Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) is entered into between:

• Clusterlabs Ltd., incorporated in the Abu Dhabi Global Market (ADGM), United Arab Emirates. (“Processor”),
  and

• Customer, the entity using the Callab.ai services (“Controller”).

This DPA supplements the Terms of Service or other written or electronic agreement under which Processor provides Callab.ai services (“Agreement”).

1. Definitions

Unless otherwise defined herein, terms shall have the meanings given in the ADGM Data Protection Regulations 2021.

• “Data Protection Law” means all applicable data protection and privacy legislation, including ADGM Data Protection Regulations 2021, and where applicable the GDPR, UK Data Protection Act 2018, and other international laws.

• “Personal Data” means any information relating to an identified or identifiable natural person.

• “Processing” means any operation performed on Personal Data, whether automated or not.

• “Sub-Processor” means any third party engaged by the Processor to process Personal Data.

2. Roles of the Parties

• The Controller determines the purposes and means of processing.

• The Processor processes Personal Data only on behalf of the Controller in accordance with this DPA.

3. Subject Matter, Purpose, and Duration

• Subject matter: Provision of AI-powered voice assistant services (Callab.ai).

• Purpose: Handling, recording, and analyzing calls and related metadata to deliver, maintain, and improve the services.

• Duration: For the term of the Agreement, and until all Personal Data is deleted or returned to Controller.
  
  

4. Categories of Data and Data Subjects

• Data Subjects: Controller’s customers, prospects, employees, contractors, and authorized users.

• Personal Data categories:

  • Contact data (phone numbers, names where provided).

  • Call metadata (timestamps, duration, call status).

  • Audio recordings and transcriptions.

  • Interaction analytics and usage logs.
    
    

• Special categories: Not intentionally processed. Controller must not submit such data unless lawful and agreed in writing.

5. Processor’s Obligations

Processor shall:

1. Process data only on documented instructions of the Controller.

2. Ensure persons authorized to process data are bound by confidentiality.

3. Implement and maintain appropriate technical and organizational measures (TOMs) (Annex II).

4. Notify Controller without undue delay of any personal data breach.

5. Assist Controller with data subject rights requests.

6. Make available all information required to demonstrate compliance and allow audits.
   
   

6. Sub-Processing

1. Controller authorizes Processor to engage Sub-Processors (Annex III).

2. Processor shall impose on Sub-Processors data protection obligations no less protective than this DPA.

3. Processor shall provide notice of any intended changes to Sub-Processors, giving Controller the opportunity to object.
   
   

7. International Data Transfers

1. Personal Data may be transferred outside ADGM for service provision.

2. Such transfers will comply with ADGM Data Protection Regulations, using adequacy findings, Standard Contractual Clauses, or other appropriate safeguards.

3. For EU/UK data, SCCs and UK Addenda may apply.

8. Controller’s Responsibilities

The Controller is responsible for:

• Ensuring lawful collection and sharing of Personal Data.

• Providing notice and obtaining consent where required.

• Configuring Callab.ai in compliance with applicable laws.

9. Liability and Indemnity

1. Each party shall be liable for breaches of this DPA in accordance with applicable law and the Agreement.

2. Nothing in this DPA limits either party’s liability for willful misconduct or fraud.
   
   

10. Audits and Verification

1. Information Requests
   The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Law.

2. Third-Party Audits by Processor
   The Processor may appoint an independent third-party auditor to perform audits of its data protection and security practices. Summary reports of such audits may be shared with the Controller upon request.

3. Controller Audit Rights
   If the Controller requires an audit, such audit shall:

   • Be conducted by an independent third-party auditor appointed by the Controller and approved by the Processor (such approval not to be unreasonably withheld).

   • Be limited in scope to systems and processes relevant to Personal Data processed under this DPA.

   • Occur no more than once per year, unless required by a competent authority or following a confirmed data breach.

   • Be carried out during normal business hours with at least 30 days’ prior written notice.
     
     

4. Costs
   All costs and expenses related to any Controller-requested audit (including third-party auditor fees, Processor’s reasonable cooperation costs, and any associated expenses) shall be borne exclusively by the Controller.
   
   

11. Termination and Deletion

Upon termination of services, Processor shall delete or return all Personal Data, unless retention is required by law.

12. Governing Law and Jurisdiction

This DPA is governed by the laws of ADGM. Disputes shall be subject to the exclusive jurisdiction of the ADGM Courts.

Annex I – Description of Processing

Categories of Data Subjects:

• End users interacting with Callab.ai voice agents.

• Employees or representatives of Controller.

Types of Personal Data:

• Contact data (phone numbers, names if provided).

• Call metadata (timestamps, outcomes).

• Call audio and transcripts.

• Technical identifiers (IP addresses, device IDs).
  
  

Processing Operations:

• Collecting and routing calls.

• Recording and transcribing conversations.

• Storing and analyzing interaction data.

• Providing dashboards, analytics, and reporting.

Retention Period:

• For the duration of the Agreement. Data is deleted or returned upon termination, unless longer retention is required by law.
  
  

Annex II – Technical and Organizational Measures (TOMs)

1. Access Control

   • Role-based access management.

2. Data Security

   • Encryption in transit (TLS v1.2, TLS v1.3) and at rest (AES-256).

   • Regular penetration testing and vulnerability scanning.

3. Operational Security

   • Logging and monitoring of system activities.

   • Incident response and breach notification procedures.

4. Data Minimization

   • Limiting collection to necessary fields.

   • Configurable data retention periods.
     
     

5. Business Continuity

   • Regular backups and disaster recovery planning.

   • High-availability hosting infrastructure.
     
     

6. Staff Training

   • Mandatory data protection and security training.

Annex III – Sub-Processors

The Processor uses certain Sub-Processors to provide hosting, telephony, and infrastructure services in connection with Callab.ai.

The current list of authorized Sub-Processors is maintained at:

https://callab.ai/sub-processors