CostCare AI

Data Processing Addendum template

Legal entity: CostCare AI Limited • Address: 2301, 23/F BAYFIELD BLDG 99
HENNESSY RD WAN CHAI
HONG KONG

Contact: support@costcare.ai • Privacy: privacy@costcare.ai

1. Definitions

Terms such as “personal data”, “processing”, “controller”, and “processor” have the meanings given in the GDPR (and equivalent laws). “Customer Content” means the data Controller provides to the Service or that is collected via Controller’s configured integrations.

2. Subject matter, nature, and purpose

• Subject matter: processing of Customer Content to provide the Service.
• Nature of processing: hosting, storing, transmitting, organizing, analyzing, and generating AI-assisted communications as configured by Controller.
• Purpose: enable CRM messaging, call handling, automation, reporting, and support.
• Duration: for the term of the Services, plus deletion/return period.

3. Categories of data subjects and personal data

• Data subjects: Controller’s end-customers, prospects, contacts, and users.
• Personal data: identifiers (names, usernames, phone numbers), message content, call recordings/transcripts (if enabled), CRM notes and related metadata.
• Special categories: not intended. Controller should avoid providing special categories unless strictly necessary and lawful.

4. Controller obligations

• Controller is responsible for providing required notices and obtaining consents (including for WhatsApp/messaging and call recording), and for having a lawful basis for processing.
• Controller will not instruct Processor to process data in violation of applicable law.

5. Processor obligations

• Process personal data only on documented instructions from Controller (including configurations in the Service), unless required by law.
• Ensure personnel are bound by confidentiality.
• Implement appropriate technical and organizational measures to protect data.
• Assist Controller with data subject requests and compliance obligations, taking into account the nature of processing.

6. Security measures

Processor uses measures such as encryption in transit (TLS), access controls, logging, and secure infrastructure practices. More detail may be provided on request and may evolve over time.

7. Subprocessors

Controller authorizes Processor to use subprocessors to provide the Service, including categories such as:

• Cloud infrastructure (e.g., AWS, DigitalOcean)
• Database (e.g., MongoDB Atlas)
• Telephony/voice (e.g., Twilio; LiveKit)
• AI providers (e.g., OpenAI, Anthropic, Google/Gemini, ElevenLabs or similar)
• Messaging platforms (Meta: Instagram, WhatsApp Business Platform)

Processor will ensure subprocessors are bound by data protection obligations no less protective than this DPA. Processor will provide an updated subprocessor list upon request via privacy@costcare.ai.

8. International transfers

Processor hosts primary infrastructure in the EU (Frankfurt, Germany). If personal data is transferred outside the EEA/UK/Switzerland, Processor will use appropriate safeguards (e.g., Standard Contractual Clauses) where required.

9. Personal data breach

Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Customer Content and will provide information reasonably required for Controller’s notifications.

10. Deletion or return

Upon termination, Processor will delete or return Customer Content as instructed by Controller. Unless otherwise agreed, Processor will delete Customer Content within a reasonable period (typically within 90 days), subject to backup retention and legal obligations.

11. Audits

Upon reasonable written request, Processor will provide information necessary to demonstrate compliance and will allow audits under reasonable confidentiality and security conditions.

12. Liability

Liability under this DPA is subject to the limitations set out in the main Terms/Agreement, except to the extent prohibited by applicable law.