Data Processing Agreement
Last updated: 16 May 2026
This Data Processing Agreement ("DPA") forms part of the Retail Commerce OS Terms of Service and applies where we process personal data on your behalf as a data processor under applicable data protection laws (including the DPDP Act 2023 and GDPR where applicable).
1. Definitions
Controller: the Retail Commerce OS customer. Processor: Retail Commerce OS. Personal Data: any information relating to an identified or identifiable natural person.
2. Processing instructions
We process personal data only on your documented instructions, including for service delivery, support, and security purposes.
3. Security
We maintain appropriate technical and organisational measures including: encryption in transit and at rest, access controls, regular security assessments, and incident response procedures.
4. Sub-processors
We use the following categories of sub-processors to deliver our services:
- Cloud hosting & storage — infrastructure and object storage for files and call recordings.
- Payment processors — Stripe / Razorpay for subscription billing.
- Email delivery — transactional and marketing email delivery.
- CDN & edge — static asset delivery and edge caching.
- Telephony providers (optional — only if Calling is configured) — Twilio, Exotel, Knowlarity, or Aircall for routing inbound and outbound voice calls, IVR, and call recording. Only the telephony provider(s) you connect in your workspace settings are engaged. Call metadata (duration, direction, participant phone numbers) and recordings are processed by these providers and stored in your configured S3 bucket.
- AI transcription (optional) — Deepgram for speech-to-text transcription of call recordings, only when configured by you. Transcript data is processed by Deepgram and stored in your workspace.
- AI analysis (optional) — Anthropic (Claude) for call summary, sentiment analysis, and quality scoring derived from transcripts.
We will notify you 30 days before adding new sub-processors that process personal data.
4a. Call recording & voice data
Where you enable the Calling module, call recordings constitute personal data under applicable law. You are the data controller for these recordings. We process them on your instructions to provide transcription, AI analysis, and quality scoring features. Recordings are stored in your workspace's configured S3 bucket and subject to the retention period you configure (default 365 days). You may reduce retention or disable recording at any time in workspace settings.
5. Data subject rights
We will assist you in responding to data subject requests (access, rectification, erasure) within 72 hours of notification.
6. Breach notification
We will notify you of any personal data breach without undue delay, and no later than 72 hours after becoming aware.
7. Return and deletion
Upon termination of your subscription we will, at your choice, return all personal data in machine-readable format or delete it within 30 days, except where retention is required by law.
8. Audits
You may audit our compliance with this DPA once per year, with 30 days' notice. We may satisfy this through our SOC 2 Type II report.
9. Contact
DPO contact: privacy@retailcommerceos.com