1. Parties and roles
You (the "Tenant") are the controller of personal information of your end callers. VoxReach is the processor acting on your documented instructions through the VoxReach platform. For information VoxReach collects directly from Tenant account holders (billing, onboarding, support), VoxReach is the controller and acts in accordance with its Privacy policy.
2. Scope and subject matter
VoxReach processes personal information on behalf of the Tenant for the sole purpose of providing the VoxReach voice-AI service (answering inbound calls, dialling outbound calls, transcribing, recording, scoring, and warm-transferring calls; billing and reporting).
Categories of data subject: end callers (consumers, business contacts).
Categories of personal information: phone number, call audio, call transcript, IVR input, any information voluntarily disclosed during the call.
Duration: the term of the Tenant's subscription, plus the retention periods in section 8.
3. Tenant obligations
- Warrant that the Tenant has a lawful basis under Australian law (APP 3, APP 6) to collect and process each caller's personal information through the platform.
- Warrant, on every outbound lead-list upload, that the list has been washed against the Australian Do Not Call Register within the 30 days preceding the dial, subject to any documented exception under the Do Not Call Register Act 2006.
- Disclose call recording to callers in accordance with the Tenant's state-by-state recording-disclosure obligations.
- Honour any in-call opt-out, DNCR listing, or subsequent unsubscribe from the recipient.
- Respond to caller access, correction, and deletion requests directly, and contact VoxReach when processor assistance is required.
4. VoxReach obligations (processor)
- Process personal information only on documented Tenant instructions, including transfers to third countries.
- Ensure personnel with access to personal information are under a written duty of confidentiality.
- Implement and maintain the security measures set out in the Security policy, including TLS 1.2+ in transit, AES-256 at rest, role-based access control, audit logging, and continuous vulnerability scanning.
- Notify the Tenant of any eligible data breach affecting Tenant personal information within 72 hours of becoming aware (or sooner where required by the Notifiable Data Breaches scheme).
- Assist the Tenant in responding to data subject requests and regulator enquiries.
- Make available to the Tenant on request the information necessary to demonstrate compliance with this DPA, including SOC 2-aligned controls documentation and annual sub-processor attestations.
- At the end of the service provision, at the Tenant's election, delete or return all Tenant personal information and delete remaining copies, save where Australian law requires retention (ATO seven-year rule for billing records).
5. Sub-processors (current list)
VoxReach engages the following sub-processors to deliver the service. This list is authoritative. Material additions are notified to Tenant account holders by email at least 30 days before the new sub-processor is engaged; the Tenant may object in writing, in which case the parties will work in good faith on an alternative.
| Sub-processor | Purpose | Location |
|---|---|---|
| Twilio Inc | Telephony, SIP, SMS, number provisioning | United States |
| Vapi | Voice-agent orchestration | United States |
| Anthropic PBC | LLM reasoning (Claude) | United States |
| ElevenLabs Inc | Text-to-speech | United States |
| Cartesia | Text-to-speech (alternate) | United States |
| Deepgram Inc | Speech-to-text transcription | United States |
| Stripe Payments Australia Pty Ltd | Card payments, invoicing | Australia / United States |
| Google Workspace | Business email, support ticketing | Australia / United States |
| Plausible Insights | Privacy-preserving site analytics (no cookies) | European Union |
| Hosting provider(s) | Application + database hosting for tenant data | Australia |
Each sub-processor is contractually bound to protect personal information to a standard consistent with the Australian Privacy Principles and to permit VoxReach to audit its handling of Tenant data.
6. Cross-border transfers (APP 8)
Some sub-processors are located outside Australia. Transfers are lawful because:
- the Tenant has instructed VoxReach to use those sub-processors by entering into the Terms;
- VoxReach has taken reasonable steps (contractual commitments, sub-processor due diligence, encryption in transit and at rest) to ensure each recipient handles the information consistently with the APPs;
- where a sub-processor is in the EU/UK/US and offers standard contractual clauses, VoxReach has executed them;
- Tenant data content (call recordings, transcripts) is processed in memory by the non-AU sub-processors and is not retained for model training.
7. Security
See the Security policy for full detail. Summary: dedicated AU region, TLS 1.2+ in transit, AES-256 at rest, per-tenant isolation at the database layer, role-based access control, MFA enforced on all staff accounts, audit logging, intrusion detection, continuous vulnerability scanning, principle-of-least-privilege for engineering.
8. Retention and deletion
Default retention for Tenant-controlled data:
- Call recordings: 90 days, then deleted.
- Call transcripts: 24 months, then deleted.
- Operational metadata (call timestamp, dialled number, outcome, cost): retained for the life of the account plus 2 years.
- On Tenant request, any category can be deleted earlier; export available in CSV or JSON at any time.
- On account closure, all Tenant-controlled data is deleted within 30 days, except ATO-required billing records (seven years).
9. Liability
Liability under this DPA is subject to the limitation of liability in the Terms of service. Nothing in this DPA excludes the parties' non-excludable obligations under Australian law.
10. Governing law
This DPA is governed by the laws of New South Wales, Australia. The exclusive jurisdiction is the courts of New South Wales.
11. Contact
legal@voxreach.com.au — counter-signed DPA requests.
privacy@voxreach.com.au — privacy operational requests.