Data Processing Agreement
Data Processing Addendum (DPA) for enterprise customers.
Last updated: June 23, 2026
This Data Processing Addendum ("DPA") forms part of the CallMissed Terms of Service between CallMissed Technologies Pvt. Ltd. ("Processor") and the customer ("Controller"). It applies when CallMissed processes personal data on behalf of the Controller under applicable data protection laws, including India's Digital Personal Data Protection Act, 2023 ("DPDPA") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules").
Note: This web version is provided for transparency. Enterprise customers may request a countersigned PDF and the current sub-processor schedule via karan@callmissed.com.
1. Definitions
- Personal Data — Any information relating to an identified or identifiable natural person processed via CallMissed services.
- Processing — Any operation performed on Personal Data, including collection, storage, transmission, and deletion.
- Sub-processor — A third party engaged by CallMissed to process Personal Data on our instructions.
2. Scope and roles
The Controller determines the purposes and means of processing customer end-user data. CallMissed processes such data only on documented instructions from the Controller, as configured in the dashboard, API, or a signed order form.
For account and billing data relating to the Controller's organisation, CallMissed acts as an independent Data Fiduciary. For end-user data processed through the Controller's bots and integrations, CallMissed acts as a Data Processor.
Controller warranties.The Controller warrants that it has a valid legal basis to collect and share the end-user Personal Data it submits, that it has provided all notices and obtained all consents required under applicable law (including from data principals whose data is processed through the Service), and that its instructions to CallMissed are lawful. CallMissed processes Personal Data only on the Controller's documented instructions and will inform the Controller if, in its opinion, an instruction infringes applicable data protection law.
3. Details of Processing
- Subject matter: Provision of CallMissed's AI communication, messaging, voice, and developer-API services.
- Duration: For the term of the Controller's subscription, plus any legally required retention period.
- Nature and purpose: Hosting, storage, transmission, automated AI processing (LLM, speech-to-text, text-to-speech, embeddings), analytics, and deletion, solely to provide the Service as configured by the Controller.
- Categories of data principals: The Controller's end-customers and contacts, the Controller's authorised users and team members, and any individuals referenced in content the Controller submits.
- Categories of Personal Data: Contact identifiers (name, phone, email), message and conversation content, voice audio and transcripts, uploaded documents and knowledge-base content, usage metadata, and any other Personal Data the Controller chooses to submit.
- Special / sensitive data: The Controller decides whether to submit sensitive data (for example, health or financial information). If it does, it is responsible for ensuring an appropriate lawful basis and safeguards.
4. Data location and cross-border transfers
CallMissed hosts primary production systems on Microsoft Azure data centres in India (Central India region). Customer personal data and service content are ordinarily stored and processed within India unless we notify you otherwise in writing or applicable law requires a different approach.
We store and process customer personal data primarily within India. Certain service-partner categories (for example, some AI inference, search, analytics, and global messaging or identity services) may process limited data outside India. Where this occurs we rely on contractual safeguards with each partner and transfer personal data only to jurisdictions not restricted by the Government of India, consistent with Section 16 of the DPDPA. Enterprise customers may request transfer details and the sub-processor schedule under our Data Processing Agreement.
5. Sub-processors
We engage vetted service partners who process personal data on our instructions and only for specified purposes. We do not publish partner or sub-processor names on public marketing or legal pages; enterprise customers may request the current sub-processor schedule via karan@callmissed.com or our Data Processing Agreement.
We maintain a written sub-processor register available to enterprise Controllers on request, organised by processing category (for example, cloud hosting, AI inference, speech services, messaging platform, payment gateway, email, identity, analytics, and CDN).
All sub-processors are bound by contracts requiring: (a) processing only on our instructions; (b) confidentiality; (c) security safeguards consistent with DPDP Rules Rule 6; (d) assistance with data principal requests; and (e) prompt breach notification.
We will notify Controllers of material sub-processor changes via email or dashboard notice at least 30 days in advance. Controllers may object on reasonable grounds relating to data protection.
6. Security measures
CallMissed implements technical and organizational measures summarised on our Security and Trust Center pages, including encryption in transit and at rest, access controls, tenant isolation, logging, and backups within India. Personnel with access to Personal Data are bound by confidentiality obligations. Detailed control evidence is available to enterprise Controllers on request.
7. Data subject / data principal rights
CallMissed will assist the Controller in responding to data principal requests (access, correction, erasure, grievance) where technically feasible, via API and dashboard tools or manual support within timelines prescribed under applicable law.
8. Breach notification
CallMissed will notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller data. Where required, we will also notify affected data principals and the Data Protection Board of India in accordance with DPDP Rules Rule 7 (including a detailed report within 72 hours where applicable).
9. Termination and data return
Upon termination, CallMissed will delete or return Personal Data within 30 days unless retention is required by law. A deletion confirmation is available to enterprise Controllers on request. See Account Deletion for self-service deletion steps.
10. Audits
Upon reasonable notice and subject to confidentiality, enterprise Controllers may request summaries of our security controls or completed audit reports where available. Onsite audits may be conducted no more than once per year unless required by regulators.
11. Precedence and Contact
For the processing of end-user Personal Data, this DPA prevails over any conflicting term in the Terms of Service. A signed enterprise agreement or order form, where it exists, prevails over this web version.
Privacy inquiries: support@callmissed.com
Legal / DPA countersignature: karan@callmissed.com
Grievance Officer: karan@callmissed.com