
Data Processing Agreement

This Data Processing Agreement applies when Sagentic LLC processes personal data on behalf of a business customer.

Effective date: February 25, 2026

Last updated: February 25, 2026

1. Parties and roles

This DPA forms part of the agreement between Sagentic LLC ("Processor") and the business customer using the Services ("Controller"). Controller determines the purposes and means of processing personal data related to its customers and contacts. Processor processes such data only to provide the contracted Services.

2. Processing details

2.1 Subject matter and duration

Processing covers customer communications and operational data handled through the Services for the term of the customer relationship and any agreed post-termination period.

2.2 Nature and purpose of processing

  • Voice and chat interaction handling, transcription, and response generation.
  • Appointment booking, follow-up messaging, and review management workflows.
  • Integration syncing with connected services and customer-selected automations.
  • Storage and retrieval of uploaded business content and knowledge materials.

2.3 Categories of data subjects and data

  • Data subjects: Controller personnel, end customers, leads, and message recipients.
  • Data categories: contact details, communication content, call recordings, transcripts, booking details, review data, and associated metadata.

3. Processing instructions and controller obligations

Processor processes personal data only on documented instructions from Controller, including configuration choices made in the platform.

Controller is responsible for:

  • Providing lawful basis and notices for personal data processing.
  • Obtaining required consents for calls, recording, and messaging where applicable.
  • Ensuring that submitted data and instructions comply with applicable law.

4. Confidentiality and personnel access

Processor ensures that personnel authorized to process personal data are bound by confidentiality obligations and have access only as needed for service delivery, support, or security operations.

5. Security measures

Processor implements technical and organizational measures appropriate to processing risk, including:

  • Encryption at rest for SQLite-stored data and encrypted transport in transit.
  • Authentication, access controls, and role-based permissions.
  • System monitoring, logging, and incident response procedures.
  • Logical segregation and lifecycle controls for stored content and backups.

6. Authorized sub-processors

Controller authorizes Processor to use the following sub-processors for service delivery:

  • OpenAI: AI voice and chat processing.
  • Twilio: voice telephony, SIP trunking, phone numbers, and messaging delivery.
  • Stripe: payment and billing operations.
  • Google APIs: business data, reviews, and calendar integration processing.
  • Cloudflare (R2): object storage for uploaded content.

Processor remains responsible for sub-processor performance to the extent required by applicable data protection law and contractual commitments.

7. Data subject rights and assistance

Taking into account the nature of processing, Processor provides reasonable assistance to Controller for responding to verified requests related to access, correction, deletion, portability, and processing restrictions.

8. Security incident and breach notification

Processor will notify Controller without undue delay after becoming aware of a confirmed security incident affecting Controller personal data. Notification includes known details on incident nature, likely impact, and remediation steps in progress.

9. Return and deletion of data

Upon termination of Services, Processor will delete or return Controller personal data, unless retention is required by law or necessary for limited security, accounting, or dispute resolution obligations.

Deletion may occur in stages as part of backup lifecycle controls, after which data is permanently removed or de-identified.

10. Cross-border transfers

Where personal data is transferred across borders, Processor will apply appropriate safeguards required by applicable law, including contractual protections and provider mechanisms intended to support lawful transfers.

11. Audit and information rights

Processor will make available information reasonably necessary to demonstrate compliance with this DPA and may support proportionate audits or assessments subject to confidentiality, security, and operational constraints.

12. Contact information

Sagentic LLC
Sheridan, Wyoming, USA
[email protected]