Data Processing Addendum
Last updated: April 22, 2026
This Data Processing Addendum (“DPA”) forms part of the master services agreement between Close2u, Inc. (“Processor”) and the customer organization (“Controller”) and governs the processing of personal data in connection with the Service.
1. Definitions
“Personal Data,” “Data Subject,” “Processing,” and related terms have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and, where applicable, the California Consumer Privacy Act (“CCPA”).
2. Subject matter and duration
Close2u processes Personal Data on behalf of Controller solely to deliver the Service. Processing continues for the term of the master services agreement and ends within 90 days of termination, subject to legal retention obligations.
3. Nature and purpose of processing
- Answering inbound calls on Controller's behalf.
- Transcribing, qualifying, and scoring caller conversations.
- Booking appointments and sending SMS / email confirmations.
- Executing follow-up sequences.
- Producing analytics derived from call data.
4. Categories of Data Subjects and Personal Data
Data Subjects: end users and prospects who call Controller's business phone lines. Personal Data: name, phone number, email (if provided), voice recording (if opted-in), transcript, qualification answers, appointment details. Special categories (health data, for clinical Controllers): only non-PHI intake signals; full PHI access is Controller's EHR responsibility.
5. Processor obligations
Close2u will:
- Process Personal Data only on documented instructions from Controller.
- Ensure personnel authorized to process Personal Data are under obligations of confidentiality.
- Implement appropriate technical and organizational measures (encryption at rest and in transit, access controls, audit logs, least-privilege engineering).
- Assist Controller in responding to Data Subject rights requests.
- Notify Controller without undue delay (and within 72 hours) of any Personal Data breach.
- Delete or return all Personal Data at Controller's election after termination.
- Make available all information necessary to demonstrate compliance and allow audits, subject to reasonable notice.
6. Sub-processors
Close2u engages the following categories of sub-processors to deliver the Service:
- Voice infrastructure (Retell AI)
- Large language model providers (Anthropic)
- Hosting (Vercel, Modal)
- Email delivery (Resend)
- SMS delivery (Twilio)
- Calendar and CRM integrations selected by Controller
A current, specific list is available on request. We give Controller at least 30 days' prior written notice of any new sub-processor and the right to reasonably object.
7. International transfers
Where Personal Data is transferred outside the EEA / UK / Switzerland, Close2u relies on the European Commission's Standard Contractual Clauses (2021/914/EU) or equivalent safeguards.
8. HIPAA (for covered entities)
For Controllers that are HIPAA-covered entities, Close2u will execute a Business Associate Agreement (BAA) prior to processing any Protected Health Information. The BAA supersedes this DPA to the extent of any conflict.
9. Contact
DPA-related inquiries: hello@close2u.ai.
