This Data Processing Agreement ("DPA") forms part of the Terms of Service between Callmama Limited ("CallMama", "Processor") and the business customer that agrees to it ("Customer", "Controller"). It applies where CallMama processes personal data on the Customer's behalf — in practice, where a business Customer uses the CallMama web portal to route, store, or record communications with its own callers and contacts.
1. Roles
For the personal data the Customer processes through the Service about its own callers and contacts ("Customer Personal Data"), the Customer is the controller and CallMama is the processor. CallMama processes Customer Personal Data only on the Customer's documented instructions, which include the Terms of Service, this DPA, and the Customer's use of the Service's features.
2. Subject matter and details of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the CallMama calling, messaging, number, routing, and (web portal) recording service |
| Duration | The term of the Terms of Service |
| Nature and purpose | To provide the Services to the Customer and its end-users, including hosting, transmitting, routing, storing, and (where the Customer enables it) recording the Customer's communications; and to maintain the security and integrity of the Service |
| Types of personal data | Contact numbers, names, call and message metadata and content, voicemail, call recordings, and other data the Customer chooses to process |
| Categories of data subjects | The Customer's callers, contacts, customers, and staff |
Retention periods: Call Detail Records are retained for the periods required by applicable telecommunications and tax law (typically 90 days to 12 months depending on jurisdiction). All other Customer Personal Data is retained until the Customer requests deletion, the DPA terminates, or the applicable retention period expires, whichever is earliest.
3. CallMama's obligations
- Process Customer Personal Data only on the Customer's documented instructions, unless required otherwise by law (in which case CallMama will inform the Customer unless the law forbids it).
- Ensure people authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Annex below).
- Assist the Customer, taking into account the nature of processing, with data subject requests, security, breach notification, and data protection impact assessments.
- Within 30 days of termination of the Terms of Service or written request, delete or return all Customer Personal Data and confirm deletion in writing, except to the extent applicable law requires continued retention, in which case CallMama will inform the Customer of the legal basis and expected deletion date.
- Make available information needed to demonstrate compliance with this DPA, and permit audits and inspections by the Customer or its authorised auditor, subject to: (i) 60 business days' prior written notice; (ii) conduct during business hours without undue disruption; (iii) auditor bound by confidentiality; (iv) Customer bears cost unless audit reveals a material breach. CallMama may provide an ISO 27001 or SOC 2 report in lieu of a direct audit.
- Records of processing: CallMama maintains records of all processing categories carried out on behalf of the Customer under GDPR Article 30(2), available on written request.
- DPIA assistance: Where call recording or other processing requires a DPIA under GDPR Article 35, CallMama will provide reasonable assistance including information about security measures, sub-processors, and processing activities.
4. Customer's obligations
- The Customer is responsible for having a lawful basis for the processing and for the lawfulness of its instructions.
- If the Customer uses the web portal's call-recording feature, the Customer must give its callers the notices and obtain the consents the law requires — see the Call Recording Notice.
- The Customer must not send CallMama special-category data or sensitive data beyond what the Service is designed to handle.
5. Sub-processors
The Customer grants general written authorisation for CallMama to engage sub-processors, including those listed in the Sub-processor List published at callmama.com. CallMama imposes data-protection obligations on each sub-processor equivalent to those imposed on CallMama by this DPA, including confidentiality obligations. CallMama remains responsible for the performance of its sub-processors. CallMama will notify the Customer at least 14 days before adding or replacing a sub-processor. The Customer may object to a new or replacement sub-processor on reasonable, documented data-protection grounds by notifying CallMama in writing within 14 days of receiving the notice. If the parties cannot resolve the objection, the Customer may terminate the affected part of the Service on written notice. Continued use of the Service after the 14 day objection period constitutes acceptance of the new sub-processor.
6. International transfers
Where Customer Personal Data is transferred from the EEA or the UK to a country without an adequacy decision, the transfer is governed by EU SCCs (Commission Implementing Decision 2021/914), Module 2 (Controller-to-Processor) for EEA transfers, and by the UK IDTA 2022 for UK transfers. Both are incorporated by reference and completed with the details in Section 2. CallMama has conducted Transfer Impact Assessments for all third-country sub-processors.
7. Personal data breach
CallMama will notify the Customer without undue delay, and where feasible no later than 24 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. This timeline is intended to allow the Customer to assess the breach and, where required, notify the competent supervisory authority within the 72-hour period required by GDPR Article 33 and UK GDPR Article 33. The notification will include, to the extent known at the time: (a) a description of the nature of the breach including categories and approximate number of data subjects and records affected; (b) the likely consequences of the breach; and (c) the measures taken or proposed to address the breach. Where information is not immediately available, CallMama will provide it in phases without further undue delay.
8. Liability and term
This DPA supplements and is subject to the Terms of Service. In the event of a conflict between this DPA and the Terms of Service on any matter relating to the processing of personal data, this DPA prevails. This DPA is governed by the laws of the Hong Kong Special Administrative Region. However, for disputes arising under the EU SCCs, the governing law and courts are as specified in the applicable SCCs (Clause 17 and Clause 18 of Commission Implementing Decision 2021/914). This DPA takes effect when the Customer accepts the Terms of Service (or, for customers requiring a countersigned DPA, on the date last signed by both parties) and continues for as long as CallMama processes Customer Personal Data.
Annex — Security measures
CallMama implements the following technical and organisational measures, as required by GDPR Article 32 and as further detailed in the EU SCCs Annex II:
A. Encryption and data in transit
- Encryption in transit: all personal data transmitted between the Service and end-user devices is encrypted using TLS 1.2 or higher. Unencrypted transmission of personal data is prohibited.
- Encryption at rest: sensitive personal data (including call recordings and voicemails) is encrypted at rest using AES-256 or equivalent. All backup media is encrypted.
B. Access controls and authentication
- Multi-factor authentication: required for all staff accessing systems containing Customer Personal Data, including remote access.
- Role-based access control: access to Customer Personal Data is limited to staff whose role requires it. Access rights are reviewed quarterly and revoked immediately on termination or role change.
- Unique user accounts: each staff member has a unique identifier. Shared accounts are prohibited. Password complexity requirements enforced.
- Session management: inactive sessions time out automatically. Maximum failed login attempts trigger account lockout.
C. Monitoring, logging and incident response
- Security monitoring: systems are monitored continuously for security events. Intrusion detection and prevention systems are deployed.
- Audit logging: all access to and modification of Customer Personal Data is logged. Logs are retained for a minimum of 12 months and are tamper-evident.
- Incident response: a documented incident response plan is maintained and tested at least annually. Incidents are classified, contained, and reported in accordance with this DPA.
D. Physical and infrastructure security
- Data centre security: Customer Personal Data is hosted in ISO 27001 certified data centres (Hetzner) with physical access controls, CCTV, environmental controls, and uninterruptible power supply.
- Backup and recovery: regular backups are taken and stored securely. Disaster recovery procedures are documented and tested. Recovery time objectives are defined and reviewed.
E. Personnel and vendor controls
- Staff confidentiality: all staff and contractors with access to Customer Personal Data are bound by contractual confidentiality obligations. Background checks are conducted where permitted by applicable law.
- Security training: all staff with access to personal data receive data protection and security awareness training on engagement and annually.
- Vendor due diligence: all sub-processors are assessed for data protection and security compliance before engagement and monitored on an ongoing basis.
F. Development and change management
- Secure development: security is incorporated into the software development lifecycle. Code reviews include security assessment. Vulnerability management and patch management procedures are in place.
- Penetration testing: independent penetration testing is conducted at least annually. Critical vulnerabilities are remediated within 30 days.
- Data minimisation: systems are designed to minimise the personal data processed. Pseudonymisation is used where appropriate.
How to execute this DPA
A business Customer that needs a signed DPA should contact legal@callmama.com. Acceptance of the Terms of Service by a business Customer that processes its own end-users' data through the Service also constitutes acceptance of this DPA.
9. Additional provisions for specific jurisdictions
United States — CCPA / CPRA
Where Customer Personal Data includes personal information of California residents, CallMama is a "service provider" under CCPA/CPRA, not a "third party." CallMama will not sell or share Customer Personal Data, will not retain, use, or disclose it outside the direct business relationship, and certifies compliance with CCPA/CPRA restrictions. Sub-processors handling California personal information are bound by equivalent service provider restrictions.
Canada — PIPEDA and Quebec Law 25
Where Customer Personal Data includes personal information of Canadian residents:
- PIPEDA: Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires CallMama to implement security safeguards consistent with Principle 7 (Safeguards). The Customer remains responsible for obtaining meaningful consent and responding to access and correction requests.
- Quebec Law 25: For Quebec residents, Law 25 (effective September 2023) imposes a 72-hour breach notification obligation to the Commission d'accès à l'information (CAI). CallMama will notify the Customer within 24 hours of awareness of a breach affecting Quebec residents' data.
This page is part of CallMama's compliance documentation. See also our Privacy Policy, Terms of Service, and contact options.