RealSalesOS


Data Processing Agreement

Last updated: 2026-05-07

This Data Processing Agreement ("DPA") supplements the Terms of Service and Privacy Policy between RealSalesOS ("Processor") and the customer ("Controller"). It applies whenever RealSalesOS processes personal data on behalf of the Controller in connection with the Service.

1. Roles

The Controller determines the purposes and means of processing personal data. RealSalesOS acts as the Processor, processing data only on the Controller's documented instructions, including those reflected in our standard configuration of the Service.

2. Subprocessors

The current authorized subprocessors are:

  • Retell AI — voice agent orchestration (US)
  • Twilio — telephony, SMS (US)
  • Cal.com — appointment scheduling (US)
  • Cloudflare — edge networking, DDoS protection (global)
  • Major US cloud provider — application hosting and storage (US-East/West regions)

We will give Controllers 30 days' notice before adding or replacing a subprocessor that processes personal data. Notices are sent to the billing email on file.

3. Data residency

Customer call recordings, transcripts, and account data are stored in US-based data centers. We do not transfer this data outside the United States in the ordinary course of operations. EU/UK Controllers may request Standard Contractual Clauses (SCCs) for any cross-border transfers.

4. Security measures

We maintain a written information security program including: encryption in transit and at rest, role-based access controls, audit logging, vulnerability scanning, annual penetration testing, background checks for employees with production access, and a documented incident response plan.

5. Breach notification

We will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Controller data. Notifications include the nature of the incident, categories of data and approximate number of records affected, likely consequences, and mitigation measures.

6. Customer rights & data subject requests

We will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection) within a reasonable time. Tools for self-service export and deletion are available in the customer dashboard.

7. Audits

On reasonable written notice and no more than once per year, the Controller (or a mutually agreed third-party auditor under NDA) may audit our compliance with this DPA. We will provide our most recent security questionnaire (e.g., SOC2-aligned controls summary) on request to satisfy most audit needs.

8. Termination

On termination of the Service, we will delete or return Controller personal data within 30 days, except where retention is required by law. Backups containing Controller data are purged on the regular backup rotation schedule (no longer than 90 days).

9. Contact

Need a signed copy or have a security question? security@realsalesos.com
