callmine Data Processing Addendum
Last updated: May 10, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Discera Inc., doing business as callmine ("callmine," "Processor"), and the customer that has accepted the callmine Terms of Service or signed an order form ("Customer," "Controller") (together, the "Agreement"). This DPA applies when callmine processes Customer Personal Data on Customer's behalf.
If there is a conflict between this DPA and the Agreement on a privacy or data protection matter, this DPA controls.
1. Definitions
Capitalized terms not defined here have the meaning given in the Agreement or in applicable Data Protection Laws.
- "Customer Personal Data" means personal data within Customer Data that callmine processes on Customer's behalf.
- "Data Protection Laws" means all privacy and data protection laws applicable to callmine's processing of Customer Personal Data, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended ("CCPA/CPRA"), the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"), Québec Law 25, and other comparable laws.
- "EU SCCs" means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914.
- "UK IDTA" means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner.
- "Personal Data Breach" has the meaning given in the GDPR.
- "Subprocessor" means a third party engaged by callmine to process Customer Personal Data.
- "Data Subject", "Process", "Controller", "Processor", "Service Provider", and "Supervisory Authority" have the meanings given in applicable Data Protection Laws.
2. Roles and Scope
For the purposes of Data Protection Laws:
- Customer is the Controller (or business) of Customer Personal Data.
- callmine is the Processor (or service provider) acting on Customer's documented instructions.
callmine will not act as an independent controller of Customer Personal Data, will not sell Customer Personal Data, and will not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for any purpose other than performing the Service or as otherwise permitted by Data Protection Laws.
The subject matter, nature, purpose, duration, types of personal data, and categories of data subjects are described in Annex 1.
3. Processing by callmine
callmine will:
- process Customer Personal Data only on Customer's documented instructions, including those reflected in the Agreement and in Customer's configuration of the Service;
- promptly inform Customer if, in callmine's opinion, an instruction infringes Data Protection Laws (callmine is not obligated to perform a legal analysis on Customer's behalf);
- ensure persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations;
- implement and maintain the security measures described in Annex 2;
- assist Customer, where reasonably possible, in fulfilling Customer's obligations under Data Protection Laws, including responding to Data Subject requests and performing data protection impact assessments;
- comply with the international transfer terms in Section 8; and
- on termination, return or delete Customer Personal Data as described in Section 9.
4. Customer Responsibilities
Customer is responsible for:
- the lawfulness of its instructions and of Customer Personal Data;
- providing all notices and obtaining all consents required for callmine to process Customer Personal Data under the Agreement and this DPA, including any consents required to record calls and to share call recordings, transcripts, and CRM data with callmine;
- the accuracy, quality, and legality of Customer Personal Data;
- complying with its own obligations under Data Protection Laws as Controller; and
- maintaining appropriate workspace, admin, integration, and credential hygiene.
Customer must not direct callmine to process Customer Personal Data in violation of Data Protection Laws.
5. Subprocessors
Customer authorizes callmine to engage Subprocessors to process Customer Personal Data. callmine's current Subprocessors are listed in Annex 3 and at callmine.ai/subprocessors.
callmine will:
- enter into a written agreement with each Subprocessor that imposes data protection obligations substantially similar to those in this DPA;
- remain responsible to Customer for the acts and omissions of its Subprocessors that cause callmine to breach this DPA; and
- provide at least 30 days' notice — by email, in-app notice, or update to the Subprocessor page — before adding or replacing a Subprocessor.
If Customer reasonably objects to a new Subprocessor on data protection grounds, Customer may notify callmine within 30 days of notice. The parties will work in good faith to resolve the objection. If the parties cannot resolve it, Customer may terminate the affected portion of the Service for convenience by written notice; this is Customer's exclusive remedy.
6. Security
callmine will implement and maintain the technical and organizational security measures described in Annex 2 to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
callmine may update Annex 2 from time to time, provided the updates do not materially reduce the overall level of protection.
7. Personal Data Breach
callmine will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will include the information reasonably available to callmine at that time, including the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address it. callmine will provide updates as additional information becomes available.
callmine's notification of, or response to, a Personal Data Breach is not an acknowledgment of fault or liability.
8. International Transfers
To the extent callmine processes Customer Personal Data outside the country of origin in a way that requires a transfer safeguard under Data Protection Laws, the parties agree to the following.
8.1 EEA transfers
The EU SCCs (Module Two — Controller to Processor) are incorporated into this DPA by reference and apply to transfers of Customer Personal Data from the EEA to callmine or its Subprocessors in countries that have not received a European Commission adequacy decision. The parties agree:
- Module Two applies. Module Three (processor-to-processor) applies where Customer itself acts as a processor for an upstream controller.
- For Clause 7 (docking clause): does not apply.
- For Clause 9 (use of sub-processors): Option 2 (general written authorization) applies, with the 30-day notice period in Section 5.
- For Clause 11 (redress): the optional independent dispute-resolution body language does not apply.
- For Clauses 17 and 18: the governing law and jurisdiction is the law and courts of Ireland.
- Annexes 1, 2, and 3 to this DPA serve as Annexes I, II, and III to the EU SCCs.
8.2 UK transfers
Transfers from the United Kingdom are governed by the UK IDTA, with the EU SCCs in Section 8.1 as the approved EU transfer mechanism. The parties complete the UK IDTA using the information in Annexes 1, 2, and 3 to this DPA.
8.3 Swiss transfers
Transfers from Switzerland are governed by the EU SCCs in Section 8.1, with references adapted to the FADP and to the Swiss Federal Data Protection and Information Commissioner (FDPIC) as the supervisory authority.
8.4 Other jurisdictions
For transfers from other jurisdictions, the parties will use the transfer mechanism required by applicable Data Protection Laws, including any standard contractual clauses, adequacy decisions, or consent mechanisms.
9. Return or Deletion
On termination or expiration of the Agreement, or on Customer's earlier written request, callmine will delete or, at Customer's election, return Customer Personal Data within 30 days, except that:
- backup copies will roll off within 90 days through normal backup rotation;
- callmine may retain Customer Personal Data where required by law or for legitimate purposes such as billing records, dispute resolution, security, or fraud prevention; and
- aggregated or de-identified data that cannot reasonably be linked back to Customer or a Data Subject may be retained.
Customer is responsible for exporting Customer Personal Data before termination using features available in the Service.
10. Data Subject Requests
callmine will, where reasonably possible and taking into account the nature of the processing, assist Customer through appropriate technical and organizational measures in responding to Data Subject requests for access, correction, deletion, restriction, portability, or objection.
If callmine receives a request directly from a Data Subject concerning Customer Personal Data, callmine will, unless legally prohibited, forward the request to Customer without responding to the substance of the request. Customer is responsible for responding.
11. DPIAs and Consultations
callmine will provide Customer with reasonably available information necessary for Customer to perform data protection impact assessments or to consult with Supervisory Authorities, taking into account the nature of the processing and the information available to callmine.
12. Audits
callmine will make available to Customer the information necessary to demonstrate compliance with this DPA, including third-party audit reports, certifications, and security documentation where available.
If applicable Data Protection Laws require, and to the extent the information made available is not sufficient, callmine will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer:
- on reasonable prior written notice of at least 30 days;
- no more than once per 12 months, unless required by a Supervisory Authority or following a Personal Data Breach;
- during business hours;
- at Customer's expense; and
- subject to confidentiality obligations and reasonable security and operational restrictions.
13. Liability
Each party's liability under or in connection with this DPA is subject to the limitation of liability set out in the Agreement. For clarity, that limitation applies in the aggregate to all claims under the Agreement and this DPA combined.
14. General
This DPA is incorporated into and forms part of the Agreement. If any provision of this DPA is found unenforceable, the remaining provisions remain in effect. This DPA may be updated to reflect changes in Data Protection Laws; updates will not materially reduce protections for Customer Personal Data.
This DPA is governed by the law of the Agreement, except where mandatory law requires otherwise — for example, where the EU SCCs apply.
Annex 1 — Description of Processing
Subject matter: callmine's processing of Customer Personal Data to provide the Service.
Duration: for the term of the Agreement, plus the retention periods described in Section 9.
Nature and purpose of processing: hosting, transmission, retrieval, storage, structuring, analysis (including AI-assisted analysis), generation of reports and summaries, notification, audit, and other operations necessary to provide the Service.
Categories of Data Subjects:
- Customer's employees, contractors, and other Authorized Users
- Customer's prospects, customers, and partners (including call participants)
- Contacts in Customer's connected CRM
Categories of Personal Data:
- Identifiers and contact information: names, email addresses, phone numbers
- Professional information: job titles, employer, role, owner assignments
- Communication content: call transcripts, including speech-derived text
- Commercial information: CRM deal data, pipeline data, deal amounts and close dates
- Technical identifiers: Gong call IDs, Gong URLs, system identifiers
- Usage data tied to Authorized Users
Special categories of data: none required by the Service. Customer is responsible for not directing special-category data into the Service unless an order form expressly permits it.
Frequency of processing: continuous during the term, on Customer's instructions and configuration.
Annex 2 — Technical and Organizational Measures
callmine maintains the following measures, which it may update from time to time provided overall protection is not materially reduced.
Encryption
- HTTPS/TLS in transit for all production endpoints
- Application-layer encryption (Fernet) of stored integration credentials (Gong, HubSpot, Slack)
- Storage-level encryption at rest provided by Google Cloud (Cloud SQL, Cloud Storage, Memorystore)
Access controls
- Authentication via Clerk with bearer-token verification for backend APIs
- Workspace-scoped authorization on report, schedule, job, integration, billing, and audit endpoints
- Role-based admin controls (org:admin vs org:member)
- Admin-only mutations for integrations, billing, schedules, and preferences
Infrastructure security
- Production deployment on Google Cloud Platform (Cloud Run, Cloud SQL, Cloud Storage, Memorystore, VPC connector)
- Secrets managed in Google Secret Manager and mounted as environment variables
- OIDC-verified internal worker requests (Cloud Tasks)
- Signed webhook verification (Clerk via Svix, Stripe)
Application security
- Rate limiting on analysis starts and checkout/add-on attempts
- Job execution locks to prevent duplicate worker processing
- CSRF state nonces and row locking for Gong OAuth refresh
Operational security
- Audit logs for workspace admin actions on supported plans
- Logging and monitoring of production systems
- Vulnerability and dependency management
- Incident response procedures
Personnel
- Confidentiality obligations for personnel with access to Customer Personal Data
- Access on a need-to-know basis
Annex 3 — Subprocessors
callmine maintains an up-to-date list of Subprocessors at callmine.ai/subprocessors. The list includes name, purpose, and location of processing for each Subprocessor. Current Subprocessors include:
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud (Google LLC) | Hosting, storage, secrets, queues, Cloud SQL | United States and other regions |
| OpenAI | AI analysis of call transcripts and metadata | United States |
| Clerk | Authentication and identity | United States |
| Stripe | Payments and billing | United States |
| Mailgun (Sinch) | Transactional email | United States |
| PostHog | Product analytics | United States or EU, depending on instance |
| Slack | Customer-configured notifications via webhook | United States |
Where Customer connects Gong or HubSpot, those integrations are at Customer's direction and are governed by Customer's agreements with those providers. They are not callmine Subprocessors for purposes of this DPA, except that callmine processes data flowing through those integrations on Customer's behalf.