Data Processing Agreement
Template — April 2026
🟡 This document is a template — requires completion before signing
⚠️ This document is an operational template and does not constitute legal advice.
Verification by a DPO / legal counsel required before signing.
Fields marked [IN BRACKETS] require completion.
This template requires adaptation to the specific client, process and jurisdiction by a DPO / legal counsel.
As a general rule, the client is the data controller and CallWise (AwesomeWorks) is the processor. If the client uses AI scoring or analysis for employee evaluation, a separate HR analysis and a DPIA are recommended.
Parties
Concluded on [DATE] between:
[FULL CLIENT NAME], registered at
[ADDRESS], VAT ID [VAT ID], represented by
[NAME, TITLE], hereinafter referred to as the Controller
and
[FULL AWESOMEWORKS COMPANY NAME], registered at
[ADDRESS], VAT ID [VAT ID], represented by
[NAME, TITLE], hereinafter referred to as the Processor or CallWise.
1. Subject Matter
- The Controller entrusts the Processor with processing personal data in connection with the use of the CallWise service — a SaaS platform for recording, transcription, analysis and reporting of business calls and meetings.
- The Processor shall process data exclusively on behalf of and on documented instructions from the Controller, subject to obligations under EU or Polish law.
- This Agreement constitutes a data processing agreement within the meaning of Art. 28 GDPR.
2. Nature and Purpose of Processing
The nature of processing includes in particular:
- recording telephone calls and/or online meetings,
- storing audio files and, where applicable, video files,
- creating transcriptions,
- analysing call content using AI / LLM tools,
- generating summaries, tags, insights and quality metrics,
- displaying results in the Controller's dashboard,
- storing audit logs and service configuration logs.
The purpose of processing is to perform the main agreement and enable the Controller to use CallWise features.
The Processor shall not use entrusted data for its own purposes, in particular for training its own models, cross-client benchmarking or marketing, unless the parties enter into separate arrangements with clearly defined legal roles.
3. Duration and Retention
- Data will be processed for the duration of the main agreement.
- Upon termination of services, the Processor shall, at the Controller's election, either return the data in an agreed export format, or delete all personal data and copies thereof, except where further retention is required by law or technically justified within limited backup copies for a period of [PERIOD].
Default retention periods (unless otherwise agreed):
| Data type | Retention |
|---|---|
| Audio | [__] days |
| Transcriptions | [__] days |
| Summaries / insights | [__] days |
| Video | [__] hours / days |
| Audit trail | [__] years |
4. Categories of Data Subjects and Data
4.1 Categories of data subjects
- employees, associates and agents of the Controller,
- customers, leads, contractors and meeting participants,
- other individuals whose data may incidentally appear in call content.
4.2 Categories of personal data
- identification and contact data,
- voice and speech content,
- audio recordings and, where applicable, video,
- transcriptions,
- call and meeting metadata,
- analysis results, summaries and activity metrics,
- system and audit logs.
5. Controller's Obligations
The Controller is responsible for:
- having an appropriate legal basis for processing,
- fulfilling information obligations to data subjects,
- lawful implementation of employee and caller monitoring,
- determining whether DPIA, employee consultations, work regulations updates, additional consent or other documents are required,
- issuing lawful instructions to the Processor,
- not submitting data to the system where processing is not necessary for the business purpose.
6. Processor's Obligations
The Processor undertakes to:
- process data solely on documented instructions from the Controller,
- ensure confidentiality of persons authorised to process data,
- implement appropriate technical and organisational measures under Art. 32 GDPR,
- comply with conditions for engaging sub-processors,
- assist the Controller in responding to data subject rights requests,
- assist the Controller with DPIA and supervisory authority consultations,
- notify the Controller of data breaches without undue delay,
- make available information necessary to demonstrate compliance with Art. 28 GDPR.
7. Technical and Organisational Measures
The Processor implements, proportionate to the risk, at minimum:
- transmission encryption (TLS),
- access control and MFA for administrative accounts,
- tenant separation,
- administrative event and compliance operation logging,
- backup / restore procedures,
- data retention and deletion policies,
- role-based access control (RBAC),
- incident response procedures.
8. Sub-processors
- The Controller grants general consent for the Processor to engage sub-processors listed in Annex 2.
- The Processor will notify the Controller of planned additions or replacements of sub-processors with [14/30] days prior notice.
- The Controller may raise a reasoned objection within [14] days.
- The Processor will ensure that equivalent obligations are imposed on each sub-processor.
9. International Transfers
- Where processing involves transfers outside the EEA, the Processor shall ensure an appropriate transfer mechanism under Chapter V GDPR (adequacy decision, SCCs or other permitted mechanism) is in place.
- As of the date of this agreement, transfers may involve in particular: Twilio (telephony / recording), AssemblyAI (transcription), OpenAI (AI / LLM analysis), Resend (transactional email).
10. Data Subject Rights, Notifications and Breaches
- The Processor shall assist the Controller in responding to data subject rights requests to the extent technically and organisationally feasible.
- If a data subject contacts the Processor directly, the Processor shall forward the request to the Controller without undue delay, unless law requires otherwise.
- The Processor shall notify the Controller of a confirmed breach without undue delay and no later than [24/48/72] hours after confirming the incident.
11. Audit
- The Controller may conduct, no more than [1] time per year, a compliance audit of the Processor with [14/30] days prior notice.
- Audits should be conducted in documentary or remote form as a first preference.
- On-site audits may be limited to situations justified by high risk, incident or regulatory requirement.
12. Scoring and AI Provisions
If the Controller activates scoring, classification or qualitative assessment features for employees / agents, it acknowledges that:
- it is using a decision-support tool (not an autonomous decision-maker),
- HR decisions should not be based solely on the automated analysis result,
- a human must have a genuine ability to review and contest the assessment,
- DPIA and additional information and employment obligations may apply.
The Processor does not warrant that AI analysis results are free from errors, biases or inaccuracies, and bears no liability for their use as the sole basis for decisions affecting individuals.
Annex 2 — Sub-processor List
Full sub-processor register available at sub-processors.
| Vendor | Role | Location | Data scope | Transfer mechanism |
|---|---|---|---|---|
| Twilio | sub-processor | USA / global | phone numbers, metadata, recordings | [DPF/SCC/other] |
| AssemblyAI | sub-processor | USA | audio, content fragments | [DPF/SCC/other] |
| OpenAI | sub-processor | USA | transcripts, prompts, outputs | [DPF/SCC/other] |
| Hetzner | sub-processor | DE / EU | storage, DB | n/a (EEA) |
| Resend | conditional sub-processor | USA | email addresses, message content | [SCC/other] |
Contact
For DPA and data compliance inquiries, please contact:
hello@awesomeworks.ai