1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between AutEvo AI ("Processor") and you ("Controller"). This DPA applies to the processing of personal data by the Processor on behalf of the Controller in connection with the Service.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Service
- "Processing" means any operation performed on Personal Data (collecting, storing, using, transmitting, deleting)
- "Data Subject" means the identified or identifiable person to whom the Personal Data relates
- "Sub-processor" means a third party engaged by the Processor to process Personal Data
3. Scope of Processing
The Processor processes Personal Data solely to provide the Service as described in the Terms of Service. Categories of data processed include:
- Contact information (names, emails, phone numbers, addresses)
- Business records (jobs, invoices, quotes, schedules)
- Files and media (photos, documents uploaded to the Service)
- Voice recordings (AI Voice Receptionist calls)
- Usage data (login activity, feature usage)
4. Controller Obligations
The Controller shall:
- Ensure a lawful basis exists for all Personal Data processed using the Service
- Provide required notices and obtain necessary consents from Data Subjects
- Respond to Data Subject rights requests (with Processor's reasonable assistance)
5. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process Personal Data are under confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 7)
- Assist the Controller with Data Subject rights requests
- Delete or return all Personal Data upon termination (subject to the 90-day retention period)
- Make available information necessary to demonstrate compliance
6. Sub-processors
The Controller authorizes the Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services | Cloud hosting, database | US |
| Stripe | Payment processing | US |
| Twilio | SMS, voice communications | US |
| Google | Calendar sync, email integration | US |
| OpenAI | AI features (text generation, vision) | US |
The Processor will notify the Controller of any new Sub-processors at least 30 days before engagement. The Controller may object in writing within 14 days.
7. Security Measures
The Processor implements the following technical and organizational measures:
- AES-256 encryption at rest for all stored data
- TLS 1.2+ encryption in transit
- Tenant isolation (separate database schemas per customer)
- Role-based access control
- Multi-factor authentication support
- Regular automated backups with encryption
- Intrusion detection and monitoring
- Annual security reviews and vulnerability assessments
- Employee access limited to those with legitimate business need
8. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware
- Provide details of the breach: nature, categories of data affected, likely consequences, and measures taken
- Cooperate with the Controller in notifying affected Data Subjects and supervisory authorities
9. International Transfers
Personal Data is processed primarily in the United States. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) as the lawful transfer mechanism. Copies of the applicable SCCs are available upon request.
10. Audits
The Controller may audit the Processor's compliance with this DPA. Audits shall be conducted with reasonable notice (at least 30 days), during business hours, and no more than once per year unless a data breach has occurred.
11. Duration and Termination
This DPA remains in effect for the duration of the Terms of Service. Upon termination, the Processor will delete all Personal Data within 90 days, except as required by law.
12. Contact
For DPA-related inquiries: dpa@AutEvo AI.com