Data Processing Agreement
Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between VantaWeb, Inc. ("Processor") and the customer ("Controller") and governs the processing of personal data by VantaWeb on the Controller's behalf in connection with the VantaWeb platform.
This DPA supplements and is incorporated into the Terms of Service. Capitalized terms not defined here have the meaning given in the Terms of Service.
Definitions
- Personal Data — any information relating to an identified or identifiable natural person processed in connection with the Service.
- Controller — the customer who determines the purposes and means of processing Personal Data.
- Processor — VantaWeb, Inc., processing Personal Data on behalf of the Controller.
- Sub-processor — any third party engaged by VantaWeb to assist in processing Personal Data.
- Applicable Data Protection Law — GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, and any other applicable data protection laws.
Scope and Purpose
VantaWeb processes Personal Data solely to provide the Service as described in the Terms of Service, including operating the AI receptionist ("Anna"), storing call records, and managing account data.
VantaWeb will not process Personal Data for its own independent purposes, sell Personal Data, or use it for advertising.
Controller Obligations
- Ensure a lawful basis exists for processing Personal Data before providing it to VantaWeb.
- Provide all required privacy notices to data subjects.
- Respond to data subject requests (VantaWeb will assist as described below).
- Configure the Service with accurate business information.
Processor Obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (see Privacy Policy — Security).
- Notify the Controller without undue delay upon becoming aware of a Personal Data breach.
- Delete or return all Personal Data upon termination of the Service, at the Controller's election.
Sub-processors
VantaWeb engages the following categories of sub-processors to deliver the Service:
- Anthropic (Claude AI) — conversational AI processing
- Telnyx / LiveKit — telephony and real-time communications
- AWS / Cloudflare — infrastructure and content delivery
- Stripe — payment processing (PCI DSS compliant)
VantaWeb will provide 30 days' advance notice of material changes to the sub-processor list. The current list is available upon request at privacy@vantaweb.io.
Data Subject Rights Assistance
VantaWeb will provide reasonable assistance to the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection). Contact privacy@vantaweb.io to initiate.
Security Measures
VantaWeb maintains the following technical and organizational measures:
- TLS 1.3 encryption in transit; AES-256 encryption at rest
- Role-based access control; principle of least privilege
- Annual security audits and penetration testing
- Incident response plan with breach notification within 72 hours of discovery
International Data Transfers
VantaWeb infrastructure is located in the United States. Transfers of Personal Data from the EU/EEA or UK to the US are governed by Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), as applicable. Contact privacy@vantaweb.io to execute SCCs.
Data Retention
Personal Data is retained for the duration of the Service agreement plus 90 days, unless a shorter or longer period is required by law or requested by the Controller. See the Data Retention Policy for full details.
Contact
For DPA inquiries, SCC execution, or sub-processor requests: privacy@vantaweb.io
VantaWeb, Inc. | Subject line: "DPA Inquiry"