Legal

Data Processing Addendum

A sample GDPR Article 28 processor agreement, published so your privacy and compliance teams can review our data-protection terms before contracting. It reflects how Fractal Signals LLC processes personal data when you use Callweave.

Last updated 29 May 2026
This is a sample for review only. The Data Processing Addendum executed as part of your engagement, attached to your Order Form and Master Agreement, is the operative document and prevails over this sample. Specific terms (including Annex contents, sub-processors, and security commitments) are confirmed in the executed version.

1. Parties and roles

This Data Processing Addendum (the "DPA") forms part of the agreement (the "Principal Agreement") between the customer (the "Customer") and Fractal Signals LLC, a Delaware limited liability company (file no. 10258703), which provides the Callweave product ("Callweave", "we", "us").

For the personal data processed through the Services, the Customer acts as controller and Callweave acts as processor. Where the Customer itself acts as a processor on behalf of a third-party controller, Callweave acts as a sub-processor, and references to the Customer's instructions are construed accordingly. Callweave may engage sub-processors as permitted in Section 8.

2. Definitions

Terms used in this DPA have the meanings given in the GDPR and the UK GDPR. In particular:

3. Scope and instructions

This DPA applies to the processing of personal data by Callweave on behalf of the Customer in connection with the Services. The subject matter, duration, nature, and purpose of the processing, together with the types of personal data and categories of data subjects, are set out in Annex I.

Callweave will process personal data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law (or applicable UK law) to which Callweave is subject; in that case, Callweave will inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Principal Agreement, this DPA, and the Customer's configuration and use of the Services constitute the Customer's complete documented instructions. Callweave will inform the Customer if, in its opinion, an instruction infringes Data Protection Law.

4. Annex I — Processing details

ItemDetail
Subject matterProcessing of personal data contained in voice calls and related records in order to provide the Callweave voice AI services: automating routine calls, assisting agents during live calls, and auditing calls to produce flagged transcripts, structured evidence, and actions into the Customer's connected systems.
DurationFor the term of the Principal Agreement, plus any limited period required for deletion or return of data under Section 9.
Nature and purposeReceipt, transcription, analysis, redaction, flagging, storage, and transmission of call content and metadata; generation of structured outputs and actions into CRM, KYC, AML, and case-management systems as configured by the Customer.
Types of personal dataCall audio recordings; transcripts derived from those recordings; contact and account identifiers (such as name, phone number, account or reference numbers); identity-verification and KYC/AML context provided or surfaced during calls; case and interaction data; agent identifiers and call-handling metadata. May include special-category or other sensitive data only where the Customer chooses to process it through the Services.
Categories of data subjectsThe Customer's end customers, players, merchants, or debtors who participate in calls; the Customer's agents and other personnel who handle or are referenced in calls; other individuals whose personal data is incidentally contained in call content.
FrequencyContinuous, for the duration of the Services.

5. Processor obligations (Article 28(3))

Callweave will, in respect of personal data processed on behalf of the Customer:

  1. (a) Documented instructions. Process the personal data only on the Customer's documented instructions, as described in Section 3, including as to international transfers.
  2. (b) Confidentiality. Ensure that persons authorised to process the personal data are bound by appropriate confidentiality obligations and process it only as instructed.
  3. (c) Security. Implement and maintain the technical and organisational measures required by Article 32, described in Annex II.
  4. (d) Sub-processors. Engage sub-processors only in accordance with Section 8, including flowing down data-protection obligations no less protective than this DPA.
  5. (e) Data-subject requests. Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests by data subjects exercising their rights under Chapter III GDPR. Where Callweave receives such a request directly, it will not respond except on the Customer's documented instructions, and will promptly forward the request to the Customer.
  6. (f) Assistance with Articles 32–36. Assist the Customer in ensuring compliance with its obligations relating to security of processing (Art. 32), personal data breach notification (Arts. 33–34), data protection impact assessments (Art. 35), and prior consultation (Art. 36), taking into account the nature of processing and the information available to Callweave.
  7. (g) Deletion or return. At the Customer's choice, delete or return all personal data at the end of the provision of the Services, and delete existing copies, as set out in Section 9.
  8. (h) Audits and information. Make available to the Customer all information necessary to demonstrate compliance with the obligations in Article 28, and allow for and contribute to audits, including inspections, as set out in Section 10.

6. No model training on customer data

Callweave does not use Customer personal data to train, fine-tune, or otherwise develop machine-learning models, whether its own or those of any third party, except where strictly necessary to provide the Services to that Customer and only on the Customer's documented instructions. Customer data is processed solely to deliver the Services to the Customer and is not pooled or repurposed for general model development.

7. Personal data breach

Callweave will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's personal data. The notification will, to the extent then known and as further information becomes available, describe the nature of the breach, the likely consequences, the measures taken or proposed to address it, and a point of contact. Callweave will reasonably cooperate with the Customer in investigating, mitigating, and remediating the breach. Callweave will not make any public statement attributing a breach to the Customer without prior coordination, save where required by law.

8. Sub-processors

The Customer provides Callweave with a general written authorisation to engage sub-processors to support the provision of the Services. A current list of sub-processors is maintained at callweave.ai/subprocessors.html.

Callweave will impose on each sub-processor, by written contract, data-protection obligations no less protective than those in this DPA, and remains liable to the Customer for the performance of each sub-processor's obligations. Callweave will give the Customer prior notice of any intended addition or replacement of a sub-processor (a notice period of at least thirty (30) days applies unless the Principal Agreement states otherwise), allowing the Customer to object on reasonable data-protection grounds. If the parties cannot resolve a timely objection, the Customer may terminate the affected Services as set out in the Principal Agreement.

9. Deletion and return of data

On termination or expiry of the Services, Callweave will, at the Customer's election, delete or return the Customer's personal data and delete existing copies, within the timeframe set out in the Principal Agreement, unless EU, Member State, or applicable UK law requires continued storage. Call samples submitted for an evaluation review are deleted after the review is delivered, unless retention is separately agreed in writing.

10. Audits

Callweave will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28, which may include security documentation, summaries of certifications and reports, and responses to reasonable security questionnaires. The Customer may, on reasonable prior written notice, no more than once per year (unless required by a supervisory authority or following a personal data breach), conduct or appoint an independent auditor to conduct an audit of Callweave's relevant processing, subject to reasonable confidentiality and security conditions and during normal business hours, in a manner that does not unreasonably disrupt Callweave's operations.

11. International transfers

EU hosting is available on request. Where personal data originating in the EEA, the United Kingdom, or Switzerland is transferred to Callweave or its sub-processors in the United States or another country not subject to an adequacy decision, the transfer is made under the SCCs (for EEA and Swiss data) and the UK IDTA (for UK data), which are incorporated by reference and completed in the executed DPA. The parties will implement any supplementary measures reasonably required to ensure an essentially equivalent level of protection.

12. Annex II — Technical and organisational measures (Article 32)

Callweave maintains the following measures, as further described and confirmed in the executed DPA and on our Security page. Roadmap items are marked as planned or in progress and are not represented as completed.

13. Liability and relationship to the Principal Agreement

This DPA is incorporated into and forms part of the Principal Agreement. The liability provisions and limitations of the Principal Agreement apply to claims arising under this DPA, except to the extent Data Protection Law requires otherwise. In the event of a conflict between this DPA and the Principal Agreement regarding the processing of personal data, this DPA prevails. The mandatory provisions of the SCCs prevail over any conflicting terms of this DPA.

14. Governing law

This DPA is governed by the law specified in the Principal Agreement (in the absence of a specified law, the laws of the State of Delaware, USA), provided that the SCCs and UK IDTA are governed and interpreted in accordance with their own terms and the law they specify. For questions about this DPA, contact privacy@callweave.ai or legal@callweave.ai.

Subprocessors list Security measures Sample only. The executed DPA prevails for your engagement.