Data Processing Addendum
How handlo.ai processes personal data on behalf of its customers under GDPR Article 28.
Handlo AI, Inc. · Last Updated: June 9, 2026 · Effective Date: June 9, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Handlo AI, Inc. ("Handlo" or "Processor") and the customer that accepts Handlo's Terms of Use or another written agreement (the "Agreement") with Handlo (the "Customer" or "Controller"). It applies where Handlo processes Personal Data on behalf of the Customer in connection with the Service and takes effect upon the Customer's acceptance of the Agreement.
In the event of a conflict between this DPA and the main Agreement, this DPA controls with respect to data protection matters.
1. Definitions
- "GDPR" means the EU General Data Protection Regulation 2016/679, and where applicable the UK GDPR as incorporated into UK law and the Swiss Federal Act on Data Protection (FADP).
- "Personal Data" has the meaning given in the GDPR: any information relating to an identified or identifiable natural person.
- "Processing" has the meaning given in the GDPR and includes any operation performed on Personal Data.
- "Data Subject" means the natural person to whom Personal Data relates (e.g., callers, contacts in the CRM).
- "Sub-processor" means any third party engaged by Handlo to process Personal Data on behalf of the Controller.
- "Standard Contractual Clauses (SCCs)" means the clauses adopted by the European Commission for transfers of personal data to third countries (Commission Implementing Decision (EU) 2021/914).
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Role of the Parties
2.1 Roles of the Parties
The Controller determines the purposes and means of processing Personal Data. Handlo processes Personal Data solely on the Controller's behalf and in accordance with the Controller's documented instructions. Where the Customer itself acts as a processor on behalf of its own customers, Handlo acts as a sub-processor, SCC Module 3 applies to that relationship, and the Customer is responsible for having the relevant controller's authorization.
2.2 Nature of Processing
Handlo processes Personal Data to provide the Service, including:
- Receiving and handling inbound phone calls via AI voice agent
- Generating call transcripts, summaries, and lead scores
- Storing caller contact records (CRM)
- Sending notifications (email, WhatsApp, Telegram)
- Providing analytics on call and lead data
- Facilitating integrations with third-party services enabled by the Controller
2.3 Categories of Personal Data
| Category | Examples |
|---|---|
| Contact identifiers | Caller phone number, name, email |
| Call data | Recording, transcript, duration, outcome |
| Voice data | Call audio recordings (not used to create a voiceprint or biometric identifier) |
| AI-generated data | Lead score, summary, follow-up draft |
| Account data | Customer account, business-profile, and team-member data |
| Knowledge-base data | Files, URLs, and FAQ content uploaded by the Controller |
| Integration data | Calendar events and CRM contact/deal data (when enabled) |
| Device/usage data | IP address, browser type |
| Widget data | Pre-call name, phone, email from embedded widget |
The parties do not intend for special-category data to be processed; if the Controller's instructions cause special-category or sensitive data to be processed, the Controller is responsible for any additional safeguards required by law.
2.4 Categories of Data Subjects
- Callers who contact the Controller's AI phone agent
- Contacts stored in the Controller's CRM
- The Controller's team members with Service accounts
- Visitors who interact with the Controller's embedded widget
2.5 Duration
Processing continues for the duration of the Agreement and until all Personal Data is deleted or returned per Section 8.
3. Controller Instructions
3.1 Compliance with Instructions
Handlo shall process Personal Data only on documented instructions from the Controller, including as set out in this DPA and the Agreement. If Handlo is required to process Personal Data under applicable law, it will inform the Controller before processing unless prohibited by law. Handlo will promptly inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection law (though Handlo is not obliged to monitor the legality of the Controller's instructions generally).
3.2 Controller Compliance
The Controller is responsible for ensuring that its instructions to Handlo comply with applicable data protection law, including establishing a legal basis and obtaining any required consents from Data Subjects (including recording consent).
4. Handlo's Obligations
Handlo shall:
(a) Confidentiality: Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
(b) Security: Implement and maintain the technical and organizational measures described in Section 5.
(c) Sub-processors: Only engage Sub-processors in accordance with Section 6.
(d) Data Subject Rights: Assist the Controller in responding to Data Subject requests under Articles 15–22 GDPR (access, rectification, erasure, restriction, portability, objection). Given the nature of the Service, Handlo will provide reasonable technical assistance without undue delay and, where feasible, within 10 business days of a written request.
(e) Compliance Assistance: Taking into account the nature of processing and the information available to Handlo, assist the Controller in ensuring compliance with Articles 32 to 36 GDPR, including security of processing (Art. 32), notification of a Personal Data Breach to the supervisory authority and communication to affected Data Subjects (Arts. 33–34), data protection impact assessments (Art. 35), and prior consultation with supervisory authorities (Art. 36).
(f) Records: Maintain records of processing activities as required by Article 30(2) GDPR.
(g) No Sale: Not sell, rent, or otherwise transfer Personal Data to third parties for their own commercial purposes.
(h) No AI Training: Not use Personal Data (including call recordings or transcripts) to train general-purpose AI models without the Controller's prior written consent.
5. Security Measures
Handlo implements the following technical and organizational security measures, which also serve as Annex II to the SCCs:
| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.2+ for all data in transit |
| Encryption at rest | AES-256 encryption for stored data via Supabase |
| Access controls | Role-based access; least-privilege principle; multi-factor authentication for administrative access |
| Recording access | Signed, time-limited URLs (1-hour expiry) |
| Pseudonymization / minimization | PII one-way-hashed in logs; lead PII pseudonymized on retention expiry; data minimization in analytics |
| Resilience and backup | Managed, geographically resilient infrastructure with regular backups and restore procedures |
| Personnel security | Confidentiality obligations and security awareness for personnel with data access |
| Vulnerability management | Dependency and platform monitoring; security patching; periodic testing of the effectiveness of measures |
| Secure deletion | Deletion of Personal Data and associated storage objects on retention expiry and on erasure requests |
| Monitoring | Error tracking (Sentry), audit logging of administrative and support access |
| Incident response | Personal Data Breach notification process (see Section 9) |
These measures may be updated from time to time. Handlo will not reduce the overall level of security.
6. Sub-processors
6.1 Authorization
The Controller authorizes Handlo to engage the Sub-processors listed in Handlo's Sub-processor Register, which is maintained as a current register of the third parties engaged to process Personal Data on the Controller's behalf (vendor, purpose, data categories, hosting location, and transfer mechanism) and forms Annex III to the SCCs.
6.2 New Sub-processors
Handlo will notify the Controller at least 30 days before adding a new Sub-processor that processes Personal Data. The Controller may object in writing within 14 days. If the parties cannot resolve the objection, the Controller may terminate the Agreement for cause without penalty.
6.3 Sub-processor Obligations
Handlo imposes data protection obligations on Sub-processors that are equivalent to those in this DPA, and remains liable to the Controller for a Sub-processor's performance of those obligations.
7. International Data Transfers
The primary infrastructure used by the Service (database and file storage, background worker, caching, and product analytics) is hosted in the European Union. Where Personal Data is transferred from the EEA, UK, or Switzerland to a country not recognized as providing adequate protection (including the United States), such transfers are made under:
- Standard Contractual Clauses (SCCs): The SCCs are incorporated by reference. Module 2 (Controller-to-Processor) applies to transfers from the Controller to Handlo where the Controller is a controller; Module 3 (Processor-to-Processor) applies to transfers from Handlo to onward Sub-processors and where the Customer is itself a processor. The optional docking clause applies; the governing-law and forum options follow Section 12; and the Annexes below complete the SCCs.
- UK Transfers: The International Data Transfer Addendum issued by the UK Information Commissioner's Office applies to transfers subject to the UK GDPR.
- Swiss Transfers: The SCCs apply as amended by the Swiss Federal Data Protection and Information Commissioner's guidance for transfers subject to the FADP.
By accepting the Agreement, the Controller and Handlo are deemed to have executed the applicable SCCs and the UK Addendum, which are incorporated by reference into this DPA and completed by the Annexes below.
8. Data Return and Deletion
Upon termination of the Agreement, Handlo will:
(a) Make Personal Data available for export in a machine-readable format for 30 days; and
(b) After 30 days, delete or anonymize all Personal Data, including associated storage objects, except where retention is required by applicable law (for example, billing records retained for tax and financial-record purposes) or where Personal Data resides in routine backups, which are purged on their normal rotation cycle.
Upon request, Handlo will provide written confirmation of deletion.
9. Personal Data Breach
Handlo will notify the Controller without undue delay after becoming aware of a Personal Data Breach involving Personal Data, so that the Controller can meet its own obligation to notify the competent supervisory authority within 72 hours under Article 33 GDPR where applicable. The notification will include, to the extent available:
- Nature of the incident and categories of Personal Data involved
- Approximate number of Data Subjects affected
- Likely consequences of the incident
- Measures taken or proposed to address it
Handlo will assist the Controller with its Article 33 and 34 obligations as set out in Section 4(e).
10. Audit Rights
Upon 30 days' written notice and no more than once per year, the Controller may audit Handlo's data processing activities relevant to this DPA. Audits shall be conducted during normal business hours, in a manner that minimizes disruption to Handlo's operations, and at the Controller's expense. Handlo may require the Controller and its auditors to sign a confidentiality agreement before the audit.
In lieu of an on-site audit, Handlo will make available documentation of its security measures (such as a completed security questionnaire or its technical and organizational measures), and will provide a third-party security assessment or SOC 2 report when available.
11. Liability
Each party's liability arising out of or related to this DPA and the SCCs is subject to the limitations and exclusions of liability set out in the Agreement, except to the extent such limitation is not permitted by the SCCs or applicable data protection law.
12. Governing Law
This DPA is governed by the same law as the Agreement (the laws of the State of Delaware), except where the SCCs or mandatory provisions of EU, UK, or Swiss data protection law require otherwise.
13. Order of Precedence
In the event of a conflict: the SCCs control over this DPA; this DPA controls over the main Agreement with respect to data protection matters; and the GDPR and applicable data protection law control over all of the foregoing.
14. Parties and Execution
The parties to this DPA are the Controller (the Customer accepting the Agreement) and the Processor (Handlo AI, Inc., 131 Continental Drive, Suite 305, Newark, DE 19713, USA). The Customer's acceptance of the Agreement constitutes execution of this DPA and the incorporated SCCs and UK Addendum on behalf of the Customer and its authorized affiliates. A counter-signed copy is available on request at legal@handlo.ai.
15. Contact
For data protection inquiries:
Handlo AI, Inc.
Attn: Data Protection
131 Continental Drive, Suite 305
Newark, DE 19713
USA
Email: privacy@handlo.ai
Website: handlo.ai
Annex I — Details of Processing
A. List of Parties. Data exporter: the Controller (the Customer accepting the Agreement), whose contact details are held in its account. Data importer: Handlo AI, Inc., 131 Continental Drive, Suite 305, Newark, DE 19713, USA; contact privacy@handlo.ai.
B. Description of Transfer. The categories of Data Subjects and Personal Data, the nature and purpose of processing, and the duration are as set out in Section 2 above. Personal Data is retained for the periods described in the Privacy Policy and Section 8.
C. Competent Supervisory Authority. The supervisory authority of the EEA member state in which the Controller (or its EU representative) is established; for UK transfers, the UK Information Commissioner's Office; for Swiss transfers, the FDPIC.
Annex II — Technical and Organizational Measures
The technical and organizational security measures are those set out in Section 5 above.
Annex III — List of Sub-processors
The authorized Sub-processors are those listed in the Sub-processor Register, as updated from time to time in accordance with Section 6.