This addendum describes how Sampark Karo processes personal data on your behalf when you upload contacts and run calling campaigns. It forms part of our Terms of Service. [LEGAL REVIEW: pending counsel sign-off — draft DPA]
For contact lists and call recipients you upload, you are the data fiduciary under the DPDP Act, 2023 and Sampark Karo is your data processor. We process this data only to run the campaigns and broadcasts you configure, and on your documented instructions.
Categories of data: contact names, phone numbers, consent flags, call outcomes, recordings/transcripts of AI-assisted calls where enabled. Duration: while your workspace is active or until you delete the data. Purpose: outbound voice communication you initiate, and reporting on it back to you.
We rely on infrastructure sub-processors to deliver the service: database and authentication hosting (Supabase, Mumbai region), real-time voice transport (LiveKit), SIP termination (VoiceLink), speech and language AI (Google Gemini, Sarvam AI), and payments (Razorpay). We will maintain an up-to-date sub-processor list on request and give notice of material changes. [LEGAL REVIEW: confirm final sub-processor list]
Row-level tenant isolation enforced in the database, role-based access, server-side secret handling, encryption in transit, phone-number masking in cross-tenant and operational contexts, and trigger-based audit logging of sensitive actions. Details in our security overview.
We assist you in responding to data principal requests (access, correction, erasure) that relate to data we process for you. On termination of your workspace we delete personal data within 30 days, except where law requires retention.
We will notify affected customers without undue delay after becoming aware of a personal data breach affecting their data, and will share the information needed for your own notifications to the Data Protection Board of India and data principals.