Legal · Data Processing

Data Processing Agreement.

This DPA, executed between Meetzy and our customers, governs the processing of personal data under GDPR Article 28 and equivalent regulations.

Download DPA (PDF) Contact our DPO Last updated: 2026-04-29

At a glance

Processor

Meetzy is the Data Processor. You are the Controller.

EU-only

Frankfurt + Dublin AWS regions. No data leaves the EU.

AES-256

Encryption at rest. TLS 1.3 in transit. Quarterly key rotation.

30 days

Notice period for any sub-processor change, with right to object.

01

Scope and roles.

This agreement applies whenever Meetzy processes personal data on behalf of a customer who is a Data Controller under GDPR. Meetzy acts strictly as a Data Processor and only processes data on documented instructions from the Controller.

02

Sub-processors.

We rely on the following sub-processors. Each is bound by data protection terms equivalent to those in this DPA.

Sub-processor Purpose Region
TwilioTelephony / call routingEU + US (failover)
ElevenLabsVoice synthesisEU + US
AWSHosting + data storageEU only (Frankfurt + Dublin)
Anthropic / OpenAI / Google / Meta / Mistral / xAILLM inference (per-customer opt-in)Varies — opt-in by Controller
StripeBillingEU
HubSpot / Salesforce / Zoho / GenesysCRM / contact-center sync (only when enabled by Controller)Per-vendor

03

Data categories processed.

  • — Identifiers (caller phone numbers, names if disclosed)
  • — Audio recordings of calls
  • — Transcriptions
  • — Conversation metadata (timestamps, durations, outcomes)
  • — CRM-synced data (only if the Controller enables a CRM integration)

04

Security measures (Article 32).

  • — Encryption at rest (AES-256) and in transit (TLS 1.3)
  • — Access control: RBAC + MFA for all admin actions
  • — Audit logging on every API call, 90-day retention default, 7-year retention available
  • — Annual third-party penetration testing
  • — Incident response within 24h of detection

05

Data subject rights.

Meetzy assists Controllers in fulfilling access, deletion, rectification, and portability requests within 5 business days of receiving a documented request.

06

Term and termination.

This DPA terminates with the underlying service agreement. Upon termination, Meetzy returns or deletes all personal data within 30 days, at the Controller's choice.

07

Sub-processor change notification.

We provide 30 days' advance notice via email and a banner on this page before adding or replacing a sub-processor. Controllers may object during the notice period.

08

Liability.

Liability under this DPA is governed by the underlying service agreement and applicable data protection law. Statutory liability under Article 82 GDPR is unaffected.

Need a signed DPA?

Email dpo@meetzy.io and our team will counter-sign within 2 business days.

Download DPA (PDF) Email DPO