Data Processing Agreement
Agreement on the processing of personal data pursuant to Art. 28 of EU Regulation 2016/679 (GDPR), forming an integral part of the Terms of Service.
1. Roles of the parties
The Swavo customer (the business user) acts as Data Controller for its end customers' data. Swavo acts as Data Processor and processes such data solely on behalf of the Controller and according to its documented instructions.
2. Subject matter and duration
Processing covers the personal data managed through the Swavo platform (Giulia voice agent, WhatsApp AI, portal, brain) and lasts for the term of the service contract, subject to statutory retention obligations.
3. Types of data and categories of data subjects
Identity and contact data, conversational content (calls, chats), appointment and billing data. Categories of data subjects: end customers, contacts and suppliers of the business user.
4. Controller's instructions
Swavo processes data only on the documented instruction of the Controller, including platform use and chosen configurations. Swavo informs the Controller if an instruction infringes the GDPR or other applicable law.
5. Confidentiality
Swavo's authorized personnel are bound by confidentiality and access data only to the extent necessary to provide the service.
6. Security measures (Art. 32)
Encryption in transit and at rest, role-based access control, multi-tenant isolation, audit logs, periodic backups and recovery procedures. Servers are located in the European Union (Supabase EU, Vercel EU, Hetzner Germany).
7. Sub-processors
Swavo uses sub-processors (including Supabase, Vercel, Hetzner, OpenAI, Anthropic, ElevenLabs, Deepgram, Twilio, Meta WhatsApp Business, Stripe), all bound by GDPR-compliant agreements. The Controller authorizes such use and will be informed of changes, with the right to object on reasonable grounds.
8. Assistance to the Controller
Swavo assists the Controller in responding to data subject rights requests and in complying with obligations under Arts. 32-36 GDPR (security, breach notification, impact assessments), as far as technically possible.
9. Data breaches
Swavo notifies the Controller without undue delay, and in any case within 48 hours of becoming aware, of any personal data breach affecting it, providing the information needed for legal compliance.
10. Return and deletion
Upon termination of the contract, at the Controller's choice, Swavo returns or deletes the personal data processed and deletes existing copies, unless retention is required by law.
11. Audit
Swavo makes available to the Controller the information needed to demonstrate compliance with GDPR Art. 28 and allows for audits, including by a mandated party, with reasonable notice and without compromising other customers' security.
12. Non-EU transfers
Any transfers to non-EU sub-processors take place on the basis of the Standard Contractual Clauses approved by the EU Commission and, where applicable, the Data Privacy Framework.