Disclaimer: This Data Processing Agreement ("DPA") template is provided by Delve Technologies Inc. to Bland.ai strictly on an "as-is" basis. Delve Technologies Inc. makes no representations or warranties regarding this template's legal sufficiency, accuracy, or compliance with applicable laws. This template should be reviewed by Bland.ai's legal counsel prior to use or implementation. Delve Technologies Inc. shall not be liable for any damages arising from the use of this template. By using this template, Bland.ai acknowledges that it is solely responsible for ensuring the DPA meets its specific business needs and complies with all applicable privacy regulations.
This Data Processing Agreement ("Agreement") will form part of the Service Agreement between Bland.ai ("Data Processor") and the customer entity that accepts this Agreement ("Company" or "Data Controller"). By using Bland.ai's services, the Company agrees to be bound by the terms of this Data Processing Agreement.
For questions regarding this Data Processing Agreement or to exercise any rights hereunder, please contact privacy@bland.ai.
1. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person.
- "Customer Personal Data": Any Personal Data processed by the Data Processor or its Sub-processor on behalf of the Company to perform the Services under the Service Agreement.
- "Processing": Any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
- "Data Subject": An individual whose Personal Data is processed.
- "Sub-processor": Any third party engaged by the Data Processor to process Personal Data on behalf of the Company.
- "Data Protection Laws": EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country including U.S. Privacy Laws.
- "EU Data Protection Laws": EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
- "GDPR": EU General Data Protection Regulation 2016/679.
- "CCPA": The California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder. When used in the context of the CCPA, the terms "business," "business purpose," "commercial purpose," "contractor," "sell," "service provider," and "share" shall have the respective meanings given thereto in the CCPA.
- "U.S. Privacy Laws": The collective privacy, data protection, and data security laws and regulations issued by a governmental authority of any US state jurisdiction applicable to the Processing of Customer Personal Data under this Agreement, including the CCPA.
- "Data Transfer": (a) A transfer of Company Personal Data from the Company to a Contracted Processor; or (b) an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws.
- "EU SCCs": The standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
- "UK SCCs": The EU SCCs, as amended by the UK Addendum.
- "UK Addendum": The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office.
- "ex-EEA Transfer": The transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the "EEA"), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
- "ex-UK Transfer": The transfer of Personal Data covered by Chapter V of the UK GDPR, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the "UK"), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
- "Personal Data Breach": A breach of the Data Processor's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in the Data Processor's possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
- "Service Data": Any data relating to the use, support and/or operation of the Services, which is collected directly by the Data Processor from and/or about users of the Services and/or the Company's use of the Service for use for the Data Processor's own purposes.
2. Subject Matter and Duration
The Data Processor shall process Personal Data on behalf of the Company as necessary to perform the services defined in the Service Agreement. This Agreement shall remain in effect for the duration of the Service Agreement.
2.1 Service-Specific Data Retention
The Data Processor shall retain Voice AI Service Customer Data transmitted through the Service for a maximum of thirty (30) days, after which it will be deleted, except where the Data Processor is required to retain copies under applicable laws, in which case the Data Processor will isolate and protect that Customer Data from any further processing except to the extent required by applicable laws. Data retention periods for other services shall be as specified in the applicable Service Description or Order Form.
3. Nature and Purpose of Processing
3.1 General Processing Activities
The processing involves managing and facilitating AI-driven phone communications, including recording, transcribing, and analyzing voice data to enhance communication services.
3.2 Processing Relationship
It is the parties' intent that:
- The Company determines the means and processing of Customer Personal Data subject to this Agreement
- For EU Personal Data, the Company acts as a controller and the Data Processor acts as a processor
- For US Personal Data, the Company acts as a "business" and the Data Processor acts as a "service provider" and/or "contractor" as defined by the CCPA
3.3 US Privacy Law Compliance
To the extent the Data Processor's Processing of Customer Personal Data under the Agreement is subject to U.S. Privacy Laws:
(a) The Parties acknowledge that the Data Processor's retention, use and disclosure of personal information authorized by the Company's instructions stated in this Agreement are integral to the Services and the business relationship between the Parties.
(b) The Data Processor:
- Acknowledges that personal information is disclosed by the Company only for limited and specified purposes
- Shall comply with applicable obligations under U.S. Privacy Laws and shall provide the same level of privacy protection to personal information as may be required by such laws
- Acknowledges that the Company may take reasonable and appropriate steps designed to ensure that the Data Processor's use of personal information is consistent with the Company's obligations under U.S. Privacy Laws
- Shall notify the Company if the Data Processor determines it cannot meet its obligations under U.S. Privacy Laws
- Acknowledges that the Company may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of personal information
(c) The Data Processor shall not:
- Sell or share any personal information
- Retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by U.S. Privacy Laws
- Retain, use or disclose the personal information outside of the direct business relationship between the Data Processor and the Company
- Combine the personal information received from the Company with personal information received from or on behalf of another person, or personal information the Data Processor collects from its own interaction with the consumer, except as otherwise permitted by U.S. Privacy Laws
The Data Processor hereby certifies that it understands its obligations under this Section 3.3 and will comply with them.
4. Types of Personal Data and Categories of Data Subjects
Types of Personal Data: Voice recordings, transcriptions, contact information, and any other data provided during phone communications.
Categories of Data Subjects: Individuals participating in phone communications facilitated by the Company, including customers and end-users.
5. Obligations of the Data Processor
The Data Processor agrees to:
a. Process Personal Data only on documented instructions from the Company, including with regard to international data transfers, unless required by law.
b. Not provide the Company with remuneration in exchange for Personal Data from the Company. The parties acknowledge and agree that the Company has not "sold" (as such term is defined by applicable Data Protection Laws) Personal Data to the Data Processor.
c. Not "sell" (as such term is defined by U.S. Privacy Laws) or "share" (as such term is defined by the CCPA) Personal Data.
d. Not combine any Personal Data with personal data that the Data Processor receives from or on behalf of any other third party or collects from the Data Processor's own interactions with individuals, provided that the Data Processor may combine Personal Data for a purpose permitted under applicable Data Protection Laws if directed to do so by the Company or as otherwise permitted by applicable Data Protection Laws.
e. Ensure that individuals authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
f. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:
- Pseudonymization and encryption of Personal Data.
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- Procedures for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
g. Assist the Company in fulfilling its obligation to respond to Data Subjects' requests to exercise their rights under the GDPR and other applicable Data Protection Laws, including rights of access, rectification, erasure, restriction of processing, data portability, objection, and automated decision-making. The Data Processor shall:
- Promptly notify the Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data
- Ensure that it does not respond to that request except on the documented instructions of the Company or as required by applicable laws
- Provide the Company with commercially reasonable assistance to facilitate the handling of such requests within 15 calendar days of receiving the request
h. Assist the Company in ensuring compliance with obligations concerning the security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities.
i. Upon termination of this Agreement and at the choice of the Company, delete or return all Personal Data to the Company and delete existing copies, unless applicable law requires storage of the Personal Data, in accordance with Section 10 of this Agreement.
j. Make available to the Company all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Company or another auditor mandated by the Company.
6. Data Breach Notification
a. The Data Processor shall notify the Company without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach. Such notification shall include, at a minimum:
- The nature of the breach.
- The categories and approximate number of Data Subjects concerned.
- The categories and approximate number of Personal Data records concerned.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach.
- Contact details of the data protection officer or other contact point.
b. The Data Processor shall cooperate with the Company and take reasonable commercial steps as are directed by the Company to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
c. The Data Processor shall document all Personal Data Breaches, including the facts of the breach, its effects, and the remedial action taken.
d. The Data Processor's notification of or response to a Personal Data Breach shall not be construed as the Data Processor's acknowledgement of any fault or liability with respect to the Personal Data Breach.
e. If the Company determines to notify any governmental entity, Data Subject(s), the public or others of a Personal Data Breach, to the extent such notice directly or indirectly refers to or identifies the Data Processor, where permitted by applicable laws, the Company agrees to:
- Notify the Data Processor in writing in advance; and
- In good faith, consult with the Data Processor and consider any clarifications or corrections the Data Processor may reasonably recommend or request to any such notification, which: (i) relate to the Data Processor's involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
7. Sub-processing
a. The Data Processor shall not engage another processor (Sub-processor) without prior specific or general written authorization of the Company. In the case of general written authorization, the Data Processor shall inform the Company of any intended changes concerning the addition or replacement of other processors, giving the Company at least 14 days to object to such changes.
b. The Data Processor may continue to use those Sub-processors already engaged by the Data Processor as of the date of this Agreement.
c. The Data Processor maintains an up-to-date list of all Sub-processors engaged in processing Personal Data at https://www.bland.ai/subprocessors (the "Sub-processor List"). This list is updated at least annually.
d. In the event that the Company does not wish to consent to the use of a new Sub-processor, the Company may notify the Data Processor that the Company does not consent within fourteen (14) days on reasonable grounds relating to the protection of Personal Data by contacting privacy@bland.ai. In such case, the Company and the Data Processor shall work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, the Company may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to the Data Processor and receive a refund of any prepaid fees under the Agreement.
e. Where the Data Processor engages another processor for carrying out specific processing activities on behalf of the Company, the same data protection obligations as set out in this Agreement shall be imposed on that other processor by way of a contract.
f. Where that other processor fails to fulfill its data protection obligations, the Data Processor shall remain fully liable to the Company for the performance of that other processor's obligations.
8. International Data Transfers
a. The Data Processor shall not transfer Personal Data to a third country or international organization unless:
- The transfer is to a country or organization that has been deemed to provide an adequate level of protection by the European Commission or applicable regulatory authority;
- The transfer is covered by appropriate safeguards such as binding corporate rules, standard data protection clauses, approved codes of conduct, or certification mechanisms; or
- The Company has given its explicit consent to the transfer after having been informed of the potential risks.
b. For ex-EEA Transfers, the parties agree that such transfers are made pursuant to the EU SCCs, which are deemed incorporated into this Agreement by reference and completed as follows:
- Module Two (Controller to Processor) of the EU SCCs applies when the Company is a controller and the Data Processor is processing Personal Data for the Company as a processor.
- Module Three (Processor to Sub-Processor) of the EU SCCs applies when the Company is a processor and the Data Processor is processing Personal Data on behalf of the Company as a sub-processor.
c. For ex-UK Transfers, the parties agree that such transfers are made pursuant to the UK SCCs, which are deemed incorporated into this Agreement by reference, and amended and completed in accordance with the UK Addendum.
d. The Data Processor represents and warrants that:
- As of the date of this Agreement, it has not received any formal legal requests from any government intelligence or security service for access to Company Personal Data ("Government Agency Requests");
- If, after the date of this Agreement, the Data Processor receives any Government Agency Requests, it shall attempt to redirect the law enforcement or government agency to request that data directly from the Company and shall give the Company reasonable notice of the demand unless legally prohibited from doing so.
9. Audit Rights
a. Upon reasonable notice of at least 14 days, the Data Processor shall allow for and contribute to audits, including inspections, conducted by the Company or another auditor mandated by the Company regarding the processing of the Company's Personal Data by the Data Processor.
b. The Company shall conduct audits in a manner designed to minimize disruption to the Data Processor's business operations, and such audits may be conducted no more than once per year, unless required by a regulatory authority or following a Personal Data Breach.
c. The Data Processor shall make available to the Company all information necessary to demonstrate compliance with the obligations laid down in this Agreement and shall allow for and contribute to such audits, including inspections.
d. If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2 or similar audit report performed by a qualified third-party auditor within twelve (12) months of the Company's audit request ("Audit Report") and the Data Processor has confirmed in writing that there are no known material changes in the controls audited and covered by such Audit Report(s), the Company agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures.
e. The Data Processor need not give access to its premises for the purposes of such an audit:
- Where an Audit Report is accepted in lieu of an audit of such controls or measures in accordance with Section 9(d);
- To any individual unless they produce reasonable evidence of their identity;
- To any auditor whom the Data Processor has not approved in advance (acting reasonably);
- To any individual who has not entered into a non-disclosure agreement with the Data Processor on terms acceptable to the Data Processor;
- Outside normal business hours at those premises; or
- On more than one occasion in any calendar year during the term of the Agreement.
f. The Company shall bear its own costs in relation to conducting the audit. The Data Processor is entitled to request a reasonable fee for any assistance that exceeds its routine obligations in this Agreement.
10. Return and Deletion
Upon the date of cessation of any Services involving the Processing of Customer Personal Data (the "Cessation Date"), the Data Processor shall promptly cease all Processing of Customer Personal Data for any purpose other than for storage or as otherwise permitted or required under this Agreement. Within 14 days of the Cessation Date, the Company shall instruct the Data Processor to delete or return all Customer Personal Data to the Company, unless retention of the Customer Personal Data is required by applicable Data Protection Laws. The Data Processor shall comply with such Company instruction as soon as reasonably practicable and no later than 180 days after such instructions unless applicable Data Protection Laws require storage.
11. Governing Law and Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of California, and any disputes arising from or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of California.
12. Company Obligations
a. The Company represents, warrants and covenants that it has and shall maintain throughout the term all necessary rights, consents and authorizations to provide the Personal Data to the Data Processor and to authorize the Data Processor to use, disclose, retain and otherwise process Personal Data as contemplated by this Agreement, the Service Agreement and/or other processing instructions provided to the Data Processor.
b. The Company shall comply with all applicable Data Protection Laws.
c. The Company shall reasonably cooperate with the Data Processor to assist the Data Processor in performing any of its obligations with regard to any requests from the Company's data subjects.
d. Without prejudice to the Data Processor's security obligations in this Agreement, the Company acknowledges and agrees that it, rather than the Data Processor, is responsible for certain configurations and design decisions for the services and that the Company, and not the Data Processor, is responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Laws.
e. The Company shall not provide Personal Data to the Data Processor except through agreed mechanisms. For example, the Company shall not include Personal Data other than technical contact information in technical support tickets or transmit Personal Data to the Data Processor by email, except where expressly authorized. Without limitation to the foregoing, the Company represents, warrants and covenants that it shall only transfer Personal Data to the Data Processor using secure, reasonable and appropriate mechanisms, to the extent such mechanisms are within the Company's control.
f. The Company shall not take any action that would (i) render the provision of Personal Data to the Data Processor a "sale" under U.S. Privacy Laws or a "share" under the CCPA (or equivalent concepts under U.S. Privacy Laws); or (ii) render the Data Processor not a "service provider" under the CCPA or "processor" under U.S. Privacy Laws.
g. The Company agrees that, without limiting the Data Processor's obligations under Section 5 (Obligations of the Data Processor), the Company is solely responsible for its use of the Services, including:
- Making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data
- Securing the account authentication credentials, systems and devices the Company uses to access the Services
- Securing the Company's systems and devices that the Data Processor uses to provide the Services
- Backing up Customer Personal Data
h. The Company agrees that the Service, the Security Measures described in Exhibit B, and the Data Processor's commitments under this Agreement are adequate to meet the Company's needs, including with respect to any security obligations of the Company under applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
13. Service Data
a. The Company acknowledges that the Data Processor may collect, use and disclose Service Data for its own business purposes, such as for accounting, tax, billing, audit, and compliance purposes; to provide, improve, develop, optimize and maintain the Services; to investigate fraud, spam, wrongful or unlawful use of the Services; and/or as otherwise permitted or required by applicable law.
b. In respect of any such Processing described in Section 13(a), the Data Processor:
- Independently determines the purposes and means of such Processing
- Shall comply with applicable Data Protection Laws (if and as applicable in the context)
- Where possible, shall apply technical and organizational safeguards to any relevant Personal Data that are no less protective than the Security Measures
c. For the avoidance of doubt, this Agreement shall not apply to the Data Processor's collection, use, disclosure or other Processing of Service Data, and Service Data does not constitute Customer Personal Data.
14. Miscellaneous
a. In the event of inconsistencies between the provisions of this Agreement and the Service Agreement, the provisions of this Agreement shall prevail.
b. Should any provision of this Agreement be invalid or unenforceable, the remainder of this Agreement shall remain valid and in force.
c. No amendment or modification of this Agreement shall be valid or binding unless made in writing and duly executed by authorized representatives of both Parties.
d. The Parties agree that this Agreement constitutes the entire understanding between the Parties with respect to the subject matter hereof and supersedes all prior agreements or understandings, whether written or oral.
e. The exchange of Customer Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.
f. The Data Processor may on notice vary this Agreement to the extent that (acting reasonably) it considers necessary to address the requirements of applicable Data Protection Laws from time to time.
g. The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this Agreement will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Service Agreement.
EXHIBIT A: DETAILS OF PROCESSING
Nature and Purpose of Processing: The Data Processor will process Personal Data as necessary to perform the Services under the Service Agreement, specifically for managing and facilitating AI-driven phone communications, including recording, transcribing, and analyzing voice data to enhance communication services.
Duration of Processing: For the duration of the Service Agreement and for a period as specified in Section 10 following termination to allow for secure deletion or return of data, unless longer retention is required by law.
Categories of Data Subjects:
- Customers of the Company
- End-users of the Company's services
- Employees, contractors, and agents of the Company who use the services
- Third-party individuals who communicate with the above categories of persons
Categories of Personal Data:
- Voice recordings and transcriptions
- Contact information (phone numbers, email addresses)
- Communication metadata (time, date, duration of calls)
- Account information (user IDs, preferences)
- Any other data provided during phone communications
Special Categories of Data (if applicable): As determined by the Company's use of the Services
Processing Operations: Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.
Frequency of transfer: Ongoing – as initiated by the Company in and through its use, or use on its behalf, of the Services.
EXHIBIT B: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The Data Processor shall implement the following technical and organizational security measures:
1. Measures for pseudonymization and encryption of personal data
- Encryption of all Personal Data at rest using AES-256 encryption
- TLS 1.2 or higher for all data in transit
- Pseudonymization of datasets where feasible for processing purposes
2. Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Role-based access control systems with least privilege principles
- Multi-factor authentication for all administrative access
- Redundant infrastructure with high availability configurations
- Regular security assessments and penetration testing
3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Daily backups of all production datastores
- Regular testing of backup restoration procedures
- Geographically distributed redundancy for critical systems
- Documented and tested disaster recovery procedures
4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures
- Annual third-party security audits
- Regular internal security reviews
- Continuous monitoring of security systems and logs
- Ongoing vulnerability scanning and management
5. Measures for user identification and authorization
- Unique user IDs for all personnel
- Multi-factor authentication for system access
- Regular access rights review process
- Automated provisioning/de-provisioning procedures
6. Measures for protecting data during transmission
- TLS 1.2 or higher for all data transmission
- Secure file transfer protocols
- VPN for remote administrative access
- API security with strong authentication
7. Measures for protecting data during storage
- Database encryption
- Secure storage architecture
- Data segregation controls
- Secure deletion procedures
8. Measures for ensuring physical security
- Data center security controls
- Physical access restrictions
- Environmental controls (fire, water, temperature)
- Surveillance systems
9. Measures for events logging
- Centralized logging of all system events
- Tamper-proof audit logs
- Monitoring of security-relevant events
- Log retention policies aligned with compliance requirements
10. Measures for ensuring data minimization
- Data collection limited to specified purposes
- Regular data cleansing procedures
- Automated data retention enforcement
- Privacy by design principles in system development
11. Organizational management
- Organizational management and dedicated staff responsible for the development, implementation and maintenance of the Data Processor's information security program
- Audit and risk assessment procedures for periodic review and assessment of risks
- Operational procedures and controls for configuration, monitoring and maintenance
- Change management procedures and tracking mechanisms
- Incident management procedures
- Network security controls
- Vulnerability assessment and threat protection technologies
- Business resiliency/continuity and disaster recovery procedures
By using Bland.ai's services, the Company agrees to be bound by the terms of this Data Processing Agreement.