LEGAL

Data Processing Agreement

This page summarises VoiceCosmos\' Data Processing Agreement (DPA) under GDPR Art. 28. The full executable DPA is provided as a PDF on request and forms part of the master service agreement when you become a customer.

1. Roles

You (the customer) are the Data Controller. number7even UG (operating VoiceCosmos) is the Data Processor. We process personal data only on your documented instructions.

2. Categories of data processed

  • Guest contact data (name, email, phone) — when captured by ARIAN during a guest interaction
  • Booking data (dates, room type, special requests, payment confirmation reference)
  • Voice recordings + transcripts — for service delivery and quality auditing
  • Voice biometric vectors — only with explicit Article 9 consent
  • Operational metadata (timestamps, channel, language, sentiment)

3. Sub-processors

Current sub-processors:

  • OpenAI Ireland (LLM + voice synthesis, EU data residency)
  • Supabase (Frankfurt region — primary database hosting)
  • Vercel (Frankfurt region — application hosting)
  • Stripe Payments Europe (billing only, never voice or guest data)
  • Resend (transactional email only)
  • Twilio (SMS reminders only, opt-in)

Sub-processor changes are notified 30 days in advance with right to object.

4. Security measures

See our Privacy & Security page for the operational summary. Detailed controls (encryption at rest + in transit, access logging, sub-processor isolation, incident response) provided in the full DPA PDF.

5. Data Subject Rights

Right to access, rectify, delete, and data portability — all programmatic via your tenant cockpit OR by emailing privacy@number7even.com. Response within 30 days, typically within 5 business days for standard requests.

Need the executable DPA PDF? Email legal@number7even.com with your company name and counterparty.