Data Processing Agreement
This Data Processing Agreement (this "DPA") is entered into between 2 Acre Studios (d/b/a 2 Acre AI), a Pennsylvania sole proprietorship of Marc Shade ("Provider" or "Processor"), and the customer identified in the Order Form ("Customer" or "Controller"), and forms an integral part of the Master Service Agreement between the parties.
This DPA describes the terms under which Provider, acting as a Processor, processes personal information on behalf of Customer, acting as a Controller, in connection with the Services.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given to them in the Master Service Agreement.
"Personal Information" means information processed by Provider on behalf of Customer in connection with the Services that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular individual.
"Data Subject" means an identified or identifiable natural person whose Personal Information is processed.
"Process" or "Processing" means any operation performed on Personal Information, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, transmission, restriction, deletion, or destruction.
"Subprocessor" means a third party engaged by Provider to Process Personal Information on Provider's behalf.
2. Scope of processing
2.1 Categories of Data Subjects
The Personal Information Processed under this DPA relates to:
- Customer's individual end-customers (callers) who contact Customer's business through the AI receptionist
- Customer's authorized employees and contractors who use the Services on Customer's behalf
- Customer's owners and primary contacts identified in the Order Form
2.2 Categories of Personal Information
- Identifiers: name, telephone number, email address, postal address
- Customer service information: description of service request, urgency level, equipment make/model
- Audio recordings: full audio of inbound calls answered by the AI receptionist
- Transcripts: text transcription of audio recordings
- Communications metadata: call timestamps, durations, outcomes, SMS message metadata
- Booking metadata: appointment dates, times, technician assignments
2.3 Purpose of Processing
Provider Processes Personal Information solely to:
- Deliver the Services described in the Master Service Agreement and SOW
- Respond to Customer's documented written instructions
- Comply with applicable law
Provider will not Process Personal Information for any other purpose without Customer's prior written instruction.
3. Roles and responsibilities
3.1 Customer as Controller
Customer is the Controller of Personal Information. Customer is responsible for:
- Determining the lawful basis for the Processing of Personal Information
- Providing required notices to Data Subjects (e.g., notice that calls are recorded — Provider includes a recording-disclosure announcement at the start of each call to support compliance, but Customer is ultimately responsible)
- Responding to Data Subject rights requests (with Provider's reasonable assistance — see Section 7)
- Ensuring Customer has the right to share Personal Information with Provider for the purposes set forth in this DPA
3.2 Provider as Processor
Provider, acting as Processor:
- Processes Personal Information only on documented instructions from Customer
- Ensures persons authorized to Process Personal Information are bound by confidentiality obligations
- Implements appropriate technical and organizational security measures (Section 5)
- Does not engage Subprocessors except as permitted under Section 4
- Assists Customer with Data Subject rights requests, security incidents, and impact assessments where reasonably required
- Returns or deletes Personal Information at the end of the engagement (Section 8)
- Makes available information necessary to demonstrate compliance and allows for and contributes to reasonable audits (Section 9)
4. Subprocessors
4.1 General authorization
Customer grants Provider general authorization to engage Subprocessors as necessary to deliver the Services, subject to the conditions in this Section 4.
4.2 Current Subprocessors
| Subprocessor | Purpose | Location of Processing |
|---|---|---|
| Vapi Inc. | Telephony orchestration, call routing, audio capture | United States |
| Anthropic, PBC | Conversational AI inference (Claude Haiku 4.5) | United States |
| Deepgram, Inc. | Speech-to-text transcription | United States |
| ElevenLabs, Inc. | Text-to-speech voice synthesis | United States |
| Twilio Inc. | Inbound and outbound telephony, SMS messaging | United States |
| Cloudflare, Inc. | Website hosting, DNS, CDN, edge security, D1 database | United States |
| Stripe, Inc. | Payment processing, subscription billing | United States |
| Resend, Inc. | Transactional email delivery | United States |
4.3 Subprocessor obligations
Provider will impose contractual obligations on each Subprocessor that are no less protective than the obligations in this DPA. Provider remains liable to Customer for the acts and omissions of its Subprocessors with respect to the Processing of Personal Information.
4.4 New Subprocessors
Provider will give Customer at least thirty (30) days' written notice (which may be by email to Customer's primary contact) before adding a new Subprocessor that will Process Personal Information. If Customer reasonably objects on data-protection grounds, Provider will work in good faith to find a mutually acceptable resolution; if no resolution is found, Customer may terminate the affected Services and receive a pro-rated refund of pre-paid recurring Fees.
5. Security measures
Provider implements and maintains the following security measures:
- Encryption in transit: TLS 1.2 or higher for all Personal Information transmitted between Provider, Customer, and Subprocessors
- Encryption at rest: AES-256 encryption for Personal Information stored in Provider's database (Cloudflare D1) and in Subprocessor systems where supported
- Access controls: role-based access; production-system access limited to Provider's personnel with a documented need; multi-factor authentication required for all administrative accounts
- Audit logging: mutating actions on production systems are logged with actor, timestamp, and target identifiers
- Network security: Cloudflare-managed DDoS protection, rate limiting, and IP-level controls; webhook endpoints verified via a shared-secret signature
- Vulnerability management: dependency scanning, monthly review of subprocessor security posture, prompt patching of identified vulnerabilities
- Personnel: all personnel with access to Personal Information are bound by written confidentiality obligations and have completed security awareness training
- Backups: automated daily backups of database state, retained for thirty (30) days
- Incident response: documented incident-response procedure with seventy-two (72) hour external notification commitments
Provider will update its security measures as technology and the threat landscape evolve. Material reductions in safeguards require thirty (30) days' notice to Customer.
6. Personal data breach notification
6.1 Notification to Customer
Provider will notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a confirmed Personal Information breach affecting Customer's Personal Information.
6.2 Contents of notification
The notification will, to the extent known at the time, include:
(a) The nature of the breach, including the categories and approximate number of Data Subjects and records affected
(b) The likely consequences of the breach
(c) The measures taken or proposed by Provider to address the breach and mitigate its adverse effects
(d) A point of contact for further information
Provider will supplement the initial notification with additional information as the investigation progresses.
6.3 Cooperation
Provider will reasonably cooperate with Customer's investigation, mitigation, and required notifications to Data Subjects or regulators.
7. Data subject rights
Provider will, upon Customer's written request and at Customer's reasonable expense, assist Customer in responding to Data Subject rights requests, including requests for access, correction, deletion, restriction, portability, and objection. Provider will not respond directly to Data Subject requests except to direct the Data Subject to Customer; provided that, where Provider is required by law to respond, Provider will notify Customer to the extent legally permitted.
8. Return or deletion of Personal Information
Upon termination of the Master Service Agreement, Provider will, at Customer's election:
(a) Return Personal Information to Customer in a commonly used machine-readable format within thirty (30) days, or
(b) Delete Personal Information from Provider's systems and instruct Subprocessors to do the same within ninety (90) days
Notwithstanding the foregoing, Provider may retain Personal Information to the extent required by law (including tax-record retention requirements) and may retain de-identified information that cannot reasonably be used to identify Customer or Data Subjects.
Audio recordings are deleted ninety (90) days after the date of the underlying call as a default retention setting; transcripts are deleted twelve (12) months after the date of the underlying call. Customer may request shorter retention periods by written request.
9. Audits
9.1 Audit reports
Upon Customer's written request, Provider will provide:
(a) Provider's most recent security policy summary
(b) Subprocessor compliance attestations to the extent Provider is permitted to share them
(c) Provider's incident-response runbook on a redacted basis
9.2 On-site audits
Customer may conduct an on-site audit of Provider's data-protection practices no more than once per calendar year, with at least thirty (30) days' written notice, during normal business hours, at Customer's expense, and subject to Provider's reasonable confidentiality and operational requirements. The auditor must be a mutually acceptable independent third party (not a competitor of Provider).
10. International transfers
The Services are operated entirely in the United States. Provider does not transfer Personal Information outside the United States in connection with the Services. If Customer is located outside the United States, Customer represents that it has the legal basis to transfer Personal Information to the United States for Processing under this DPA.
11. Term and order of precedence
This DPA is effective as of the Effective Date of the Order Form and continues for the term of the Master Service Agreement. Where this DPA conflicts with the Master Service Agreement on the subject of Personal Information processing, this DPA controls.
By electronically accepting an Order Form that references this DPA, Customer acknowledges and agrees to be bound by the terms of this Data Processing Agreement.