CallMissed
Back to home

Data Processing Agreement

Data Processing Addendum (DPA) for enterprise customers.

Last updated: May 26, 2026

This Data Processing Addendum ("DPA") forms part of the CallMissed Terms of Service between CallMissed Technologies Pvt. Ltd. ("Processor") and the customer ("Controller"). It applies when CallMissed processes personal data on behalf of the Controller under applicable data protection laws including the EU GDPR and India's Digital Personal Data Protection Act, 2023 (DPDPA).

Note: This web version is provided for transparency. Enterprise customers may request a countersigned PDF via legal@callmissed.com.

1. Definitions

  • Personal Data — Any information relating to an identified or identifiable natural person processed via CallMissed services.
  • Processing — Any operation performed on Personal Data, including collection, storage, transmission, and deletion.
  • Sub-processor — A third party engaged by CallMissed to process Personal Data.

2. Scope and roles

The Controller determines the purposes and means of processing customer end-user data. CallMissed processes such data only on documented instructions from the Controller, as configured in the dashboard, API, or a signed order form.

3. Sub-processors

CallMissed uses the following categories of sub-processors to deliver the service:

  • Amazon Web Services (AWS) — Cloud infrastructure and database (ap-south-1, Mumbai)
  • Cloudflare — CDN, DNS, and edge security for web properties
  • Meta Platforms — WhatsApp Business Cloud API message delivery
  • Sarvam AI — Indic speech and language model inference
  • Clarifai / OpenRouter — LLM routing for supported model families
  • Cashfree — Payment processing (PCI-DSS)
  • Brevo — Transactional email delivery
  • LiveKit — Real-time voice WebRTC infrastructure (self-hosted on AWS)

We will notify Controllers of material sub-processor changes via email or dashboard notice at least 30 days in advance. Controllers may object on reasonable grounds relating to data protection.

4. Security measures

CallMissed implements technical and organizational measures described in our Security and Trust Center pages, including encryption in transit (TLS 1.3), encryption at rest (AES-256), access controls, tenant isolation, and regular backups.

5. Data subject rights

CallMissed will assist the Controller in responding to data subject requests (access, correction, deletion, portability) where technically feasible, via API and dashboard tools or manual support within 30 days.

6. Breach notification

CallMissed will notify the Controller without undue delay (and within 72 hours where required by law) after becoming aware of a personal data breach affecting Controller data.

7. International transfers

Primary processing occurs in India (AWS ap-south-1). Where data is transferred internationally for AI inference or messaging delivery, CallMissed applies appropriate safeguards including standard contractual clauses and vendor DPAs.

8. Termination and data return

Upon termination, CallMissed will delete or return Personal Data within 30 days unless retention is required by law. See Account Deletion for self-service deletion steps.

9. Contact

Data protection inquiries: privacy@callmissed.com
Legal / DPA countersignature: legal@callmissed.com