Legal

Data Processing Addendum

Version 1.0 · Effective Date: January 1, 2026 · Last Updated: March 27, 2026

This Data Processing Addendum ("DPA") forms part of and is incorporated by reference into the Terms of Service between Fuentes Digital Ventures LLC, a Wyoming limited liability company operating under the commercial brand Callengo ("Callengo," "Processor"), and the Customer identified in the associated Callengo account ("Customer," "Controller"). By accepting the Terms of Service or by using the Callengo Service, Customer agrees to the terms of this DPA.

01 Definitions

For the purposes of this DPA, the following definitions apply in addition to those in the Terms of Service:

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data, including without limitation: the GDPR; the UK GDPR and UK Data Protection Act 2018; the Swiss Federal Act on Data Protection (FADP); the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA); and any other applicable national or state privacy or data protection law.
"Controller" means the party that determines the purposes and means of processing Personal Data. For purposes of this DPA, Customer is the Controller with respect to Contact Data.
"Contact Data" means Personal Data relating to the individuals (Contacts) whose personal data Customer uploads to, imports into, or generates within the Service for use in calling campaigns.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"GDPR" means the General Data Protection Regulation (EU) 2016/679, as implemented and supplemented by applicable national law.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Processor" means the party that processes Personal Data on behalf of the Controller. For purposes of this DPA, Callengo is the Processor with respect to Contact Data.
"Restricted Transfer" means a transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country or territory not recognized as providing an adequate level of protection for Personal Data.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
"Sub-processor" means any third party engaged by Callengo to process Personal Data on behalf of Customer in connection with the Service.

02 Subject Matter, Duration, and Nature of Processing

2.1
Subject Matter. This DPA governs Callengo's processing of Personal Data on behalf of Customer in connection with the provision of the Callengo AI voice automation platform and all associated services (the "Service").
2.2
Duration. This DPA commences on the date Customer accepts the Terms of Service and continues until the termination or expiration of the Terms of Service, subject to the post-termination obligations set out in Section 10.
2.3
Nature of Processing. Callengo processes Contact Data on Customer's behalf for the following purposes:
  • Executing outbound AI Voice Agent calls to Contacts using the phone numbers and call parameters configured by Customer;
  • Recording calls and generating transcripts of conversations between the AI Voice Agent and Contacts;
  • Performing automated AI analysis of call transcripts to extract structured outcomes (including lead qualification results, appointment confirmation status, contact data validation, and sentiment analysis);
  • Synchronizing call outcomes and Contact data updates to Customer-connected third-party CRM and calendar systems, as configured by Customer;
  • Delivering call outcome event data to Customer-configured webhook endpoints;
  • Storing Contact records, call logs, transcripts, and analysis results within Customer's account; and
  • Enabling Customer to export, review, and manage Contact Data through the Application interface.
2.4
Categories of Personal Data. The Personal Data processed under this DPA may include: identification data (full name, company name, job title); contact data (telephone number, email address, postal address); call content (audio recordings, text transcripts, spoken statements and disclosures made during the call); AI-derived data (call outcome classifications, intent scores, sentiment scores, interest level assessments); custom fields configured by Customer; and metadata (call duration, timestamp, status, call attempts, disposition).
2.5
Categories of Data Subjects. The Data Subjects whose Personal Data is processed under this DPA are the individuals (Contacts) whose phone numbers and personal information have been uploaded to or imported into the Service by Customer for use in calling campaigns.
2.6
Processing Instructions. Callengo processes Personal Data only on documented instructions from Customer. Customer's instructions are given through: the configuration of AI Voice Agent scripts, campaign parameters, and contact fields in the Application; the enabling and configuration of integration connections; the configuration of webhook endpoints; and other settings and controls available within the Application interface. This DPA and the Terms of Service constitute Customer's documented processing instructions as of the effective date.

03 Customer Obligations as Controller

3.1
Lawful Basis. Customer represents and warrants that it has established a lawful basis under Applicable Data Protection Law for processing each category of Personal Data it provides to Callengo for processing under this DPA.
3.2
TCPA and Calling Consent. Customer represents and warrants that it has obtained all legally required consents from each Contact prior to initiating any AI Voice Agent call, including without limitation prior express written consent where required under the Telephone Consumer Protection Act or equivalent applicable law.
3.3
Data Subject Notices. Customer is solely responsible for providing all required notices and disclosures to Data Subjects (Contacts) regarding the collection and use of their Personal Data, including any disclosures required by GDPR Articles 13 and 14, CCPA, or equivalent applicable law.
3.4
Accuracy. Customer is responsible for the accuracy, completeness, and lawfulness of the Personal Data it provides to Callengo for processing.
3.5
Data Subject Rights. Customer is responsible for receiving, evaluating, and responding to Data Subject rights requests submitted by Contacts. Callengo will assist Customer in responding to such requests as described in Section 6.

04 Callengo's Obligations as Processor

4.1
Processing Only on Instructions. Callengo shall process Personal Data only on documented instructions from Customer, as described in Section 2.6, unless required to do so by Applicable Data Protection Law. In such a case, Callengo shall inform Customer of that legal requirement before processing, unless the law prohibits such notification.
4.2
Confidentiality. Callengo shall ensure that persons authorized to process Personal Data on behalf of Customer are subject to appropriate confidentiality obligations with respect to such Personal Data.
4.3
Security. Callengo shall implement and maintain the technical and organizational security measures described in Annex II of this DPA, designed to ensure a level of security appropriate to the risk of the processing.
4.4
Sub-processors. Callengo shall engage Sub-processors only in accordance with Section 5 of this DPA and shall impose on Sub-processors the same data protection obligations as those set out in this DPA, by contract or other legal act under Applicable Data Protection Law.
4.5
Data Subject Assistance. Callengo shall assist Customer in fulfilling Customer's obligations to respond to Data Subject rights requests, taking into account the nature of the processing and the information available to Callengo, as described in Section 6.
4.6
Security and Breach Assistance. Callengo shall assist Customer in ensuring compliance with its obligations under Applicable Data Protection Law with respect to security of processing, notification of Personal Data Breaches to supervisory authorities and Data Subjects, data protection impact assessments, and prior consultations with supervisory authorities.
4.7
Deletion or Return. Upon termination or expiration of the Terms of Service, or upon Customer's written request, Callengo shall delete or return all Personal Data processed under this DPA in accordance with Section 10.
4.8
Audit Cooperation. Callengo shall make available to Customer all information necessary to demonstrate compliance with the obligations set out in this DPA, and shall allow for and contribute to audits, subject to the conditions set out in Section 8.

05 Sub-processors

5.1
Authorization. Customer generally authorizes Callengo to engage Sub-processors to process Personal Data on Customer's behalf in connection with the Service. Customer's acceptance of this DPA constitutes general written authorization for Callengo to engage the Sub-processors listed in the Callengo Sub-processor List, available at callengo.com/legal/sub-processors.
5.2
Notice of New Sub-processors. Callengo shall maintain the Sub-processor List and shall provide at least 30 days' advance notice of any addition of a new Sub-processor or material change to an existing Sub-processor by updating the Sub-processor List page and notifying Customer by email to the primary account email address.
5.3
Right to Object. Customer may object to a new or changed Sub-processor by notifying Callengo in writing at legal@callengo.com within 14 days of receiving notice. Customer's objection must include the specific reasons for the objection. If the parties cannot resolve the objection within 30 days, Customer may, as its sole remedy, terminate the affected portion of the Service by written notice, without penalty, upon 30 days' notice to Callengo.
5.4
Sub-processor Obligations. Callengo shall impose on each Sub-processor, by written contract, data protection obligations equivalent to those imposed on Callengo under this DPA, including obligations relating to confidentiality, security, and restrictions on further sub-processing.
5.5
Callengo Liability. Where a Sub-processor fails to fulfil its data protection obligations, Callengo shall remain fully liable to Customer for the Sub-processor's performance of those obligations, to the extent that Callengo itself is liable under this DPA.

06 Data Subject Rights

6.1
Forwarding Requests. Callengo shall promptly forward to Customer any Data Subject rights request received directly from a Contact, to the extent Callengo can identify the relevant Customer from the request.
6.2
Assistance. Callengo shall assist Customer in responding to verifiable Data Subject rights requests by providing Customer with the ability to: access, review, and export Contact Data through the Application interface; delete individual Contact records through the Application interface; restrict further processing of specific Contact records by removing them from active campaigns; and request that Callengo provide information about the processing of specific Contact Data where not directly accessible through the Application interface.
6.3
Timeline. Callengo shall respond to Customer's requests for assistance within a reasonable time and in any event within the time necessary to allow Customer to meet its own legal response deadlines.

07 Personal Data Breach Notification

7.1
Notification Timeline. In the event of a Security Incident affecting Personal Data processed under this DPA, Callengo shall notify Customer without undue delay, and in any event within 72 hours of Callengo becoming aware of the Security Incident, by email to the primary account email address.
7.2
Notification Content. The notification shall include, to the extent then known: a description of the nature of the Security Incident; the name and contact details of Callengo's data protection contact; a description of the likely consequences; and a description of the measures taken or proposed to address the Security Incident.
7.3
Cooperation. Callengo shall cooperate with Customer and take reasonable steps to assist Customer in investigating, mitigating, and remediating the Security Incident.
7.4
Customer Notification Obligations. Customer is solely responsible for determining whether and how to notify affected Data Subjects and relevant supervisory authorities of any Security Incident, in accordance with Applicable Data Protection Law. Callengo's notification to Customer under this Section 7 does not constitute an acknowledgment of fault or liability.

08 Audit Rights

8.1
Information and Documentation. Callengo shall make available to Customer, upon written request, reasonable documentation necessary to demonstrate Callengo's compliance with this DPA, including relevant security certifications and audit reports where available (such as SOC 2 Type II reports, where obtained).
8.2
Audit Rights. Customer may conduct one (1) documentary audit per 12-month period by engaging a reputable third-party auditor, at Customer's cost, subject to the following conditions: Customer shall provide at least 30 days' advance written notice; the auditor must execute a reasonable confidentiality agreement with Callengo; audits shall be conducted during normal business hours without unreasonably disrupting Callengo's operations; the scope of the audit shall be limited to Callengo's processing of Customer's Personal Data under this DPA; and any audit report shall be treated as Callengo's Confidential Information.

09 International Data Transfers

9.1
Transfers to Sub-processors. Customer acknowledges that Callengo and its Sub-processors are located in the United States and that processing of Contact Data under this DPA constitutes a Restricted Transfer from the EEA, UK, or Switzerland to the United States.
9.2
Standard Contractual Clauses. To the extent the processing involves Restricted Transfers subject to GDPR Chapter V, the parties agree that such transfers are made pursuant to the Standard Contractual Clauses (Module Two: Transfer controller to processor), which are incorporated into this DPA by reference and set out in Annex III. In the event of a conflict between the SCCs and the other provisions of this DPA or the Terms of Service, the SCCs shall prevail with respect to Restricted Transfers.
9.3
UK Transfers. For Restricted Transfers subject to UK GDPR, the parties shall rely on the UK International Data Transfer Addendum to the EU Commission SCCs (Version B1.0, issued 21 March 2022, and updated as of 21 August 2022) as the transfer mechanism, which is incorporated into this DPA by reference as Annex IV.
9.4
Swiss Transfers. For Restricted Transfers subject to the Swiss FADP, the parties shall rely on the SCCs as supplemented to address the specific requirements of the FADP, including references to the FDPIC as supervisory authority where applicable.

10 Deletion and Return of Data

10.1
Deletion Upon Termination. Within 90 days of the termination or expiration of the Terms of Service, Callengo shall delete all Personal Data processed under this DPA from its production systems, subject to Section 10.2. Callengo shall confirm in writing to Customer, upon Customer's written request, that deletion has been completed.
10.2
Exceptions. Callengo may retain Personal Data to the extent and for the duration required by Applicable Data Protection Law, including for financial record retention, legal hold obligations, and compliance with applicable retention obligations. Any data retained under this Section 10.2 shall continue to be subject to the confidentiality and security obligations of this DPA.
10.3
Backup Retention. Automated database backups may retain copies of Personal Data for up to 30 days following deletion from production systems, after which backup data is permanently purged.

11 CCPA Service Provider Terms

11.1
Service Provider Classification. To the extent Callengo processes "personal information" (as defined under the CCPA) on behalf of Customer, Callengo agrees to the following terms required for Callengo to be classified as a "service provider" under the CCPA:
11.2
Restricted Use. Callengo shall not retain, use, or disclose Contact Data for any purpose other than for the specific business purpose of performing the Service specified in the Terms of Service. Callengo shall not retain, use, or disclose Contact Data outside of the direct business relationship between Customer and Callengo.
11.3
No Sale or Sharing. Callengo shall not sell or share Contact Data (as those terms are defined under the CCPA/CPRA).
11.4
No Combination. Callengo shall not combine Contact Data received from Customer with personal information received from other sources or collected from Callengo's own interactions with California consumers, except as permitted by the CCPA and regulations thereunder.
11.5
Certification. Callengo certifies that it understands and will comply with the restrictions set out in this Section 11.

12 Limitation of Liability

The liability of each party under this DPA (including the SCCs incorporated herein) shall be subject to the limitations and exclusions of liability set out in the Terms of Service, to the maximum extent permitted by Applicable Data Protection Law. Where the SCCs impose obligations that cannot be limited by contract under Applicable Data Protection Law, those obligations shall apply as stated in the SCCs.

Annexes

ANNEX I

Description of Processing

Element | Details
Controller | Customer (Callengo account holder)
Processor | Fuentes Digital Ventures LLC (Callengo)
Subject matter | AI-powered outbound voice calling campaigns
Duration | Term of the Terms of Service
Nature | Automated processing: call dispatch, recording, transcription, AI analysis, CRM sync, webhook delivery, data storage
Purpose | Executing Customer's outbound calling campaigns for lead qualification, appointment confirmation, data validation, and other lawful business purposes defined by Customer
Data categories | Names, telephone numbers, email addresses, postal addresses, call recordings, call transcripts, AI-derived outcome data, custom fields
Data subjects | Individuals (Contacts) whose personal data Customer has uploaded for use in calling campaigns
Special categories | Not intentionally processed; however, call conversations may incidentally contain special category data (such as health information) disclosed by the Contact during a call
Transfer mechanisms | SCCs (Module Two); UK IDTA; Swiss FADP supplementation; EU-US Data Privacy Framework (where applicable)

ANNEX II

Technical and Organizational Security Measures

Callengo implements the following technical and organizational measures:

Encryption. All data in transit is encrypted using TLS 1.2 or higher. HSTS is enforced with a one-year max-age. OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM with a 256-bit key.
Access Control. Row-level security (RLS) is enforced on all application database tables. Service-level credentials are stored as protected environment variables, never exposed to client-side code. Role-based access control limits data access by user role.
Authentication. Passwords are hashed using bcrypt and never stored in plaintext. Session tokens are stored in HTTP-only, Secure, SameSite cookies. TOTP-based MFA is available to all users.
Infrastructure Security. Platform hosted on enterprise cloud infrastructure with SOC 2 Type II certification. Infrastructure access is restricted to authorized personnel on a least-privilege basis.
Network and Application Security. All inbound webhooks verified using HMAC-SHA256. Outbound webhook deliveries include HMAC-SHA256 signatures. Webhook URLs validated against SSRF protections. API endpoints protected by rate limiting.
Security Headers. All responses enforce: Content Security Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy, and HSTS.
Monitoring and Auditing. All administrative actions are logged to an audit log recording the action, the performing user, the timestamp, and the IP address and user agent of the request.
Incident Response. Callengo maintains an incident response process for identifying, containing, and remediating Security Incidents.

ANNEX III

Standard Contractual Clauses Reference

The Standard Contractual Clauses applicable to Restricted Transfers under this DPA are Module Two (Controller to Processor) of the Standard Contractual Clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

SCC Field | Value
Data exporter | Customer (Controller), identified by the Callengo account details
Data importer | Fuentes Digital Ventures LLC (Callengo), 5830 E 2nd St, Ste 7000 #20312, Casper, WY 82609, United States
Competent supervisory authority (Clause 13) | Agencia Española de Protección de Datos (AEPD), Spain
Governing law (Clause 17) | Law of Spain
Choice of forum (Clause 18) | Courts of Spain

The full text of the EU SCCs is available at: European Commission SCC page. Customers who require the executed SCCs as a standalone document for their own records should contact legal@callengo.com.

ANNEX IV

UK International Data Transfer Addendum

For Restricted Transfers subject to UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (IDTA), issued by the UK Information Commissioner's Office and in force as of 21 March 2022 (as updated on 21 August 2022), is incorporated into this DPA as the applicable transfer mechanism.

UK IDTA Field | Value
Start date | The effective date of this DPA
Exporter | Customer
Importer | Fuentes Digital Ventures LLC (Callengo)
Selected SCCs, Modules and Selected Clauses | Module Two, as described in Annex III
Appendix Information | As set out in Annex I and Annex II of this DPA

The full text of the UK IDTA is available at: ICO IDTA page.

Contact

For questions about this DPA, to request a signed copy of the SCCs, or to exercise any right under this DPA, contact:

Entity | Fuentes Digital Ventures LLC
Brand | Callengo
Address | 5830 E 2nd St, Ste 7000 #20312, Casper, WY 82609, United States
Legal & DPA | legal@callengo.com
Privacy | privacy@callengo.com

This Data Processing Addendum is effective as of January 1, 2026 and supersedes any prior data processing agreement between the parties relating to the subject matter hereof.