Legal
Data Processing Addendum
Last updated: May 2026
This Data Processing Addendum (“DPA”) forms part of the Master Service Agreement (“MSA”) or applicable Service Agreement between Magnex AI (“Company” or “Processor”) and the client (“Client” or “Controller”). This DPA governs Company’s processing of personal data on behalf of Client in connection with the services described in the MSA and applicable Statements of Work.
1. Definitions
| Term | Meaning |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person processed by Company on behalf of Client under this DPA |
| Processing | Any operation performed on Personal Data, including collection, recording, storage, use, disclosure, or deletion |
| Controller | The Client, who determines the purposes and means of processing Personal Data |
| Processor | Magnex AI, who processes Personal Data on behalf of and under the instructions of Client |
| Sub-processor | Any third party engaged by Company to assist in processing Personal Data |
| Data Subject | The individual whose Personal Data is being processed |
| Applicable Data Law | All laws and regulations applicable to the processing of Personal Data, including CCPA/CPRA, TCPA, and applicable state privacy laws |
2. Scope and Roles
In providing the services, Company will process Personal Data as a Processor acting on behalf of Client as Controller. Client determines the purposes for which Personal Data is processed. Company will process Personal Data only in accordance with Client’s documented instructions and as necessary to deliver the services described in the MSA and applicable SOWs.
3. Categories of Personal Data Processed
| Category | Examples | Processing Context |
|---|---|---|
| Contact Identifiers | Names, phone numbers, email addresses | Lead capture, follow-up, CRM |
| Call Data | Call recordings, transcripts, call metadata | AI voice agent, QA, summaries |
| SMS Content | Text message content, opt-out status | Automated follow-up sequences |
| Appointment Data | Dates, times, service details | Calendar integrations, booking workflows |
| CRM Records | Lead status, notes, pipeline stage | Lead scoring, CRM updates |
| Business Data | Job details, service descriptions, addresses | Vertical-specific automations |
| Behavioral Data | Lead score, engagement signals | AI lead qualification |
4. Processing Instructions
Company will process Personal Data only on documented instructions from Client, as set out in the MSA, applicable SOWs, and this DPA. If Company is required by applicable law to process Personal Data for other purposes, Company will notify Client to the extent permitted by law.
5. Company Obligations
5.1 Confidentiality. Company will ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.
5.2 Security. Company will implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized access, destruction, loss, alteration, or disclosure. Measures include: encryption of data in transit (TLS) and at rest; access controls and authentication; regular security assessments; and incident response procedures.
5.3 AI Training Restriction. Company will not use Client’s Personal Data, customer data, call recordings, transcripts, CRM records, SMS content, or workflow data to train, fine-tune, or improve public or shared AI models. Company may use limited operational logs to monitor, troubleshoot, secure, and improve its own internal service delivery systems, subject to appropriate safeguards.
5.4 Data Subject Requests. Company will promptly notify Client of any Data Subject requests received that relate to Client’s Personal Data, and will cooperate with Client in fulfilling such requests as required by applicable law. Client is responsible for determining the appropriate response to Data Subject requests.
5.5 Breach Notification. Company will notify Client without undue delay and no later than 72 hours after becoming aware of a confirmed breach affecting Client’s Personal Data. Notification will include a description of the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed to address the breach.
5.6 Audit Rights. Upon reasonable written notice and no more than once per year, Company will provide Client with information reasonably necessary to demonstrate compliance with this DPA. Client may conduct or commission an audit subject to reasonable confidentiality protections and at Client’s cost.
5.7 Deletion. Upon termination of the applicable Service Agreement, Company will securely delete or return Client’s Personal Data within 90 days, unless longer retention is required by applicable law. Company will provide written confirmation of deletion upon request.
6. Sub-processors
Client grants Company general authorization to engage sub-processors to process Personal Data in connection with the services. Company maintains a current list of sub-processor categories used in service delivery, available upon request. Company will impose data protection obligations on sub-processors substantially equivalent to those in this DPA.
Company will notify Client of any material changes to sub-processors (additions or replacements) with at least 14 days’ advance notice. Client may object to a new sub-processor within that period by providing written notice with reasons. If the Parties cannot resolve the objection, Client may terminate the affected SOW without penalty.
Current sub-processor categories include: AI model providers, voice communications platforms, SMS gateways, CRM integration platforms, calendar integration platforms, cloud hosting providers, email delivery services, and security monitoring services.
7. International Data Transfers
All Personal Data processed by Company is processed in the United States. Where Client is subject to GDPR or similar international data transfer restrictions, Company will cooperate with Client to implement appropriate transfer mechanisms (such as Standard Contractual Clauses) as required by applicable law.
8. Client Obligations
Client, as Controller, is responsible for:
- Having a valid legal basis for processing Personal Data provided to Company
- Providing required notices and obtaining required consents from Data Subjects before providing data to Company
- Ensuring the accuracy of Personal Data provided to Company
- Compliance with applicable data protection laws as Controller
- Providing Company with lawful processing instructions
9. Compliance with Communications Laws
Where services include SMS messaging, AI voice calls, or automated outreach:
- Client is responsible for obtaining and documenting all required TCPA, FCC, and applicable state-law consents before any communication is initiated through Company’s systems
- Client will maintain records of consents sufficient to demonstrate compliance
- Client will configure opt-out handling in accordance with applicable law, including honoring revocation requests within legally required timeframes
- Company will support Client in implementing technical opt-out mechanisms within deployed systems but does not verify the legal sufficiency of Client’s consent records
10. Call Recording
Where call recording or transcription is enabled, Client is responsible for: providing legally required disclosure to callers in the applicable jurisdictions; obtaining legally required consents; and ensuring recordings are handled in accordance with applicable wiretapping, privacy, and consumer protection laws. Company will support Client in configuring technically required disclosure mechanisms but is not responsible for the legal sufficiency of Client’s disclosures.
11. Retention Schedule
| Data Type | Default Retention | Notes |
|---|---|---|
| Contact form submissions | 24 months | From date of submission |
| Call recordings | 90 days | Configurable per client in SOW |
| Call transcripts | 90 days | Configurable per client in SOW |
| SMS logs | 90 days | Configurable per client in SOW |
| CRM sync data | Active contract + 90 days | Post-termination export window |
| Lead and pipeline records | Active contract + 90 days | Post-termination export window |
| Owner daily summaries | 90 days | Configurable per client in SOW |
| Legal and compliance records | As required by law | May extend beyond contract term |
12. Liability
Each Party’s liability under this DPA is subject to the limitations set out in the MSA. Nothing in this DPA reduces or limits either Party’s liability to Data Subjects or supervisory authorities under applicable data protection law.
13. Order of Precedence
In the event of any conflict between this DPA and the MSA, this DPA will prevail with respect to data protection matters. In all other matters, the MSA prevails.
14. Termination
This DPA terminates automatically upon termination of the applicable MSA or SOW. Company’s obligations with respect to data deletion, breach notification, and confidentiality survive termination of this DPA.
15. Governing Law
This DPA is governed by and construed in accordance with the laws of the United States, without regard to conflict-of-law principles. Any dispute arising under this DPA shall be subject to the exclusive jurisdiction of the applicable federal courts of the United States, consistent with the MSA.
Questions about this DPA should be sent to hello@magnexai.com.