Rumbe AI
Data Processing Addendum

Processor terms for personal data.

A structured DPA framework for processing personal data on behalf of customers through Rumbe AI, where applicable data-protection law requires processor terms.

DPA at a glance

Built around tenant-aware controls.

01. Customer is controller; Vovance Inc. is processor for in-scope data
02. Documented instructions limit how personal data is processed
03. Security schedule mirrors Rumbe’s Trust Center controls
04. Subprocessor list with notice and objection process

Drafting status: This page is a publication-ready content framework, not an executed legal agreement. It must be completed and approved by qualified counsel before use.

This Data Processing Addendum (“DPA”) is intended to govern Vovance Inc.’s processing of personal data on behalf of a customer through Rumbe AI, where applicable data-protection law requires processor terms.

1. Parties and scope

The customer agreement should identify:

  • The customer as controller, business, or equivalent role
  • Vovance Inc. as processor, service provider, or equivalent role
  • Rumbe AI as the product through which processing occurs
  • The services and order form covered by the DPA
  • The effective date and precedence rules

2. Processing instructions

Vovance Inc. processes personal data only to provide, secure, support, and improve the contracted service according to documented customer instructions, unless law requires otherwise.

The customer is responsible for lawful instructions, appropriate notices, legal basis, account permissions, and the data submitted to Rumbe AI.

3. Processing details

Subject matter: AI-assisted customer support, ticketing, knowledge retrieval, agent operations, and related administration.

Duration: The subscription term plus the agreed return, deletion, backup, and legal-retention period.

Data subjects: Customers, prospects, end users, agents, administrators, employees, contractors, and other individuals whose data is submitted.

Data categories: Identity, contact, account, conversation, ticket, attachment, activity, device, authentication, support, billing-reference, and potentially sensitive data approved for the use case.

Processing activities: Collection, storage, organization, retrieval, redaction, transmission to configured providers, generation, summarization, routing, logging, export, deletion, and support.

4. Confidentiality and access

Personnel with access to customer personal data must be bound by confidentiality and authorized according to role and business need.

5. Security measures

  • Tenant-aware access controls
  • Encryption of sensitive fields and secrets
  • Secure authentication and SSO
  • API validation
  • PHI and agent activity logging
  • AI transaction hashing
  • Domain-restricted widget controls
  • Tenant-isolated vector retrieval
  • Backup, monitoring, and incident procedures
  • Secure transport and email configuration

6. Subprocessors

Vovance Inc. may use authorized subprocessors according to the published list and notice process. Subprocessors must be bound by data-protection obligations appropriate to their processing.

7. Data subject requests

Vovance Inc. will provide reasonable assistance, taking into account the nature of processing, so the customer can respond to verified access, correction, deletion, restriction, objection, and portability requests.

8. Security incidents

The executed DPA must define the meaning of a personal-data breach, notification channel, timing, required information, ongoing updates, and cooperation obligations. Do not publish an unsupported notification deadline.

9. Return and deletion

At termination or customer instruction, Vovance Inc. will return or delete personal data according to the agreed process, subject to backup cycles, legal retention, security logs, and documented exceptions.

10. International transfers

Where required, the parties will use an approved transfer mechanism and applicable supplementary measures. The completed DPA should identify the relevant regions and legal framework.

11. Audit and information rights

The DPA should define the security information, attestations, questionnaires, audit limitations, confidentiality obligations, frequency, and cost allocation available to the customer.

12. Liability and precedence

Liability, indemnity, and conflict terms should align with the master agreement and applicable law.

Frequently asked questions

Is this page an executed DPA?

No. It is a structured draft that requires legal completion, approval, and valid execution or incorporation.

Who is usually the controller?

For customer-support data, the customer commonly acts as controller and Vovance Inc. as processor, but roles depend on the facts.

Does the DPA cover every Rumbe deployment?

Only if the applicable agreement incorporates it and the processing falls within its scope.

Where are security measures documented?

They should be included in a contractual security schedule and supported by the Trust Center and current technical evidence.

Evaluate Rumbe AI for your environment.

Vovance Inc. can discuss Rumbe AI’s contracts, controls, deployment assumptions, and commercial options for your use case.
