title: Data Processing Agreement
description: GDPR Art. 28 Data Processing Agreement between Davinci Tech Solutions and D Line customers.
lastUpdated: 2026-06-05
Data Processing Agreement
Effective Date: June 5, 2026
This Data Processing Agreement ("DPA") is entered into between Davinci Tech Solutions ("Processor," "we," "us," "our") and the customer entity that has accepted the Davinci Tech Solutions Terms of Service ("Controller," "you"). This DPA is incorporated by reference into the Terms of Service and governs the processing of personal data in connection with D Line.
This DPA takes effect automatically when the Controller accepts the Terms of Service. Customers requiring a countersigned version may request one at support@davincitechsolutions.com.
Support Contact: support@davincitechsolutions.com
1. Preamble
Davinci Tech Solutions acts as a Processor within the meaning of the General Data Protection Regulation (EU) 2016/679 ("GDPR") when it processes personal data on behalf of the Controller in the course of providing the D Line Service as defined in the Terms of Service.
The Controller determines the purposes and means of processing of personal data belonging to the Controller's end users, employees, and customers. The Processor processes that data solely on the Controller's documented instructions and for no other purpose.
This DPA reflects the parties' agreement with respect to the terms governing such processing, as required by GDPR Article 28.
2. Definitions
For the purposes of this DPA, the following terms have the meanings assigned to them:
- "Personal Data": Any information relating to an identified or identifiable natural person ("data subject"), as defined in GDPR Art. 4(1).
- "Processing": Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction — as defined in GDPR Art. 4(2).
- "Data Subject": An identified or identifiable natural person whose personal data is processed — GDPR Art. 4(1).
- "Controller": The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data — GDPR Art. 4(7).
- "Processor": A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller — GDPR Art. 4(8).
- "Sub-processor": Any Processor engaged by the Processor to carry out specific processing activities on behalf of the Controller.
- "Supervisory Authority": An independent public authority established under GDPR Art. 51.
- "Service": The D Line VoIP softphone application and associated infrastructure operated by Davinci Tech Solutions, as described in the Terms of Service.
- "Terms of Service" or "ToS": The Davinci Tech Solutions Terms of Service at davincitechsolutions.com/terms, as amended from time to time.
3. Scope and Purpose
3.1 Instructions
The Processor shall process Personal Data only on documented instructions from the Controller. The Controller's acceptance of the Terms of Service and its configuration of the Service (including enablement of modules, user roles, and feature settings) constitutes documented instructions for the purposes of this DPA.
The Processor will promptly inform the Controller if it believes any instruction infringes GDPR or other applicable data protection law, in which case the Processor is entitled to refuse processing until the instruction is clarified.
3.2 Purpose Limitation
The Processor processes Personal Data solely for the purpose of providing the D Line Service as defined in the ToS, including operating VoIP infrastructure, delivering push notifications, generating call records, providing customer support, and maintaining platform security.
The Processor shall not process Personal Data for its own commercial purposes, for profiling data subjects for advertising, or for any purpose not expressly authorized by the Controller.
4. Categories of Data Subjects
Personal Data processed under this DPA may relate to the following categories of data subjects:
- End users of the Controller's D Line deployment (employees, contractors, agents)
- The Controller's customers or contacts when they appear in call records, voicemails, or SMS messages
- Individuals whose contact information is stored in optional CRM or Tasks modules if those modules are enabled by the Controller
5. Categories of Personal Data
The following categories of Personal Data are processed as part of the Service:
5.1 Account and Identity Data
Name, email address, phone number, user role, organization affiliation, and hashed password (bcrypt).
5.2 Telephony Data
Call Detail Records (CDR) including timestamp, duration, calling party, called party, and call status; call recordings (only if the Controller enables recording); voicemail audio and transcription; SMS/MMS message body and media URLs (only if messaging is enabled).
5.3 Device and Technical Data
Device type, operating system version, app version, locale setting, IP address, push notification tokens (APNs/FCM), and SIP session metadata (SDP signaling information for call setup).
5.4 Module-Conditional Data
If the Controller enables optional modules, the following additional data is processed:
- CRM module: Contact names, companies, deal information, and pipeline data entered by the Controller's users.
- Tasks module: Task titles, descriptions, assignees, and project metadata.
- AI module: Text or audio snippets passed to AI inference providers (Anthropic, ElevenLabs) as configured by the Controller.
No module-conditional data is processed unless the Controller explicitly enables the relevant module.
6. Duration
The Processor will process Personal Data for the duration of the Terms of Service. Upon expiry or termination of the ToS, processing will cease except to the extent required by applicable law.
Retention periods for specific data categories are defined in the Privacy Policy at davincitechsolutions.com/privacy and are incorporated into this DPA by reference. Notably, Call Detail Records are retained for a minimum of 18 months and up to 7 years where required by U.S. telecommunications regulations or enterprise contracts.
7. Sub-processors
7.1 Authorized Sub-processors
The Controller authorizes the Processor to engage the following sub-processors to carry out specific processing activities:
| Sub-processor | Country | Purpose |
|---|---|---|
| Twilio Inc. | USA | PSTN voice routing, SMS delivery, DID management, E911 |
| Telnyx LLC | USA | PSTN voice routing, SMS delivery, DID management |
| SignalWire Inc. | USA | PSTN messaging |
| Hetzner Online GmbH | Germany (EU) | Primary database hosting and compute infrastructure |
| Cloudflare R2 (Cloudflare Inc.) | USA / EU | Call recording and media file storage |
| Apple Inc. (APNs) | USA | iOS push notification delivery |
| Google LLC (Firebase Cloud Messaging) | USA | Android and web push notification delivery |
| Stripe Inc. | USA | Payment processing and subscription billing |
| Functional Software Inc. (Sentry) | USA | Crash reporting and error diagnostics |
| Anthropic PBC | USA | AI inference (only when AI module is enabled) |
| ElevenLabs Inc. | USA | Voice synthesis (only when AI voice features are enabled) |
Each sub-processor is bound by data processing terms no less protective than the obligations set out in this DPA.
7.2 Objection to Sub-processors
The Controller may object in writing to the engagement of a new sub-processor by emailing support@davincitechsolutions.com within 14 days of receiving the notice described in section 7.3. If the Processor cannot reasonably accommodate the objection, either party may terminate the ToS on 30 days' written notice without penalty for the Controller.
7.3 New Sub-processors
The Processor will provide at least 30 days' prior written notice (via email or in-app notification) before engaging a new sub-processor that will have access to Personal Data. The current sub-processor list will be maintained at davincitechsolutions.com/dpa.
8. Security Measures
The Processor maintains technical and organizational measures appropriate to the risks of the processing, including:
8.1 Encryption
- In transit: TLS 1.2 or higher for all signaling (SIP, HTTPS API, and web portal)
- Media: SRTP/DTLS-SRTP for real-time audio streams where supported by the endpoint device
- At rest: AES-256 encryption for stored recordings and encrypted database volumes via infrastructure provider
8.2 Access Controls
- Passwords stored using bcrypt hashing with salt; no plaintext passwords stored
- Role-based access control (RBAC) enforcing least-privilege across all system roles
- Multi-factor authentication available for administrative accounts
- Audit logs for privileged operations and data access events
8.3 Operational Security
- Regular third-party security audits
- Intrusion detection and threat monitoring
- Automatic encrypted backups with offsite redundancy
- Vulnerability disclosure program and patch management process
8.4 Breach Notification
In the event of a Personal Data breach as defined in GDPR Art. 4(12), the Processor will:
- Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33.
- Provide, to the extent then known: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
- Assist the Controller in fulfilling any breach notification obligations to supervisory authorities or data subjects.
Notification will be sent to the primary account email address on record.
9. International Transfers
9.1 Standard Contractual Clauses
Where Personal Data is transferred from the European Economic Area (EEA) or the United Kingdom to a country not recognized as providing an adequate level of protection (including the United States), the parties agree that such transfers are subject to the Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914, specifically Module 2 (Controller to Processor), which are incorporated into this DPA by reference.
The Processor will ensure that equivalent SCCs or other appropriate transfer mechanisms are in place with each sub-processor located in a third country.
9.2 UK Addendum
For transfers from the United Kingdom, the International Data Transfer Addendum (UK Addendum) to the EU SCCs, as issued by the UK Information Commissioner's Office under s.119A of the Data Protection Act 2018, applies and is incorporated into this DPA by reference.
9.3 Copies
You may request a copy of the applicable SCCs or UK Addendum by emailing support@davincitechsolutions.com.
10. Data Subject Rights
The Processor will assist the Controller in responding to requests from data subjects exercising their rights under GDPR Chapter III, which include:
- Art. 15 — Right of access
- Art. 16 — Right to rectification
- Art. 17 — Right to erasure ("right to be forgotten")
- Art. 18 — Right to restriction of processing
- Art. 20 — Right to data portability
- Art. 21 — Right to object
Upon receiving a data subject request that is clearly addressed to the Processor rather than the Controller, the Processor will promptly forward it to the Controller. The Processor will provide technical assistance (e.g., data exports, deletion tools) necessary for the Controller to fulfill the request within the GDPR-mandated timeframes.
The Controller remains the primary point of contact for data subjects and is responsible for responding to requests. The Processor will fulfill documented assistance requests within a reasonable time, generally within 15 business days.
11. Audit Rights
11.1 Controller Audit
The Controller has the right to audit the Processor's compliance with this DPA once per 12-month period. The Controller must provide at least 30 days' prior written notice to support@davincitechsolutions.com, specifying the scope of the audit.
Audits will be conducted remotely (document review, questionnaire, or virtual interview) unless the Controller provides reasonable justification for an on-site inspection, in which case parties will agree on timing, scope, and cost allocation in advance.
11.2 Third-Party Audits
In lieu of a direct audit, the Controller may request copies of third-party security audit reports, penetration test summaries, or applicable compliance certifications (e.g., SOC 2, ISO 27001 where obtained) subject to confidentiality obligations.
11.3 Confidentiality
All information shared during an audit is confidential and may only be used to assess compliance with this DPA.
12. Return and Deletion of Personal Data
12.1 On Termination
Upon expiry or termination of the Terms of Service, the Processor will, at the Controller's election:
- Return a machine-readable export of the Controller's Personal Data, or
- Securely delete all copies of Personal Data from active systems
Either option will be completed within 30 days of the termination date.
12.2 Backup Purge
Encrypted backups containing Personal Data will be purged within 180 days of termination, subject to the overwrite schedule of the Processor's backup rotation policy.
12.3 Legal Retention
Where the Processor is required by applicable law to retain certain Personal Data beyond the termination date (for example, CDR retention under FCC regulations), the Processor will inform the Controller in writing, retain only the minimum data required, and delete it as soon as the legal obligation expires.
12.4 Certification
Upon request, the Processor will provide written certification that deletion has been completed.
13. Liability
The liability of each party under this DPA is governed by and subject to the limitation of liability provisions set out in the Terms of Service, including the liability cap and exclusion of consequential damages. Nothing in this DPA is intended to override or extend the liability limitations in the ToS.
Where both parties are at fault for a data protection breach, liability will be apportioned between them in accordance with applicable law.
14. Governing Law
This DPA is governed by the laws of the State of Delaware, USA, without regard to conflict of law provisions, unless a mandatory provision of the GDPR or UK GDPR requires the application of a different law in respect of the SCCs or UK Addendum, in which case that mandatory law applies to that specific provision.
Any dispute arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.
15. Acceptance
By accepting the Davinci Tech Solutions Terms of Service, the Controller agrees to the terms of this DPA. No separate signature is required for the standard form.
Customers who require a countersigned paper or PDF version of this DPA — for example, to satisfy their own procurement or compliance processes — may request one by emailing support@davincitechsolutions.com. We will respond within 5 business days.
Davinci Tech Solutions Email: support@davincitechsolutions.com
Last Updated: June 5, 2026