Data Processing Agreement (DPA)
Last Updated: 11/17/2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Crixin ("Processor") and you ("Controller") and governs the processing of personal data in connection with the AI phone assistant service.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion
- Controller: The entity that determines the purposes and means of processing personal data (you)
- Processor: The entity that processes personal data on behalf of the Controller (Crixin)
- Sub-processor: Any third party engaged by the Processor to process personal data
3. Scope and Purpose
Crixin will process personal data only for the purpose of providing the AI phone assistant service as described in the Terms of Service, including:
- Answering phone calls on behalf of your business
- Transcribing and analyzing call content
- Storing call records and metadata
- Providing analytics and insights
4. Data Subject Rights
Crixin will assist you in responding to data subject requests, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
5. Security Measures
Crixin implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit and at rest
- Regular security assessments and audits
- Access controls and authentication
- Employee training on data protection
- Incident response procedures
6. Sub-processors
Crixin engages the following sub-processors to provide the service:
- Deepgram: Speech-to-text processing
- Azure Speech Services: Speech-to-text and text-to-speech
- ElevenLabs: Text-to-speech processing
- OpenAI: AI language processing
- Twilio: Telephony services
- Neon: Database hosting
- Pinecone: Vector database
- Firebase: Authentication services
We will notify you of any changes to sub-processors with at least 30 days' notice.
7. Data Breach Notification
In the event of a personal data breach, Crixin will notify you without undue delay and no later than 72 hours after becoming aware of the breach.
8. Data Retention and Deletion
Crixin will retain personal data only for as long as necessary to provide the service or as required by law. Upon termination of the service, Crixin will delete or return all personal data within 30 days, unless legally required to retain it.
9. International Data Transfers
Personal data may be transferred to and processed in countries outside your jurisdiction. Crixin ensures that appropriate safeguards are in place for such transfers, including Standard Contractual Clauses where applicable.
10. Audit Rights
Upon reasonable notice, you may audit Crixin's compliance with this DPA, subject to confidentiality obligations and reasonable limitations.
11. Contact Information
For questions about this DPA or data processing practices, contact our Data Protection Officer at dpo@crixin.com.