This Data Processing Agreement (“DPA”) forms part of the main service agreement (“Main Agreement”) between:
Controller:
Party using Callsy AI solutions via Shopify app or other API integration (“Merchant”)
Processor:
Callsy AI OÜ / UAB Callsy AI
(“Processor”)
Website: www.callsy.ai
Together referred to as the “Parties”.
1. DEFINITIONS
1.1 “Personal Data” means any information relating to an identified or identifiable natural person Processed by Processor on behalf of Controller.
1.2 “Processing” means any operation performed on Personal Data, such as collection, storage, recording, transmission, or deletion.
1.3 “Data Protection Laws” means the General Data Protection Regulation (Regulation (EU) 2016/679) and all applicable national data protection laws.
1.4 “Sub-processor” means any third party engaged by Processor for Processing activities.
1.5 “Services” means the Callsy AI platform and related support.
2. SUBJECT-MATTER, DURATION, PURPOSE
2.1 Subject-Matter. Processor Processes Personal Data solely to provide the Services.
2.2 Duration. This DPA applies for the duration of the Main Agreement and thereafter until all Personal Data has been deleted or returned.
2.3 Purpose. Processing includes automated outbound calls, customer contact, abandoned-cart recovery, call analytics, recording (optional), transcripts, and reporting.
2.4 Nature. The Processing consists of storage, hosting, transmission, audio generation, metadata creation, analysis, and logging.
3. CATEGORIES OF DATA
3.1 Processor may Process the following Personal Data:
– Name
– Phone number
– Order/cart information
– Call metadata
– Call recordings (optional)
– Transcripts and summaries
– Technical logs and identifiers
3.2 Data subjects include customers, leads, and prospects of Controller.
3.3 Controller shall not submit special categories of data unless explicitly agreed in writing.
4. OBLIGATIONS OF PROCESSOR
Processor shall:
4.1 Process Personal Data only on documented instructions from Controller.
4.2 Ensure personnel are bound by confidentiality agreements.
4.3 Maintain appropriate technical and organisational measures (“TOMs”), as described in Annex 2.
4.4 Engage Sub-processors only as listed in Annex 3 and ensure equivalent data protections.
4.5 Assist Controller with Data Subject Requests, DPIAs, and supervisory authority consultations, to the extent required.
4.6 Notify Controller of any Personal Data Breach without undue delay and no later than 48 hours after becoming aware of it.
4.7 Delete or return all Personal Data after termination within 30 days unless legal retention applies.
4.8 Never sell Personal Data or use it for advertising or profiling outside the Services.
5. OBLIGATIONS OF CONTROLLER
Controller acknowledges that it is solely responsible for:
5.1 Having a lawful basis (e.g., consent) for all Personal Data submitted to Processor.
5.2 Ensuring all data provided is lawful, accurate, necessary, and collected fairly.
5.3 Ensuring all Processing instructions are lawful, technically feasible, and clearly communicated.
5.4 Securing Controller’s systems, including access rights, API keys, passwords, user administration, integrations, and data exports.
5.5 Complying with all telemarketing laws, e-privacy rules, and customer communication requirements.
5.6 Misuse of the Services or data by Controller, its employees, or third parties acting on its behalf.
5.7 Responding directly to Data Subject Requests.
Processor is not liable for any damages or non-compliance arising from Controller’s actions or omissions.
6. SUB-PROCESSORS
6.1 Controller grants general authorisation for Processor to use Sub-processors listed in Annex 3.
6.2 Processor will notify Controller of new Sub-processors, allowing a reasonable opportunity to object.
6.3 If an objection cannot be resolved, Controller may terminate only the affected part of the Services.
7. INTERNATIONAL TRANSFERS
7.1 Processor shall not transfer data outside the EEA unless adequate safeguards exist (e.g., Standard Contractual Clauses, Transfer Impact Assessments).
7.2 Processor ensures Sub-processors apply equivalent safeguards.
8. AUDIT RIGHTS
8.1 Controller may audit Processor’s compliance once per year with 14 days’ notice, provided this does not disrupt operations.
8.2 Processor may fulfil its audit obligations by providing:
– security documentation,
– completed questionnaires,
– summaries of third-party assessments,
– certifications (e.g., ISO or SOC 2) when available.
8.3 All audit findings are confidential.
9. LIABILITY
9.1 Processor’s total aggregate liability for all claims under this DPA is limited to the amount paid by Controller to Processor in the 12 months preceding the event.
9.2 Processor is not liable for:
– indirect, consequential, or incidental damages,
– loss of revenue or profits,
– loss or corruption of data,
– reputational harm,
– business interruption,
– telecommunication provider failures,
– third-party outages.
9.3 Processor is liable only for breaches directly caused by its proven intentional or grossly negligent violation of the GDPR obligations that apply specifically to processors.
9.4 Processor is not liable for damages arising from:
– unlawful or incorrect instructions by Controller,
– Controller’s failure to obtain customer consent,
– inaccurate or excessive data,
– Controller-side security breaches,
– misuse of the Services,
– delays caused by third-party carriers, networks, or telephony systems.
9.5 Liability for Sub-processors is limited to the extent that Processor is able to enforce claims against them.
10. PERSONAL DATA BREACH
10.1 The occurrence of a Personal Data Breach does not in itself imply fault on the part of Processor.
10.2 Processor shall:
– notify Controller without undue delay and no later than 48 hours after becoming aware of the breach,
– share available details,
– mitigate effects as feasible.
10.3 Controller is responsible for:
– determining whether regulatory notification is required,
– notifying affected individuals, unless the breach was solely caused by Processor.
11. CONFIDENTIALITY
Both Parties shall maintain confidentiality of all information processed under this DPA.
12. TERMINATION
Upon termination:
– Controller may export data for 30 days.
– Processor deletes all Personal Data within 30 days unless legally required otherwise.
– Processor will confirm deletion upon written request.
13. GOVERNING LAW
This DPA is governed by the laws of the Republic of Estonia, and the courts of Estonia have jurisdiction over any dispute arising under it.
14. MISCELLANEOUS
14.1 If any provision is invalid, the remainder remains in force.
14.2 Amendments must be in writing.
14.3 In case of conflict, this DPA prevails over the Main Agreement regarding Personal Data.
