1. Parties and scope
The DPA is entered into by the customer (“Controller”) and BKB Voice (“Processor”). It applies whenever BKB Voice processes personal data on behalf of the customer under the Terms of Service. It forms an integral part of that agreement and supersedes any earlier processing terms.
2. Roles and processing instructions
BKB Voice processes personal data only on the customer’s documented instructions, as reflected in the Terms of Service, the customer’s account configuration and the features the customer activates (voice generation, lead qualification, audit log access).
3. Nature, purpose and duration
Purpose: provision of the BKB Voice platform (authentication, text-to-speech delivery, lead capture and qualification, audit logging, customer support). Duration: for the term of the underlying agreement plus any retention window expressly agreed in writing. Categories of data subjects include the customer’s staff and end users; categories of data include contact details, content submitted to the voice generator and structured lead information.
4. Security measures
BKB Voice implements the technical and organisational measures described in the Security page and the SOC 2 Readinesspage, including encryption in transit and at rest, access controls, immutable audit logging, rate limiting, vulnerability management and incident response.
5. Subprocessors
BKB Voice uses the subprocessors listed on theSubprocessorspage. BKB Voice remains liable for each subprocessor’s performance of its data protection obligations and notifies customers at least thirty (30) days before any material addition.
6. International transfers
Where personal data is transferred out of the European Economic Area or the United Kingdom, BKB Voice relies on the European Commission’s Standard Contractual Clauses (Module Two) and the UK Addendum, which are incorporated into the DPA by reference.
7. Data subject rights
BKB Voice assists the customer in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) via the workflow described on thePrivacy Requestpage. The default response-time target is thirty (30) days from verified request.
8. Personal data breaches
BKB Voice will notify the customer of a confirmed personal data breach affecting the customer’s data without undue delay and in any event within seventy-two (72) hours, in accordance with theIncident Responsepolicy.
9. Audits
Customers may satisfy their audit rights by reviewing BKB Voice’s SOC 2 attestation report and the Security / SOC 2 Readiness pages. Additional on-site audits may be conducted by prior written agreement, with at least thirty (30) days’ notice, during normal business hours and at the customer’s expense.
10. Return or deletion
On termination, BKB Voice will return or delete all customer personal data within ninety (90) days, subject to legal retention obligations. Backups inherit the same retention window and are overwritten on the scheduled rotation.
11. Contact
Privacy operations: [email protected].
Trust & compliance: [email protected].