Data Processing Agreement (DPA)

1. Roles

• Controller: the Customer. Determines the purposes and means of the processing of the personal data they load or generate when using SIVO.
• Processor: Cloudtree Solutions, S.L. Processes data only under the Controller’s documented instructions.

2. Subject matter and duration

• Subject: processing of personal data necessary to provide the SIVO service (multi-tenant SaaS virtual PBX).
• Duration: throughout the main contract term + 30 days for return/deletion phase.

3. Nature and purpose

• Nature: collection, storage, organization, retrieval, query, transmission, deletion.
• Purpose: providing the PBX service (call handling, IVR, ACD, recording, transcription, SF integration, telemetry).

4. Data categories

• Customer’s authorized users: name, email, optional phone, role, SIP extension, hashed password (bcrypt), encrypted JWT tokens (AES-256-GCM).
• Third-party callers: phone number, call audio (if recording policy active), transcript (if transcription policy active).
• Call metadata: timestamp, duration, agent, queue, hangup cause, IVR path, MOS score.
• Integration-derived data activated by the Customer: Salesforce IDs, outbound webhook payloads.

5. Data subject categories

• Customer’s authorized users.
• Callers and recipients handled by the PBX.
• Any person whose data the Customer chooses to load (outbound campaigns, contact lists, etc.).

6. Processor obligations

Cloudtree commits to:

1. Process data only under the Customer’s documented instructions (including this DPA and SIVO panel configuration).
2. Ensure authorized personnel have committed to confidentiality.
3. Apply appropriate technical and organizational measures (section 8).
4. Assist the Customer in fulfilling data subject rights.
5. Assist with breach notifications, DPIA and supervisory authority consultations.
6. Delete or return data at end of provision, subject to legal retention.
7. Make available to the Customer the information needed to demonstrate compliance and allow audits (section 10).
8. Notify the Customer without undue delay of any security breach (section 9).

7. Authorized sub-processors

The Customer generally authorizes:

Sub-processor	Service	Processing location	Safeguards
Hetzner Online GmbH	Cloud infrastructure	EU (DE/FI)	DPA, ISO 27001
Cloudflare, Inc.	CDN, DNS, WAF	Global (EU-filtered for EU)	DPA, SCC
Google Ireland Ltd.	Email (Workspace)	EU/USA	DPA, SCC, USA Adequacy
Stripe Payments Europe	Payment processor	EU/USA	DPA, SCC
Resend / Postmark	Transactional email	EU/USA	DPA, SCC

Optional AI providers (Deepgram, ElevenLabs, OpenAI, Groq, Cerebras, Together): only invoked when the Customer activates them with their own API keys. In that case, the Customer is responsible for signing a direct DPA with those providers.

Salesforce integration (optional): when the Customer activates it, Cloudtree acts as a technical intermediary; legal responsibility lies with the Customer and their SF org.

Any change to the list will be notified with 30-day advance notice. The Customer may reasonably object; if the objection is unresolvable, they may terminate without penalty.

8. Technical and organizational measures

Cloudtree applies (non-exhaustive):

Encryption

• TLS 1.3 mandatory on API and dashboard.
• SRTP / DTLS-SRTP on audio (WebRTC + SIP).
• AES-256-GCM for SIP passwords, JWT keys and provider secrets in DB.
• KMS-encrypted storage (S3 / GCS / Azure / MinIO) for recordings and transcripts.

Access control

• Granular RBAC with 5 base roles.
• Mandatory MFA on backend administrative access.
• Short-lived JWT + blacklist on logout.
• Row-Level Security in PostgreSQL across 23+ tables for multi-tenant isolation.

Availability and resilience

• Encrypted backups with retention and periodic restore tests.
• Multi-AZ in Hetzner infra when applicable.
• SIP trunk failover.
• Public status at status.sivocenter.com.

Audit

• Monthly-partitioned audit_logs.
• Centralized logs retained per plan (30 d, 1 y, 7 y).
• Cross-tenant superadmin access traceability.

Personnel

• Signed confidentiality commitments.
• Periodic privacy and security training.
• Principle of least privilege.

Testing

• Annual external pentest (planned).
• ISO 27001 roadmap → 2027 Q1.
• SOC 2 Type II roadmap → 2027 Q3 for US customers.

9. Breach notification

Cloudtree will notify the Customer without undue delay (and in any case in less than 72 hours) upon becoming aware of a security breach affecting their data. Notification includes:

• Nature and categories of data affected.
• Estimated number of data subjects.
• Likely consequences.
• Measures taken or proposed.
• Cloudtree DPO contact details.

10. Audit

• The Customer may request documentary evidence of compliance (policies, certifications, pentest reports when available).
• On-site audits: once per year max, with 30-day notice and under NDA. Customer bears costs unless audit reveals material non-compliance.
• Cloudtree may substitute on-site audit with an independent auditor report (SOC 2 Type II or ISO 27001) when available.

11. International transfers

When a transfer outside the EEA is necessary, Cloudtree will apply:

• Updated Standard Contractual Clauses (Decision 2021/914 EU).
• Additional safeguards assessment (TIA) when applicable.
• Adequacy decisions when in force (e.g. UK, Japan, etc.).

For customers with strict residency requirements, Enterprise can be configured to process exclusively on EU infrastructure.

12. Return and deletion

At contract end, the Customer has 30 days to download:

• User data (JSON export).
• CDR (CSV).
• Recordings and transcripts (original format).
• Audit logs (CSV).

After the deadline, Cloudtree will delete all copies in productive and backup systems within an additional 90-day max, except for explicitly notified legal retention.

13. Liability

Each party will respond to the other and to the supervisory authority to the extent that corresponds under GDPR. Cloudtree’s accumulated liability for DPA breaches is subject to the cap in the general Terms’ limitation clause.

14. DPO contact

dpo@sivocenter.com