Data Processing Addendum
Data protection terms for processing personal data on behalf of clients.
This Data Processing Addendum ("DPA") applies to any Client ("Client" or "Controller") that has agreed to the CallFlows Terms of Service ("Agreement"), and is entered into by and between such Client and Call Flows LTD., a company incorporated in Bulgaria with registered number BG207810941 and registered address at Bulgaria, Sofia, blvd Vitosha 1A ("Call Flows LTD" or "Processor").
This DPA is incorporated into and forms an integral part of the Agreement between Call Flows LTD and the Client for the provision of CallFlows' Services.
1. Definitions
For the purposes of this DPA:
- "Agreement" refers to the CallFlows Terms of Service agreed to by the Client.
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including but not limited to the GDPR, the UK GDPR, the CCPA/CPRA, and any other national, state, or local data protection laws.
- "Client Personal Data" means any Personal Data Processed by Processor on behalf of Controller in connection with the provision of the Services under the Agreement. Depending on which Service lane the Client uses, this may include data originating from the Client's Shopify store (Shopify App lane), data originating from third-party business systems connected by the Client to the Enterprise Services via Enterprise Connectors, the CallFlows API, or other Client-authorised interfaces (Enterprise Services lane), and, in both lanes, data generated by the interactions of End-Users with the Services (including call audio, transcripts, AI-generated outputs and related metadata).
- "Controller" means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, Client is the Controller of Client Personal Data.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates. This includes End-Users interacting with the Services (e.g. callers to the Client's phone numbers) and, where applicable, individuals whose Personal Data is accessed by the Services within the Client's Shopify store or within third-party business systems connected to the Enterprise Services.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- "Personal Data" means any information relating to a Data Subject which is subject to Applicable Data Protection Law.
- "Processing" (and its cognates like "Process") means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Processor" means the entity which Processes Personal Data on behalf of the Controller. For the purposes of this DPA, Call Flows LTD is the Processor.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data transmitted, stored or otherwise Processed by Processor or its Sub-processors.
- "Services" means the AI-powered voice agent platform and related functionalities provided by CallFlows to the Client under the Agreement, including (i) the CallFlows AI Shopify Application distributed via the Shopify App Store and integrated with the Client's Shopify store via the Shopify Admin API (the "Shopify App"), (ii) the Enterprise AI voice agents, the Enterprise Portal and the Enterprise Connectors (collectively the "Enterprise Services"), and (iii) the CallFlows REST API, where made available for the applicable plan, to Clients with an active subscription in either lane.
- "Sub-processor" means any third-party data processor engaged by Processor to Process Client Personal Data.
- "UK GDPR" means the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018.
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2. Scope and Purpose of Processing
2.1. This DPA applies when Client Personal Data is Processed by Call Flows LTD as part of its provision of the Services to the Client.
2.2. Nature and Purpose of Processing: Call Flows LTD will Process Client Personal Data for the purpose of providing the Services as described in the Agreement and this DPA. Depending on the Service lane(s) selected by the Client, this includes, but is not limited to: enabling AI-powered voice agent interactions with Client's End-Users (inbound and, where enabled, outbound); integrating with the Client's Shopify store via the Shopify Admin API to look up, read, create or update products, orders, customers, draft orders and related records; integrating with the Client's third-party business systems (such as CRMs, helpdesks, knowledge bases, scheduling systems and telephony stacks) via the Enterprise Connectors, the CallFlows API, or other Client-authorised interfaces; processing and managing orders and cases; providing product information and knowledge-base answers; offering shipping and delivery support; analysing service usage (including call analytics, sentiment and outcomes) to operate and improve the Services for the Client; and fulfilling other instructions from the Client in accordance with the Agreement.
2.3. Duration of Processing: Call Flows LTD will Process Client Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing or as required by Applicable Data Protection Law.
2.4. Categories of Data Subjects: The categories of Data Subjects whose Personal Data may be Processed include, but are not limited to:
- End-Users interacting with the Services (e.g., customers calling the Client's phone numbers to make inquiries, place orders, obtain support or access other automated interactions).
- Individuals whose Personal Data is held in the Client's Shopify store (Shopify App lane) or in third-party business systems connected by the Client to the Enterprise Services (Enterprise Services lane), to the extent that data is accessed or updated by the Services on the Client's instructions.
- Client's employees, contractors or representatives who interact with or administer the Services (including Shopify merchant admins, Enterprise Portal users, and CallFlows API operators).
2.5. Types of Personal Data: The types of Client Personal Data that may be Processed include, but are not limited to:
- Shopify Store Data (Shopify App lane). Information accessed via the Shopify Admin API as authorised by the Client, such as product details, order information (including items, value, status), customer contact information (name, email, phone, shipping/billing address), customer purchase history, store policies and pages.
- Integrated System Data (Enterprise Services lane). Information accessed from third-party business systems connected by the Client to the Enterprise Services via Enterprise Connectors, the CallFlows API, or other Client-authorised interfaces, such as CRM contacts, helpdesk tickets, case or order records, knowledge base content, calendar events and similar business-system data that the Client instructs Call Flows LTD to retrieve, create or update.
- End-User Interaction Data (both lanes). Voice recordings and transcripts of interactions between End-Users and the AI voice agent, AI-generated summaries, sentiment and analytics signals, caller identifiers (masked in certain email notifications as described in the Privacy Policy), session identifiers, call metadata (duration, time, end reason, transfers to human, etc.), and outcomes.
- Technical Data (both lanes). IP addresses, device information, browser type, audit and usage logs related to interactions with the Services and with the Enterprise Portal.
3. Obligations of the Processor (Call Flows LTD)
3.1. Instructions: Call Flows LTD shall only Process Client Personal Data on behalf of and in accordance with Client's documented instructions, including with regard to transfers of Client Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Call Flows LTD is subject; in such a case, Call Flows LTD shall inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Agreement (including this DPA) constitutes Client's complete and final instructions to Call Flows LTD for the Processing of Client Personal Data. Any additional or alternate instructions must be agreed upon in writing by both parties.
3.2. Confidentiality: Call Flows LTD shall ensure that its personnel authorized to Process Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3. Security: Call Flows LTD shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures are further detailed in Annex 2 (Technical and Organizational Security Measures) to this DPA. Call Flows LTD may update these measures from time to time, provided such updates do not materially decrease the overall security of the Services.
3.4. Sub-processing:
3.4.1. Client provides a general written authorization for Call Flows LTD to engage Sub-processors to Process Client Personal Data. Call Flows LTD shall make available to Client a current list of Sub-processors. Such list is provided in Annex 3 to this DPA and will be updated by Call Flows LTD providing notice to the Client of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving Client the opportunity to object to such changes in accordance with the terms of this DPA.
3.4.2. Where Call Flows LTD engages a Sub-processor, it shall do so by way of a written contract which imposes on the Sub-processor data protection obligations that are at least as protective as those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Applicable Data Protection Law.
3.4.3. Call Flows LTD shall remain fully liable to Client for the performance of that Sub-processor's data protection obligations. A current list of Call Flows LTD's Sub-processors and their locations is available in Annex 3 and will be maintained by Call Flows LTD at callflows.ai/subprocessors.
3.5. Data Subject Rights: Taking into account the nature of the Processing, Call Flows LTD shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client's obligation to respond to requests for exercising Data Subject rights laid down in Applicable Data Protection Law. If Call Flows LTD receives a request directly from a Data Subject, Call Flows LTD will promptly notify Client and will not respond to the request itself, except to inform the Data Subject that the request should be directed to Client.
3.6. Assistance to Controller: Taking into account the nature of Processing and the information available to Call Flows LTD, Call Flows LTD shall assist Client in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR (Security of Processing, Notification of a Personal Data Breach to the supervisory authority, Communication of a Personal Data Breach to the Data Subject, Data Protection Impact Assessment, and Prior Consultation), where applicable.
3.7. Deletion or Return of Client Personal Data: Upon termination of the Agreement or at Client's request, Call Flows LTD shall, at Client's choice, delete or return all Client Personal Data to Client, and delete existing copies unless Union or Member State law requires storage of the Personal Data. The specific terms for data deletion or return may be further detailed in the Agreement.
3.8. Audits and Inspections: Call Flows LTD shall make available to Client all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client, upon reasonable prior notice and subject to appropriate confidentiality obligations. Such audits shall be conducted no more than once annually, during Call Flows LTD's normal business hours, and in a manner that does not unreasonably interfere with Call Flows LTD's business operations.
4. Obligations of the Controller (Client)
4.1. Lawful Basis: Client warrants that it has a lawful basis for the Processing of all Client Personal Data transferred to or accessed by Call Flows LTD under the Agreement and this DPA (e.g., consent, performance of a contract, legitimate interest).
4.2. Instructions: Client shall ensure that its instructions to Call Flows LTD for the Processing of Client Personal Data comply with Applicable Data Protection Law. Client is responsible for the accuracy, quality, and legality of Client Personal Data and the means by which Client acquired it.
4.3. Data Subject Notifications and Consents: Client is responsible for providing all necessary privacy notices to Data Subjects and obtaining any required consents from Data Subjects regarding the Processing of their Personal Data by Call Flows LTD as contemplated by the Agreement and this DPA.
5. Data Transfers
5.1. Client Personal Data may be Processed by Call Flows LTD and its authorized Sub-processors in various locations globally, including the European Union (EU), the European Economic Area (EEA), the United Kingdom (UK), and the United States (US). Call Flows LTD's primary data storage and processing locations for Client Personal Data include servers in the EU (Frankfurt, Germany) and the US (Ohio and Oregon). All transfers of Client Personal Data will be made in compliance with Applicable Data Protection Law.
5.2. For transfers of Client Personal Data from the EEA, UK, or Switzerland to countries not deemed to provide an adequate level of data protection by the European Commission or relevant UK/Swiss authorities (such as the United States), Call Flows LTD shall ensure such transfers are safeguarded by appropriate transfer mechanisms. This primarily includes reliance on the Standard Contractual Clauses (SCCs) as approved by the European Commission (and the UK Addendum thereto, where applicable). By entering into this DPA, Client and Call Flows LTD are deemed to have executed the applicable SCCs, which are incorporated herein by reference. The relevant modules of the SCCs will apply as determined by legal counsel to be appropriate for the transfers contemplated herein. Further details regarding the SCCs, including the selection of optional clauses and relevant annexes, will be completed as required and made available to the Client upon request.
5.3. Call Flows LTD is a Bulgarian company and is not itself self-certified under the EU–U.S. Data Privacy Framework (DPF), the UK Extension thereto, or the Swiss–U.S. DPF. Where a Sub-processor of Call Flows LTD is so certified, Call Flows LTD may rely on that certification as a supplementary transfer mechanism with respect to transfers to that Sub-processor, in addition to (and without derogating from) the SCCs and the UK IDTA referenced in Section 5.2.
6. Security Incident Notification
In the event of a Security Incident, Call Flows LTD shall notify Client without undue delay after becoming aware of the Security Incident. The notification shall, as far as possible, describe the nature of the Security Incident, the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences of the Security Incident, and the measures taken or proposed to be taken by Call Flows LTD to address the Security Incident and mitigate its possible adverse effects. Call Flows LTD shall provide reasonable cooperation to Client in dealing with the Security Incident and in complying with Client's notification obligations under Applicable Data Protection Law.
7. Liability
The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall limit a party's liability towards Data Subjects under Applicable Data Protection Law.
8. General Provisions
8.1. Precedence: In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail with regard to the Processing of Client Personal Data.
8.2. Amendments: This DPA may only be amended by a written agreement signed by both parties, or as otherwise permitted for updates to the Agreement.
8.3. Governing Law and Jurisdiction: This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless otherwise required by Applicable Data Protection Law.
(Acceptance of this DPA is made through acceptance of the CallFlows Terms of Service, into which this DPA is incorporated.)
Annex 1: Details of Processing (as required by Article 28(3) GDPR)
This Annex forms part of the DPA and describes the Processing of Client Personal Data.
A. List of Parties
Data exporter (Controller):
- Name: The Client, as defined in the CallFlows Terms of Service.
- Address: As provided by Client during account registration or Shopify store integration.
- Contact person's name, title and contact details: As provided by Client via their account information.
- Activities relevant to the data transferred under these Clauses: Using CallFlows' Services to operate AI voice agents for customer interactions, order management and support — whether via the Shopify App integrated with the Client's Shopify store, via the Enterprise Services integrated with the Client's third-party business systems, or via the CallFlows API.
- Role (controller/processor): Controller
Data importer (Processor):
- Name: Call Flows LTD.
- Address: Bulgaria, Sofia, blvd Vitosha 1A
- Contact person's name, title and contact details: For DPA queries, please contact: contact@callflows.ai
- Activities relevant to the data transferred under these Clauses: Provision of the AI-powered voice agent Services, including (as applicable) the Shopify App, the Enterprise Services (Enterprise AI agents, Enterprise Portal, Enterprise Connectors) and the CallFlows API, as further described in the Agreement.
- Role (controller/processor): Processor
B. Description of Transfer
- Categories of data subjects whose personal data is transferred: As described in Section 2.4 of this DPA (End-Users interacting with the Services, individuals whose Personal Data is held in the Client's Shopify store or in third-party business systems connected to the Enterprise Services, and Client's employees/representatives administering the Services).
- Categories of personal data transferred: As described in Section 2.5 of this DPA (Shopify Store Data, Integrated System Data, End-User Interaction Data including voice recordings and transcripts, and Technical Data).
- Sensitive data transferred (if applicable) and applied restrictions or safeguards: Call Flows LTD does not intend to Process special categories of data as defined by GDPR Article 9 unless explicitly agreed with the Client and subject to appropriate safeguards. Voice recordings are Processed for the purpose of service provision; Clients are responsible for ensuring they have a lawful basis for the recording and Processing of such voice data, including obtaining End-User consent where required by applicable law.
- The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis, as End-Users interact with the Services and as data is retrieved from, or written back to, the Client's Shopify store and/or connected third-party business systems.
- Nature of the processing: As described in Section 2.2 of this DPA.
- Purpose(s) of the data transfer and further processing: Provision, maintenance, and improvement of the Services as per the Agreement.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: For the duration of the Agreement, or as per Client's instructions for deletion, or as required by law. Specific retention periods for certain data types (e.g., voice recordings) may be configurable by the Client where such functionality is provided by the Services, or otherwise will be retained as per CallFlows service policies, which are designed to retain data no longer than necessary for the provision of Services or as required by law.
- For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing: To be detailed in the list of Sub-processors in Annex 3. Sub-processors are engaged for purposes such as cloud hosting, AI model provision (e.g., OpenAI for speech processing, response generation and sentiment analysis), telecommunications / voice carriage (e.g., Voip.ms), email delivery (e.g., Mailjet), and shipment and logistics lookup (e.g., USPS, UPS and TWBGO, where enabled). Duration is typically for as long as Call Flows LTD uses their services for the provision of Services to the Client, or as per the Sub-processor agreement. Payment processors such as Stripe (for Enterprise Services) and Shopify (for Shopify App billing) are addressed separately as independent controllers / third-party platforms below because they do not process Client Personal Data on Call Flows LTD's behalf under this DPA.
C. Competent Supervisory Authority
In accordance with Clause 13 of the Standard Contractual Clauses (where applicable), the competent supervisory authority will be: For matters related to the processing of personal data of individuals in the European Union, and where the Client is established in the EU, the supervisory authority of the EU Member State in which the Client is established. Where the Client is not established in the EU but is subject to GDPR, the supervisory authority will be determined as per GDPR Article 27 or by mutual agreement. For Call Flows LTD, as a Bulgarian entity, the primary supervisory authority is the Commission for Personal Data Protection, Bulgaria. For data subjects in the UK, the competent supervisory authority is the Information Commissioner's Office (ICO).
Annex 2: Technical and Organizational Security Measures
This Annex forms part of the DPA and describes the technical and organizational security measures implemented by Call Flows LTD. Call Flows LTD commits to maintaining robust security measures, recognizing its responsibilities even when utilizing third-party infrastructure like AWS.
- 1. Infrastructure and Network Security:
- Services are hosted on Amazon Web Services (AWS) infrastructure. Call Flows LTD leverages AWS security features for the underlying infrastructure, including but not limited to:
  - Use of Virtual Private Clouds (VPCs) for network isolation of processing environments.
  - Implementation of Security Groups and Network Access Control Lists (ACLs) to act as firewalls, restricting traffic to and from servers to only necessary ports and protocols.
  - Leveraging AWS Shield or similar services for Distributed Denial of Service (DDoS) mitigation.
- Firewalls are implemented at network and host levels as appropriate.
- 2. Data Encryption:
- All Client Personal Data is encrypted in transit using industry-standard protocols such as SSL/TLS (HTTPS) for web application traffic, REST APIs, and WebSocket communications. Voice call signaling (e.g., SIP over TLS) and media (e.g., SRTP) are encrypted.
- Client Personal Data is encrypted at rest using industry-standard encryption algorithms (e.g., AES-256). This is applied to data stored in databases (e.g., AWS RDS encryption), object storage (e.g., AWS S3 server-side encryption), and on server volumes (e.g., AWS EBS volume encryption).
- Encryption key management is handled via AWS Key Management Service (KMS) or an equivalent robust key management system.
- 3. Access Control:
- Role-Based Access Control (RBAC) is implemented for Call Flows LTD personnel (e.g., distinct roles for support, sales, administration) to ensure access to Client Personal Data is strictly limited to those who require it for their job functions, adhering to the principle of least privilege.
- Multi-Factor Authentication (MFA) is enforced for all Call Flows LTD administrative access to production systems, sensitive data, and underlying AWS accounts.
- AWS Identity and Access Management (IAM) is utilized to manage and control access to AWS resources, enforcing the principle of least privilege for users and services.
- Strong password policies (complexity, length, rotation where appropriate) are enforced for all accounts with access to systems processing Client Personal Data.
- Access to production environments, applications, and data is logged and monitored for unauthorized attempts or suspicious activity.
- Client access to the Services is authenticated, for the Shopify App, via Shopify OAuth and the Client's credentials managed within Shopify; and, for the Enterprise Portal and the CallFlows API, via Call Flows LTD's own authenticated accounts and per-Client API keys or tokens.
- Physical access to Call Flows LTD offices is controlled. No Client Personal Data is stored at physical office locations; all processing occurs within secure cloud environments (AWS data centers). AWS maintains robust and certified physical security for their data centers.
- 4. Application Security:
- Secure software development lifecycle (SSDLC) practices are integrated into the development process. This includes following secure coding guidelines (e.g., based on OWASP recommendations) and conducting security-focused code reviews.
- Regular automated vulnerability scanning of applications is performed.
- Periodic penetration testing by independent third parties is conducted to identify and remediate potential vulnerabilities.
- The application is designed to protect against common web vulnerabilities, including those listed in the OWASP Top 10.
- 5. Logging and Monitoring:
- Comprehensive logging of system activity, application events, access attempts, and security events is implemented (e.g., using AWS CloudTrail for API activity and AWS CloudWatch for application logs and performance metrics).
- Logs are securely stored and regularly reviewed. Automated alerting mechanisms are in place for suspicious activity and critical security events.
- 6. Availability and Resilience (Business Continuity & Disaster Recovery):
- Use of multiple AWS Availability Zones (AZs) within primary regions (EU Frankfurt, US Ohio, US Oregon) for high availability and fault tolerance of critical service components.
- Regular automated backups of critical Client Personal Data are performed. Backup procedures include encryption of backup data and secure storage in a separate AWS region from the primary processing region.
- Backup and restoration procedures are periodically tested to ensure their effectiveness and timeliness.
- A disaster recovery (DR) plan is maintained and periodically reviewed and tested. The DR plan outlines procedures for recovering services and data in the event of a major outage or disaster affecting a primary processing region.
- 7. Data Minimization and Separation:
- Call Flows LTD processes only the Client Personal Data necessary to provide and improve the Services as described in the Agreement and this DPA.
- Client data is logically separated within multi-tenant systems to prevent unauthorized access or disclosure between different clients.
- 8. Incident Management:
- A documented incident response plan is in place to address Security Incidents. This plan includes procedures for:
  - Detection and Reporting: Systems and processes for identifying, monitoring, and reporting potential security incidents.
  - Containment: Actions to limit the scope and impact of an ongoing incident.
  - Investigation and Analysis: Determining the root cause, nature, and extent of an incident.
  - Eradication and Recovery: Removing the cause of the incident and restoring affected systems and data securely.
  - Notification: Complying with notification obligations to Clients (as per Section 6 of this DPA) and relevant data protection authorities, where required by Applicable Data Protection Law.
  - Post-Incident Review (Lessons Learned): Analyzing the incident handling process to identify areas for improvement in security measures and incident response procedures.
- 9. Personnel Security:
- Employees and contractors with access to Client Personal Data are subject to confidentiality obligations.
- Regular security awareness training is provided to personnel.
- 10. Sub-processor Management:
- Due diligence is performed on Sub-processors to assess their security and data protection practices before engagement.
- DPAs are in place with Sub-processors imposing data protection obligations consistent with this DPA.
Call Flows LTD may update these security measures from time to time, provided that such updates do not materially decrease the overall security of the Services. Client acknowledges that security requires shared responsibility, and Client is responsible for configuring and using the Services securely, including managing its own user access credentials (for Shopify OAuth, the Enterprise Portal, and the CallFlows API), safeguarding any API keys issued to it, and ensuring the security of its Shopify store integration and any third-party business systems it connects to the Enterprise Services.
Annex 3: List of Sub-processors
This Annex forms part of the DPA. Call Flows LTD is authorised to engage the following Sub-processors to Process Client Personal Data for the provision of the Services. Call Flows LTD will maintain an up-to-date list and will notify Clients of intended changes (additions or replacements) in accordance with Section 3.4.1. The current list is:
| Sub-processor | Service Provided | Location of Processing (Primary) |
|---|---|---|
| Amazon Web Services, Inc. / Amazon Web Services EMEA SARL (AWS) | Cloud hosting, infrastructure, database, object and block storage, network services, and key management for the Platform (both lanes). | EU (Frankfurt, Germany), US (Ohio), US (Oregon) |
| OpenAI, L.L.C. / OpenAI Ireland Ltd. | AI model provider for speech-to-text transcription, natural-language understanding, response generation, and sentiment analysis. Integration is configured so that Client-Owned Data is not used by OpenAI to train or improve its general-purpose models. | United States (and other locations as per OpenAI policy) |
| Voip.ms (a service of FNOBOX Inc.) | Telecommunications carrier for VoIP origination and termination (voice signalling and media are encrypted in transit to/from Call Flows LTD infrastructure). | Canada, with points of presence used by Call Flows LTD in France (Paris) and the United States (San Jose). |
| Mailjet SAS (a Sinch company) | Transactional and service email delivery (e.g., call notifications, subscription-status emails, password-reset and security emails). | European Union (France) |
| United States Postal Service (USPS), United Parcel Service (UPS) tracking APIs, and TWBGO | Real-time shipment / tracking lookups invoked by the voice agent when an End-User enquires about order or parcel status. | United States, Taiwan / global carrier network locations where applicable |
Annex 4: Independent Controllers and Third-Party Platforms
The following third parties are not Sub-processors under this DPA for Client Personal Data. They process certain data as independent controllers or as third-party platforms under their own agreements and privacy notices:
- Shopify Inc. and its affiliates. For Clients using the Shopify App, Shopify acts as an independent controller with respect to Shopify Billing and as a separate platform provider for data the Client stores and processes within Shopify. Shopify's processing is governed by the Client's own agreement(s) with Shopify and is not covered by this DPA.
- Stripe, Inc. / Stripe Payments Europe, Limited. For Clients using the Enterprise Services, Stripe processes payment card data and related payment information via Stripe Checkout and the Stripe Customer (Billing) Portal as an independent controller under Stripe's own privacy policy and services agreement. Call Flows LTD receives only the subscription and transaction metadata described in Section 7 of the Privacy Policy. Stripe is not used for Shopify App billing.