This Data Processing Addendum ("DPA") forms part of the agreement between Attendant AI, LLC ("Attendant AI," "Processor") and the customer identified in the agreement ("Customer," "Controller") and governs the processing of personal data on the Customer's behalf in connection with the Attendant AI service.
By subscribing to the service, the Customer accepts the terms of this DPA. A countersigned copy is available on request to privacy@attendantai.net.
1. Definitions
Terms not defined below carry the meanings given in applicable law (the California Consumer Privacy Act as amended by the CPRA, the EU General Data Protection Regulation, and equivalent US state laws).
- Personal Data means any information that identifies or relates to an identifiable natural person, processed by Attendant AI under the agreement.
- Data Subject means the individual to whom Personal Data relates — typically a caller to a facility, a facility employee, or a facility owner.
- Sub-processor means a third party engaged by Attendant AI to process Personal Data on the Customer's behalf.
- Security Incident means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope and Roles
Attendant AI acts as a Processor (and, under the CCPA, as a Service Provider) on the Customer's behalf. The Customer is the Controller (and CCPA Business) and is responsible for the lawfulness of the underlying data collection.
Attendant AI will process Personal Data only on documented instructions from the Customer, which consist of the agreement, the configuration set in the Customer dashboard, and any subsequent written instructions.
3. Subject Matter, Duration, Nature, and Purpose
- Subject matter: AI-powered phone answering for self-storage and apartment leasing facilities.
- Duration: the term of the agreement, plus any retention period required for legal or operational continuity (see Section 8).
- Nature and purpose: receiving inbound calls, conducting conversations through an AI agent, generating transcripts, sending tour confirmations and notifications by SMS, surfacing call activity in a dashboard, and supporting Customer reporting.
- Categories of Data Subjects: callers (prospective customers, existing tenants), Customer employees, Customer administrators.
- Categories of Personal Data: phone numbers, voice recordings, call transcripts, names and contact details voluntarily shared by callers, account credentials, payment metadata.
- Special category data: none required. Customers are instructed not to elicit special category data through the service.
4. Customer Obligations
The Customer represents and warrants that:
- It has a lawful basis (and, where applicable, valid consent) for processing Personal Data and instructing Attendant AI to process it.
- It has provided required notices to Data Subjects, including any call-recording disclosures required by state law. See Recording Consent Guidance.
- It will not configure the service in a way that contradicts applicable privacy law.
5. Processor Obligations
Attendant AI will:
- Process Personal Data only on the Customer's documented instructions, except where required to do so by law.
- Ensure that personnel authorized to process Personal Data are bound by confidentiality.
- Implement and maintain the security measures described in Section 7.
- Assist the Customer, to the extent reasonable, in fulfilling Data Subject rights requests, security obligations, data protection impact assessments, and regulator consultations.
- Not sell or share Personal Data, and not retain, use, or disclose Personal Data for any purpose other than the specific purpose of providing the service, including not combining Personal Data received from the Customer with data received from any other source.
6. Sub-processors
The Customer authorizes Attendant AI to engage the sub-processors listed below. Each sub-processor is bound by a written agreement that imposes data protection obligations no less protective than those in this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Twilio, Inc. | Telephony (inbound voice routing, outbound SMS) | United States |
| ElevenLabs, Inc. | Conversational voice AI (speech-to-text, voice synthesis, agent orchestration) | United States |
| Anthropic, PBC | Large language model for post-call analysis and conversational reasoning | United States |
| Stripe, Inc. | Payment processing and subscription billing | United States |
| Supabase, Inc. | Managed Postgres database, authentication, realtime | United States (us-east) |
| Vercel, Inc. | Dashboard application hosting | United States |
| Railway Corporation | Backend API and scheduled-job hosting | United States (us-east4) |
| Google LLC (Workspace) | Operational email and document storage for internal agent automations | United States |
| Cloudflare, Inc. | Marketing site hosting, edge caching, DDoS protection | Global edge |
Attendant AI will provide at least 30 days' notice of any new sub-processor by updating this page. The Customer may object in writing for legitimate data-protection reasons; if the parties cannot agree on a resolution, the Customer may terminate the affected portion of the service without penalty.
7. Security Measures
Attendant AI implements technical and organizational measures designed to protect Personal Data from unauthorized access, disclosure, alteration, and destruction. These include:
- Encryption in transit — TLS 1.2 or higher for all client-server communication and inter-service traffic.
- Encryption at rest — managed disk encryption on database and storage backends; phone numbers are field-level encrypted in the application layer.
- Access controls — role-based access in the dashboard; row-level security in the database ensuring facilities only see their own data; principle of least privilege for production secrets.
- Authentication — Supabase Auth with email/password and OAuth; service-role keys never exposed to the browser.
- Webhook authentication — Twilio signature validation; shared-secret tokens for ElevenLabs webhooks; rate limiting on all public endpoints.
- Logging and monitoring — structured application logs with PII masking; audit trail for sensitive actions retained for two years.
- Vulnerability management — dependency scanning, hosted-platform patching, periodic review of access keys and secrets inventory.
- Personnel — confidentiality obligations for all personnel with access to Personal Data; minimum-necessary access to production data.
8. Data Retention and Deletion
Personal Data is retained according to the schedule set by the Customer (within product-enforced bounds) and the defaults below:
- Call transcripts: 90 days (default), then automatically purged.
- Call records: 1 year (default).
- Audit logs: 2 years.
- Account data: retained for the duration of the agreement; deleted within 30 days of account closure on request.
On termination of the agreement, Attendant AI will, at the Customer's election, return or delete Personal Data within 30 days, except where retention is required by law. A written certification of deletion is available on request.
9. Data Subject Rights
Attendant AI will, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures in fulfilling the Customer's obligation to respond to requests from Data Subjects under applicable law, including the right of access, rectification, erasure, restriction, portability, and objection.
Where a Data Subject contacts Attendant AI directly with a rights request, Attendant AI will, where possible, route the request to the Customer or, if directed by the Customer, respond on the Customer's behalf.
10. International Data Transfers
Attendant AI primarily processes Personal Data in the United States. Where Personal Data originates in the European Economic Area, the United Kingdom, or Switzerland and is transferred to a jurisdiction without an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor and, where applicable, Module 3: Processor-to-Processor), the UK Addendum, and the Swiss equivalent, each of which is incorporated into this DPA by reference. Customers may request a countersigned copy by emailing privacy@attendantai.net.
11. Security Incident Notification
Attendant AI will notify the Customer without undue delay, and in any case within 72 hours of confirming a Security Incident affecting the Customer's Personal Data. The notification will include, to the extent then known, the nature of the incident, the categories and approximate volume of data and Data Subjects affected, the likely consequences, and the measures taken or proposed to address it.
Attendant AI maintains a documented incident response process and will cooperate in good faith with the Customer's reasonable investigation requests.
12. Audits and Information
Attendant AI will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including its SOC 2 readiness materials when available. The Customer may, on reasonable prior written notice and no more than once in any twelve-month period, conduct an audit (directly or through a mutually agreed third-party auditor) of Attendant AI's processing activities. Audits will be conducted during normal business hours, will not unreasonably interfere with operations, and will be subject to confidentiality obligations.
13. Liability
The liability of each party under this DPA is subject to the limitations of liability set forth in the underlying agreement.
14. Order of Precedence; Modification
In the event of any conflict between this DPA and the underlying agreement, this DPA controls solely with respect to the processing of Personal Data. Attendant AI may update this DPA from time to time to reflect changes in law, sub-processors, or operational practice, and will notify Customers of material changes by email or in-dashboard notice.
15. Contact
Questions or DPA-related requests:
Attendant AI, LLC
Attn: Privacy
160 Lake Ridge Drive
Trussville, AL 35173
privacy@attendantai.net