Data Processing Agreement (DPA) — Version 1.0
Effective Date: This online DPA applies when accepted during onboarding. Version: v1.0-2026-05-12 Parties:
- Controller: The customer legal entity that accepts this DPA during onboarding ("Customer" or "Controller")
- Processor: AutoShop Voice AI, Inc., a Delaware corporation ("AutoShop Voice AI" or "Processor")
The Customer legal name, signer name, signer title, signer email, acceptance timestamp, source IP address, and DPA version are captured in the Customer workspace acceptance record.
This Data Processing Agreement ("DPA") forms part of and supplements the Master Services Agreement, Order Form, or other written agreement between the Parties (the "Agreement") under which AutoShop Voice AI provides its AI-powered phone receptionist service (the "Service") to Customer. In the event of a conflict between this DPA and the Agreement on data- protection matters, this DPA controls.
1. Definitions
For purposes of this DPA:
- "Applicable Law" means all U.S. federal and state laws that apply to the Processing of Personal Information under this DPA, including but not limited to the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Utah Consumer Privacy Act ("UCPA"), and the Telephone Consumer Protection Act ("TCPA"). AutoShop Voice AI's Service is U.S.-only at launch; if a Customer has EU/UK callers, the Parties will execute an addendum incorporating GDPR Article 28 and the EU Standard Contractual Clauses before processing begins.
- "Authorized Personnel" means AutoShop Voice AI employees and contractors who require access to Personal Information to provide the Service and who are bound by written confidentiality obligations.
- "Data Subject" means a natural person whose Personal Information is Processed under this DPA — typically a caller to Customer's phone line.
- "Personal Information" means information that identifies, relates to, or could reasonably be linked to a Data Subject, Processed by AutoShop Voice AI on Customer's behalf under the Agreement.
- "Process" or "Processing" has the meaning given in Applicable Law and includes collection, recording, storage, retrieval, use, disclosure, and deletion.
- "Security Incident" means a confirmed breach of security leading to the unauthorized acquisition, disclosure, or loss of Personal Information.
- "Sub-processor" means a third party engaged by AutoShop Voice AI to Process Personal Information on Customer's behalf.
2. Roles and Subject Matter
- 2.1 Roles. Customer is the Controller (or "Business" under CCPA) of the Personal Information. AutoShop Voice AI acts solely as the Processor (or "Service Provider" under CCPA) and Processes Personal Information only on Customer's documented instructions, including the instructions embedded in the Service's configuration (call routing, recording disclosure, retention windows).
- 2.2 Subject Matter and Purpose. The subject matter is the operation of an AI-powered phone receptionist on Customer's inbound calls. The purpose is limited to: (a) answering, transcribing, and summarizing calls; (b) booking appointments, creating appointment requests, or creating service tickets in Customer's DMS where configured, authorized, and technically supported; (c) sending transactional SMS messages related to caller-initiated calls or service interactions, including confirmations, callback notices, service-status messages, and satisfaction requests; (d) generating call analytics for Customer's dashboard.
- 2.3 No Independent Use. AutoShop Voice AI will not Sell, Share, or use Personal Information for cross-context behavioral advertising, will not combine Personal Information with data received from any other source for any purpose other than to provide the Service to Customer, and will not use Personal Information to train, fine-tune, or evaluate any general-purpose AI model.
- 2.4 Duration. This DPA remains in effect for as long as AutoShop Voice AI Processes Personal Information under the Agreement, and for any period thereafter required by Section 9 (Return or Deletion).
3. Categories of Data and Data Subjects
- 3.1 Data Subjects. Callers to Customer's phone lines, Customer's employees who interact with the Service, and any third parties whose contact information is incidentally captured during a call.
- 3.2 Categories of Personal Information. Caller phone number; caller name (if disclosed); vehicle identifiers (VIN, plate, make/model/year); service request descriptions; appointment details; call audio recording (when enabled by Customer); call transcript; SMS message content; customer service history references retrieved from Customer's DMS.
- 3.3 Sensitive Personal Information. AutoShop Voice AI does not intentionally collect CCPA Sensitive Personal Information such as government identifiers, financial credentials, precise geolocation, health information, biometric identifiers, or similar categories. Callers may voluntarily disclose sensitive information during calls or SMS interactions. If so, AutoShop Voice AI Processes it only to provide the Service on Customer's behalf and does not separately index, enrich, Sell, Share, use it for advertising, or use it for general-purpose model training.
4. Customer Instructions and Compliance
- 4.1 Customer Obligations. Customer represents that (a) it has a lawful basis under Applicable Law to collect the Personal Information it shares with the Service; (b) it has provided the notices and obtained the consents required of a Controller for call recording, AI call handling, and SMS follow-up, including prior express consent or prior express written consent where required by Applicable Law; and (c) its instructions to AutoShop Voice AI comply with Applicable Law.
- 4.2 Processor Obligations. AutoShop Voice AI will (a) Process Personal Information only as instructed by Customer through the Service and the Agreement; (b) immediately inform Customer if, in AutoShop Voice AI's opinion, an instruction violates Applicable Law (without obligation to monitor for legality); and (c) make available to Customer the information reasonably necessary to demonstrate compliance with this DPA.
5. Security
- 5.1 Technical and Organizational Measures. AutoShop Voice AI will
maintain a written information-security program designed to protect
Personal Information against Security Incidents. The program includes,
at minimum:
- Encryption of Personal Information in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Role-based access controls; least-privilege provisioning for Authorized Personnel; multi-factor authentication for production administrative access.
- Network segmentation between development, staging, and production environments.
- Logging and monitoring of access to Personal Information.
- Annual review of the security program; remediation of identified gaps.
- Background checks (including criminal history where permitted by Applicable Law for the role) and confidentiality agreements for Authorized Personnel.
- 5.2 Sub-processor Diligence. Before engaging a Sub-processor, AutoShop Voice AI will vet the Sub-processor's security practices and bind it to obligations no less protective than those in this DPA.
6. Sub-processors
- 6.1 Authorized Sub-processors. Customer authorizes AutoShop Voice AI
to engage the Sub-processors listed in Schedule A. AutoShop Voice AI
maintains Schedule A as an up-to-date list at
/legal/sub-processors. - 6.2 New Sub-processors. AutoShop Voice AI will give Customer at least thirty (30) days' notice (by email or in-product notification) of any new Sub-processor. Customer may object on reasonable data-protection grounds within fifteen (15) days. If the Parties cannot resolve the objection, Customer may terminate the affected portion of the Service for convenience without further charge.
7. Data Subject Rights
- 7.1 Customer-Facing Requests. When AutoShop Voice AI receives a request from a Data Subject directed at Customer's data, AutoShop Voice AI will, without responding directly, forward the request to Customer within five (5) business days.
- 7.2 Cooperation. AutoShop Voice AI will provide reasonable cooperation, at Customer's expense for non-trivial efforts, to enable Customer to fulfill verified Data Subject requests for access, correction, deletion, opt-out of Sale/Sharing, or limitation of use of Sensitive Personal Information under Applicable Law.
8. Security Incidents
- 8.1 Notification. AutoShop Voice AI will notify Customer of a confirmed Security Incident affecting Customer's Personal Information without undue delay and, where feasible, within seventy-two (72) hours of confirming the Incident.
- 8.2 Content of Notice. The notice will include, to the extent then known: a description of the Incident, the categories and approximate number of Data Subjects affected, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to mitigate the Incident.
- 8.3 Cooperation. AutoShop Voice AI will cooperate in good faith with Customer's reasonable investigation and remediation efforts.
9. Return or Deletion of Personal Information
- 9.1 On Termination. Within thirty (30) days after termination or expiration of the Agreement, AutoShop Voice AI will, at Customer's written election, return to Customer or securely delete all Personal Information in its possession or control, except to the extent retention is required by Applicable Law or for the limited internal purposes permitted in Section 9.2.
- 9.2 Permitted Retention. AutoShop Voice AI may retain (a) backups pending normal expiration of the backup retention window not exceeding ninety (90) days, after which Personal Information is destroyed in the ordinary course; and (b) aggregated, de-identified data that no longer identifies any Data Subject and that AutoShop Voice AI commits not to re-identify.
10. Audits
- 10.1 Self-Audit. AutoShop Voice AI will perform an annual review of its information-security program and remediate identified deficiencies.
- 10.2 Third-Party Reports. Upon reasonable written request, AutoShop Voice AI will provide Customer with summaries of any third-party audit or certification reports (for example, SOC 2 Type II) that AutoShop Voice AI obtains and is permitted to share under confidentiality obligations with the auditor.
- 10.3 On-Site Audits. Customer may conduct on-site audits no more than once per calendar year, on reasonable notice, during normal business hours, and at Customer's cost, provided the audit does not disrupt the operation of the Service.
11. International Transfers
- 11.1 Processing Locations. AutoShop Voice AI's primary production processing is configured in the United States. Some Sub-processors listed in Schedule A operate global edge networks for security, routing, or email delivery. AutoShop Voice AI will not knowingly onboard a Customer that requires GDPR/UK GDPR restricted-transfer terms without first executing an addendum incorporating an appropriate cross-border transfer mechanism (such as the EU Standard Contractual Clauses or the UK International Data Transfer Agreement).
12. Liability and Term
- 12.1 Liability. Each Party's liability under or in connection with this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either Party's liability to the extent such limitation is prohibited by Applicable Law (including, where applicable, statutory damages or private rights of action available under CCPA/CPRA or similar state privacy laws).
- 12.2 Term. This DPA enters into effect on the Effective Date and remains in force until the earlier of (a) expiration or termination of the Agreement and completion of Section 9, or (b) a successor DPA signed by both Parties.
13. Miscellaneous
- 13.1 Order of Precedence. This DPA controls over the Agreement on data-protection matters. The Agreement controls over this DPA on all other matters.
- 13.2 Governing Law. This DPA is governed by the law specified in the Agreement.
- 13.3 Counterparts and Electronic Signature. This DPA may be executed electronically and in counterparts, each of which is an original.
Schedule A — Authorized Sub-processors
The current authoritative list is published at
/legal/sub-processors and updated under
Section 6.2 of this DPA. Last reviewed: 2026-05-15. Change notice method:
email or in-product notification. As of 2026-05-15:
| Sub-processor | Service | Region | Categories of Data |
|---|---|---|---|
| Google LLC | AI processing for call handling and post-call summaries | United States | Call audio (transient, not retained by Sub-processor), transcripts, call context |
| Twilio Inc. | Phone and SMS communications | United States | Caller phone numbers, call audio, call recordings, SMS content |
| Stripe, Inc. | Subscription billing | United States | Customer (Controller) billing data only — no caller Personal Information |
| Akamai Technologies, Inc. | Secure cloud hosting and storage | United States | Service data listed in §3.2, including recordings when enabled |
| Cloudflare, Inc. | DNS, security services, and inbound email routing | Global edge network | HTTP request metadata, security telemetry, and business email routed to AutoShop Voice aliases |
| Brevo | Transactional email delivery to Customer | United States / EU edge (delivery only) | Customer email address and message content only — no caller Personal Information |
Authentication. Primary shop sign-in uses first-party secure session cookies issued by AutoShop Voice; there is no separate Sub-processor solely for customer identity beyond the email provider used for password reset and notices.
Implementation details. This Schedule names legal entities and high-level processing purposes. Customer-directed systems receive data only when the Customer configures that sync.
Schedule B — Customer Acceptance Block
By accepting this DPA in the AutoShop Voice AI onboarding flow, Customer warrants that the individual accepting has authority to bind Customer.
| Field | Captured at acceptance |
|---|---|
| DPA Version | v1.0-2026-05-12 (this document) |
| Acceptance timestamp | UTC server time at acceptance |
| Signer name | Provided by signer |
| Signer title | Provided by signer |
| Signer email | Tied to authenticated AutoShop Voice AI account |
| IP address | Source IP of the acceptance request |
Electronic acceptance. Customer's acceptance through the AutoShop Voice AI in-product flow (authenticated account, designated checkbox, captured UTC timestamp, and source IP address) constitutes Customer's agreement to this DPA and constitutes an electronic signature where permitted by the Agreement and Applicable Law, including the U.S. Electronic Signatures in Global and National Commerce Act (E-SIGN) and the Uniform Electronic Transactions Act (UETA) as adopted in the governing jurisdiction.