⚠️ DRAFT — pending Florida-licensed counsel review
This document was drafted on 2026-04-26 from primary statutes (FL § 934.03, FL § 501.171/FIPA, CAN-SPAM, TCPA, GDPR Article 28) and industry-standard SaaS templates by a non-attorney. It has not been reviewed by a Florida-licensed attorney and is published here for transparency. Customers signing during the draft period are agreeing to the terms as stated, and we will notify them in writing if material changes occur after counsel review. Questions: legal@aifrontdesk.org.
Data Processing Addendum
Last updated: 2026-04-26 · Version: 2026-04-26
1. Background and definitions
This Data Processing Addendum ("DPA") supplements the AI FrontDesk Terms of Service (the "Agreement") between Republic Publishing LLC, a Florida limited liability company doing business as "AI FrontDesk" ("we", "us", or "Processor") and the business customer that signs up for the AI FrontDesk service ("you", "your", or "Controller"). It applies whenever we process personal data about your callers, customers, or other third parties on your behalf in connection with the Service.
In this DPA the following terms have the meanings given:
- Personal Data — any information relating to an identified or identifiable natural person, as defined in the applicable data-protection laws (including the EU General Data Protection Regulation 2016/679, the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act, and the Florida Information Protection Act, FL Stat. § 501.171).
- Caller Personal Data — Personal Data relating to individuals who call, text, or otherwise communicate with the phone line you connect to the Service. This is the principal category of Personal Data we process under this DPA.
- Sub-processor — any third party engaged by us to process Personal Data on your behalf in connection with the Service. Our current Sub-processor list is available at aifrontdesk.org/subprocessors.
- Security Incident — any unauthorized acquisition, access, use, disclosure, modification, or destruction of Personal Data while in our custody or control.
2. Roles of the parties
You are the Controller of Caller Personal Data — you decide why and how callers' data is collected and used in your business. We are the Processor — we collect, store, and process Caller Personal Data only on your documented instructions (which include the configuration choices you make in the AI FrontDesk dashboard, mobile app, and API).
For Personal Data about you yourself (your business contact details, billing information, dashboard activity), we act as an independent Controller. That processing is governed by our Privacy Policy, not this DPA.
3. Scope, subject matter, and duration
We will process Caller Personal Data solely for the purpose of providing the Service to you under the Agreement: answering inbound calls and SMS to your business line, transcribing and summarizing conversations, scheduling appointments to your connected calendar, sending booking confirmations, escalating calls that fall outside the AI's scope, and operating the dashboard and mobile app you use to review the work.
Processing continues for the duration of the Agreement and until we have returned or deleted all Caller Personal Data in accordance with Section 11 (Return and deletion).
4. Categories of Personal Data and data subjects
The categories of Caller Personal Data we process include:
- Caller phone number and (when offered) name
- Service address, gate codes, pet warnings, and similar scheduling-relevant facts the caller volunteers
- Audio recording of the call
- AI-generated transcript of the call
- Structured insights extracted from the transcript (intent, sentiment, urgency, summary)
- SMS message content sent to and received from the caller
- Booking metadata (date, time, service type, price quote)
The categories of data subjects are: the natural persons who call, text, or are referred to in conversations on the phone line you connect to the Service.
5. Our obligations as Processor
- Documented instructions only. We will process Caller Personal Data only on your documented instructions, including with regard to international transfers, unless required to do so by applicable law (in which case we will inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).
- Confidentiality. Every member of our personnel authorized to access Caller Personal Data is bound by a written confidentiality obligation that survives termination of their engagement with us.
- Security. We have implemented and will maintain the technical and organizational measures described in Annex 1 to ensure a level of security appropriate to the risk, including the pseudonymization and encryption of Personal Data, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore the availability of and access to Personal Data in a timely manner in the event of an incident, and a process for regularly testing and evaluating the effectiveness of those measures.
- Sub-processors. You authorize the use of the Sub-processors listed at aifrontdesk.org/subprocessors as of the effective date of this DPA. We will give you at least 30 days' notice (by email to your account contact and by updating that page) before adding or replacing a Sub-processor that processes Caller Personal Data. You may object in writing during the notice window; if we and you cannot resolve your objection in good faith within 15 days, you may terminate the affected portion of the Service for convenience and receive a pro-rata refund of any prepaid fees.
- Assistance with data-subject rights. Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to fulfil your obligation to respond to requests from data subjects exercising rights of access, correction, deletion, restriction, portability, or objection. You may submit requests via privacy@aifrontdesk.org; we will acknowledge within 5 business days and complete within 30 calendar days, except where applicable law allows or requires a longer period.
- Assistance with controller obligations. We will assist you in ensuring compliance with your obligations under applicable data-protection laws to (a) maintain security of processing, (b) notify Personal-Data breaches, (c) carry out data-protection impact assessments, and (d) consult with supervisory authorities, taking into account the nature of the processing and the information available to us.
- Records of processing. We maintain a written record of all categories of processing activities carried out on your behalf, available to you on request.
6. Your obligations as Controller
- You are responsible for the lawfulness of the Caller Personal Data you instruct us to process — including obtaining any consents or providing any notices that applicable law requires you to obtain or provide before forwarding calls to the Service.
- You will not configure the AI FrontDesk Service in a way that disables, mutes, or alters the recording-disclosure utterance the AI agent plays at the start of every recorded call (which is required for compliance with Florida's two-party-consent statute, FL § 934.03, and similar laws elsewhere). Disabling that disclosure is a material breach of this DPA and the Agreement.
- You will keep your AI FrontDesk account credentials confidential and will notify us promptly of any suspected unauthorized access.
7. Sub-processor list and notification of changes
The current Sub-processors are listed at aifrontdesk.org/subprocessors. That page identifies, for each Sub-processor: (a) name and corporate address, (b) the processing activity entrusted to it, (c) the location where it processes Personal Data, and (d) the safeguards it provides for international transfers (where applicable). To receive email notification of Sub-processor changes, contact privacy@aifrontdesk.org.
8. International transfers
The Service is operated from the United States. If you are located outside the United States, or if Caller Personal Data relates to individuals located outside the United States, transfers to us occur on the basis of the appropriate transfer mechanism for your jurisdiction. For transfers from the European Economic Area, the United Kingdom, or Switzerland, we incorporate the European Commission's 2021 Standard Contractual Clauses (Module 2: Controller to Processor) by reference, and you and we agree to be bound by them. The optional clauses are not adopted; the choice of forum is the courts of Ireland; the supervisory authority is the Irish Data Protection Commission.
9. Security Incident notification
We will notify you of a Security Incident affecting Caller Personal Data without undue delay after becoming aware of it, and in any event no later than:
- Within 72 hours of our determination that a Security Incident has occurred, when the Incident is likely to result in a risk to the rights and freedoms of natural persons (this aligns with GDPR Article 33 controller-side timing so that you can meet your own notification deadlines).
- Within the timing required by law if shorter (for example, the Florida Information Protection Act, FL Stat. § 501.171, requires notification to affected individuals no later than 30 days after determination of a breach, and to the Florida Department of Legal Affairs no later than 30 days for breaches affecting 500 or more Florida residents).
Notification will include: a description of the nature of the Incident, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures we are taking or have taken to address the Incident and mitigate its effects. Where complete information is not yet available we will provide it in phases as it becomes known. Notification of a Security Incident is not, by itself, an admission of fault or liability.
10. Audits
We make available to you all information necessary to demonstrate compliance with the obligations laid down in this DPA. On reasonable written request and no more than once per twelve-month period (except following a Security Incident, where additional audits are permitted), you may instruct an independent third-party auditor — subject to written confidentiality undertakings reasonably acceptable to us — to audit our compliance with this DPA. The audit will be conducted during business hours, on at least 30 days' written notice, and in a manner that does not unreasonably interfere with our business. You will bear the cost of the audit unless it identifies material non-compliance with this DPA, in which case we will bear our own internal costs of the audit.
11. Return and deletion
On termination of the Agreement, you may export your Caller Personal Data via the dashboard or by written request to privacy@aifrontdesk.org for up to 60 days after termination. After that 60-day window — or earlier on your written instruction — we will delete all Caller Personal Data from our active systems within 30 days. Caller Personal Data may persist in encrypted backups for up to an additional 90 days before automatic backup expiry; during that retention window the data is not accessed and is used only for disaster-recovery purposes.
12. Liability
Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits or excludes either party's liability where it cannot lawfully be limited or excluded.
13. Order of precedence
In the event of a conflict between this DPA and the Agreement on matters relating to the processing of Personal Data, this DPA controls. In the event of a conflict between this DPA and any applicable Standard Contractual Clauses, the Standard Contractual Clauses control.
14. Changes to this DPA
We may update this DPA from time to time to reflect changes in applicable law, the Service, or our security practices. We will notify you of material changes at least 30 days before they take effect, by email to your account contact and by updating the "Last updated" date above. Continued use of the Service after the effective date of an update constitutes acceptance.
Annex 1 — Technical and organizational security measures
- Encryption. All Caller Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 (or equivalent) provided by our infrastructure providers (Nhost managed Postgres, AWS S3, Telnyx Storage).
- Access control. Tenant isolation is enforced via row-level Hasura permission filters keyed to a JWT custom claim (x-hasura-business-id); no application path can return data belonging to a different tenant. An owner-side biometric gate is available on the mobile app for billing and business-profile screens.
- Auditability. An append-only audit log records every administrative action and webhook event. Owners can read their own business's audit rows at any time.
- Backup and recovery. Nightly snapshots are written to an off-platform storage system (a private GitHub repository owned by us) and verified via a quarterly restore drill. Last verified: 2026-04-26.
- Retention controls. Per-business retention windows are enforced by a daily cron that deletes recordings older than the window, redacts or removes transcripts where the caller declined recording, and prunes unused webhook payloads.
- Incident response. Production errors fire alerts into our internal Slack #alerts channel within 60 seconds of occurrence; an on-call escalation tree is documented in our internal Operational Runbook.
- Staff confidentiality. All personnel with access to Caller Personal Data are bound by written confidentiality obligations that survive termination of their engagement.
Contact
Republic Publishing LLC, doing business as AI FrontDesk
Data-protection contact: privacy@aifrontdesk.org
Postal address: as listed in the email footer of any communication from us