Overview
This Data Processing Addendum (“DPA”) forms part of the agreement between Vantax AI, Inc. (“Vantax,” “Processor”) and the customer (“Controller”) for use of the Vantax AI agent platform.
It applies whenever Vantax processes personal data on behalf of the customer in connection with the services and is incorporated by reference into the Master Subscription Agreement.
Definitions
- Personal Data — any information relating to an identified or identifiable natural person processed via the services.
- Controller / Processor — as defined under GDPR, UK GDPR, and analogous laws.
- Sub-processor — any third party engaged by Vantax to process Personal Data on the Controller's behalf.
- Data Subject — the individual to whom the Personal Data relates (typically the Controller's callers and customers).
Roles & scope
The Controller determines the purposes and means of processing. Vantax acts as a Processor for Personal Data submitted to or generated by the services, including call audio, transcripts, summaries, and caller contact information.
For account data (billing, authentication, support), Vantax acts as an independent Controller in accordance with our Privacy Policy.
Processor obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure personnel are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures (see Security).
- Assist the Controller with data subject requests, DPIAs, and regulator inquiries.
- Notify the Controller without undue delay (and within 72 hours) of a personal data breach.
- Delete or return Personal Data at the end of the services, subject to legal retention.
Sub-processors
The Controller authorizes Vantax to engage sub-processors for the provision of the services, including AI model providers, cloud infrastructure, telephony, and observability vendors. A current list is available on request from legal@vantax.ai.
Vantax gives at least 30 days' notice of any new sub-processor and remains liable for their acts and omissions under this DPA.
International transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland, the parties rely on the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, as applicable. Transfer Impact Assessments are available on request.
Security measures
Vantax maintains the technical and organizational measures described on our Security page, including encryption in transit and at rest, SSO with hardware-key 2FA, audit logging, and an annual SOC 2 Type II audit.
The Controller acknowledges these measures provide a level of security appropriate to the risks of processing under the services.
Data subject rights
Vantax provides tooling within the dashboard and an API for the Controller to honor data subject access, correction, deletion, and portability requests. For requests we cannot fulfill via the product, we will provide reasonable assistance within statutory timelines.
Audits
The Controller may verify Vantax's compliance with this DPA through our SOC 2 Type II report, security questionnaires, and documentation reviews. On-site audits are available for enterprise customers under NDA, no more than once per year, on 30 days' notice.
Term & termination
This DPA remains in effect for as long as Vantax processes Personal Data on the Controller's behalf. On termination, Personal Data is deleted within 30 days unless retention is required by law.
Executing this DPA
The terms above apply automatically to all paid customers via the Master Subscription Agreement. If you need a counter-signed copy for procurement, email legal@vantax.ai and we'll send one within two business days.
