption of data at rest using AES-256

  • Row-level security and access controls in the database

  • API key authentication for all Service requests

  • Role-based access controls and least-privilege principles

  • Regular security reviews and vulnerability assessments

  • Logical separation of Client data (multi-tenant isolation)

iConvo will review and update these measures as necessary to address evolving risks.

Personal Data Breach Notification

In the event of a Personal Data breach, iConvo shall:

  • Notify the Client without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

  • Provide sufficient information to allow the Client to meet its own notification obligations under GDPR Article 33 (to Supervisory Authority) and Article 34 (to Data Subjects).

  • Co-operate with the Client and take such reasonable commercial steps as directed by the Client to investigate, remediate, and mitigate the effects of the breach.

The Client is responsible for determining whether notification to Supervisory Authorities or Data Subjects is required.

Data Subject Rights

  • iConvo shall, taking into account the nature of processing, assist the Client by appropriate technical and organisational measures in fulfilling the Client's obligation to respond to requests from Data Subjects exercising their rights under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection).

  • iConvo will promptly forward any Data Subject requests received directly to the Client and shall not respond to such requests without the Client's prior authorisation.

Data Protection Impact Assessments

  • iConvo shall provide reasonable assistance to the Client in carrying out data protection impact assessments (DPIAs) and prior consultations with Supervisory Authorities where required under GDPR Articles 35 and 36, to the extent such assessments relate to iConvo's processing activities.

Audit Rights

The Client may, upon giving iConvo at least 30 days' written notice, conduct an audit of iConvo's processing activities to verify compliance with this DPA, no more than once per calendar year unless a breach has occurred. Any audit shall be conducted during normal business hours, at the Client's cost, and shall not unreasonably disrupt iConvo's operations.

 

In lieu of an on-site audit, iConvo may provide the Client with a current third-party audit report (such as SOC 2 or ISO 27001 certification, when available) as evidence of

Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms and Conditions. Nothing in this DPA limits either party's liability to Data Subjects or Supervisory Authorities under applicable data protection law.

Term and Termination

This DPA is effective for the duration of the Terms and Conditions. Upon termination, the provisions of Section (deletion/return of data) shall continue to apply until all Personal Data has been deleted or returned.

Governing Law

This DPA is governed by the laws of Sweden. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms and Conditions.

Contact & Execution

This DPA does not require a separate signature — it is incorporated into and forms part of the Terms and Conditions accepted by the Client upon registration or use of the Service.

 

For data protection enquiries:
