Data Processing Addendum
Last Updated: 10 July 2026
This document is provided for transparency and does not constitute legal advice. It is a general description of our practices and may be updated. If you have questions, contact legal@tsunamiautomation.com. A Spanish-language version of this Addendum is available on request.
This Data Processing Addendum ("DPA") describes how Tsunami Automation Global LLC ("Tsunami Automation", "we", "us", or "our") processes personal information about a Customer's inbound callers ("Caller Data") when the Customer uses the Recepcionista AI 24/7 service and related products. For Caller Data, Tsunami Automation acts as a service providerunder the California Consumer Privacy Act ("CCPA") and as a processorunder the Texas Data Privacy and Security Act ("TDPSA", Tex. Bus. & Com. Code § 541.104), acting on the Customer's behalf and on its documented instructions.
This DPA supplements and is incorporated into the Terms of Serviceor other written agreement between the Customer and Tsunami Automation (the "Agreement"). This page is a readable description of the terms; a Customer may request a countersigned copy as described in Section 14.
1. Definitions & Roles
Capitalized privacy terms (for example, "personal information", "business", "service provider", "controller", "processor", "sell", and "share") have the meanings given under applicable data protection law, including the CCPA and the TDPSA.
- Customer is the business that uses the service. For Caller Data, the Customer is the business / controller that determines the purposes and means of processing.
- Tsunami Automation is the service provider / processorthat processes Caller Data only on the Customer's behalf and on its documented instructions.
- Caller Datais personal information about the Customer's inbound callers that our service captures to operate, such as name, phone number, reason for calling, call audio recording, and transcript.
- Subprocessor is a third party we engage to process Caller Data on our behalf.
2. Details of the Processing (Annex)
The following describes the subject matter, duration, nature, purpose, and scope of the processing of Caller Data.
- Subject matter: operation of an AI voice receptionist and related messaging and scheduling for the Customer.
- Duration: for the term of the Agreement, plus the retention and deletion periods described in the Privacy Policy and Section 10.
- Nature and purpose: answering, recording, and transcribing inbound calls; understanding the caller; booking appointments; sending confirmations and notices; logging calls; and routing urgent matters, all to deliver the service to the Customer.
| Category of data subject | Types of personal data |
|---|---|
| Inbound callers to the Customer's phone line | Name; phone number; reason for calling; call audio recording; transcript; appointment and scheduling details; and other information the caller provides during the call. |
| Customer's authorized users (where captured on a call) | Name; business contact details; and call handling or routing preferences. |
We record and transcribe calls; we do not create voiceprints to identify callers. See the Call Recording & Consent Notice.
3. Processing Only on Documented Instructions
We process Caller Data only for the specific business purposes set out in this DPA and the Agreement, and only on the Customer's documented instructions, including the Agreement, the service configuration, and any written directions the Customer gives. These business purposes are described specifically and are not stated in generic terms.
We will inform the Customer if, in our reasonable opinion, an instruction violates applicable data protection law, unless the law prohibits us from doing so.
4. Confidentiality
We ensure that personnel authorized to process Caller Data are bound by a duty of confidentiality and process Caller Data only as needed to perform the service. We limit access to Caller Data to personnel and subprocessors who need it to deliver the service.
5. Security Measures
We implement and maintain reasonable and appropriate technical and organizational measures designed to protect Caller Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. Depending on the service, these include:
- Encryption of data in transit and at rest;
- Role-based access controls and the principle of least privilege;
- Audit logging and monitoring;
- Scheduled deletion aligned with the retention periods we disclose;
- Suppression or pause of recording during payment-card entry so card verification values are never recorded or stored.
6. Subprocessors
The Customer authorizes us to engage subprocessors to process Caller Data in connection with the service. Our current subprocessors are listed on our Subprocessors page, which is incorporated into this DPA by reference.
We will give the Customer at least thirty (30) days' advance notice before adding or replacing a subprocessor that processes Caller Data. The Customer may object to a new subprocessor on reasonable, data-protection-related grounds within that notice period; if the parties cannot resolve the objection, the Customer may terminate the affected service as its remedy.
We enter into a written contract with each subprocessor that imposes data protection obligations substantially the sameas those in this DPA, and we remain responsible for each subprocessor's performance of those obligations.
7. Data-Subject & Consumer Request Assistance
Taking into account the nature of the processing, we provide reasonable assistance to help the Customer respond to verifiable requests from individuals to exercise their rights (for example, to access, correct, or delete their personal information). If we receive such a request directly from a caller regarding Caller Data, we will not respond except to acknowledge and refer the individual to the Customer, unless the Customer or applicable law directs otherwise.
8. Breach Notification
We will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Caller Data. The notice will describe, to the extent known, the nature of the incident, the likely consequences, and the measures taken or proposed to address it, and we will provide reasonable cooperation to help the Customer meet its own notification obligations.
9. Audit & Demonstrating Compliance
We make available to the Customer information reasonably necessary to demonstrate our compliance with this DPA, and we allow for and cooperate with reasonable assessments and audits of our processing of Caller Data. Audits are conducted on reasonable prior written notice, no more than once every twelve (12) months (except where required by a regulator or following a confirmed incident), during business hours, and subject to confidentiality and to not unreasonably disrupting our operations. We may satisfy an audit request by providing relevant third-party reports or certifications where available.
10. Deletion or Return on Termination
At the Customer's choice, on termination or expiry of the service we delete or return Caller Data, and delete existing copies, unless applicable law requires us to retain it. Deletion follows the retention schedule described in our Privacy Policy, subject to any legal hold.
11. CCPA Service-Provider Terms
With respect to personal information that is subject to the CCPA, Tsunami Automation, as a service provider, agrees that it will:
- Not sell or share the personal information;
- Process the personal information only for the specific business purposes set out in this DPA and the Agreement, which are not described in generic terms;
- Not retain, use, or disclose the personal information for any purpose other than those business purposes, including retaining, using, or disclosing it for a commercial purpose other than providing the service;
- Not use the personal information outside the direct business relationship with the Customer;
- Not combine the personal information with personal information received from, or on behalf of, another person, or collected from its own interactions, except as permitted by the CCPA;
- Comply with the applicable obligations under the CCPA and provide the same level of privacy protection as required of businesses by the CCPA;
- Grant the Customer the right to take reasonable and appropriate steps to help ensure that we use the personal information consistent with the Customer's obligations under the CCPA, including through monitoring and audit rights (see Section 9);
- Notify the Customer if we determine that we can no longer meet our obligations under the CCPA;
- Grant the Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of the personal information; and
- Flow down these restrictions, and require the same level of privacy protection, to any subprocessor we engage.
We also provide reasonable assistance so the Customer can comply with consumer requests under the CCPA, as described in Section 7.
12. Texas TDPSA Processor Duties
With respect to personal data subject to the Texas Data Privacy and Security Act, this DPA sets forth the processing instructions, the nature and purpose of the processing, the type of data processed, the duration of the processing, and the rights and obligations of both parties. As a processor, Tsunami Automation will:
- Ensure that each person processing the personal data is subject to a duty of confidentiality;
- At the Customer's direction, delete or return all personal data to the Customer at the end of the provision of services, unless retention is required by law;
- Make available to the Customer, on reasonable request, information necessary to demonstrate our compliance with our obligations;
- Allow for, and cooperate with, reasonable assessments and audits by the Customer or its designated assessor, or arrange an independent assessment where appropriate;
- Engage any subcontractor only under a written contract that requires the subcontractor to meet the same obligations that apply to us with respect to the personal data; and
- Follow the Customer's instructions and, taking into account the nature of the processing, assist the Customer in meeting its obligations, including responding to consumer rights requests, maintaining appropriate security, and conducting data protection assessments.
13. Order of Precedence
This DPA forms part of the Agreement. In the event of a conflict between this DPA and the rest of the Agreement regarding the processing of Caller Data, this DPA controls. With respect to personal information subject to the CCPA, the CCPA service-provider terms in Section 11 control; with respect to personal data subject to the TDPSA, the processor duties in Section 12 control. In all other respects, the Agreement remains in full force and effect.
14. How to Execute This DPA
A Customer does not need to take any separate action for these terms to apply: this DPA is incorporated into the Agreement and applies automatically when the Customer uses the service to process Caller Data.
A Customer that requires a countersigned copy (for example, for its own compliance records or a vendor-management process) may request one by contacting us at legal@tsunamiautomation.com. We can also accommodate reasonable, customer-specific data processing terms on request.
Tsunami Automation Global LLC
Legal & privacy notices: legal@tsunamiautomation.com · privacy@tsunamiautomation.com
Phone: (844) 953-3545
Registered mailing address: 5900 Balcones Drive STE 100, Austin, TX 78731, United States.
Related: Privacy Policy · Subprocessors · Terms of Service