Mercateer

Data processing agreement

Last updated June 2026

The data processing agreement that governs how Mercateer processes personal data, including call recordings and transcripts, on behalf of its customers.

Scope and roles

This data processing agreement ("DPA") forms part of the agreement between RemoteAmbition, LLC, doing business as Mercateer ("Mercateer"), and the customer and applies whenever Mercateer processes personal data on the customer’s behalf in providing the service ("customer personal data").

The customer is the controller (or, where the customer acts for a third-party controller, a processor), and Mercateer is the customer’s processor or service provider. Mercateer acts as an independent controller only for its own account, billing, and security and fraud prevention data; model training on customer personal data happens only as the customer’s processor, under the instructions and safeguards in this DPA, never as an independent controller.

This DPA covers the GDPR, the UK GDPR, the Swiss FADP, and US state privacy laws including the CCPA/CPRA and similar state acts, as each applies to the processing.

Details of processing

Subject matter and nature: operating an AI receptionist and answering service that answers calls, chats, and texts, records and transcribes conversations, generates summaries, generates price estimates (from the customer’s price book and other pricing information such as typical regional and trade rates), books appointments, and sends missed-call text-backs, with related hosting, support, and security.

Duration: the term of the agreement, plus the deletion period below.

Purpose: providing the service to the customer as configured by the customer.

Categories of personal data: call audio recordings, transcripts and AI-generated summaries, voicemail, caller phone numbers and call metadata, text message and web chat content, booking and job details, contact details, and pricing data associated with identifiable people. Callers may incidentally volunteer sensitive details such as health or payment information; Mercateer applies the protections in this DPA to all customer personal data and does not seek out or separately use such details.

Categories of data subjects: the customer’s callers and end customers, prospects, and personnel who interact with the service.

Instructions

Mercateer processes customer personal data only on the customer’s documented instructions, including for international transfers, unless required to do otherwise by law, in which case Mercateer will inform the customer before processing unless the law prohibits it.

The agreement, this DPA, and the customer’s configuration of the service (including its retention, disclosure, and integration settings, its use of AI features, and its model-training opt-out election) constitute the documented instructions. Mercateer will inform the customer if, in its opinion, an instruction infringes applicable data protection law.

Model training, sale, and profiling

The customer instructs Mercateer to use customer personal data to train and improve the AI models that power the service. Before such use, Mercateer de-identifies the data by removing names, phone numbers, and other direct identifiers; training happens in-house; and models are never sold, exposed to third parties, or built in a way that could reveal one customer’s data to another. The customer may opt out of model training at any time with effect for future training, without affecting the core service.

Mercateer will not permit any subprocessor to use customer personal data to train its own models. AI model providers are additionally prohibited from retaining customer personal data beyond short periods needed to provide the service and for safety and abuse monitoring.

Mercateer will not sell or share customer personal data, will not use it for cross-context behavioral advertising, will not profile data subjects across customers, and will not combine customer personal data across customers except in de-identified form for the model training described above.

Confidentiality

Mercateer ensures that every person authorized to process customer personal data is bound by contractual or statutory confidentiality obligations, and limits access to those who need it to provide the service, on a least-privilege basis.

Security

Mercateer implements and maintains technical and organizational measures appropriate to the risk, including: encryption of customer personal data in transit (TLS 1.2 or higher) and at rest, including recordings and transcripts; access controls with multi-factor authentication; logical separation of customer data; logging and monitoring; vulnerability management; secure deletion; and backup and recovery procedures.

Mercateer will not materially decrease the overall protection of these measures during the term, and will assist the customer in ensuring compliance with its own security obligations, taking into account the nature of the processing and the information available to Mercateer.

Subprocessors

The customer gives general written authorization for Mercateer to engage subprocessors to provide the service. The current list, including each provider’s purpose and location, is published at mercateer.com/legal/subprocessors.

Mercateer will give the customer at least 30 days’ notice before adding or replacing a subprocessor that processes customer personal data. The customer may object within 14 days on reasonable data protection grounds; the parties will work in good faith to resolve the objection, and if it cannot be resolved, the customer may terminate the affected service and receive a pro-rata refund of prepaid fees.

Mercateer imposes data protection obligations on each subprocessor that are no less protective than this DPA and remains liable for its subprocessors’ performance.

Assistance with data subject requests

Taking into account the nature of the processing, Mercateer will assist the customer with appropriate technical and organizational measures to fulfil the customer’s obligation to respond to data subject requests (access, rectification, erasure, restriction, objection, and portability).

If Mercateer receives a request directly from a data subject, such as a caller, it will forward the request to the customer within 5 business days and will not respond on the merits except on the customer’s instructions, unless the law requires otherwise. Mercateer will carry out the customer’s lawful instructions, including locating, exporting, and deleting a specific person’s recordings, transcripts, and messages.

Personal data breach

Mercateer will notify the customer without undue delay, and in any case within 72 hours of becoming aware of a personal data breach affecting customer personal data, providing information reasonably available to help the customer meet its own notification obligations, and will keep the customer informed as the investigation develops.

Mercateer will take reasonable steps to contain and remediate the breach and will not make any public statement identifying the customer without the customer’s consent unless required by law.

Impact assessments and consultations

Mercateer will provide reasonable assistance to the customer with data protection impact assessments and consultations with supervisory authorities, taking into account the nature of the processing and the information available to Mercateer.

Return and deletion

At the end of the services, at the customer’s choice, Mercateer will return customer personal data in a commonly used format or delete it, including subprocessor copies, except where law requires longer retention, in which case the data is isolated and protected from further processing.

The customer can export its data for 30 days after termination. Mercateer deletes customer personal data within 30 days of a deletion request or the end of that export window, and copies in encrypted backups are purged within 90 days. These timelines match the terms of service and privacy policy.

Audits

Mercateer will make available the information necessary to demonstrate compliance with this DPA, starting with documentation such as security overviews and other compliance documentation Mercateer makes available, provided under confidentiality.

Where the customer reasonably requires more, the customer or its mandated auditor (not a Mercateer competitor) may audit Mercateer’s compliance no more than once in any 12-month period, on at least 30 days’ notice, during business hours, at the customer’s expense, and without access to other customers’ data. A breach affecting the customer, or a supervisory authority requirement, lifts the frequency limit.

International transfers

Customer personal data is processed primarily in the United States, including AI processing of call and message content.

Where the GDPR, UK GDPR, or Swiss FADP applies to a transfer, the parties incorporate the European Commission’s 2021 Standard Contractual Clauses by reference: Module Two (controller to processor) or Module Three (processor to processor) as appropriate, with the optional docking clause adopted, the subprocessor notice period set to the period in the Subprocessors section above, and the Clause 17 governing law and Clause 18 forum set to Ireland, supplemented by the UK Addendum and Swiss adaptations. The SCCs prevail over this DPA and the agreement for the matters they govern.

Mercateer will reasonably cooperate with the customer’s transfer impact assessments and will notify the customer of legally binding government requests for customer personal data unless prohibited by law, will review the validity of such requests, and will disclose only the minimum necessary.

US state privacy laws

Where the CCPA/CPRA or a similar US state law applies, Mercateer acts as the customer’s service provider or processor. Mercateer will process customer personal data only for the business purposes described in this DPA, will provide the same level of privacy protection the law requires of the customer, and will not sell or share the data, retain, use, or disclose it outside the direct business relationship, or combine it with personal data from other sources except as the law permits.

Mercateer certifies that it understands these restrictions and will comply with them, will confirm this compliance to the customer on reasonable request, and will notify the customer if it can no longer meet these obligations, in which case the customer may take reasonable and appropriate steps to stop and remediate unauthorized use of personal data.

Term, liability, and precedence

This DPA applies for as long as Mercateer processes customer personal data and survives termination of the agreement until deletion is complete. Liability under this DPA is subject to the limitations of liability in the agreement.

For conflicts concerning personal data, the order of precedence is: the Standard Contractual Clauses, then this DPA, then the agreement. Mercateer will update this DPA only as needed to reflect law or service changes, with notice to customers, and never in a way that materially reduces its protections during a paid term.