Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between AIVO Technologies ("Processor," "we," "us," or "our") and you, the customer ("Controller," "you," or "your"), and governs the processing of personal data by AIVO Technologies on your behalf in connection with the AIVO Connect and AIVO AI services (the "Service").

This DPA applies where and to the extent AIVO processes personal data on your behalf in the course of providing the Service. It supplements our Terms of Service and Privacy Policy.

• "Controller" means the customer who determines the purposes and means of processing personal data through the Service. For the purposes of this DPA, you (the customer) are the Controller.
• "Processor" means the entity that processes personal data on behalf of the Controller. For the purposes of this DPA, AIVO Technologies is the Processor.
• "Personal Data" means any information relating to an identified or identifiable natural person that is processed through the Service on your behalf.
• "Data Subject" means the identified or identifiable natural person to whom the personal data relates, including your End Users and callers.
• "Sub-Processor" means any third party engaged by AIVO Technologies to process personal data on behalf of the Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

AIVO Technologies processes personal data solely for the purpose of providing the Service as described in the Agreement. The scope of processing includes:

• Call recordings: Audio recordings of inbound and outbound calls handled by the Service
• Transcripts: Text transcriptions generated from call audio using AI speech-to-text processing
• Contact data: Phone numbers, names, email addresses, and other contact information stored in your account
• Appointment data: Scheduling information, booking details, and calendar entries managed through the Service
• Call metadata: Call duration, timestamps, direction, status codes, and routing information
• AI-generated content: Call summaries, sentiment analysis, and other outputs produced by the AI voice assistant

The following categories of personal data may be processed under this DPA:

4.1 Data Subjects

• Your End Users (callers and message recipients)
• Your employees and authorised users of the Service
• Contacts stored in your account

4.2 Types of Personal Data

• Caller phone numbers (originating and destination)
• Names and contact details (where provided by you or the caller)
• Voice recordings of telephone conversations
• Call metadata (timestamps, duration, call direction, status)
• Transcribed text from voice conversations
• Appointment and scheduling details
• AI-generated summaries and analytics
• IP addresses and device information of Service users

4.3 Special Categories

AIVO Technologies does not intentionally process special categories of personal data (e.g., health data, biometric data, political opinions). However, callers may voluntarily disclose such information during calls. As the Controller, you are responsible for configuring appropriate disclosures and handling obligations for any sensitive data that may be captured incidentally.

Personal data is processed exclusively for the following purposes:

• AI voice assistant operation: Processing caller audio in real-time to understand intent, generate responses, and conduct conversations on your behalf
• Transcription and analytics: Converting call audio to text and generating call summaries, sentiment scores, and usage reports for your account
• Contact management: Storing and organising caller information, appointment records, and interaction history within your account
• Billing and usage metering: Tracking call minutes, message counts, and other usage metrics for subscription billing and plan enforcement
• Service improvement: Maintaining, debugging, and improving the Service (using aggregated and anonymised data only; your data is never used to train general-purpose AI models)

AIVO Technologies shall:

• Process personal data only on documented instructions from the Controller, unless required by applicable law
• Ensure that persons authorised to process personal data have committed to confidentiality obligations
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 7)
• Assist the Controller in responding to Data Subject requests (see Section 10)
• Assist the Controller in ensuring compliance with breach notification obligations (see Section 11)
• At the choice of the Controller, delete or return all personal data upon termination of the Service, unless retention is required by applicable law
• Make available all information necessary to demonstrate compliance with this DPA and allow for audits (see Section 13)
• Not process personal data for any purpose other than providing the Service as described in the Agreement

AIVO Technologies implements the following technical and organisational security measures to protect personal data:

7.1 Encryption

• At rest: AES-256 encryption for all stored data, including call recordings, transcripts, and database records
• In transit: TLS 1.2+ encryption for all data transmitted between clients, servers, and third-party services

7.2 Access Controls

• Application-enforced row-level security (RLS) ensuring strict tenant isolation — all database queries are scoped to the authenticated business
• Role-based access control for administrative functions
• Two-factor authentication (TOTP) with backup codes for all account holders
• Secure password hashing using bcrypt with adaptive work factors
• Account lockout protection after repeated failed login attempts
• API key authentication with scoped permissions for programmatic access

7.3 Infrastructure Security

• Security headers (CSP, HSTS, X-Frame-Options) on all responses
• CSRF protection and rate limiting on all endpoints
• Automated security scanning and dependency vulnerability monitoring
• Comprehensive audit logging for all administrative and data-modifying actions
• Graceful shutdown procedures ensuring clean disconnection of database and cache connections

7.4 SOC 2 Readiness

AIVO Technologies maintains security controls aligned with SOC 2 Type II requirements. We are committed to achieving formal SOC 2 certification and can provide details on our compliance programme upon request.

AIVO Technologies engages the following categories of Sub-Processors to deliver the Service. Each Sub-Processor is bound by data processing terms no less protective than this DPA.

We will notify you at least 14 days before engaging a new Sub-Processor or making material changes to an existing one. If you object to a new Sub-Processor, you may terminate the affected portion of the Service by providing written notice within 14 days of our notification.

Personal data is retained only for as long as necessary to fulfil the purposes described in this DPA, unless a longer period is required by law.

• Call recordings: Retained according to your configurable retention settings. The default retention period is 90 days. You may set shorter or longer periods through your dashboard.
• Transcripts and analytics: Retained for the life of your account unless you request earlier deletion
• Contact data: Retained for the life of your account; you may delete individual contacts at any time
• Account data: Retained for 30 days after account deletion, then permanently purged
• Billing records: Retained for 7 years as required by applicable financial regulations
• Server and API logs: Automatically purged after 90 days and 30 days respectively

A daily automated data retention cleanup process runs to enforce these policies. You may request earlier deletion of specific data by contacting us.

AIVO Technologies will assist you in fulfilling your obligations to respond to Data Subject requests, including:

• Right of access: You may export all data associated with your account, including call logs, contacts, and knowledge base content, via the dashboard data export feature
• Right to deletion: You may delete your account and all associated data via the account deletion feature in your dashboard settings. Upon request, we will confirm deletion in writing.
• Right to portability: Data exports are provided in standard, machine-readable formats (CSV, JSON)
• Right to rectification: You may update or correct contact data and account information directly through the dashboard
• Right to restriction: You may request that processing be restricted while a dispute is resolved

If we receive a Data Subject request directly, we will promptly inform you and await your instructions unless legally required to respond directly. We will not independently respond to Data Subject requests without your authorisation except to direct the requestor to you.

In the event of a Data Breach affecting personal data processed under this DPA, AIVO Technologies shall:

• Notify you without undue delay and in any event within 72 hours of becoming aware of the breach
• Provide sufficient information to enable you to meet your own notification obligations to supervisory authorities and Data Subjects
• Take reasonable steps to contain, investigate, and mitigate the effects of the breach
• Cooperate with you and provide all information and assistance reasonably required in connection with the breach investigation and response

Breach Notification Content

Breach notifications will include, to the extent available:

• Description of the nature of the breach
• Categories and approximate number of Data Subjects affected
• Categories and approximate number of records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach and mitigate its effects

AIVO Technologies is based in Belize. Personal data processed under this DPA is primarily stored and processed in the United States, where our infrastructure providers operate.

Where personal data is transferred to jurisdictions that may not provide an equivalent level of data protection, AIVO Technologies ensures appropriate safeguards through:

• Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable for transfers involving EU/EEA data
• Data processing agreements with all Sub-Processors requiring them to maintain equivalent data protection standards
• Technical measures (encryption, access controls, tenant isolation) that provide effective protection regardless of jurisdiction

By using the Service, you authorise the transfer of personal data to the United States and any other jurisdiction where our Sub-Processors operate, subject to the safeguards described in this DPA.

Upon reasonable request and subject to appropriate confidentiality obligations, AIVO Technologies will make available information necessary to demonstrate compliance with this DPA. This may include:

• Providing existing security certifications, audit reports, or compliance documentation
• Responding to written security questionnaires
• Permitting and contributing to audits conducted by you or a mutually agreed third-party auditor, at your expense, with reasonable advance notice (minimum 30 days)

Audits shall be conducted during normal business hours, shall not unreasonably interfere with our operations, and shall be limited to once per twelve-month period unless required by a supervisory authority or following a Data Breach.

This DPA is co-terminous with the Agreement. It takes effect upon your acceptance of the Terms of Service and remains in force for the duration of the Service agreement.

Upon termination of the Agreement:

• AIVO Technologies will cease processing personal data on your behalf, except as required to comply with applicable law
• At your election, we will either delete or return all personal data within 30 days of termination. You may request a data export during this period.
• After the 30-day post-termination retention period, all personal data will be permanently and irrecoverably deleted from our systems, including backups, within a reasonable timeframe
• Billing records may be retained for up to 7 years as required by financial regulations

This DPA is governed by the laws of Belize, consistent with the governing law provision of the Agreement. Where GDPR applies to the processing of personal data, the GDPR provisions shall take precedence over any conflicting provisions of this DPA to the extent necessary to ensure compliance.

For questions about this Data Processing Agreement, data processing inquiries, or to exercise your rights under this DPA, contact us at:

DPA Inquiries: [email protected]

General Contact: [email protected]

AIVO Technologies
Belize City, Belize