
Data Processing Agreement

This is our DPA template (Data Processing Agreement) for business customers. It automatically applies as part of our terms of service as soon as you process personal data of third parties (callers, customers) through Tirza. Need a signed paper version? Email legal@tirza.ai and we will arrange it.

Last updated: 20 April 2026 · Version 1.0 · Based on Article 28 GDPR

1. Parties and roles

In this data processing agreement:

  • Controller — you, the business customer that uses Tirza and determines which personal data are processed and how.
  • Processor — Tirza AI Ltd (Ireland), which provides the service.

Together, these are the "parties". This agreement is inseparably linked to our terms of service; in the event of conflict on privacy matters, this DPA prevails.

2. Subject matter and duration

The processor processes personal data solely to deliver Tirza to you: answering inbound calls, booking appointments, noting callback requests, sending confirmations.

This agreement lasts for as long as the main agreement lasts. On termination, section 10 (end and return) applies.

3. Nature and purpose of processing

  • Categories of data subjects: callers (customers of the controller), employees of the controller.
  • Categories of personal data: phone numbers, names, audio recordings, transcripts, appointment details, contact events.
  • Special categories: audio recordings may qualify as biometric data (Article 9 GDPR) and are handled with heightened safeguards.
  • Purposes: telephony service provision, appointment booking, quality control, compliance with the EU AI Act (evidence log).

4. Instructions

The processor processes personal data solely on documented instructions from the controller, unless Union or Member State law requires otherwise. In that case the processor informs the controller in advance, unless that law prohibits doing so.

The configuration you enter in the dashboard (opening hours, services, FAQ, escalation rules) counts as part of your instructions.

5. Confidentiality

The processor ensures that persons authorised to process personal data have committed themselves to confidentiality either contractually or by statute.

6. Security measures (Article 32 GDPR)

We apply the following measures, among others:

  • Encryption in transit (TLS 1.3) and at rest.
  • Role and rights management; access on a "least-privilege" basis.
  • Audit logging of administrative access to production data.
  • Data minimisation and automatic deletion after the retention period (audio 30/90 days, transcripts 2 years, evidence log 6 years).
  • PII filters for error tracking and analytics prior to transmission.
  • Row-level security (RLS) in the database for strict separation between customers.
  • Periodic security reviews and vulnerability scans.

7. Sub-processors

The controller grants general authorisation for the engagement of sub-processors. The current list is available at /subprocessors.

Notice of changes: the processor informs the legal contact you have provided at least 30 days before a change, by email.

Right to object: within these 30 days you may object in writing to a new sub-processor. If the parties cannot reach agreement, you may terminate the main agreement free of charge with effect from the date the change takes effect.

The processor imposes the same data protection obligations on each sub-processor in writing as set out in this DPA (back-to-back). For sub-processors in the US, Standard Contractual Clauses (Module 3) apply.

8. Rights of data subjects

The processor assists the controller with appropriate technical and organisational measures in responding to requests from data subjects (access, rectification, erasure, restriction, objection, data portability).

If the processor receives a request directly from a data subject, it forwards this to the controller within 5 working days, unless the processor is directly and demonstrably authorised to act (for example, a caller who wants their own call recording deleted).

9. Data breaches (breach notification)

If the processor becomes aware of a personal data breach, it notifies the controller without undue delay and within 48 hours at the latest.

The notification contains at least:

  • Nature of the breach and categories of data subjects and data.
  • Likely consequences.
  • Measures taken and proposed.
  • Contact details for further information.

The processor assists the controller with any notifications to supervisory authorities or data subjects.

10. End of processing

On termination of the main agreement:

  • You may request an export of your data within 30 days of cancellation (CSV/JSON).
  • After 14 days we delete all personal data from production, unless retention is legally required (evidence log 6 years, invoices 7 years).
  • We keep evidence data that we are required to retain in anonymised form where possible.

11. Audit rights

The controller has the right, on reasonable request and no more than once per year, to have an audit carried out by an independent auditor bound by professional confidentiality. Audit costs are borne by the controller, unless the audit reveals structural deficiencies.

In lieu of its own audit, the controller may also accept current certifications or audit reports of the processor (for example SOC 2 Type II, ISO 27001 once available).

12. Transfers outside the EEA

Transfers outside the European Economic Area only take place with:

  • an adequacy decision of the European Commission, or
  • appropriate safeguards: Standard Contractual Clauses (2021) + Transfer Impact Assessment + additional technical measures (encryption, data minimisation).

The legal basis per sub-processor is listed at /subprocessors.

13. Liability

For liability between the parties, the rules in the main agreement apply (section 9 of the terms of service). Claims by data subjects or supervisory authorities under the GDPR are borne by the party that caused the violation.

14. Final provisions

This DPA is governed by the laws of Ireland. Disputes are submitted to the courts of Ireland, unless mandatory law provides otherwise. Amendments are only valid if agreed in writing or if published on this page with a current change notice.

Need a signed version?

Some clients (local authorities, healthcare referrers, large employers) require a signed paper DPA. Send an email to legal@tirza.ai with your company details. You will receive a PDF version back within 2 working days, which we countersign via an e-sign service.
