Data Processing Agreement
Last updated: March 20, 2026
1. Scope & Purpose
This Data Processing Agreement (“DPA”) governs the processing of “Personal Data” by Sovereign Creator Labs (“Data Processor”) on behalf of the Client (“Data Controller”). This DPA supplements our Terms of Service and applies to all personal data processed in connection with the AI Voice Receptionist services.
2. Roles & Definitions
- Data Controller: The Client, who determines the purposes and means of processing personal data.
- Data Processor: Sovereign Creator Labs, which processes personal data on behalf of and under the instruction of the Data Controller.
- Personal Data: Any information relating to an identified or identifiable natural person, including voice recordings, phone numbers, names, and appointment details.
- Sub-processor: A third party engaged by the Data Processor to process personal data.
3. Processing Instructions
The Data Processor shall process personal data only on documented instructions from the Data Controller, unless required to do so by applicable law. Processing activities include: voice call handling, transcript generation, appointment scheduling, SMS delivery, and CRM synchronization.
4. Security Measures
The Data Processor implements the following technical and organizational measures:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- SOC2 Type II certified infrastructure
- Role-based access control (RBAC) applying the principle of least privilege
- Regular penetration testing and vulnerability assessments
- Automated monitoring and alerting for anomalous access patterns
- Employee background checks and mandatory security training
- Incident response plan with 72-hour breach notification
5. Sub-processors
The Data Processor engages the following sub-processors, each held to the same high standards of encryption and privacy:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vapi.ai | Voice AI processing | United States |
| Google Cloud | Infrastructure & compute | United States / EU |
| Supabase | Auth & database | United States |
| Cal.com | Scheduling | United States / EU |
The Data Controller will be notified 30 days in advance of any change to sub-processors.
6. Data Subject Rights
The Data Processor will assist the Data Controller in fulfilling data subject requests (access, rectification, erasure, portability, restriction, and objection) within the timeframes required by applicable data protection law. Technical mechanisms are in place to support automated deletion and export.
7. International Transfers
Where personal data is transferred outside the EEA, the Data Processor ensures compliance with GDPR Chapter V requirements, including the use of Standard Contractual Clauses (SCCs) and supplementary measures as necessary.
8. Audit Rights
The Data Controller may audit the Data Processor's compliance with this DPA upon 30 days' written notice, no more than once per calendar year. The Data Processor will also provide SOC2 audit reports upon request.
9. Term & Termination
This DPA remains in effect for the duration of the service agreement. Upon termination, all personal data will be deleted or returned within 30 days, with certification of deletion provided upon request.
10. Contact
For DPA-related inquiries, contact contact@sovereigncreatorlab.com.