Effective 2026-05-01

Data Processing Agreement

Standard DPA for paid customers. Counter-signed copies are available on request.

Processor relationship

Cualify processes personal data on your instruction in connection with the Services. The data subjects are your end-customers; the categories are limited to phone numbers, names, and conversation content.

Sub-processors

The current sub-processor list is at /security#sub-processors. We provide 30 days' notice before adding or replacing a sub-processor. You may object to a change in writing.

Security measures

We maintain technical and organisational measures aligned with ISO 27001 controls. Specific measures are detailed in Annex II (available on request).

Audits

Customers on Growth and above may request a SOC 2 Type II report once issued (target: Q1 2027). Customer-conducted audits are subject to a written audit plan and standard confidentiality.

Sub-processor liability

Cualify remains responsible for the acts and omissions of its sub-processors as if they were our own.

Phase 2 placeholder. The final wording is reviewed by counsel before public launch — not legal advice.