01 How this DPA is accepted
This DPA is part of the ThunderPhone Terms of Service for click-through customers.
This DPA is part of the ThunderPhone Terms of Service. By creating an account or using the Service, the Customer agrees to the Terms and this DPA. No signature is required for click-through customers. If a Customer has a signed agreement with us, that agreement governs and this DPA applies as an addendum to it.
02 Using this DPA
This DPA has two parts: the Key Terms on this Cover Page and the Common Paper DPA Standard Terms Version 1.1 posted at commonpaper.com/standards/data-processing-agreement/1.1 ("DPA Standard Terms"), incorporated by reference. If there is any inconsistency between the parts of the DPA, this Cover Page will control over the DPA Standard Terms. Capitalized and highlighted words have the meanings given on this Cover Page. If this Cover Page omits or does not define a highlighted word, the default meaning will be "none" or "not applicable" and the correlating clause, sentence, or section does not apply to this DPA. All other capitalized words have the meanings given in the DPA Standard Terms or the Agreement.
03 Key terms
Agreement
This DPA supplements the ThunderPhone Terms of Service. The Effective Date for a Customer is the date the Customer accepts the Agreement.
Approved Subprocessors
Approved Subprocessors are listed in Annex III. We use general authorization. We will post updates and notify admin contacts at least 10 business days before a new Subprocessor begins Processing Customer Personal Data. Customers may object by emailing privacy@thunderphone.com within that period; we will work in good faith to resolve objections.
Provider Security Contact
Physical notice address: Autophonix, LLC d/b/a ThunderPhone, 505 Montgomery St. Suite 1100 #1019, San Francisco, CA 94111, USA
Security Policy
Security measures are defined in the Agreement and summarized in Annex II.
Service Provider Relationship (CCPA/CPRA)
To the extent the CCPA/CPRA applies, Provider is a service provider and will not sell or share Customer Personal Data. Provider will retain, use, and disclose such data only to provide the Service as described in the Agreement or as otherwise permitted by Applicable Data Protection Laws, and will notify Customer if it can no longer meet these obligations.
Restricted Transfers
EEA SCCs: Ireland governs; disputes are in Irish courts. Clause 7 docking is not used. Clause 9 uses Option 2, general authorization, with 10 business days' notice. Clause 11 optional language is not used. Clause 13 square brackets are removed.
UK Addendum: laws of England and Wales govern.
04 Annex I(A) - List of parties
Data Exporter (Customer)
- Name: Customer.
- Address / Contact: as provided in the Customer account records.
- Activities relevant to the transfer: see Annex I(B).
- Role: Controller, or Processor as applicable to Customer's role.
Data Importer (Provider)
- Name: Autophonix, LLC d/b/a ThunderPhone.
- Address: 505 Montgomery St. Suite 1100 #1019, San Francisco, CA 94111, USA.
- Contact: Privacy Team — privacy@thunderphone.com / security@thunderphone.com.
- Activities relevant to the transfer: see Annex I(B).
- Role: Processor.
EU Representative (GDPR Art. 27)
Rickert Rechtsanwaltsgesellschaft mbH — Autophonix LLC, Colmantstrasse 15, 53115 Bonn, Germany · art-27-rep-autophonix@rickert.law
UK Representative (UK GDPR Art. 27)
Rickert Services UK Ltd — Autophonix LLC, PO Box 1487, Peterborough, PE1 9XX, United Kingdom · art-27-rep-autophonix@rickert-services.uk
05 Annex I(B) - Description of transfer and processing activities
Service
ThunderPhone — AI-assisted telephony platform for call setup/routing, optional recording and transcription, analytics, support, and billing.
Categories of Data Subjects
- Customer's end users/customers, including callers and call recipients.
- Customer's employees and administrators.
- Billing and payment contacts designated by Customer.
Categories of Personal Data
- Name.
- Contact information, such as email, phone number, and address.
- Account and transactional information, such as account identifiers, purchases, and usage.
- User activity and technical data, such as device, IP address, logs, and diagnostics.
- Location information, coarse and derived from telecom metadata.
- Call metadata, such as numbers dialed or received, timestamps, duration, and routing.
- Audio content, including live streams, recordings if enabled, and transcripts if enabled.
- Payment identifiers and tokens processed by Stripe; no full PAN on Provider systems.
Special Category Data
No. Provider does not require or intentionally collect special categories; Customer instructs Provider not to process such data. Any incidental inclusion is Customer-controlled content.
Frequency of Transfer
Continuous.
Nature and Purpose of Processing
Receiving, holding, using, updating, protecting, sharing to Approved Subprocessors, returning, and erasing data as necessary to provide and support the Service, including analysis, quality, security, troubleshooting, and billing.
Duration of Processing
For the term of the Agreement and as required to perform instructed Processing activities and by Applicable Laws. Upon termination, deletion or return occurs per the DPA Standard Terms and this Cover Page.
07 Annex II - Technical and organizational security measures
Summary, in addition to the Security Policy:
- Access control and authentication, including RBAC/least privilege, SSO/MFA, and periodic reviews.
- Encryption.
- Tenant segregation and minimization; configurable retention for recordings/transcripts.
- Vulnerability and patch management; risk-based remediation; third-party testing as appropriate.
- Business continuity and backups; tested restores; regional redundancy per hosting providers.
- Incident response, including notice without undue delay and within 72 hours of awareness of a Security Incident, plus post-incident review.
- Vendor management, including security/privacy due diligence and SCCs/UK Addendum as needed.
- Workforce confidentiality and security/privacy training.
08 Annex III - Subprocessors
The providers that may process Customer Personal Data to run ThunderPhone.
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure hosting and storage | United States by default; other regions where configured |
| LiveKit and telephony/carrier providers such as Twilio, Telnyx, SignalWire, Vonage, Plivo, or customer-configured SIP trunks | Realtime media, PSTN connectivity, and phone numbers | United States and other provider/customer-configured regions |
| Model and speech providers such as OpenAI, Google, Anthropic, Deepgram, ElevenLabs, and similar providers where configured | Speech recognition, language model inference, voice generation, and evaluation | United States and other provider/customer-configured regions |
| Stripe | Billing and payment processing; no call audio or transcripts | United States / global |
| Transactional email provider where configured | Account and service email; no call audio or transcripts | United States / provider regions |
| OpenReplay | Privacy-filtered product analytics and session replay where enabled | United States / provider regions |
09 Additional terms and contact
No additional changes to the DPA Standard Terms. This click-through page, together with the incorporated DPA Standard Terms v1.1, forms the complete DPA for Customers who accept our Terms online.
If a customer requires a signed copy, we can provide a signable cover page referencing this online DPA. Contact legal@thunderphone.com.
Privacy: privacy@thunderphone.com
Security: security@thunderphone.com
Notices: legal@thunderphone.com