Data Processing Agreement (AVV)
Last updated: 2026-05-26
This DPA applies between Prezio (Processor) and the customer who signed up for our service (Controller) when the customer uses Prezio to process personal data of their own end-users. It complements (and forms part of) the Terms of Service.
1. Subject matter
Prezio processes personal data on the Controller's behalf as part of providing the multi-channel AI agent platform. Processing operations include receiving inbound messages, generating AI responses, storing conversation history, generating leads, scheduling appointments, and delivering outbound messages via the integrated channels.
2. Duration
Processing continues for the duration of the Controller's subscription. On termination, the Controller has 30 days to export their data; after that, all processed data is hard-deleted as described in the Privacy Policy section 6.
3. Nature and purpose of processing
Automated processing for the purpose of operating an AI conversational agent on behalf of the Controller, including: storage of message content, embedding generation for retrieval-augmented responses, classification of leads (BANT scoring + ICP matching), routing to sales reps, appointment scheduling, and cost telemetry.
4. Categories of data subjects
Individuals who interact with the Controller's Prezio-powered agents via any supported channel — typically the Controller's customers, leads, prospects, and event attendees.
5. Categories of personal data
Contact data (name, email, phone number where provided), conversation content (messages exchanged with the AI agent), behavioural data (session timing, channel preference), inferred data (lead scoring, ICP match), and technical metadata (IP at the time of the request, channel-specific identifiers like Twilio MessageSid).
6. Obligations of the processor
Prezio processes personal data only on documented instructions from the Controller (the API calls and dashboard actions you take ARE the instructions). Personnel with access to personal data are bound to confidentiality. Appropriate technical and organisational measures are in place — see our Security page. We assist the Controller with responding to data subject rights requests (via the export and erasure endpoints) and with security incident notifications without undue delay.
7. Subprocessors
The Controller authorises the engagement of the subprocessors listed on our Subprocessors page. We will notify Controllers at least 30 days before adding or replacing a subprocessor, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds, the Controller may terminate the service for the affected workload with a prorated refund.
8. Technical and organisational measures
Specific TOMs are detailed on our Security page (encryption at rest and in transit, least-privilege IAM, password hashing, audit logging, backup strategy, incident response). The Controller agrees these are appropriate for the categories of data processed. If the Controller requires additional measures for specific use cases, contact us — bespoke arrangements may be available on the Enterprise plan.
9. Return or deletion on termination
On termination of the underlying service contract, the Controller has 30 days to export their data via the Account → Export endpoint. After 30 days, all data processed under this DPA is hard-deleted. Backups containing data are aged out per the retention policy described in BACKUP.md (lifecycle ends at 400 days). Anonymised audit log entries are retained as legally required.