Legal
Data Processing Addendum
Last updated: May 29, 2026
This Data Processing Addendum ('DPA') supplements the Relay Terms of Service and applies where Relay processes Personal Data on behalf of Customer subject to the GDPR, UK GDPR, or comparable laws.
1. Roles
Customer is the 'controller' of Personal Data submitted to the Service. Relay acts as 'processor' and processes Personal Data only on documented instructions from Customer, which include the Terms and use of the Service.
2. Subject matter and duration
Subject matter: provision of the AI receptionist Service. Duration: the term of the Customer's subscription plus any retention period required to return or delete data.
3. Nature and purpose of processing
Handling inbound calls and messages, scheduling appointments, sending follow-ups, and storing related records.
4. Categories of data subjects and Personal Data
- End callers and message recipients of the Customer.
- Customer's staff members who use the Control Center.
- Data: name, phone number, email, call audio, transcripts, appointment details, and any other information the data subject chooses to provide.
5. Sub-processors
Customer authorizes Relay to use sub-processors including Twilio (telephony/SMS), Stripe (payments), Supabase/hosting providers, and AI model providers. We will give at least 30 days' notice of any new sub-processor and allow Customer to object on reasonable grounds.
6. Security
Relay implements appropriate technical and organizational measures, including encryption in transit and at rest, access controls, logging, employee training, and an incident response process.
7. Personal data breaches
Relay will notify Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting Customer Data, with the information reasonably required to meet Customer's own notification obligations.
8. Data subject requests
Relay will assist Customer in responding to data subject requests, including providing reasonable tools to access, correct, export, or delete Personal Data through the Control Center or upon request.
9. International transfers
Where Personal Data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree to rely on the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK Addendum, incorporated by reference.
10. Audits
Relay will make available information necessary to demonstrate compliance with this DPA and, on reasonable request, allow for audits no more than once per year, subject to confidentiality and reasonable scheduling.
11. Return or deletion
On termination of the Service, Customer may export its data for up to 30 days, after which Relay will delete Customer Data from production systems within a reasonable period, except as required by law.
12. Conflict
In the event of any conflict between this DPA and the Terms, this DPA prevails with respect to processing of Personal Data.
This page is provided for general informational purposes and does not constitute legal advice. Please consult an attorney to tailor these documents to your jurisdiction and business.