Data Processing Agreements
This Data Processing Agreement (DPA) acts as an addendum, along with its Exhibits and Appendices, to the Subscription Agreements or Terms of Use between Calilio and the customer concerning the purchase of services, including any relevant number purchase, member additions, and the related documents (the “DPA”).
Calilio may process Personal Data on behalf of the Customer in delivering these services under the Agreement. This DPA establishes the understanding between both parties (Calilio and Customer) regarding the effective handling of personal details.
Both parties adhere to this DPA's provisions and act reasonably and in good faith. The DPA governs personal details' collection, use, transfer, and sharing, primarily concerning security and privacy. Calilio is committed to complying with the European General Data Protection Regulation (GDPR) by effectively managing, identifying, safeguarding, and auditing user data.
1. Data Protection Laws
1.1 Compliance with Data Protection Laws
The customer declares that this DPA complies with all the relevant data protection laws to the best of their knowledge. The customer acknowledges that the processing of personal data may be subject to various laws, depending on their usage of Calilio’s services in different jurisdictions. Additionally, the customer is responsible for instantly informing Calilio of any inconsistencies between this DPA and applicable Data Protection Laws.
1.2 EEA Data Protection
Both parties recognize that the GDPR applies to the processing of personal data when conditions are met, which are specified in Article 3 of the GDPR. Moreover, the Federal Act on Data Protection (FADP) applies when the relevant conditions are satisfied. Both must agree to the obligations under these laws, ensuring the processing complies with the respective regulations.
1.3 Australian Data Protection Laws
Both parties comply with Australian Data Protection Laws for any Personal Data collected from or stored within Australia, ensuring data handling that aligns with the standards set by Australian regulatory authorities.
1.4 Federal Trade Commission (FTC) Enforcement
Calilio and the customer agree to follow FTC regulations and guidelines on data protection and consumer privacy for any data collected or processed within the United States. We ensure compliance with:
- FTC regulations for consumer data privacy, ensuring secure data transmission and prompt breach responses.
- Children’s Online Privacy Protection Act (COPPA) to protect the privacy of children under 13 when applicable.
- EU-U.S. Privacy Shield Framework, for accurate, secure cross-border data handling.
- National Do Not Call Registry, avoiding telemarketing to individuals who have opted out.
2. Roles and Responsibilities
2.1 Customer’s Processing of Personal Data
The Customer determines the purposes and means of processing Personal Data under this DPA and instructs Calilio to process it as necessary to provide services. Customer instructions must comply with applicable data protection laws and align with the Agreement.
2.2 Processing of Personal Data
Calilio acts as a processor for customer data and an independent controller for data such as account and usage information required for CRM, security monitoring, and others. Some purposes are:
- Managing strong customer relationships,
- Conducting strong consumer relationships,
- Verifying identities to enhance data security,
- Fulfilling legal data retention obligations,
- Undertaking other lawful data processing activities.
2.3 Purpose Limitation
We only process customer data to provide the agreed-upon services as described in the Agreement and do not use data for any other purpose unless instructed by the Customer.
2.4 Customer’s Liability
The customer is completely responsible for the legality, quality, and accuracy of the Personal Data it provides to Calilio. Where required, the Customer must ensure that data subjects are informed of their rights and consent as per requirements. Plus, the customer must verify that Calilio is authorized to process the data per this DPA.
2.5 Customer Instructions
The customer instructs Calilio to process and handle Personal Data as outlined in the Agreement. If additional instructions are required, a separate written agreement is needed. This applies to tasks like investigating security incidents, addressing spam and fraud, and handling breaches of Calilio’s terms of service.
2.6 Confidentiality
Calilio agrees to maintain strict confidentiality regarding Personal Data and to restrict access to only authorized personnel. All individuals processing Personal Data are subject to binding confidentiality obligations. Calilio also provides reasonable assistance to Customers regarding security and confidentiality as described in this DPA.
3. Data Subject Rights
Calilio will provide reasonable assistance in responding to data subject requests, including the rights to access, rectify, delete, or restrict processing. We agree to notify the customer within 24 hours if we receive any direct request from data subjects regarding their data under GDPR, CCPA, or similar laws.
Here, you have the following rights with respect to personal details:
3.1 Right to Know
Data subjects have the right to understand what data Calilio has collected about them. Calilio supports this right by:
- Providing reports on the types/categories of Personal Data collected and processed.
- Describing the source, whether directly from the data subject, third parties, or the Customer system.
- Identifying the categories of third parties with whom data has been shared or disclosed.
3.2 Right to Access
Customers have the right to access their personal information. At the customer’s request, Calilio provides:
- Access to a copy of the personal data collected and processed, including basic information on how it is being used.
- Details on the purposes for processing and the categories of data used.
- Information about the duration of the data retention or the criteria used to determine that period.
- Explanations to help customers to understand how their data is being used.
3.3 Right to Rectify
We allow customers to correct inaccurate or incomplete personal data. For this, we will:
- Provide mechanisms for the Customers to correct personal data stored within the platform.
- Assist in updating user's details, contact information, or other data fields as requested.
- Ensure all the updates are instantly applied across our system to avoid incorrect information.
3.4 Right to Report
If you think your data rights are compromised, you can report concerns or file complaints with data protection authorities.
3.5 Right to Delete
Customers are entitled to suspend their personal accounts if data is inaccurate. If you believe any collected information is unlawful or poses a risk to your personal identity or reputation, you can instantly delete the call/SMS recordings and history. Calilio also provides a structured process for effectively handling deletion requests.
For account deletion, you must provide a written application and email it to support@calilio.com. The Calilio team will verify the e-mail or application to proceed with the account closure/data deletion. This procedure will be completed successfully within 15 days.
3.6 Regulatory Action
If Calilio receives any complaints, requests, or actions from regulatory authorities regarding Personal Data processed under this agreement, Calilio will:
- Notify the Customer via email to their designated contact, providing relevant details to enable an appropriate response.
- Provide reasonable assistance and support to the customer in handling the regulatory action.
- Avoid responding to the regulatory action unless legally required or with written authorization from the customer.
4. Sub-Processor
The customer understands that Calilio may work with subprocessors to assist in providing its services. A full list of the current subprocessors used by Calilio is available here: link. By agreeing to this DPA, the customer consents to Calilio’s use of the subprocessors listed.
4.1 Authorization to Engage Subprocessors
By accepting this Data Processing Agreement (DPA), the customer further authorizes Calilio to add or replace subprocessors on the list as needed. We will promptly inform the customer of any changes regarding sub-processor arrangements.
4.2 Right to Object to Subprocessor Change
The customer can object to Calilio’s choice or replacement of the sub-processor if the objection is submitted in writing and is based on legitimate data protection concerns. If an objection arises, both parties collaborate with genuine intent to find a mutually agreeable alternative. If an acceptable solution cannot be reached after 18 days, the Customer may discontinue the affected Calilio services by providing written notice, which does not impact any fees the customer incurred before Calilio adds or replaces a sub-processor. If the customer does not object before Calilio adds or replaces a sub-processor, the new one will be considered authorized by the customer.
5. International Data Transfer Policies
5.1 Data Processing Location
Calilio confirms that all Personal Data processing under the DPA will occur within Calilio’s primary country of operation and in the specified locations listed in the Sub-Processor section.
Data transfer may extend beyond the European Economic Area (EEA), the UK, and Switzerland to countries where data protection regulations differ. Calilio acknowledges that certain international locations, referred to as “Locations Subject to Appropriate Safeguards”, may not meet European Data Protection Law standards. In these cases, Calilio commits to implementing mandatory measures to ensure full compliance before transferring any personal data.
5.2 EU Standard Contractual Clauses
For personal data transfer from customers governed by EU GDPR or Swiss FADP, Calilio applies the EU Standard Contractual Clauses for Data Transfers to Third Countries. This ensures that the data protection standards remain the same, even if Calilio operates under different regional data protection frameworks.
The applicable modules for transfers under the EU Standard Contractual Clauses include:
- Module One (Controller to Controller): Applicable to customers handling account usage data.
- Module Two (Controller to Processor): This applies when the customer acts as the controller of their content.
- Module Three (Processor to Processor): This applies when the customer processes their content as a processor.
- Module Four (Processor to Controller): Applicable when the customer processes usage data as a processor.
Each relevant Module includes specific clauses to ensure data protection:
- Clause 7 (Docking Clause): Allows additional parties to join the Standard Contractual Clauses (SCCs).
- Clause 9 (Sub-processor Changes): 10-business-day notice for sub-processor changes.
- Clause 11 (Redress): Optional language on data subject redress is excluded.
- Clause 12 (Liability): No cap on liability for data subject rights.
- Clause 17 (Governing Law): Governed by Singaporean Law.
- Clause 18(b): The dispute will be resolved in Singapore courts.
The SCCs include several annexes where detailed information about the data transfer, security measures, and sub-processors is provided:
- Annex I, Part A: Contact information from the data exporter (Customer) and the data importer (Calilio), with Calilio’s contact as legal@calilio.com.
- Annex I, Part B: Details the type of the data subjects involved (employees and users), purposes of the data transfer, and retention periods. It specifies why the data is collected, to whom it pertains, and how long it will be kept.
- Annex I, Part C: Identifies the Singapore Data Protection Commission as the “Competent Supervisory Authority” to oversee Calilio’s compliance.
- Annex II: Describes the measures Calilio employs to protect data, including encryption, access control, voice security, and other regular security audits, as discussed in Section B of the Agreement.
- Annex III: Lists authorized sub-processors (third parties Calilio engages for data processing), as specified in the DPA.
5.3 UK Data Transfer
Here, we will explain how the UK International Data Transfer Addendum applies when personal details are transferred from a Customer subject to the UK GDPR to Calilio, which operates in a region with adequate safeguards but not governed by the UK GDPR.
In accordance with Clause 17 of the information, both the Customer and Calilio have agreed to adjust the format of part 1 as follows:
- Party information in Table 1 of the UK Data Transfer Addendum is considered and is completely based on the details referenced in the Agreement, including Section 5.2 of this DPA.
- For Table 2, the UK International Data Transfer Addendum is attached to the EU Standard Contractual Clauses for Data Transfers as outlined in Section 5.2 of this Data Processing Agreement.
- The information in Table 3 is regarded as complete, as shown by the data referenced in Section 5.2 of this DPA.
- Either the data importer or data exporter may terminate this agreement, as set out in Clause 19, which provides an option for either party to initiate termination.
5.4 Singapore Data Transfer
Calilio will manage the personal data in strict compliance with the Personal Data Protection Act 2012 (PDPA), with high standards of data security and privacy. This commitment involves implementing technical and organizational safeguards as required under Section 11 of the PDPA and closely following the Agreement’s stipulated conditions.
5.5 Australian Data Transfers
Section 5.1 may include locations outside Australia where data protection measures do not meet the requirements of Australian Data Protection Laws. Accordingly, Calilio and its partners are restricted from transferring personal information governed by these laws outside Australia unless they reasonably assure that the recipient complies with a legal framework offering protections comparable to the Australian Privacy Principles.
5.6 US Data Transfers
Calilio is fully committed to adhering to US State Privacy Laws, including key legislation like the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, and Utah Consumer Privacy Act. We prioritize the safeguarding of personal data in every process.
Under the CCPA, Calilio regards “personal information” as defined by the law. Here’s how we ensure compliance:
- Purpose-Limited Data Processing: Calilio processes personal information strictly for business purposes specified within the service agreement. We do not use customer data for any unrelated commercial activities.
- Privacy Standards Maintenance: As a service provider, Calilio upholds the privacy standards mandated by the CCPA, delivering robust protection aligned with regulatory expectations.
- Transparency and Assurance: Our customers can trust that Calilio handles personal information in line with their privacy responsibilities. Should we encounter challenges in maintaining these standards, we promptly inform our customers.
- Unauthorized Use Prevention: We empower customers to safeguard personal information and prevent unauthorized usage. Calilio supports customers with compliance, including efficiently managing consumer requests.
- Sub-processor Compliance: Calilio verifies that any engaged sub-processors adhere to CCPA requirements, maintaining stringent standards throughout our data management ecosystem.
- Data Integration Limits: We do not merge Customer Content with other personal information unless it is essential for permitted business purposes, as outlined by the CCPA.
5.7 Governing Law
Calilio aligns its data practices with all relevant data protection laws and acknowledges that these laws may have mandatory precedence. This Data Processing Addendum (DPA) will be governed and interpreted according to the governing law outlined in the main service agreement. Both parties agree to recognize the jurisdiction specified in the Agreement for any claims or issues arising under this DPA.
5.8 Conflict Resolution
If any inconsistencies arise between the terms of this DPA and the EU Standard Contractual Clauses for Data Transfers to Third Countries, the EU Standard Contractual Clauses will prevail. For any disputes regarding the interpretation, execution, or termination of this DPA, Calilio and its customers commit to good-faith negotiations. Should a settlement not be reached within 30 days of receiving a dispute notification, the matter will be escalated to the appropriate court with jurisdiction, as specified in the Agreement.
6. Notification of Data Breach
If a personal data breach occurs, Calilio will actively support the Customer in meeting their responsibilities under Articles 33 and 34 of the GDPR and Article 24 of the FADP, adapting our assistance to the processing context and available data insights.
Calilio will instantly inform the Customer of any identified Data Breach. If European Data Protection Laws apply, we commit to notifying the Customer within 24 hours of detection. Our team is prepared to provide full cooperation, sharing all pertinent details and support to ensure a transparent response.
The Customer, in turn, agrees to offer Calilio the necessary cooperation and relevant information about the breach, facilitating our compliance with Data Protection Laws and supporting an effective breach response process. This collaboration allows both parties to navigate data breach obligations efficiently and clearly.
7. Updates
This Data Processing Addendum (DPA) remains effective for the duration of the main Agreement. The Customer understands that Calilio may revise this DPA as needed to reflect changes in the main Agreement. Calilio reserves the right to update terms and policies, providing the Customer with notice of such modifications.
Section A: Data Processing Details
Nature and Purpose of Processing
Calilio processes personal data strictly to deliver the services outlined in the Agreement. We do not sell or share customer or end-user data for third-party business interests or compensation. Processing follows the guidelines in this DPA to maintain privacy and security.
Processing Activities
We engage in specific data processing activities to ensure service quality and functionality. All the activities are performed with a focus on data protection and regulatory compliance:
- Data Transfer: Calilio enables data transfer between the Public Switched Telephone Network (PSTN) and Voice over Internet Protocol (VoIP) networks, facilitating seamless communication.
- Data Storage: Personal data is securely stored in Calilio’s backend systems, protected by stringent security protocols.
- Data Processing: Calilio processes data to deliver a customized and user-friendly experience, including personalization and visualization options.
- Data Monitoring: Real-time monitoring of data streams helps Calilio quickly identify and address any issues, ensuring high reliability.
- Statistical Insights: Usage data is analyzed to generate valuable statistics displayed on user dashboards, helping users understand communication patterns.
- User Account Management: Calilio manages user accounts, including phone number assignments, for effective identity management.
- Identity Verification: When necessary, Calilio verifies identities for regulatory compliance by providing phone numbers and ensuring future number availability.
- Call Routing and Quality Assurance: Calilio conducts call routing, monitors call logs, and analyzes them to maintain service quality.
- Issue Resolution: Data from API sources aids in identifying and resolving any system issues, enhancing stability.
- Communication Analysis: Calilio analyzes call content for subscribers with AI features, providing deeper conversation insights.
- Third-party Integrations: Calilio integrates with authorized third-party tools such as Zapier, limiting data sharing to essential processing within the Calilio environment.
Categories of Data Subjects
Calilio processes personal data from several data subject categories, including representatives of customers, end-users, their contacts, communication participants (e.g., callers, recipients), and Calilio employees and agents.
Data Classification
1. Customer Information:
- Contact Details (name, phone number, and email address).
- Identification (distinct ID, company name, and billing details).
- Contract Information (subscription details, order forms, and pricing plans).
2. Contact List:
- Names, phone numbers, contact owners, and profile picture.
3. User Information:
- User Data (unique ID, role, usage history)
- Communication Data (name, contact details, and device information)
4. Call/SMS Content and Metadata:
- Content (recordings, SMS, and voice transcriptions).
- Metadata (call duration, call status, time, date, and participation)
5. Identity Verification Data:
- Personal details, such as address, date of birth, and ID information, in compliance with regulatory requirements.
6. Customer Document Verification:
- Scans of IDs, passports, and proof of business documentation for verification purposes.
Data Retention Duration
Data processing is based on legal, regulatory, and operational needs:
- Data processed on behalf of the customer is retained for the duration of the DPA unless otherwise requested.
- Phone number-related data is kept for 20 days post-termination.
- During termination, all customer-specific data is deleted following the return/deletion period.
Legal Basis for Processing
Processing is necessary for Calilio’s legitimate interests, including secure service provision, fraud prevention, and response to claims against Calilio. Data processing is also essential for enhancing customer experience, improving and refining Calilio’s products, and facilitating efficient service management.
Moreover, the processing is necessary to manage payments and fulfill customer service agreements, aligning with operational and regulatory requirements.
Section B
Security and Compliance
At Calilio, ensuring the security and compliance of our platform is a foundational commitment. We prioritize the protection of your data, constantly enhancing our security measures to stay ahead of potential risks. Your data and VoIP services are housed within secure, state-of-the-art data centers monitored around the clock, so you can trust that your information is safe with us. We adhere to the highest security standards, designed to detect threats and deploy necessary security updates proactively.
Plus, we follow high standards like the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) to keep your data secure. We only store your personal information with your permission, and you can ask us to remove it anytime. We never share your data with anyone else unless the law requires it.
Calilio’s Security Measures
Data Encryption
To prevent unauthorized access and misuse, Calilio encrypts all data transfers, utilizing secure encryption keys accessible only to authorized parties involved. Additionally, Calilio encrypts phone calls, ensuring secure, confidential communication over the network.
Firewall
Calilio has implemented advanced firewalls to monitor and control data traffic across private networks, adding an extra level of security to both inbound and outbound web data. This protection ensures that data moving through our systems is rigorously filtered and secure.
Multi-Factor Authentication (MFA)
To enhance security, Calilio enforces Multi-Factor Authentication, requiring multiple verification steps for account access. MFA significantly reduces the risk of unauthorized access and protects accounts from potential cyber threats.
Anti-Virus Protection
Calilio has strong anti-virus and malware defenses to detect, prevent, and eliminate risks like ransomware, Trojans, and other threats. This layer of protection is essential to maintain a secure environment for our users.
Data Backup and Recovery
Calilio provides reliable backup and recovery options with solid failover protection. User data is backed up across multiple operational zones, ensuring service continuity and data security even in the event of a system failure.
Voice Security
Calilio allows businesses to specify the countries where agents can make calls, limiting access to only the necessary regions. This step strengthens overall security by reducing exposure to potentially risky international regions.
Permissions
Each agent at Calilio is assigned unique credentials, which helps prevent the sharing of login details and minimizes the risk of unauthorized access. Role-based access controls ensure that agents can only access information relevant to their responsibilities.
Audit Rights
Calilio and the Customer agree that the Customer should have the ability to assess Calilio’s compliance with relevant Data Protection Laws and this Addendum, especially where Calilio acts as a data processor. The Customer may request an audit of Calilio’s data processing activities if:
- There are reasonable grounds to suspect a breach of the DPA or applicable law by Calilio.
- A regulatory authority formally requests an audit.
- Applicable law grants the Customer a direct right to audit.
Audits may be conducted by an independent, qualified third-party auditor who is not a competitor of Calilio. Unless Data Protection Laws require more frequent audits, the Customer may conduct an audit once every twelve months.
The Customer is required to provide at least thirty days' notice before any audit unless a shorter period is mandated by law or a relevant data protection authority. Each Party will bear its own costs for audits conducted under this agreement.
Cookie Management
As a user, you can dictate the accessibility and usability of your cookie information on your website visit. You cannot forego or disable deploying essential/strictly necessary cookies, as doing so may result in lagging, flawed functionality.
However, you can customize other cookies to fit your desire, mood, and preferences. As essential/strictly necessary cookies are mandatory for efficient, systematic functioning, you must not disable them. However, you may disable other cookies like functional, performance, and tracking per your need. Disabling/blocking of the cookies can be conveniently accessed via ‘cookie preference’ on the browser/App settings menu. Our websites also allow you to control and manage website cookies when you land on our landing pages. You must remember that cookie blocking/disabling can lead to issues like system malfunction, delayed processing, system hang-up, etc.