Data Processing Addendum
Effective June 23, 2026 · Neuralgents, a DBA of ITP360 LLC
This DPA forms part of our agreement with you and governs our processing of personal data on your behalf as a processor. It incorporates the data-protection commitments required by applicable law.
1. Roles and scope
This Data Processing Addendum (“DPA”) is entered into between the customer (the “Controller” or “Business”) and ITP360 LLC, operating as Neuralgents (the “Processor” or “Service Provider”). It supplements the Terms of Service and applies whenever we process personal data on your behalf in delivering the Services. If there is a conflict, this DPA controls for matters of data protection.
2. Definitions
“Personal Data,” “processing,” “controller,” “processor,” “data subject,” and “personal data breach” have the meanings in applicable data-protection laws, including the GDPR, UK GDPR, and the CCPA/CPRA (“Data Protection Laws”). “Customer Personal Data” means Personal Data we process on your behalf under the Agreement.
3. Processing instructions
We will process Customer Personal Data only on your documented instructions — including as set out in the Agreement, this DPA, and your configuration of the Services — and as required by law. If we are legally required to process beyond your instructions, we will inform you unless prohibited. We will tell you if, in our opinion, an instruction infringes Data Protection Laws.
The subject matter, duration, nature, purpose, categories of data subjects, and types of Personal Data are described in Annex I.
4. Confidentiality
We ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as instructed.
5. Security
We implement appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art and the risks of the processing. Those measures are described in Annex II.
6. Subprocessors
You authorize us to engage the subprocessors listed in Annex III to process Customer Personal Data. We impose data-protection obligations on each subprocessor that are no less protective than those in this DPA, and we remain responsible for their performance. We will give you notice before adding or replacing a subprocessor and a reasonable opportunity to object on legitimate data-protection grounds.
7. Data subject requests
Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights. If we receive such a request directly, we will advise the data subject to contact you and will not respond except on your instructions.
8. Assistance and impact assessments
We will provide reasonable assistance with your obligations regarding security, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the information available to us.
9. Personal data breach
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provide information reasonably available to us to help you meet your notification obligations.
10. Audits
We will make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality and security conditions and on reasonable notice. We may satisfy audit requests by providing relevant third-party certifications or reports where available.
11. International transfers
Where we transfer Customer Personal Data out of the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties agree that the European Commission’s Standard Contractual Clauses (and the UK Addendum, where applicable) are incorporated by reference and apply to that transfer, with the data exporter being you and the data importer being ITP360 LLC.
12. Deletion and return
On termination of the Services, we will, at your choice, delete or return Customer Personal Data, and delete existing copies, unless retention is required by law. This mirrors the data-portability commitments in the Terms of Service. Residual copies in routine backups are deleted in the ordinary course of our backup cycle.
13. CCPA terms
To the extent we process Personal Data of California residents on your behalf, we act as your service provider. We will not sell or share such Personal Data, retain, use, or disclose it for any purpose other than performing the Services, or combine it with data from other sources except as permitted by the CCPA. We certify that we understand and will comply with these restrictions.
14. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service.
Annex I — Details of processing
| | |
|---|---|
| Subject matter | Provision of the Services — deploying and operating the Customer’s private platform and AI agents. |
| Duration | For the term of the Agreement, plus any deletion/return period in Section 12. |
| Nature and purpose | Hosting, storage, transmission, and AI-assisted processing of records to operate the Customer’s business functions (e.g. answering calls, scheduling, billing, ticketing). |
| Categories of data subjects | The Customer’s end customers, leads, contacts, vendors, and staff. |
| Types of Personal Data | Names, contact details, voice recordings and transcripts, message content, appointment and ticket records, and billing/invoice information. The Customer is responsible for not submitting special-category data unless agreed in writing. |
Annex II — Security measures
- Network isolation — each customer platform runs on a private network segment; a single hardened ingress handles rate limiting and security headers.
- Encryption — data encrypted in transit using TLS; storage encryption at the infrastructure layer.
- Access control — least-privilege access for personnel, authentication on administrative interfaces, and credential management.
- Logging and monitoring — centralized ingress logging and operational monitoring.
- Resilience — routine backups and documented recovery procedures.
- Change management — code review and controlled deployment of platform changes.
Annex III — Approved subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Hosting, compute, storage, and backups for customer platforms | United States |
| Telephony / voice provider | Inbound and outbound calling, recording, and transcription for voice agents | United States |
| AI model providers | Large language model inference and speech for agent functionality | United States |
| Stripe | Payment processing and billing | United States |
| Email delivery provider | Transactional and support email (support@, billing@, noreply@) | United States |
For an up-to-date list of subprocessors, or to raise an objection, contact support@neuralgents.com.