Data Processing Agreement

You determine the purposes and means of processing the personal data your callers provide. Dewul processes that data only to provide the service and only on your documented instructions (which include this DPA, the Terms, and your use of the product configuration).

Answering inbound calls; transcribing and classifying calls; capturing bookings and contact details; generating summaries; and sending you notifications. Processing continues for the term of your subscription.

Data subjects: your callers and the contacts they mention. Personal data: names, phone numbers, email addresses, call audio, transcripts, booking details, and any other information a caller volunteers. You agree not to use Dewul to collect special-category data (health, biometric, etc.) unless you have a lawful basis and have told us in writing.

You authorize Dewul to engage the subprocessors listed at dewul.com/subprocessors. We impose data-protection obligations on each one no less protective than this DPA and remain liable for their performance. We give at least 14 days’ notice before adding a subprocessor that handles personal data; you may object on reasonable grounds.

We maintain technical and organizational measures appropriate to the risk, including encryption in transit (TLS), bcrypt-hashed passwords, a database that is not publicly accessible, least-privilege access, and audit logging. See our security overview.

Personnel authorized to process personal data are bound by confidentiality obligations.

Taking into account the nature of the processing, we assist you in responding to requests from data subjects to exercise their rights (access, rectification, erasure, portability, restriction, objection). You can action most requests yourself in the dashboard; for help, email info@dewul.com.

We notify you without undue delay (and in any case within 72 hours) after becoming aware of a breach affecting your data, with the information you reasonably need to meet your own notification duties.

Dewul and its subprocessors operate in the United States. Where you transfer EU/UK/Swiss personal data to us, the parties rely on the EU Standard Contractual Clauses (and the UK Addendum), which are incorporated by reference; contact us to execute a signed copy.

On termination, we delete or return your personal data within 30 days, except where retention is required by law. Routine retention periods are described in our Privacy Policy.

On reasonable written request (no more than once a year, subject to confidentiality), we provide the information necessary to demonstrate compliance with this DPA.

Accepting the Terms of Service incorporates this DPA. If your organization requires a counter-signed copy, email info@dewul.com and we’ll arrange signature.