ANNEX 1: DETAILS OF PROCESSING
A. LIST OF PARTIES
1. Controller
Name: The “Merchant” (Party using Callsy AI solutions via Shopify app or other integration)
Address: As set out in the Main Agreement or invoice.
Contact Person: As set out in the Main Agreement or user account details.
Role: Controller
2. Processor
Name: Callsy AI OÜ / UAB Callsy AI
Address: As set out in the Main Agreement.
Role: Processor
B. DESCRIPTION OF TRANSFER
1. Categories of Data Subjects
The personal data transferred concern the following categories of data subjects:
Customers of the Controller
Leads and prospects of the Controller
2. Categories of Personal Data
The personal data transferred concern the following categories of data:
Name and contact details (Phone number, Email)
Order and cart information (e.g., value, items, status)
Any other relevant business information held by the Controller (e.g., lead status)
Call metadata (e.g., duration, timestamps, call status)
Call recordings and transcripts
Voice inputs (voice audio is processed for the purpose of communication; it is not processed as biometric data for identification purposes)
3. Special Categories of Data (if appropriate)
The personal data transferred concern the following special categories of data:
None. The Controller shall not submit special categories of data (e.g., health data, political opinions) unless explicitly agreed in writing.
4. Nature of the Processing
The nature of the processing includes:
Storage, hosting, and transmission of data.
Text-to-Speech (TTS) and Speech-to-Text (STT) conversion.
AI-driven conversation management and automation.
Telephony connection, routing, and SMS transmission.
5. Purpose(s) of the Data Transfer and Further Processing
The processing is necessary for the following purposes:
Providing the Callsy AI Services (automated calling).
Recovering abandoned carts via outbound calls.
Customer support automation.
Analytics, logging, and service improvement.
6. Duration of Processing
The processing will continue for the duration of the Main Agreement. Personal Data is retained only as long as necessary for the provision of services or as required by law.
ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)
As referenced in Section 4.3 of the DPA, the Processor implements the following measures to ensure an appropriate level of security:
1. Confidentiality
Access Control: Access to production servers and customer data is restricted to authorized personnel via unique IDs and Multi-Factor Authentication (MFA).
Encryption: Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256) within the cloud infrastructure.
Logical Separation: Customer data is logically separated within the multi-tenant database environment to prevent unauthorized cross-client access.
2. Integrity
Change Management: All code changes and updates undergo testing and code review processes before deployment to production.
Input Validation: Application inputs are validated to prevent SQL injection, Cross-Site Scripting (XSS), and other common vulnerabilities.
3. Availability and Resilience
Cloud Infrastructure: The Service is hosted with established cloud providers and deployed for high availability and redundancy across multiple availability zones.
Backups: Automated daily backups of databases are performed to enable data restoration in the event of corruption or loss.
Disaster Recovery: A business continuity strategy is in place to recover critical services in the event of a major outage.
4. Testing and Evaluation
Security Scans: Regular automated vulnerability scanning is performed on the infrastructure.
Incident Response: A documented incident response plan exists to handle personal data breaches and to notify the Controller of any such breach without undue delay, in accordance with GDPR timelines (Article 33).
ANNEX 3: LIST OF SUB-PROCESSORS
As referenced in Sections 4.4 and 6.1 of the DPA, the Controller authorizes the engagement of the following sub-processors:
1. Amazon Web Services, Inc. (AWS)
Location: USA / Global
Processing Activity: Cloud Infrastructure Provider.
Description: Hosting of the application, database storage, and computing resources.
Compliance reporting: https://aws.amazon.com/compliance/
2. Bland AI Inc.
Location: USA
Processing Activity: AI Telephony Provider.
Description: Processing of audio for conversational AI, speech-to-text, and text-to-speech generation.
Compliance reporting: https://trust.platform.delve.co/blandai
3. Twilio Inc.
Location: USA / Global
Processing Activity: Telephony & SMS Infrastructure.
Description: Facilitating PSTN connectivity, call routing, phone number provisioning, and SMS delivery.
Compliance reporting: https://security.twilio.com/
