1. Scope and roles
This DPA applies whenever Cualify processes personal data on your behalf as part of the Services. You are the Data Fiduciary; Cualify is the Data Processor. Subject matter and duration of processing are defined by the Master Agreement (Terms of Service).
2. Categories of data and data subjects
- Data subjects — your end-recipients (call recipients), uploaded contacts, and your own staff using the dashboard
- Categories — phone numbers, names, email addresses where supplied, voice recordings, transcripts, conversation outcomes, sentiment markers
- Sensitive personal data — only if you upload it (we do not require any), and only with your explicit instruction
3. Processor obligations
Cualify shall:
- Process personal data only on documented instructions from you, including international transfers
- Ensure persons authorised to process the data are bound by confidentiality obligations
- Implement the technical and organisational measures set out in Annex II (security)
- Assist you in responding to data principal rights requests within reasonable time
- Assist you with data protection impact assessments and prior consultation with the Board, where required
- At your choice on termination, delete or return all personal data unless storage is required by Indian law
- Make available all information necessary to demonstrate compliance with this DPA
4. Sub-processors
You authorise Cualify to engage the sub-processors listed at /security#sub-processors. We give 30 days' written notice (via email and dashboard banner) before adding or replacing a sub-processor. You may object in writing within that 30-day window; if we cannot accommodate the objection, you may terminate the affected Services and receive a pro-rated refund of pre-paid fees.
We remain fully liable to you for the acts and omissions of every sub-processor as if performed by Cualify.
5. Security measures (Annex II)
- Confidentiality — encryption at rest (AES-256) and in transit (TLS 1.3); least-privilege access; SSO + MFA; quarterly access reviews
- Integrity — Postgres Row-Level Security; immutable audit logs; signed deploy artefacts
- Availability — Mumbai region with multi-AZ replication; automated backups with 30-day retention; tested disaster-recovery runbook
- Resilience — DDoS mitigation at the edge; rate limiting on all public APIs
- Process — change-management workflow with peer review; vulnerability scanning in CI; annual third-party penetration test from ₹10 lakh MRR
6. Personal-data breach
Cualify will notify you of any personal-data breach affecting your data within 72 hours of confirmed detection, including (to the extent known): nature of the breach, categories and approximate number of data subjects, likely consequences, measures taken or proposed, and a point of contact at the DPO. We assist you in any further notification you must make to the Data Protection Board or affected data principals.
7. Audits
Once issued (target Q1 2027), Customers on Growth and Scale plans may request the most recent SOC 2 Type II report under standard confidentiality. Customer-conducted on-site audits are available to Scale customers at reasonable frequency, subject to a written audit plan, signed NDAs, and reimbursement of reasonable Cualify staff time.
8. International transfers
All personal data of end-recipients is stored within India (Mumbai region) and does not leave Indian soil. Limited operational metadata of Customer accounts (transactional email logs, cookieless product analytics) may be processed in the EU under sub-processor contracts that include appropriate safeguards.
9. Term and termination
This DPA continues for as long as Cualify processes personal data on your behalf. On termination of the Master Agreement, we delete or return personal data within 90 days unless retention is required by law. Provisions relating to confidentiality, audit, and security survive termination.
10. Order of precedence
If there is any conflict between this DPA and the Terms of Service, this DPA prevails for matters of personal-data processing.
Related documents
Have a question?
General queries — [email protected]. Privacy and DPDP rights — [email protected]. Abuse reports — [email protected].