Skip to main content
Legal Center

Legal Documents & Policies

Transparency and trust are at the core of everything we do. Review our policies to understand how we protect your data and ensure compliance.

Data Processing Agreement

Last updated: October 24, 2025

This Data Processing Agreement ("DPA") forms part of the agreement between Akol, Inc. ("Processor") and you ("Controller") for the provision of our AI voice services.

1

Definitions

"Data Protection Laws"GDPR, CCPA, and other applicable data protection laws
"Personal Data"Any information relating to an identified or identifiable person
"Processing"Any operation performed on Personal Data
"Sub-processor"Any third party engaged by us to process Personal Data
"Data Subject"The individual to whom Personal Data relates
2

Scope and Roles

Processing Activities

This DPA applies to our processing of Personal Data on your behalf when providing:

AI voice receptionist services
Call recording and transcription
Analytics and reporting
Calendar and CRM integrations

You (Controller)

You determine the purposes and means of processing Personal Data.

We (Processor)

We act on your behalf and according to your instructions.

3

Data Processing Terms

Processing Instructions

We will only process Personal Data:

According to your documented instructions
As necessary to provide the Service
As required by applicable law (with prior notice where permitted)

Categories of Data

The following categories of Personal Data may be processed:

Contact information (names, phone numbers, email addresses)
Call content (voice recordings, transcripts)
Appointment information
Communication preferences
Other data you configure to collect

Data Subjects

Your customers and callersYour employees and representatives
4

Security Measures

Technical Measures

  • Encryption of data at rest (AES-256) and in transit (TLS 1.3)
  • Access control and authentication systems
  • Intrusion detection and prevention
  • Regular vulnerability scanning and penetration testing
  • Secure software development practices
  • Backup and recovery systems

Organizational Measures

  • Employee background checks and training
  • Confidentiality agreements
  • Access on need-to-know basis
  • Documented security policies and procedures
  • Regular security assessments
  • Incident response procedures
5

Sub-Processors

Authorization

You authorize us to engage sub-processors listed at akol.ai/legal/subprocessors. We will notify you of any changes to sub-processors 30 days before engagement.

Sub-processor Obligations

We ensure all sub-processors:

Are bound by written agreements with equivalent data protection obligations
Provide sufficient guarantees of security measures
Are subject to our ongoing monitoring

Objection to Sub-processors

If you object to a new sub-processor on reasonable data protection grounds, we will work with you to find an alternative. If none is available, you may terminate the affected Service.

6

Data Subject Rights

We will assist you in responding to Data Subject requests for:

Access to their Personal Data
Rectification of inaccurate data
Erasure ("right to be forgotten")
Restriction of processing
Data portability
Objection to processing

We will respond to such requests within 10 business days and provide tools in the dashboard for you to manage data subject requests.

7

Data Breach Notification

Notification Timeline

Within 24 hours of discovery

We will notify you of any Personal Data breach without undue delay and within 24 hours of becoming aware of the breach.

Notification Content

Breach notification will include:

Description of the breach
Categories and approximate number of Data Subjects affected
Categories and approximate number of records affected
Likely consequences of the breach
Measures taken or proposed to address the breach

Assistance: We will provide reasonable assistance with your obligations regarding breach notification to supervisory authorities and Data Subjects.

8

International Transfers

Transfer Mechanisms

For transfers outside the EEA, we rely on:

EU-U.S. Data Privacy Framework (where applicable)
Standard Contractual Clauses (2021 version)
Adequacy decisions

Supplementary Measures: We implement additional safeguards including encryption and access controls to protect data during international transfers.

9

Audits

Audit Rights

You may audit our compliance with this DPA, subject to reasonable notice and confidentiality obligations. You may use a qualified third-party auditor.

Audit Reports

We will make available our SOC 2 Type II reports and other relevant audit reports upon request.

10

Data Retention & Deletion

Retention

We retain Personal Data only for as long as necessary to provide the Service and in accordance with your retention settings.

Deletion

Upon termination, we will delete or return all Personal Data within 30 days, except where retention is required by law.

11

CCPA Provisions

For California Personal Information:

We process data only for the business purposes specified
Compliant
We do not sell Personal Information
Compliant
We do not retain, use, or disclose data for other purposes
Compliant
We will notify you if we can no longer meet obligations
Compliant
12

General Provisions

Liability

Each party's liability is subject to the limitations in the main Agreement.

Duration

This DPA remains in effect for the duration of our processing on your behalf.

Conflicts

In conflicts with the main Agreement, this DPA prevails for data protection matters.

13

Contact

For questions about this DPA or to request a signed copy, contact us:

Data Protection Officer

[email protected]