Effective Date: May 14, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other written agreement between Customer and AnswerKit.
This DPA applies when AnswerKit processes Personal Information on behalf of Customer in connection with the Service.
“Customer Personal Data” means Personal Information processed by AnswerKit on behalf of Customer.
“Controller,” “Processor,” “Business,” “Service Provider,” “Personal Data,” “Personal Information,” “Process,” “Processing,” “Sell,” and “Share” have the meanings given under applicable privacy laws.
“Privacy Laws” means privacy and data protection laws that apply to the parties’ processing of Customer Personal Data, which may include U.S. state privacy laws, GDPR, UK GDPR, and similar laws, as applicable.
“Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by AnswerKit.
Customer is the controller, business, or similar party for Customer Personal Data. AnswerKit is the processor, service provider, or similar party processing Customer Personal Data on Customer’s behalf.
For Account, billing, website, support, security, and internal business operations data, AnswerKit may act as an independent controller or business as described in the Privacy Policy.
Customer instructs AnswerKit to process Customer Personal Data to:
AnswerKit will process Customer Personal Data only according to Customer’s documented instructions unless required by law.
Customer is responsible for:
AnswerKit will:
AnswerKit will ensure that personnel who process Customer Personal Data are subject to confidentiality obligations or professional obligations of confidentiality.
AnswerKit will maintain commercially reasonable administrative, technical, and organizational safeguards designed to protect Customer Personal Data. These safeguards include encryption in transit, limited administrative access controls, production access limited to authorized personnel, logging or monitoring, backups, an incident response process, and review of core Subprocessors.
No security measure is perfect, and AnswerKit does not guarantee absolute security. AnswerKit does not claim SOC 2, HIPAA, PCI, or other certification status unless expressly stated in a separate written statement from AnswerKit.
Customer provides general authorization for AnswerKit to use Subprocessors to provide the Service.
AnswerKit’s Public Subprocessor List identifies current Subprocessors. AnswerKit will require Subprocessors to protect Customer Personal Data under obligations materially similar to this DPA where applicable to their processing.
AnswerKit will provide at least 15 days’ notice of material new Subprocessors where practical by updating the Public Subprocessor List or emailing Account contacts.
Customer may object to a new Subprocessor by contacting answerkit@pm.me with a reasonable, good-faith privacy or security basis for the objection.
AnswerKit will notify Customer without undue delay after confirming a Security Incident involving Customer Personal Data. Where feasible, AnswerKit will provide notice within 72 hours after confirmation of a Security Incident.
The notice will include available information reasonably needed for Customer to assess the incident, subject to law, security needs, and ongoing investigation.
A notice is not an admission of fault or liability.
Taking into account the nature of processing and information available to AnswerKit, AnswerKit will reasonably assist Customer in responding to requests from individuals to exercise privacy rights.
If AnswerKit receives a request directly relating to Customer Personal Data, AnswerKit may direct the requester to Customer or notify Customer, unless prohibited by law.
Upon termination or Customer’s written request, AnswerKit will delete or return Customer Personal Data within 60 days, unless retention is required or permitted for legal, security, billing, tax, backup, fraud-prevention, dispute, or compliance purposes.
Backup copies may persist for up to 90 days according to backup cycles and will be protected from active processing except for restoration, security, or legal needs.
Upon reasonable written request, AnswerKit will provide information reasonably necessary to demonstrate compliance with this DPA.
For the self-service small-business baseline, AnswerKit may provide reasonable security documentation, written summaries, and security questionnaires no more than once per year, unless required by law or following a Security Incident. No onsite, intrusive, production-system, or source-code audits are permitted unless agreed in writing.
Customer will not receive access to systems, logs, source code, third-party confidential information, or information that would compromise security or other customers.
AnswerKit is intended for U.S. customers at launch, and the Service is hosted primarily in the United States. Customer Personal Data may be processed in the United States and other countries where AnswerKit and its Subprocessors operate according to their services, configurations, and published policies.
AnswerKit does not currently offer GDPR or UK GDPR transfer mechanisms for EEA or UK customers. Use by EEA or UK customers, or use involving EEA or UK Personal Data, may require additional terms, configurations, or transfer mechanisms before the Service is used for that data.
AnswerKit may process deidentified or aggregated data for analytics, security, operations, and product improvement, provided it does not identify Customer, Callers, or individuals.
AnswerKit will not attempt to reidentify deidentified data except to test whether deidentification measures are effective or as permitted by law.
If this DPA conflicts with the Terms, this DPA controls only for processing of Customer Personal Data on behalf of Customer. The Terms control for all other matters.

| Item | Description |
|---|---|
| Subject matter | AI phone receptionist SaaS for inbound business calls |
| Duration | Term of Customer’s Account or Order, plus the retention period described in the Privacy Policy and this DPA |
| Nature of processing | Receiving, transmitting, hosting, storing, analyzing, transcribing, summarizing, routing, transferring, securing, debugging, and deleting Customer Personal Data |
| Purpose | Providing, operating, securing, supporting, and improving the Service |
| Categories of data subjects | Customer personnel, authorized users, Callers, prospective customers, customers, vendors, and other individuals who call Customer numbers handled by the Service |
| Categories of Customer Personal Data | Names, phone numbers, call metadata, business contact information, live call audio streams, transcripts, summaries, messages, call notes, routing information, Account data, support communications, technical logs |
| Sensitive data | Not intended unless expressly approved in writing. Callers may voluntarily disclose sensitive information during calls. Customer must configure the Service to avoid collecting prohibited sensitive data where required. |
| Processing frequency | Continuous or as initiated by Customer and Callers |
| Retention | Call metadata and call logs: 12 months. Transcripts and summaries: while the Account is active; after account deletion, deleted or anonymized within 60 days subject to standard exceptions. Usage logs: 12 months. Security logs: 24 months. Backup copies: up to 90 days. |
| Customer instructions | Agreement, Order, Customer configuration, support requests, and written instructions |

The current Public Subprocessor List is incorporated by reference.
AnswerKit maintains commercially reasonable administrative, technical, and organizational safeguards designed to protect Customer Personal Data, including:
These measures may change as the Service evolves, provided AnswerKit continues to maintain commercially reasonable safeguards appropriate to the nature of the Service.