RingOwl

Data Processing Addendum

Last updated: April 29, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between RingOwl, Inc. (“Processor”) and the customer subscribing to the RingOwl Service (“Controller”). It applies to the extent that Processor processes Personal Data on behalf of Controller in connection with the Service.

How to execute: click Save as PDF at the top of this page, sign the last page, and email a copy to hello@ringowl.ai. We will counter-sign and return the executed copy within 5 business days.

1. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person.
  • Processing: any operation performed on Personal Data.
  • Sub-processor: a third party engaged by Processor to process Personal Data on Controller’s behalf.
  • Data Subject: the individual to whom Personal Data relates (e.g. the caller, the Controller’s end users).

2. Subject matter & duration

Processor will process Personal Data on Controller’s behalf for the purpose of providing the Service for the duration of the underlying subscription, plus the retention period in the Privacy Policy.

3. Categories of Personal Data & Data Subjects

  • Data Subjects:Controller’s employees and authorized users; Controller’s end users (callers).
  • Categories: name, phone number, email, account credentials, business profile data, call recordings and transcripts, AI-generated call summaries, lead and appointment metadata, payment metadata.

4. Controller and Processor obligations

4.1 Controller

  • Has a lawful basis for the Processing it instructs Processor to perform.
  • Provides any required notices to Data Subjects (including call recording disclosures).
  • Configures the Service in compliance with applicable laws.

4.2 Processor

  • Processes Personal Data only on documented instructions from Controller.
  • Ensures personnel are bound by confidentiality.
  • Implements appropriate technical and organizational measures (Annex A).
  • Notifies Controller without undue delay (and within 72 hours where applicable) upon becoming aware of a Personal Data breach affecting Controller’s data.
  • Assists Controller in responding to Data Subject requests, where reasonably possible.

5. Sub-processors

Controller authorizes Processor’s use of the following sub-processors:

  • Stripe — payment processing.
  • Twilio — telephony, SMS, call routing.
  • Retell AI — voice agent inference and orchestration.
  • Amazon Web Services (AWS) — hosting, storage, and recording archive.
  • Anthropic — large language model inference.
  • Postmark — transactional email.

Processor will give Controller at least 30 days’ notice before adding or replacing a sub-processor. Controller may object on reasonable grounds; if the objection cannot be resolved, Controller may terminate the affected portion of the Service.

6. Data Subject rights

Processor will, taking into account the nature of the Processing, assist Controller by appropriate technical and organizational measures in fulfilling Controller’s obligations to respond to Data Subject rights requests under applicable law.

7. International data transfers

Where Personal Data of EEA, UK, or Swiss Data Subjects is transferred to Processor in the United States, the parties agree the Standard Contractual Clauses (Module 2: Controller-to-Processor) issued by the European Commission are incorporated by reference, with the optional docking clause and option 1 (independent SAs) selected. The UK International Data Transfer Addendum applies for UK Data Subjects.

8. Security measures (Annex A)

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest.
  • Role-based access control with least-privilege principles.
  • Network segmentation and firewall controls in our hosting environment.
  • Regular security reviews of code and infrastructure.
  • Documented incident response procedure.
  • Vendor due diligence before adding sub-processors.

9. Audits

Upon written request, no more than once per 12 months and subject to a reasonable confidentiality agreement, Processor will provide Controller with information necessary to demonstrate compliance with this DPA, including third-party audit summaries (where available).

10. Return or deletion of Personal Data

On termination of the Service or written request from Controller, Processor will delete or return all Personal Data within 90 days, except to the extent retention is required by law.

11. Liability

The liability of each party under this DPA is subject to the limitations and exclusions set out in the underlying Terms of Service.

12. Order of precedence

In the event of a conflict, this DPA prevails over the Terms of Service with respect to the Processing of Personal Data.

13. Signatures

Controller (Customer)Processor (RingOwl, Inc.)
Name: ___________________________
Title: ____________________________
Company: _______________________
Signature: _______________________
Date: ___________________________		Name: Mukul Chaware
Title: Founder
Company: RingOwl, Inc.
Signature: _______________________
Date: ___________________________

Questions? Email hello@ringowl.ai.