Skip to content
← Voix

Data Processing Agreement

Effective 2026-07-15

This Data Processing Agreement (“DPA”) applies when you use Voix to process personal data on behalf of an organisation. In that relationship you (the “Customer”) are the Controller and Voix is the Processor, acting only on your documented instructions under Article 28 GDPR.

This is the current standard version, incorporated into the Terms of Service. To put a counter-signed copy in place for your organisation, contact privacy@voixapp.org and we will provide an executable copy with an order form.

1. Parties

Processor: John Afinni, trading as Future_AI_Lab, Barcelona, Spain (“Voix”). Controller: the customer entity named in the order form or signature block (“Customer”). This DPA forms part of and is subject to the Voix Terms of Service; where they conflict on data protection, this DPA prevails.

2. Definitions

“GDPR”, “personal data”, “processing”, “data subject”, “controller”, “processor”, “sub-processor”, “personal data breach”, and “supervisory authority” have the meanings given in Regulation (EU) 2016/679 (GDPR). “Applicable Data Protection Law” means the GDPR and the Spanish LOPDGDD as amended.

3. Roles and scope (Art. 28(3))

  • Customer is the Controller; Voix is the Processor and acts only on Customer's documented instructions.
  • The subject-matter, duration, nature, purpose, types of personal data, and categories of data subjects are set out in Annex 1.
  • The Terms of Service, this DPA, and Customer's configuration of the Service together constitute Customer's complete documented instructions. Any additional instruction must be agreed in writing.

4. Processor obligations (Art. 28(3)(a)–(h))

Voix shall:

  • (a) process personal data only on Customer's documented instructions, including as to transfers, unless required by EU or Member-State law (in which case Voix informs Customer first, unless legally prohibited);
  • (b) ensure persons authorised to process the data are bound by confidentiality;
  • (c) implement the technical and organisational measures in Annex 2 (Art. 32);
  • (d) engage sub-processors only in accordance with Section 5;
  • (e) assist Customer, by appropriate technical and organisational measures, to respond to data-subject rights requests (Art. 12–22);
  • (f) assist Customer with its Art. 32–36 obligations (security, breach notification, data-protection impact assessment, prior consultation), taking into account the nature of processing and the information available;
  • (g) at Customer's choice, delete or return all personal data at the end of the provision of services and delete existing copies, unless EU or Member-State law requires storage (see Section 8);
  • (h) make available to Customer the information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits per Section 9.

5. Sub-processors (Art. 28(2), 28(4))

  • Customer grants general authorisation for Voix to engage the sub-processors listed in Annex 3.
  • Voix imposes data-protection obligations on each sub-processor that are no less protective than this DPA and remains fully liable to Customer for each sub-processor's performance.
  • Voix gives Customer at least 30 days' notice before adding or replacing a sub-processor. Customer may object on reasonable data-protection grounds; if the objection cannot be resolved, Customer may terminate the affected service.

6. International transfers (Chapter V)

  • Where Voix or a sub-processor transfers personal data outside the EEA, the transfer relies on an appropriate safeguard under Article 46: Standard Contractual Clauses (Commission Decision 2021/914) and/or the EU-US Data Privacy Framework where the importer is certified.
  • The SCCs (Module Two, Controller-to-Processor; Module Three where a sub-processor is involved) are incorporated by reference and completed by Annex 1, Annex 2, and Annex 3. In case of conflict, the SCCs prevail.

7. Data-subject requests (Art. 28(3)(e))

Voix will, without undue delay, notify Customer of any request it receives directly from a data subject, and will not respond except on Customer's instruction. The Service provides self-serve deletion and disconnect controls Customer can use to action erasure and withdrawal of access.

8. Deletion and return (Art. 28(3)(g))

  • On termination, Customer may export or request return of personal data. A self-serve export of core account data is available; anything beyond it is provided on request.
  • Voix deletes personal data per its retention model: briefing content is scrubbed within 30 days of generation; on account deletion, all user-scoped rows are removed within 30 days, backups within 60 days, with no copy remaining after 90 days. Deletion cascades from the user record, and provider-side OAuth grants (Google, Slack) are revoked first.

9. Audit (Art. 28(3)(h))

Voix will make available its security documentation, Annex 2, and any third-party attestations it holds. Customer may request a once-yearly audit on 30 days' written notice, during business hours, subject to confidentiality and without unreasonably disrupting Voix's operations.

10. Personal data breach (Art. 33)

Voix will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer's data, with the information then available, and will cooperate with Customer's own Article 33 and 34 obligations.

11. Liability

Liability under this DPA is subject to the limitations in the Voix Terms of Service, except where Applicable Data Protection Law prohibits such limitation.

12. Term and governing law

This DPA runs for the duration of the service. It is governed by the laws of Spain; disputes are subject to the courts of Barcelona, without prejudice to mandatory data-subject or consumer rights.

Annex 1: Details of processing

  • Subject-matter: provision of the Voix inbox-briefing service to Customer's authorised users.
  • Duration: the term of the service agreement.
  • Nature and purpose: reading connected-inbox messages on demand, AI ranking, generating and (on approval) sending draft replies, reply-monitoring, and account and billing administration.
  • Types of personal data: email subject, sender, and excerpt; message text from connected sources; account identity (name, email); derived ranked summaries; billing metadata. No card data (Stripe-hosted). No intentional special-category (Art. 9) data, though it may incidentally appear in correspondence.
  • Categories of data subjects: Customer's authorised users, and third parties appearing in those users' messages.

Annex 2: Technical and organisational measures (Art. 32)

  • Encryption at rest: AES-256-GCM application-level encryption on OAuth and connector tokens, stored message bodies, and phone numbers, plus AES-256 disk encryption at the database layer, hosted in the EU (Frankfurt).
  • Encryption in transit: TLS 1.2 or higher.
  • Access control: per-user ownership enforced server-side from the authenticated session, never from a client-supplied value; row-level security enabled with deny-all defaults; the privileged service key is server-only and never reaches the browser.
  • Minimisation: messages read on demand (about 10 recent), no full-body or attachment storage; Gmail scopes limited to read and send (plus optional calendar read).
  • No autonomous action: every email send requires explicit user approval on a fully-visible draft.
  • Untrusted-content handling: message content is treated as data and never executed as instructions (defence against indirect prompt injection).
  • Abuse controls: per-user rate limits; billing, AI, speech, and telephony endpoints fail closed.
  • Sub-processor controls: AI providers are contractually prohibited from training on the data; no data is sold or shared with advertisers.
  • Retention and deletion: 30-day content scrub; 30/60/90-day deletion cascade; provider OAuth grant revoked on deletion.
  • Logging: access and audit logs retained for 90 days.

Annex 3: Authorised sub-processors

Voix engages the following sub-processors. Those marked conditional are engaged only when you activate the corresponding feature.

  • Anthropic (US): AI ranking and reply drafting.
  • Google Workspace + Google Cloud Text-to-Speech (US/global): inbox read/send and spoken-briefing synthesis.
  • Microsoft (US/EU): Outlook mail, calendar, and Teams chat (when Microsoft 365 is connected).
  • Clerk (US): sign-in identity (name + email).
  • Supabase (EU, Frankfurt): primary data store.
  • Stripe (US/EU): billing.
  • Vercel (US): application hosting.
  • PostHog (EU, Frankfurt): analytics and error monitoring, consent-gated.
  • Conditional: Resend (US, morning email), Twilio and Vapi (US, Private Call), Meta (US/global, WhatsApp/Instagram business).