LegalLast updated: April 14, 2026Version 2.3Effective immediately

Data Processing Addendum.

How we handle your customer data when AIVA processes it on your behalf — written for compliance teams and engineering security reviewers. Standard Contractual Clauses included for EU transfers. Last updated April 2026.

Read the TL;DR Download as PDF Email DPO

TL;DR · in plain English

If you don't want to read 10 sections, here's what matters:

You're the data controller for your customer data. We're the data processor. We act on your instructions.
We use a short list of sub-processors (AWS, Stripe, Twilio, OpenAI/Anthropic) — all named, all under DPA themselves.
We notify you of any security breach within 72 hours of discovery — usually faster.
EU data stays in the EU region (Frankfurt) by default. SCCs are signed for any cross-border transfer.
You can request a SOC 2 report or audit once a year, or any time we change a sub-processor.

Scope & roles.

This Data Processing Addendum (DPA) is part of your AIVA Terms of Service. It governs how we process personal data on your behalf when you use AIVA.

For the purposes of GDPR (and equivalent privacy laws):

You are the data controller — your customers' personal data is your responsibility.
AIVA is the data processor — we handle your customers' data only to provide the service you've signed up for.
We don't decide why your customers' data is being processed. You do. We just do what you tell us.

This DPA applies automatically to all enterprise customers. Growth-tier customers can opt in by signing the standalone version (request via dpo@aivachat.io).

What we process.

We process the following categories of personal data only as needed to provide AIVA:

Category	Purpose
Customer identifiers	Name, email, phone — to route conversations to the right person
Conversation content	Transcripts, audio, attachments — to deliver the conversation
Behavioral metadata	Page-views, channel selection — to route customers to the right assistant
Voice recordings	If you enable voice — for transcription and quality monitoring
Custom fields	Anything you pass to us via the API — for use in conversation context

We don't process sensitive special categories of data (health, religion, political views, biometric IDs) unless you've explicitly configured AIVA to handle them, and only with appropriate safeguards.

Your instructions.

We process your customers' data only on your documented instructions. The following count as your instructions:

Configuration choices in your AIVA dashboard.
Workflows you build using the visual builder.
API calls you make.
Email instructions sent to dpo@aivachat.io.

If we believe one of your instructions violates the law, we'll tell you immediately and stop processing pending discussion. We won't act on instructions that ask us to break GDPR, CCPA, or equivalent laws.

Need to formalize an instruction in writing?

Email our DPO ›

Sub-processors.

We use the following sub-processors. All have signed DPAs with us. We update this list at aivachat.io/sub-processors and notify enterprise customers 30 days in advance of any addition.

Provider	Purpose & location
Amazon Web Services	Hosting & storage · Mumbai, Frankfurt, N. Virginia
Stripe	Billing · Ireland (EU customers)
Twilio	Voice & SMS routing · varies by region
OpenAI	AI inference · zero-data-retention enabled
Anthropic	AI inference · zero-data-retention enabled
Plausible Analytics	Anonymous usage analytics · EU
Cloudflare	CDN & DDoS protection · global

You can object to a new sub-processor within 30 days of notification. If we can't accommodate you, you may terminate without penalty.

Security measures.

We implement the following technical and organisational measures (Article 32 GDPR):

Technical

Encryption in transit — TLS 1.3 minimum on all endpoints.
Encryption at rest — AES-256 on all storage layers.
Network isolation — VPC-isolated production, no public-facing databases.
Authentication — bcrypt hashed passwords, optional 2FA, SSO/SAML on Enterprise.
Audit logging — every admin action logged with retention of 365 days.
Penetration testing — annual external pentests, results available under NDA.

Organisational

Background checks on all employees with production access.
Mandatory annual security training for all staff.
Role-based access control with quarterly access reviews.
Incident response plan with 24/7 on-call rotation.
SOC 2 Type II in progress (target completion Q3 2026).

Breach notification.

If we discover a personal data breach, we notify you without undue delay and within 72 hours of discovery. The notification will include:

Nature and scope of the breach.
Categories and approximate number of affected data subjects.
Likely consequences.
Measures taken or proposed to address the breach.

We help you fulfill your own GDPR Article 33 / 34 notification obligations. For enterprise customers, this includes support drafting customer-facing notifications.

Internal target: our incident response team aims to confirm breach scope within 4 hours of detection — usually well before the 72-hour wire.

International transfers.

Customer data is stored in the region you select. Default regions:

India customers → Mumbai (ap-south-1).
EU customers → Frankfurt (eu-central-1).
US customers → N. Virginia (us-east-1).

For cross-border transfers (e.g., EU data accessed by our Rajkot ops team for support), we use the Standard Contractual Clauses (SCCs) approved by the European Commission, plus supplementary technical measures.

UK customers can request the UK International Data Transfer Addendum at no extra cost.

Your audit rights.

You can audit our compliance with this DPA. Specifically:

Request our SOC 2 Type II report (when available) or ISO 27001 certificate at no charge.
Request answers to your security questionnaire — usually within 5 business days.
Conduct an on-site audit once per year, with 30 days' notice and at your cost (we don't bill our time).
Engage a third-party auditor (mutually agreed) to verify our controls.

Data return & deletion.

On termination of your AIVA agreement, we will:

Provide you with a complete export of your data within 30 days, in JSON or CSV format.
Permanently delete all your data from our systems and sub-processors within 90 days of termination — unless you've requested otherwise.
Provide written confirmation that deletion is complete.

Backup copies are deleted on the next backup rotation cycle (max 35 days). After deletion, anonymized aggregate metrics may persist in our analytics, but no individual data remains.

How to reach us.

Our Data Protection Officer is Priya Sharma. Email dpo@aivachat.io for any DPA, GDPR, or compliance question. EU customers can also reach our EU representative at eu-rep@aivachat.io.

AIVA Technologies Pvt. Ltd.
Attn: Data Protection Officer
3rd Floor, Race Course Road
Rajkot, Gujarat 360001 · India

Legal documents

Data Processing Addendum.

Read the TL;DR Download as PDF Email DPO

TL;DR · in plain English

If you don't want to read 10 sections, here's what matters:

You're the data controller for your customer data. We're the data processor. We act on your instructions.
We use a short list of sub-processors (AWS, Stripe, Twilio, OpenAI/Anthropic) — all named, all under DPA themselves.
We notify you of any security breach within 72 hours of discovery — usually faster.
EU data stays in the EU region (Frankfurt) by default. SCCs are signed for any cross-border transfer.
You can request a SOC 2 report or audit once a year, or any time we change a sub-processor.

Scope & roles.

This Data Processing Addendum (DPA) is part of your AIVA Terms of Service. It governs how we process personal data on your behalf when you use AIVA.

For the purposes of GDPR (and equivalent privacy laws):

You are the data controller — your customers' personal data is your responsibility.
AIVA is the data processor — we handle your customers' data only to provide the service you've signed up for.
We don't decide why your customers' data is being processed. You do. We just do what you tell us.

This DPA applies automatically to all enterprise customers. Growth-tier customers can opt in by signing the standalone version (request via dpo@aivachat.io).

What we process.

We process the following categories of personal data only as needed to provide AIVA:

Category	Purpose
Customer identifiers	Name, email, phone — to route conversations to the right person
Conversation content	Transcripts, audio, attachments — to deliver the conversation
Behavioral metadata	Page-views, channel selection — to route customers to the right assistant
Voice recordings	If you enable voice — for transcription and quality monitoring
Custom fields	Anything you pass to us via the API — for use in conversation context

Your instructions.

We process your customers' data only on your documented instructions. The following count as your instructions:

Configuration choices in your AIVA dashboard.
Workflows you build using the visual builder.
API calls you make.
Email instructions sent to dpo@aivachat.io.

Need to formalize an instruction in writing?

Email our DPO ›

Sub-processors.

We use the following sub-processors. All have signed DPAs with us. We update this list at aivachat.io/sub-processors and notify enterprise customers 30 days in advance of any addition.

Provider	Purpose & location
Amazon Web Services	Hosting & storage · Mumbai, Frankfurt, N. Virginia
Stripe	Billing · Ireland (EU customers)
Twilio	Voice & SMS routing · varies by region
OpenAI	AI inference · zero-data-retention enabled
Anthropic	AI inference · zero-data-retention enabled
Plausible Analytics	Anonymous usage analytics · EU
Cloudflare	CDN & DDoS protection · global

You can object to a new sub-processor within 30 days of notification. If we can't accommodate you, you may terminate without penalty.

Security measures.

We implement the following technical and organisational measures (Article 32 GDPR):

Technical

Encryption in transit — TLS 1.3 minimum on all endpoints.
Encryption at rest — AES-256 on all storage layers.
Network isolation — VPC-isolated production, no public-facing databases.
Authentication — bcrypt hashed passwords, optional 2FA, SSO/SAML on Enterprise.
Audit logging — every admin action logged with retention of 365 days.
Penetration testing — annual external pentests, results available under NDA.

Organisational

Background checks on all employees with production access.
Mandatory annual security training for all staff.
Role-based access control with quarterly access reviews.
Incident response plan with 24/7 on-call rotation.
SOC 2 Type II in progress (target completion Q3 2026).

Breach notification.

If we discover a personal data breach, we notify you without undue delay and within 72 hours of discovery. The notification will include:

Nature and scope of the breach.
Categories and approximate number of affected data subjects.
Likely consequences.
Measures taken or proposed to address the breach.

We help you fulfill your own GDPR Article 33 / 34 notification obligations. For enterprise customers, this includes support drafting customer-facing notifications.

Internal target: our incident response team aims to confirm breach scope within 4 hours of detection — usually well before the 72-hour wire.

International transfers.

Customer data is stored in the region you select. Default regions:

India customers → Mumbai (ap-south-1).
EU customers → Frankfurt (eu-central-1).
US customers → N. Virginia (us-east-1).

UK customers can request the UK International Data Transfer Addendum at no extra cost.

Your audit rights.

You can audit our compliance with this DPA. Specifically:

Request our SOC 2 Type II report (when available) or ISO 27001 certificate at no charge.
Request answers to your security questionnaire — usually within 5 business days.
Conduct an on-site audit once per year, with 30 days' notice and at your cost (we don't bill our time).
Engage a third-party auditor (mutually agreed) to verify our controls.

Data return & deletion.

On termination of your AIVA agreement, we will:

Provide you with a complete export of your data within 30 days, in JSON or CSV format.
Permanently delete all your data from our systems and sub-processors within 90 days of termination — unless you've requested otherwise.
Provide written confirmation that deletion is complete.

Backup copies are deleted on the next backup rotation cycle (max 35 days). After deletion, anonymized aggregate metrics may persist in our analytics, but no individual data remains.

How to reach us.

Our Data Protection Officer is Priya Sharma. Email dpo@aivachat.io for any DPA, GDPR, or compliance question. EU customers can also reach our EU representative at eu-rep@aivachat.io.

AIVA Technologies Pvt. Ltd.
Attn: Data Protection Officer
3rd Floor, Race Course Road
Rajkot, Gujarat 360001 · India

Legal documents

Data Processing Addendum.

If you don't want to read 10 sections, here's what matters:

Scope & roles.

What we process.

Your instructions.

Sub-processors.

Security measures.

Technical

Organisational

Breach notification.

International transfers.

Your audit rights.

Data return & deletion.

How to reach us.

Other things to read.

Data Processing Addendum.

If you don't want to read 10 sections, here's what matters:

Scope & roles.

What we process.

Your instructions.

Sub-processors.

Security measures.

Technical

Organisational

Breach notification.

International transfers.

Your audit rights.

Data return & deletion.

How to reach us.

Other things to read.