Overview
This Data Processing Addendum (“DPA”) forms part of the agreement between Receptic AI, Inc. (“Receptic,” “Processor”) and the customer (“Controller”) for use of the Receptic AI receptionist platform.
It applies whenever Receptic processes personal data on behalf of the customer in connection with the services and is incorporated by reference into the Master Subscription Agreement.
Definitions
- Personal Data — any information relating to an identified or identifiable natural person processed via the services.
- Controller / Processor — as defined under GDPR, UK GDPR, and analogous laws.
- Sub-processor — any third party engaged by Receptic to process Personal Data on the Controller's behalf.
- Data Subject — the individual to whom the Personal Data relates (typically the Controller's callers and customers).
Roles & scope
The Controller determines the purposes and means of processing. Receptic acts as a Processor for Personal Data submitted to or generated by the services, including call audio, transcripts, summaries, and caller contact information.
For account data (billing, authentication, support), Receptic acts as an independent Controller in accordance with our Privacy Policy.
Processor obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure personnel are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures (see Security).
- Assist the Controller with data subject requests, DPIAs, and regulator inquiries.
- Notify the Controller without undue delay (and within 72 hours) of a personal data breach.
- Delete or return Personal Data at the end of the services, subject to legal retention.
Sub-processors
The Controller authorizes Receptic to engage sub-processors for the provision of the services, including AI model providers, cloud infrastructure, telephony, and observability vendors. A current list is available on request from legal@receptic.ai.
Receptic gives at least 30 days' notice of any new sub-processor and remains liable for their acts and omissions under this DPA.
International transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland, the parties rely on the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, as applicable. Transfer Impact Assessments are available on request.
Security measures
Receptic maintains the technical and organizational measures described on our Security page, including encryption in transit and at rest, SSO with hardware-key 2FA, audit logging, and an annual SOC 2 Type II audit.
The Controller acknowledges these measures provide a level of security appropriate to the risks of processing under the services.
Data subject rights
Receptic provides tooling within the dashboard and an API for the Controller to honor data subject access, correction, deletion, and portability requests. For requests we cannot fulfill via the product, we will provide reasonable assistance within statutory timelines.
Audits
The Controller may verify Receptic's compliance with this DPA through our SOC 2 Type II report, security questionnaires, and documentation reviews. On-site audits are available for enterprise customers under NDA, no more than once per year, on 30 days' notice.
Term & termination
This DPA remains in effect for as long as Receptic processes Personal Data on the Controller's behalf. On termination, Personal Data is deleted within 30 days unless retention is required by law.
Executing this DPA
The terms above apply automatically to all paid customers via the Master Subscription Agreement. If you need a counter-signed copy for procurement, email legal@receptic.ai and we'll send one within two business days.