This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Service or other written or electronic agreement (the "Agreement") between Arbol Artificial Intelligence, Inc. ("Arbol AI," "Processor," "we," "us," or "our") and the entity or person agreeing to these terms ("Customer," "Controller," or "you") for the provision of AI-powered voice communication services (the "Services").
This DPA sets forth the terms and conditions under which Arbol AI will process Personal Data on behalf of Customer in connection with the Services.
1. Definitions
"Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data, including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Delaware Personal Data Privacy Act (DPDPA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and other applicable U.S. state privacy laws.
"Controller" means the entity that determines the purposes and means of the processing of Personal Data.
"Customer Data" means any Personal Data that Customer uploads, transmits, or otherwise provides to Arbol AI through the Services, including contact information, call recordings, transcripts, and related data.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, modification, or deletion.
"Processor" means an entity that processes Personal Data on behalf of a Controller.
"Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.
"Sub-Processor" means any third party engaged by Arbol AI to process Personal Data on behalf of Customer.
2. Scope and Applicability
2.1 Scope
This DPA applies to the processing of Customer Data by Arbol AI in connection with the provision of the Services. This DPA supplements the Agreement and does not replace or modify any terms of the Agreement except as expressly stated herein.
2.2 Applicability
This DPA applies when Arbol AI processes Personal Data:
On behalf of Customer as a Processor
Subject to Applicable Data Protection Laws
2.3 Conflict
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
3. Roles and Responsibilities
3.1 Roles
| Data Type | Customer's Role | Arbol AI's Role |
|---|---|---|
| Customer Data (contacts, recordings, transcripts) | Controller | Processor |
| Account Information | Data Subject | Controller |
| Usage/Analytics Data | — | Controller |
3.2 Customer Responsibilities
Customer represents and warrants that:
It has the legal authority to provide Customer Data to Arbol AI
It has obtained all necessary consents and provided all required notices to Data Subjects
Its instructions to Arbol AI comply with Applicable Data Protection Laws
It will not provide any Personal Data that Arbol AI is not authorized to process
3.3 Arbol AI Responsibilities
Arbol AI agrees to:
Process Customer Data only in accordance with Customer's documented instructions
Ensure personnel processing Customer Data are subject to confidentiality obligations
Implement appropriate technical and organizational security measures
Assist Customer in responding to Data Subject requests
Notify Customer of any Security Incidents
Delete or return Customer Data upon termination
4. Processing of Personal Data
4.1 Purpose Limitation
Arbol AI shall process Customer Data only:
To provide the Services as described in the Agreement
In accordance with Customer's documented instructions
As required by applicable law
4.2 Processing Details
| Element | Description |
|---|---|
| Subject Matter | Provision of AI-powered voice communication services |
| Duration | Duration of the Agreement plus any retention period |
| Nature and Purpose | Voice call processing, transcription, AI responses, analytics |
| Categories of Data Subjects | Customer's contacts, employees, end users |
| Categories of Personal Data | Names, phone numbers, email addresses, voice recordings, call transcripts, call metadata |
4.3 Customer Instructions
Customer instructs Arbol AI to process Customer Data for the following purposes:
Operating AI Employees to conduct voice communications
Recording and transcribing calls (as configured by Customer)
Generating summaries and analytics
Storing and managing contact information
Improving AI Employee performance within Customer's organization
Providing the features and functionality of the Services
4.4 Prohibited Data
Customer shall not provide to Arbol AI, and Arbol AI is not authorized to process:
Protected Health Information (PHI) subject to HIPAA (without a signed BAA)
Complete payment card numbers (PCI DSS data)
Social Security numbers
Government-issued identification numbers
Biometric data for identification purposes
Data of children under 18
5. Sub-Processors
5.1 Authorization
Customer authorizes Arbol AI to engage Sub-Processors to process Customer Data in connection with the Services.
5.2 Sub-Processor Obligations
Arbol AI shall:
Enter into written agreements with Sub-Processors imposing data protection obligations no less protective than this DPA
Remain liable for Sub-Processor compliance with this DPA
Conduct appropriate due diligence on Sub-Processors
5.3 Changes to Sub-Processors
Arbol AI shall:
Maintain an up-to-date list of Sub-Processors
Notify Customer at least 30 days before engaging a new Sub-Processor
Provide Customer an opportunity to object to new Sub-Processors
5.4 Objection to Sub-Processors
If Customer has a legitimate objection to a new Sub-Processor:
Customer shall notify Arbol AI within 30 days of receiving notice
Customer shall provide specific, documented reasons for the objection
Arbol AI shall work with Customer to address concerns
If concerns cannot be addressed, Customer may terminate the affected Services
6. Data Security
6.1 Security Measures
Arbol AI shall implement and maintain appropriate technical and organizational measures to protect Customer Data, including:
Technical Measures:
Encryption of data in transit (TLS 1.2+)
Encryption of data at rest (AES-256)
Secure password hashing
Multi-factor authentication
Network security (firewalls, intrusion detection)
Regular vulnerability scanning and penetration testing
Organizational Measures:
Access controls based on least privilege
Employee background checks
Security awareness training
Incident response procedures
Business continuity and disaster recovery
6.2 Security Standards
Arbol AI maintains the following security standards:
SOC 2 Type II certification (in progress, target Q2 2026)
Annual third-party penetration testing
Regular security assessments
6.3 Confidentiality
Arbol AI shall ensure that personnel authorized to process Customer Data:
Are subject to confidentiality obligations
Process Customer Data only as instructed
Have received appropriate training
7. Data Subject Rights
7.1 Assistance with Requests
Arbol AI shall assist Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws, including:
Right to access
Right to correction
Right to deletion
Right to data portability
Right to opt-out
7.2 Notification
If Arbol AI receives a request from a Data Subject regarding Customer Data, Arbol AI shall:
Promptly notify Customer of the request
Not respond directly unless authorized by Customer or required by law
7.3 Self-Service
Customer may fulfill many Data Subject requests through self-service features in the Services dashboard, including data access, correction, and deletion.
8. Data Breach Notification
8.1 Notification Timeline
Arbol AI shall notify Customer of any Security Incident affecting Customer Data without undue delay and in any event within 72 hours of becoming aware of the incident.
8.2 Notification Contents
The notification shall include, to the extent known:
Description of the nature of the Security Incident
Categories and approximate number of Data Subjects affected
Categories and approximate number of records affected
Likely consequences of the Security Incident
Measures taken or proposed to address the incident
Contact information for further inquiries
8.3 Cooperation
Arbol AI shall:
Cooperate with Customer in investigating the Security Incident
Take reasonable steps to mitigate harm
Preserve evidence related to the incident
Assist Customer in fulfilling notification obligations
8.4 Exclusions
This Section does not apply to incidents that do not affect Customer Data or that affect only data for which Arbol AI is the Controller.
9. Data Transfers
9.1 Data Location
All Customer Data is processed and stored exclusively in the United States. Arbol AI does not transfer Customer Data outside the United States.
9.2 U.S.-Based Processing
All Sub-Processors engaged by Arbol AI process Customer Data within the United States.
9.3 No International Transfers
Arbol AI shall not transfer Customer Data to any country outside the United States without Customer's prior written consent.
10. Audit Rights
10.1 Audit Reports
Upon Customer's written request (no more than once per year), Arbol AI shall provide:
SOC 2 Type II audit report (or equivalent)
Summary of penetration testing results
Responses to reasonable security questionnaires
10.2 On-Site Audits
If audit reports are insufficient to verify compliance, Customer may request an on-site audit, subject to:
Reasonable advance notice (at least 30 days)
Mutually agreed-upon scope and timing
Confidentiality obligations
Customer bearing the cost of the audit
Audit not unreasonably interfering with operations
10.3 Regulatory Audits
Arbol AI shall allow and contribute to audits conducted by regulatory authorities as required by Applicable Data Protection Laws.
11. Data Retention and Deletion
11.1 Retention
Arbol AI shall retain Customer Data only for as long as necessary to provide the Services and as configured by Customer.
11.2 Deletion Upon Termination
Upon termination of the Agreement, Arbol AI shall:
Delete or return all Customer Data within 90 days
Provide Customer an opportunity to export Customer Data before deletion
Certify deletion upon Customer's request
11.3 Exceptions
Arbol AI may retain Customer Data as required by applicable law or for legitimate business purposes (e.g., billing records), provided such data is protected and not used for other purposes.
11.4 Customer Self-Service
Customer may delete Customer Data at any time through the Services dashboard. Deleted data is removed from active systems within 30 days and from backups within 90 days.
12. Liability
12.1 Limitation
Each party's liability under this DPA shall be subject to the limitations set forth in the Agreement.
12.2 Indemnification
Each party shall indemnify the other for losses arising from the indemnifying party's breach of this DPA, subject to the limitations in the Agreement.
13. Term and Termination
13.1 Term
This DPA shall remain in effect for the duration of the Agreement.
13.2 Survival
The provisions of this DPA that by their nature should survive termination shall survive, including Sections 6 (Data Security), 8 (Data Breach Notification), 11 (Data Retention and Deletion), and 12 (Liability).
14. General Provisions
14.1 Governing Law
This DPA shall be governed by the laws of the State of Delaware, without regard to conflict of law principles.
14.2 Amendments
This DPA may be amended only by a written agreement signed by both parties, except that Arbol AI may update this DPA to reflect changes in Applicable Data Protection Laws with 30 days' notice.
14.3 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.
14.4 Entire Agreement
This DPA, together with the Agreement, constitutes the entire agreement between the parties regarding the subject matter hereof.
14.5 Contact
For questions about this DPA, contact:
Arbol Artificial Intelligence, Inc.
Attn: Legal / Data Protection
131 Continental Dr, Suite 305
Newark, DE 19713
United States
Email: legal@getarbol.com
Exhibit A: Technical and Organizational Security Measures
A.1 Access Control
Role-based access control (RBAC)
Unique user identification
Multi-factor authentication for production systems
Automatic session timeout
Regular access reviews
A.2 Encryption
Data in transit: TLS 1.2 or higher
Data at rest: AES-256 encryption
Key management through AWS KMS / GCP KMS
Secure password hashing (bcrypt or equivalent)
A.3 Network Security
Firewalls and network segmentation
Web Application Firewall (WAF)
DDoS protection (Cloudflare)
Intrusion detection and prevention
VPN for administrative access
A.4 Application Security
Secure development lifecycle (SDLC)
Code review requirements
Static and dynamic security testing
Dependency vulnerability scanning
Regular penetration testing
A.5 Physical Security
SOC 2 Type II certified data centers
24/7 security monitoring
Biometric and badge access controls
Environmental controls
A.6 Incident Response
Documented incident response plan
24/7 on-call security team
Regular incident response testing
Post-incident review process
A.7 Business Continuity
Multi-availability zone deployment
Regular backups (encrypted)
Disaster recovery procedures
Recovery Time Objective (RTO): 4 hours
Recovery Point Objective (RPO): 1 hour