Back to Voice AILegal

Data Processing Addendum

Last updated: 1 April 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between GRX10 Solutions Private Limited ("Processor") and the Customer ("Data Fiduciary"). It governs the processing of Personal Data under the Digital Personal Data Protection Act, 2023 ("DPDP Act").

1. Roles

Customer is the Data Fiduciary; GRX10 is the Data Processor. GRX10 processes Personal Data only on documented instructions from Customer.

2. Nature of processing

  • Subject matter: Voice AI services for making and receiving phone calls.
  • Duration: For the term of the Agreement.
  • Categories of data subjects: Customer's end-users (callers, callees).
  • Types of data: Phone numbers, names, audio recordings, transcripts, call metadata.

3. Sub-processors

GRX10 engages the following sub-processors. Updated list at grx10.com/trust/subprocessors:

  • Primary cloud provider (Mumbai region) — hosting, storage.
  • Secondary India compute provider — GPU inference.
  • Licensed Indian telco partners — voice termination.
  • Cloud AI provider — audio model inference.

4. Security measures

  • AES-256 at rest, TLS 1.3 in transit.
  • Per-tenant encryption keys.
  • PII tokenisation in application logs.
  • Access on least-privilege, MFA-enforced.
  • Annual penetration test.

5. Breach notification

GRX10 will notify Customer within 48 hours of confirming a Personal Data breach affecting Customer data.

6. Audit rights

Customer may audit GRX10's compliance on 30-day notice, once per year, during business hours, under NDA. Enterprise Customers may request a more frequent cadence.

7. Termination

On termination, GRX10 will delete or return all Personal Data within 30 days, subject to statutory retention obligations.

GRX10 Solutions Private Limited · CIN: U72900KA2022PTC XXXXXX · GSTIN: 29AAXXXXXXXX1ZX · MKB Tower, 3rd Floor, Indiranagar, Bengaluru 560008