Skip to legal content
Padoori Padoori
← Back to Home

Legal & Trust

  • Terms of Service
  • Privacy Policy
  • Data Processing Addendum (DPA)
Home / Legal / Data Processing Addendum (DPA)

Data Processing Addendum (DPA)

Last updated: June 6, 2026

This Data Processing Addendum ("DPA") supplements the Terms of Service between Padoori Enterprise Systems, Inc. ("Padoori") and the Customer. This DPA governs the processing of personal data ("Customer Personal Data") by Padoori on behalf of the Customer in connection with the Services.

This DPA reflects the parties' agreement with respect to the processing of personal data in accordance with the requirements of Data Protection Legislation (including GDPR, CCPA, and HIPAA privacy rules).

1. Roles of the Parties

The parties acknowledge and agree that with respect to the processing of Customer Personal Data:

  • Customer acts as the Data Controller (or "Business" under the CCPA) and determines the purpose and instructions for processing voice agent scripts, vector indexes, and caller lead metrics.
  • Padoori acts as the Data Processor (or "Service Provider" under the CCPA) and processes Caller Session Data, audio recordings, and transcripts solely on behalf of, and in accordance with, the documented instructions of the Customer.

2. Scope & Instructions for Processing

Padoori will process Customer Personal Data only to perform the Services outlined in the Terms of Service. The details of the processing are as follows:

  • Subject Matter: Real-time voice stream ingestion, speech-to-text transcription, cognitive query processing, audio synthesis, and CRM synchronization.
  • Duration: The subscription term plus the period between the expiration of the term and the deletion of all data in accordance with our retention policies (typically within 30 days of account termination).
  • Categories of Data Subjects: Callers, prospective clients submitting inbound leads, dispatch personnel, and employees of the Customer.
  • Categories of Personal Data: Voice audio, text transcripts, caller telephone numbers, time stamps, and custom metadata collected via the Agent playbook (such as case names, addresses, or medical summaries).

3. Subprocessor Management

Customer provides general authorization for Padoori to engage third-party subprocessors (such as telephony carriers, speech recognition engines, and host infrastructures) to deliver the Services.

3.1 Subprocessor Standards

Padoori will impose data protection obligations on each subprocessor that are no less protective than those imposed on Padoori under this DPA. We remain fully liable to the Customer for the performance of each subprocessor's obligations.

3.2 Notification of Changes

Padoori will maintain an up-to-date list of subprocessors on our platform portal and will notify the Customer at least 15 days in advance of engaging any new subprocessor. The Customer may object to the engagement of a new subprocessor on reasonable data protection grounds.

4. Technical & Organizational Security Measures

Padoori will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

  • Encryption: Standard encryption of data in transit using TLS 1.3 and at rest using AES-256.
  • Access Control: Restricting access to production environments using multi-factor authentication (MFA) and Role-Based Access Control (RBAC).
  • Isolation: Logical database separation and vector store access controls.
  • Audits: Annual third-party security assessments and SOC 2 Type II compliance reviews.

5. Security Incident Notification

In the event that Padoori confirms a security incident resulting in the unauthorized access, disclosure, or loss of Customer Personal Data stored on our servers ("Security Incident"), Padoori will:

  1. Notify the Customer without undue delay, and in any event within 48 hours of confirming the incident.
  2. Provide the Customer with detailed information regarding the nature of the breach, the categories of data affected, and the remediation steps being taken.
  3. Take immediate, reasonable steps to mitigate the effects and secure the data.

6. Data Transfers

If the processing of Customer Personal Data involves a transfer of personal data outside the European Economic Area (EEA) or Switzerland to a country not recognized as providing an adequate level of data protection, the parties agree to enter into the European Commission's Standard Contractual Clauses (SCCs) to ensure appropriate safeguards are active.

© 2026 Padoori Inc. All rights reserved.

Secure, low-latency, deterministic enterprise voice agents.