Sign In Book a Demo

Data Processing Addendum

This Data Processing Addendum (the “DPA”) forms the integral part of BYVOICE Sp. z o.o. 30-554 Krakow, ul. Zamknięta, nr 10, Poland (hereinafter referred as “BYVOICE”) Terms of Service (as defined below) entered into by and between Customer as described in Annex 1 and BYVOICE that governs Customer’s use and BYVOICE’s provision of Services.

Customer and BYVOICE are hereinafter jointly referred to as the “Parties” and individually as the “Party”. The details of Parties are set out in the Annex 1.

In case of any conflict or inconsistency with the terms of BYVOICE Terms of Service, this DPA will take precedence over other terms in BYVOICE Terms of Service to the extent of such conflict or inconsistency. 

Capitalized terms not otherwise defined herein shall have the meaning given to them in BYVOICE Terms of Service. 

BACKGROUND

The DPA, including all Annexes, specifies the data protection obligations of the Parties regarding to the Personal Data Processed by BYVOICE on behalf of the Customer as described in Annex 1 to this DPA in accordance with Applicable Data Protection Laws.

  • DEFINITIONS 

The terms shall have the following meaning:

“Applicable Data Protection Laws” means GDPR together with any applicable implementing legislation or regulations;

“BYVOICE Terms of Service” means BYVOICE Terms of Service, as published at https://www.byvoice.io/terms-of-service and Order form entered by the Parties or similar agreement (including any exhibits, appendices, annexes, terms, orders or policies referenced therein);

“Business Days” means a day (other than a Saturday or Sunday or public or bank holiday) on which the commercial banks are ordinarily open for the transaction of normal banking business in the country of residence of the Party to whose actions it applies;

“Controller” means the natural person or entity that determines the purposes and means of the Processing of Personal Data or otherwise is in charge of making decisions regarding the processing of Personal Data;

“Data Subject Request” shall have the meaning given in clause 3.2 of this DPA;

“Effective Date” as of the effective date of the BYVOICE Terms of Service;

GDPR” means Regulation of the European Parliament and the Council of the EU No. 2016/679 on the protection of natural persons regarding the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC;

“Personal Data Breach” shall have the meaning given in clause 6.1 of this DPA;

Personal Data” means any information that relates to an identified or identifiable natural person and is protected under Applicable Data Protection Laws and Processed by BYVOICE in the provision of its Services pursuant to the BYVOICE Terms of Service;

Processing” means any operation or set of operations performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Processor” means a natural or legal person, or other body which Processes Personal Data on behalf of the Controller;

“Standard Contract Clauses” means the standard contractual clauses as approved by the European Commission (as updated, amended, replaced, or superseded from time to time by the European Commission.). If the European Commission replaces the Standard Contract Clauses with amended or new standard contractual clauses, then, to the extent the relevant supervisory authority approves of the use of such amended or new standard contractual clauses, the references herein to “Standard Contract Clauses” will be read to refer to such amended or new standard contractual clauses;

“Sub-Processor Change Notice” shall have the meaning given in clause 4.1 of this DPA; 

Sub-Processor” means any Processor appointed by or on behalf of BYVOICE to Process Personal Data on behalf of the Customer in connection with the BYVOICE Terms of Service.

  • SUBJECT MATTER
  • Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and BYVOICE is the Processor. 
  • Processing. BYVOICE shall not Process Personal Data other than on the Customer’s documented reasonable and customary instructions, as specified in the BYVOICE Terms of Service (including Insertion Order) or this DPA, unless such Processing is required by applicable laws to which BYVOICE is subject. 
  • The Customer’s instructions. The Customer’s instructions for the Processing of Personal Data shall comply with the Applicable Data Protection Laws. The Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data. Without limitation, Customer shall be solely responsible for ensuring it has an appropriate lawful basis and right to enable the Processing of Personal Data pursuant to the terms of the BYVOICE Terms of Service and this DPA. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject.
  • Details of the Processing. The nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Annex 1 to this DPA.
  • RIGHTS OF DATA SUBJECTS
  • Responds to Data Subject Requests. The Customer shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws. The Parties agree and acknowledge that BYVOICE does not have an ability to respond to Data Subject Requests. 
  • Data Subject’s Requests. BYVOICE will, to the extent legally permitted, promptly notify the Customer if it receives any requests from a Data Subject to exercise the following Data Subject rights in relation to their Personal Data: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). 
  • The cooperation in the implementation of the Data Subject’s rights. BYVOICE will provide reasonable and timely assistance (including by appropriate technical and organizational measures) to the Customer to enable the Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Laws; and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third-party in connection with the Processing of Personal Data. 

If the Customer requests BYVOICE to assist to respond to the any request, then BYVOICE will, to the extent possible, provide commercially reasonable efforts to assist the Customer in responding to such request, to the extent BYVOICE is legally permitted to do so and the response to such request is required under the Applicable Data Protection Laws. 

  • Costs. To the extent legally permitted, the Customer shall be responsible for any costs arising from BYVOICE’s provision of such assistance, including any fees associated with provision of additional functionality. In such cases BYVOICE will notify you of these costs in advance.
  • SUB-PROCESSOR
  • Appointment of the Sub-Processor. Customer authorizes BYVOICE to appoint Sub-Processors in accordance with this section 4 and any restrictions in the DPA. The Customer acknowledges and agrees that BYVOICE may engage Sub-Processors without prior consent of the Customer. As a condition to permitting a third-party Sub-Processor to process Personal Data, BYVOICE will enter into an agreement with each Sub-Processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA. BYVOICE will notify the Customer in written of any intended changes concerning the addition or replacement of Sub-Processors before such changes of Sub-Processors (the “Sub-Processor Change Notice”). The Customer may object to such changes of the Sub-Processor under the clause 4.2 of this DPA. 
  • Objection right for Sub-Processors. The Customer may reasonably object to BYVOICE of any intended changes concerning the addition or replacement of Sub-Processor (e.g., if making personal data available to the Sub-Processor may violate the Applicable Data Protection Laws or weaken the protections for such personal data) by notifying BYVOICE promptly in writing within ten (10) Business Days after receipt of the Sub-Processor change notice. Such Customer’s notice shall explain the reasonable grounds for the objection. 

If the Customer do notify BYVOICE of such an objection, the Parties will discuss the issue in good faith with a view to achieving a commercially reasonable resolution. If such objections cannot be resolved within fifteen (15) Business Days, as the Processing cannot continue in proper way without the engagement of such Sub-Processor, BYVOICE has a right to refuse further Processing under this DPA and terminate BYVOICE Terms of Service without liability for such termination. 

  • Current list of Sub-Processors. Current list of Sub-Processors BYVOICE engage in Processing is provided in Annex 3 to this DPA. Within ten (10) Business Days of any changes concerning the addition or replacement of Sub-Processor, the Parties undertake to amend the Annex 3 to this DPA.
  • Liability. With respect to each Sub-Processor, BYVOICE shall: (i) take reasonable steps to ensure that the Sub-Processor is committed to provide the level of protection for Personal Data required by the DPA and (ii) remain fully liable to the Customer for the performance of the Sub-Processor’s data protection obligations where the Sub-Processor fails to fulfill such obligations.
  • DATA TRANSFERS
  • Data storage and Processing facilities. The Customer agrees that BYVOICE may, subject to clause 5.2 of this DPA, store and process Personal Data in any other country in which BYVOICE or any of its Sub-Processors maintains facilities.
  • Mechanism of transfer of Personal Data. For transfers of the Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland or the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws of the foregoing territories Standard Contract Clauses shall be entered into, unless they are referring to alternate lawful cross-border transfer mechanism.
  • Execution of Standard Contract Clauses. Relevant information from Annex 1 to this DPA will be used, as necessary, to complete the appendices to the Standard Contract Clauses. If the Parties rely on Standard Contract Clauses, the Parties hereby enter into the Standard Contract Clauses, as necessary and as modified herein, which are incorporated herein by reference and deemed signed upon execution of this DPA. If there is any conflict between this DPA and Standard Contract Clauses, the applicable Standard Contractual Clauses will prevail.
  • SECURITY
  • Technical and organization measures. BYVOICE shall implement and maintain appropriate technical and organizational measures to ensure an appropriate level of security, confidentiality and integrity of the Personal Data, including as appropriate and applicable, the measures referred to in Article 32 of the GDPR, as set out in Annex 2 to this DPA to protect Personal Data from:
  1. accidental or unlawful destruction, and 
  2. loss, alteration, unauthorised disclosure of, or access to Personal Data 

(each referred to as the “Personal Data Breach”).

  • Compliance control. BYVOICE regularly monitors compliance with the measures provided in Annex 2 to this DPA.
  • Assistance in ensuring compliance. Taking into account the nature of Processing and the Personal Data available to BYVOICE, BYVOICE assists the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR.
  • PERSONAL DATA BREACH
  • Notification of Personal Data Breach. If BYVOICE becomes aware of a Personal Data Breach, BYVOICE shall, to the extent permitted by law, notify the Customer without undue delay via e-mail upon BYVOICE or any Sub-Processor becoming aware of a Personal Data Breach affecting the Customer’s Personal Data, and shall provide reasonable information (to the extent in BYVOICE’s reasonable possession and/or control). 
  • Cooperation. BYVOICE shall provide cooperation taking into account the nature of the Processing and the information available to BYVOICE to assist Customer to meet any obligations to inform Data Subjects or data protection authorities of the Personal Data Breach under the Data Protection Laws. BYVOICE shall further take any reasonably necessary measures and actions to remedy or mitigate the effects of the Personal Data Breach and shall keep the Customer informed of all material developments in connection with the Personal Data Breach.
  • AUDIT
  • Customer’s right to conduct an audit. BYVOICE makes available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and allows for and contributes to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, in relation to the performance of obligations under this DPA.
  • BYVOICE’s cooperation on conducting audit. BYVOICE shall make available to the Customer all information, systems and staff reasonably necessary for the Customer or its third-party auditors to conduct such audit, provided that the Customer: 
  1. gives thirty (30) Business Days’ prior notices of audits; and
  2. conducts its audit during normal business hours; and 
  3. takes all reasonable measures to prevent unnecessary disruption to BYVOICE’s operations. Such audit shall be strictly within the scope of information that is related to the Processing of the Personal Data. 
  • Parameters of audit. The Parties shall mutually agree upon the scope, timing and duration of the audit or inspection.
  • Confidentiality. All audits under this DPA shall be subject to confidentiality obligations. Customer shall share the full audit report with BYVOICE and shall not share it with any third-party except its accountants and legal advisors who are bound to confidentiality. Customer shall not use such audit report for any other purpose than to assess BYVOICE’s compliance with this DPA.
  • Costs. Customer will bear the costs of such an audit unless otherwise agreed by the Parties. 
  • Audit frequency. The Customer shall not exercise its audit rights more than once in any twelve (12) calendar month period, except: 
  1. if and when required by instruction of a competent data protection authority; or 
  2. if it is necessary due to a Personal Data Breach suffered by BYVOICE and (or) Sub-Processors. 
  • CONFIDENTIALITY
  • BYVOICE shall take all reasonable steps to ensure the reliability of any staff authorised to Process Personal Data and ensure such staff is subject to appropriate obligations of confidentiality and at all times act in compliance with the Applicable Data Protection Laws.
  • DURATION
  • This DPA shall enter into force upon the Effective Date and is concluded and is valid for the entire term of the Processing unless terminated earlier by agreement of the Parties. 
  • DELETION OR RETURN OF PERSONAL DATA
  • Upon (i) termination of this DPA, or (ii) written request by Customer, or (iii) BYVOICE no longer being required to Process Personal Data in order to fulfill its obligations under BYVOICE Terms of Service and this DPA, or (iv) BYVOICE’s refusal Processing under the clause 4.2 of this DPA, BYVOICE shall, at the Customer’s discretion, either delete, destroy or return all Personal Data to the Customer and destroy or return any existing copies except to the extent that BYVOICE is required under Applicable Data Protection Laws to keep a copy of Personal Data for a specified period of time. Upon expiration of such retention period, BYVOICE shall immediately delete or destroy all remaining Personal Data.
  • In the event that Personal Data has been processed by any Sub-Processors, BYVOICE shall ensure that in specified cases such Sub-Processors will also return, delete, or destroy all Personal Data they hold, in accordance with the terms set forth in this section 11. 
  • MISCELLANEOUS
  • This DPA (including the Annexes referred to herein) constitutes the entire DPA and understanding between the Parties with respect to the subject matter hereof and supersedes all prior oral or written DPAs, representations or understandings between the Parties relating to the subject matter hereof. 
  • No purported amendment, modification or discharge of this DPA shall be valid or binding unless set forth in writing and duly executed by each Party.
  • The illegality, invalidity or unenforceability of any clause or part of this DPA will not affect the legality, validity or enforceability of the remainder. If any such clause or part is found by any competent court or authority to be illegal, invalid or unenforceable the Parties agree that they will substitute provisions in a form as similar to the offending provisions as is possible without thereby rendering them illegal, invalid or unenforceable.
  • In the event an ambiguity or question of intent or interpretation arises, the DPA shall be construed as if drafted jointly by the Parties and no presumption or burden of proof shall arise favoring or disfavoring any Party by virtue of the authorship of any of the provisions of the DPA.
  • This DPA may be executed in any number of counterparts, each of which, when executed and delivered, shall constitute an original of that DPA, but all the counterparts shall together constitute the same DPA. No counterpart shall be effective until each Party has executed at least one counterpart. The DPA can be concluded by exchanging documents. The Parties have agreed that the DPA concluded through the exchange of documents using email communication in scanned form or other electronic form is made in a proper written form.

Annex 1

Processing of Personal Data 

BYVOICE may process the following categories of Personal Data of the following Data Subjects:

Controller’s Details The Customer’s Company, identified in the ByVoice Terms of Service, during the registration or on a separate Service Order

legal address: The Customer’s address identified during the registration or on a separate Service Order

e-mail: The Customer’s e-mail identified during the registration or on a separate Service Order.
Processor’s Details BYVOICE Sp. z o.o., registered under the laws of Poland under the registration number: 389688182, 

legal address: 30-554 Krakow, ul. Zamknięta, nr 10, Poland

e-mail: [•]
Data Subject End-users of Platform specified in the Service Order.
Type of Personal Data Personal Data processed under DPA:

  • contact and identification data;
  • technical data;
  • location data (if required and available);
  • communication content data;
  • usage data.

Special categories of data 

The Processing of the sensitive Personal Data: [N/A].
The subject-matter of the Processing The subject matter of the Processing of Personal Data is to provide Services, as are further described in the BYVOICE Terms of Service.
The purpose of Processing  Personal Data may be processed only for the following purposes: provision of Services pursuant BYVOICE Terms of Service. 

BYVOICE will not sell Personal Data of the Customer.
The nature of Processing (scope of Processing activities) BYVOICE may perform the following Personal Data Processing activities: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means), each and every one only in the case and to the extent necessary for the provision of the Services under the BYVOICE Terms of Service.
Term of Processing activities Personal data may be processed throughout the duration of the BYVOICE Terms of Service, unless the Customer withdraws their instructions to process Personal Data at an earlier time.

 

Annex 2

Technical and organizational measures

BYVOICE will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data provided by the Customer: 

  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • Measures for user identification and authorisation; 
  • Measures for the protection of data during transmission;
  • Measures for the protection of data during storage;
  • Measures for ensuring physical security of locations at which personal data are processed;
  • Measures for ensuring system configuration, including default configuration;
  • Measures for ensuring data quality;
  • Measures for ensuring limited data retention;
  • Measures for ensuring accountability;
  • Measures for allowing data portability and ensuring erasure;
  • When processing and transmitting data, the HTTPS protocol is used. To ensure the security of data storage and processing, SSL certificates and other information protection tools are used. When processing data, caching may be performed

 

Annex 3

List of Sub-Processors

Current list of Sub-Processors BYVOICE engage is below:

Name Purpose of the engagement
Stripe (Stripe Inc., USA) Third party that provide us payment services
Google Analytics (Google Inc., USA).

Google Search Console (Google Inc., USA).

Hotjar (Hotjar Ltd., Malta).

 Third parties that provide us analytic services 
Zoho (Zoho Corporation Pvt. Ltd., India).

Instantly (Foo Monk LLC, USA).

Google Workspace (Google Inc., USA)

Microsoft 365 (Microsoft Inc., USA)

Sendgrid (Twilio Inc., USA).

 Third party companies that do marketing mailings 
Cyber_Folks S.A. (Cyber Folks, Inc., Poland).

Wix (Wix.com Ltd., Israel).

GoogleDrive (Google Inc., USA).

Confluence (Atlassian Inc., USA).

Google Cloud (Google Inc., USA).

 Third party companies and their partners that provide us data hosting services
Google Speech (Google Inc., USA).

Deepgram (Deepgram Inc., USA).

ElevenLabs (Eleven Labs Inc., USA). Cloud (Direct Cursus Technology LLC, UAE).

 Third party companies and their partners that provide us speech-to-text and text-to-speech conversion services
ChatGPT (OpenAI OpCo LLC, USA).

Google Gemini (Google Inc., USA).

Anthropic (Anthropic PBC, USA).

Groq (Groq Inc., USA).

Deepseek (Hangzhou DeepSeek Artificial Intelligence Co., Ltd., China).

Yandex Cloud (Direct Cursus Technology LLC, UAE).

 Third party companies and their partners that provide us LLM-based data processing services