Data Processing Addendum

VoiceLayer is operated by Hastkari LLC. · Effective June 7, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer”) and Hastkari LLC and applies where we process personal data contained in Customer Data on your behalf. It reflects the requirements of the GDPR, UK GDPR, the CCPA, the Texas Data Privacy and Security Act, and similar laws (“Data Protection Laws”).

1. Roles of the parties

  • For Customer Data (call audio, recordings, transcripts, captured fields, and call metadata), Customer is the controller (or a processor acting for a third-party controller) and VoiceLayer is the processor (or sub-processor).
  • For our own website, account, billing, and marketing data, we act as an independent controller under our Privacy Policy.
  • Under U.S. state laws, VoiceLayer is a “service provider” / “processor” and will not sell or share Customer Data, retain, use, or disclose it except to provide the Services or as permitted by law, or combine it with data from other sources except as permitted.

2. Processing on documented instructions

We will process Customer Data only on Customer’s documented instructions — including as set out in the Terms, the Services’ configuration and features, and the Customer’s use of them — and as required by law (in which case we will inform Customer unless prohibited). We will ensure personnel authorized to process Customer Data are bound by confidentiality.

3. Customer responsibilities and consent representation

Customer represents, warrants, and covenants that it has provided all required notices and has obtained and will maintain all rights, consents, and authorizations — including for call recording, transcription, monitoring, and any biometric or voice processing — necessary for VoiceLayer to process Customer Data and to provide the Services lawfully. Customer is responsible for the accuracy and legality of its processing instructions and for its compliance with Data Protection Laws as controller, and with the Telephony & Recording Compliance Addendum.

4. Use limitation and no training

We will not use Customer Data to train or fine-tune our own or any third party’s models, consistent with Section 6.2 of the Terms of Service. Any exception requires Customer’s explicit, written, scope-limited, and revocable opt-in; absent that opt-in, no such use occurs. Where Customer configures a BYOK Provider, that provider processes data under its own policies and is not engaged by us as a sub-processor; Customer is responsible for the terms it accepts with that provider.

5. Security measures

We implement and maintain appropriate technical and organizational measures to protect Customer Data, including encryption in transit, access controls and least-privilege, tenant isolation, logging and monitoring, and secure software-development practices, taking into account the state of the art and the risks of processing.

6. Sub-processors

Customer authorizes VoiceLayer to engage the sub-processors listed on our Sub-processor List to process Customer Data. We impose data-protection obligations on each sub-processor that are no less protective than this DPA and remain responsible for their performance.

  • We will give at least 30 days’ notice before adding or replacing a sub-processor that processes Customer Data.
  • Customer may object on reasonable data-protection grounds within 10 days of notice; if we cannot reasonably accommodate the objection, Customer may terminate the affected Services. Non-objection within the window is deemed acceptance.
  • BYOK Providers and telecommunications carriers are not our sub-processors; they act for Customer or independently. See the carve-out on the Sub-processor List.

7. International data transfers

Customer Data is hosted in the United States. For transfers of personal data from the EEA, UK, or Switzerland, the parties incorporate by reference the European Commission’s Standard Contractual Clauses (Modules Two and Three), the UK International Data Transfer Addendum, and the Swiss amendments, which apply to such transfers and prevail in case of conflict. We will pursue Data Privacy Framework self-certification where applicable.

8. Data-subject requests

Taking into account the nature of the processing, we will assist Customer by appropriate technical and organizational measures, and through the Services’ functionality, to respond to requests from data subjects to exercise their rights. If we receive a request directly from a data subject regarding Customer Data, we will refer them to Customer.

9. Personal-data breach notification

We will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer Data, and will provide information reasonably available to help Customer meet its breach-notification obligations.

10. Return and deletion of Customer Data

  • On termination, Customer may export Customer Data for 30 days.
  • We will delete stored Customer Data within 30 days of termination or a deletion request, and purge it from backups within 60 days, except as required by law.
  • Customer may enable a Zero Data Retention (ZDR) mode in which call audio, transcripts, and Output are not stored at rest, other than voice samples Customer expressly provides for a voice feature.

11. Sensitive and biometric data

Call recordings and voiceprints may constitute sensitive or biometric data. We process such data only on Customer’s instruction and with restricted access. Customer is responsible for the notices and consents required under biometric laws, including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and Washington’s biometric statute. Features that compute biometric identifiers (such as voiceprint-based speaker identification) are available only under our Biometric Data Addendum and are gated on Customer’s compliance; where such features are used, speaker embeddings are computed per-recording and are not retained after the related analysis is delivered.

12. Audits

We will make available information necessary to demonstrate compliance with this DPA, including third-party certifications and reports where available, and will allow for and contribute to audits on reasonable prior notice, subject to confidentiality and not more than once per year absent a regulator requirement or incident.

13. Liability

Each party’s liability under this DPA is subject to the limitations in the Terms of Service, including the security and privacy super-cap. Neither party is liable for regulatory fines levied against the other party, and any regulatory fine counts toward the liability cap of the party against whom it is levied.

Contact

Questions about this document? Reach us at [email protected] or write to Hastkari LLC, [Hastkari LLC — registered address, Texas, USA].