Skip to main content

Data Processing Addendum

Version 1.1 · February 2026

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Master Service Agreement between RPR Technologies LLC ("Processor") and the customer identified in an applicable Order Form ("Controller").

1. Definitions

Personal Data means any information relating to an identified or identifiable individual processed by the Processor in connection with providing the Services.

Processing means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.

Subprocessor means any third party engaged by Processor to process Personal Data on behalf of Controller.

2. Roles and Responsibilities

Controller determines the purposes and means of processing Personal Data and is responsible for ensuring compliance with applicable data protection laws.

Processor processes Personal Data solely on behalf of Controller and only as necessary to provide the Services. Processor does not use Personal Data for any purpose other than delivering the Services.

3. Nature and Purpose of Processing

DDash is a read-only monitoring and analytics overlay. The platform ingests contact center event data from Controller's UCaaS/CCaaS platform via webhooks and API polling. DDash does not initiate, route, record, or modify calls.

Processing is limited to: agent status change events, call lifecycle events, event metadata storage for dashboards and reporting, analytics generation.

DDash does not process: call audio, call recordings, voicemail content, SMS message bodies, or video streams. The platform operates exclusively on event metadata and telephony signaling data.

4. Categories of Personal Data

Agent identifiers (user ID, display name, email, extension), agent status and availability states, call metadata (call ID, timestamp, duration, direction, disposition), caller identifiers (phone number, caller ID).

Not collected: social security numbers, financial account numbers, biometric data, health information, authentication credentials, or special categories of data under GDPR Article 9 or CCPA.

5. Immutable Transaction Architecture

DDash employs a two-database isolation architecture to ensure integrity, traceability, and non-repudiation of all ingested event data.

All events are written with server-side timestamps as verbatim JSONB payloads, never modified after insertion. No application service holds credentials to both databases simultaneously.

6. Data Storage and Retention

All Customer Data is stored on AWS infrastructure in the US-West-2 (Oregon) region. Default retention: 90 days (configurable, extended available).

Upon termination, data available for export for 30 days. Permanent deletion within 14 days after export period.

7. Security Measures

Data in transit: TLS 1.2+. Data at rest: AWS volume-level encryption. Access controls: RBAC with least-privilege.

Infrastructure isolation: Docker containers on private network. No container accesses both databases.

8. Subprocessors

30 days notice before new subprocessors. Controller may object within 15 days.

9. Data Subject Rights

Processor assists with access, deletion, portability, and rectification requests. Exports include operational data and immutable event archive records.

10. GDPR Compliance

Where GDPR applies, Processor processes only on documented instructions, maintains confidentiality obligations, implements appropriate security measures, assists with DPIAs, enables audits, and supports data transfers via Standard Contractual Clauses.

11. CCPA Compliance

Processor does not sell or share Personal Information. Does not retain or use data beyond providing Services. Cooperates with verifiable consumer requests. Deletion within 30 days.

12. HIPAA Position

DDash does not process Protected Health Information (PHI). The platform handles operational metadata only. BAA available for Enterprise tier where parties mutually determine PHI may be incidentally present.

13. Data Breach Notification

Processor notifies Controller within 72 hours of confirming a Security Incident. Notification includes nature, categories affected, likely consequences, and measures taken.

14. Term

DPA remains in effect for the duration of the Agreement. Obligations regarding data deletion and return survive termination.

DDash is a product of RPR Technologies LLC.