🚀 ThunderPhone is currently in soft-launch mode! Feel free to try us out while we put the finishing touches on. Full launch planned for Feb 2.

ThunderPhone DPA

Last updated: November 7, 2025

Version: DPA-2025-11-07

How this DPA is accepted. This DPA is part of the ThunderPhone Terms of Service at https://thunderphone.com/terms. By creating an account or using the Service, the Customer agrees to the Terms and this DPA. No signature is required for click-through customers. If a Customer has a signed agreement with us, that agreement governs and this DPA applies as an addendum to it.

Using This DPA

This DPA has 2 parts: (1) the Key Terms on this Cover Page and (2) the Common Paper DPA Standard Terms Version 1.1 posted at http://commonpaper.com/standards/data-processing-agreement/1.1/ (“DPA Standard Terms”), which is incorporated by reference. If there is any inconsistency between the parts of the DPA, this Cover Page will control over the DPA Standard Terms. Capitalized and highlighted words have the meanings given on this Cover Page. If this Cover Page omits or does not define a highlighted word, the default meaning will be “none” or “not applicable” and the correlating clause, sentence, or section does not apply to this DPA. All other capitalized words have the meanings given in the DPA Standard Terms or the Agreement.

Key Terms

Agreement

This DPA supplements the ThunderPhone Terms of Service: https://thunderphone.com/terms. The Effective Date for a Customer is the date the Customer accepts the Agreement.

Approved Subprocessors

Live list available at https://thunderphone.com/trust/subprocessors

Subprocessor change notice: We use general authorization. We will post updates at the URL above and notify admin contacts at least 10 business days before a new Subprocessor begins Processing Customer Personal Data. Customers may object by emailing privacy@thunderphone.com within that period; we’ll work in good faith to resolve objections.

Provider Security Contact

security@thunderphone.com

Physical notice address: Autophonix, LLC d/b/a ThunderPhone, 505 Montgomery St. Suite 1100 #1019, San Francisco, CA 94111, USA

Security Policy

As defined in the Agreement

Public summary: https://thunderphone.com/trust/security

Service Provider Relationship (CCPA/CPRA)

To the extent the CCPA/CPRA applies, Provider is a service provider and will not sell or share Customer Personal Data; Provider will retain, use, and disclose such data only to provide the Service as described in the Agreement or as otherwise permitted by Applicable Data Protection Laws, and will notify Customer if it can no longer meet these obligations.

Restricted Transfers

EEA SCCs (Clause 17/18 selections)

Ireland governs; disputes in Irish courts.

Clause 7 (docking): not used. Clause 9: Option 2 (general authorization), 10 business days’ notice. Clause 11: optional language not used. Clause 13: square brackets removed.

UK Addendum

Laws of England and Wales govern.

Annex I(A) — List of Parties

Data Exporter (Customer)

Name: Customer

Address / Contact: as provided in the Customer account records

Activities relevant to the transfer: See Annex I(B)

Role: Controller (or Processor, as applicable to Customer’s role)

Data Importer (Provider)

Name: Autophonix, LLC d/b/a ThunderPhone

Address: 505 Montgomery St. Suite 1100 #1019, San Francisco, CA 94111, USA

Contact: Privacy Team — privacy@thunderphone.com / security@thunderphone.com

Activities relevant to the transfer: See Annex I(B)

Role: Processor

EU Representative (GDPR Art. 27)

Rickert Rechtsanwaltsgesellschaft mbH — Autophonix LLC

Colmantstraße 15, 53115 Bonn, Germany

Email: art-27-rep-autophonix@rickert.law

UK Representative (UK GDPR Art. 27)

Rickert Services UK Ltd — Autophonix LLC

PO Box 1487, Peterborough, PE1 9XX, United Kingdom

Email: art-27-rep-autophonix@rickert-services.uk

Annex I(B) — Description of Transfer and Processing Activities

Service

ThunderPhone — AI-assisted telephony platform for call setup/routing, optional recording and transcription, analytics, support, and billing.

Categories of Data Subjects

  • Customer’s end users/customers (callers and call recipients)
  • Customer’s employees/administrators
  • Billing/payment contacts designated by Customer

Categories of Personal Data

  • Name
  • Contact information (email, phone number, address)
  • Account/transactional information (account identifiers, purchases, usage)
  • User activity/technical data (device, IP address, logs, diagnostics)
  • Location information (coarse, derived from telecom metadata)
  • Custom: Call metadata (numbers dialed/received, timestamps, duration, routing)
  • Custom: Audio content (live streams; recordings if enabled) and transcripts (if enabled)
  • Custom: Payment identifiers/tokens processed by Stripe (no full PAN on Provider systems)

Special Category Data

No — Provider does not require or intentionally collect special categories; Customer instructs Provider not to process such data. Any incidental inclusion is Customer-controlled content.

Frequency of Transfer

Continuous

Nature and Purpose of Processing (per DPA Standard Terms §3.2 and Customer instructions)

Receiving, holding, using, updating, protecting, sharing to Approved Subprocessors, returning, and erasing data as necessary to provide and support the Service (including analysis/quality/security, troubleshooting, and billing).

Duration of Processing

For the term of the Agreement and as required: (i) to perform instructed Processing activities and (ii) by Applicable Laws. Upon termination, deletion/return occurs per the DPA Standard Terms and this Cover Page.

Annex I(C) — Competent Supervisory Authority

The supervisory authority of the Data Exporter, as determined under SCC Clause 13 or the UK Addendum.

Annex II — Technical and Organizational Security Measures

See Security Policy: https://thunderphone.com/trust/security

Summary (in addition to the Security Policy):

  • Access control & authentication (RBAC/least privilege, SSO/MFA, periodic reviews)
  • Encryption
  • Tenant segregation & minimization; configurable retention for recordings/transcripts
  • Vulnerability & patch management; risk-based remediation; third-party testing as appropriate
  • Business continuity & backups; tested restores; regional redundancy per hosting provider(s)
  • Incident response (notify without undue delay and within 72 hours of awareness of a Security Incident; post-incident review)
  • Vendor management (security/privacy due diligence; SCCs/UK Addendum as needed)
  • Workforce confidentiality; security & privacy training

Annex III — Subprocessors

See https://thunderphone.com/trust/subprocessors (live list + change log).

No additional changes to the DPA Standard Terms. This click-through page, together with the incorporated DPA Standard Terms v1.1, forms the complete DPA for Customers who accept our Terms online.

(Optional for enterprise customers)
If a customer requires a signed copy, we can provide a signable cover page referencing this online DPA. Contact legal@thunderphone.com.

Contact

Privacy: privacy@thunderphone.com

Security: security@thunderphone.com

Notices: legal@thunderphone.com (or the physical address above)