Data Processing Addendum
Last updated May 4, 2026. This DPA forms part of the PraxTalk Terms when you (the "Customer") use praxtalk.com to process personal data on behalf of end users. It satisfies the controller-to-processor obligations of GDPR Art. 28, the UK GDPR, India's DPDP Act, and equivalent regimes.
1 · Parties + roles
Processor: Praxxii Global, Aligarh, India, operator of PraxTalk (“we”, “PraxTalk”). Contact for DPA matters: privacy@praxtalk.com.
Controller: the legal entity behind the workspace owner account at praxtalk.com (“you”, “Customer”).
Data subjects: the visitors of your sites, apps, and channels that interact with PraxTalk-powered widgets, calls, emails, or chats.
2 · What we process for you
On your instructions (the choices you make in the workspace + the conversations your visitors send), we process:
- Conversation transcripts and message metadata (timestamps, channel, status).
- Visitor identifiers, optional name / email / phone, and approximate IP-derived location (city level).
- Operator account data (name, email, role, brand access) for your team.
- Atlas AI run logs (prompt, response, tools called, confidence) when AI auto-resolution is enabled.
- Optional structured lead data (status, remarks, assignee) when you save a conversation as a lead.
We do not process special-category data (health, biometric, etc.) unless your visitors include it in their messages — in which case it lives inside the conversation content and is treated with the same protections as the rest.
3 · Sub-processors
We use the following sub-processors to deliver PraxTalk. Each is bound by a written agreement that imposes data-protection obligations no less protective than this DPA. We will give you 30 days' notice before adding or replacing a sub-processor; you may object via privacy@praxtalk.com.
- Convex (USA) — primary database + real-time backend. Multi-tenant, encrypted at rest and in transit.
- Vercel (USA) — application hosting, Edge runtime, and CDN.
- Anthropic (USA) — Atlas AI inference (Claude). Zero data retention for API calls; we do not opt in to model training.
- Postmark / SendGrid / Resend (USA / EU) — transactional + workspace email delivery, one of which is selected by the customer per-workspace.
- Twilio / CallHippo / TeleCMI (USA / India) — voice + SMS, when the customer enables a voice integration.
- Meta WhatsApp Business Cloud API (Ireland) — WhatsApp channel, when enabled.
- Upstash (USA) — Redis-backed rate limiting + ephemeral session counters.
- Cloudflare (USA) — Turnstile CAPTCHA + DDoS protection at the edge.
- PayPal / Razorpay (USA / India) — subscription billing; we never see your card details.
A current machine-readable sub-processor list is published at /security.
4 · Cross-border transfers
Personal data may be transferred to and processed in countries outside your local jurisdiction (notably the United States, the European Union, and India). For each transfer we rely on:
- EEA / UK / Switzerland → USA: the EU Standard Contractual Clauses (Module Two) and the UK International Data Transfer Addendum, supplemented by the EU-US Data Privacy Framework where the recipient is certified.
- EEA / UK → India: the EU SCCs (Module Two) plus India's DPDP Act safeguards.
- USA / India → EEA: contractual processor-to-controller arrangements.
On request we will provide an executed copy of the SCCs + transfer impact assessment for your records.
5 · Security measures
We maintain technical + organisational measures appropriate to the risk, including:
- TLS 1.2+ everywhere in transit, AES-256 at rest in the underlying Convex storage.
- Multi-tenant isolation enforced by workspace-scoped indexes on every query; no cross-tenant query path exists in the codebase.
- Operator passwords hashed with bcryptjs (cost 12); session tokens stored only as SHA-256 hashes.
- Webhook payloads HMAC-SHA256 signed; per-workspace API keys with prefix + hash storage.
- Field-level redaction of OAuth tokens, signing secrets, and password hashes in every export — including the customer-facing JSON download at /app/settings.
- Continuous deployment with type-checked schema migrations; no out-of-band production database access.
- SOC 2 Type II audit in progress — committed for v1.0 GA. ISO 27001 on the post-GA roadmap.
Detailed control mappings are at /security.
6 · Data subject rights
We will assist you in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within 5 business days. Most requests can be satisfied directly:
- Access + portability: the workspace owner can download a complete JSON export of every record in the workspace from /app/settings at any time — no support ticket required.
- Erasure: deleting a workspace removes all associated records; deleting a single conversation cascades to its messages. Hard-delete is immediate; backups roll over within 30 days.
- Rectification: in-place edit of every record from the dashboard.
For everything else, email privacy@praxtalk.com and we will action it.
7 · Personal data breach
We will notify you without undue delay and in any case within 72 hours of becoming aware of a personal data breach affecting your workspace, including the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and the measures we are taking. Notification is sent to the workspace owner's email on file and posted to /status for severity 1 incidents.
8 · Audit + compliance
On reasonable notice (and no more than once per twelve-month period unless required by your supervisory authority), we will make available all information necessary to demonstrate compliance with this DPA, including the SOC 2 Type II report (when available), penetration-test summary, and answers to a standard CAIQ / SIG questionnaire. Audits beyond document review are by mutual agreement and at the requesting party's cost.
9 · Retention + deletion
We retain personal data for as long as your workspace is active. On workspace deletion or termination of the underlying agreement:
- Operational records (conversations, leads, messages, integrations) are deleted within 30 days.
- Backups containing the workspace expire within a further 30 days under our rolling backup schedule.
- Audit log entries that name a deleted operator retain the operator id but no other PII; we keep these for 12 months for security investigation.
On request before deletion takes effect, we will provide a final export in machine-readable form (JSON), at no charge.
10 · Liability + governing law
Liability under this DPA is governed by the limitation of liability clause in the underlying Terms. The DPA is governed by the laws of India (where Praxxii Global is incorporated); for customers established in the EEA / UK, GDPR / UK GDPR applies as a matter of public order. Disputes go to the courts of Aligarh, India unless mandatory law requires otherwise.
11 · Counter-signing + amendments
This DPA is incorporated by reference into the Terms when you create a workspace. Customers requiring a counter-signed copy on their own paper can request one by emailing privacy@praxtalk.com with the legal entity name, registered address, and VAT/GST number.
Material amendments will be announced 30 days in advance via email to workspace owners and posted to this page with an updated “Last updated” date.