1. Scope
This Data Processing Addendum ("DPA") describes how AI Agent Mindset handles personal data that a business client ("Client") asks us to process while we build, host, or operate a custom AI voice agent, WhatsApp agent, chatbot, or related automation on the Client's behalf. It supplements our Terms of Service or a signed statement of work, and applies only to the extent we process personal data as the Client's service provider/processor — it does not apply to our own website visitors and leads, which are covered by our Privacy Policy instead.
2. Definitions
"Personal data," "processing," "controller," and "processor" (or "business" and "service provider," depending on applicable law) have the meanings given to them under applicable data protection law, including India's Digital Personal Data Protection Act, the GDPR/UK GDPR, and relevant US state privacy laws, whichever applies to the Client's use of our services.
3. Roles of the Parties
The Client is the controller/business with respect to its end customers' personal data. AI Agent Mindset acts as processor/service provider, processing that data only to deliver the agreed AI automation services and only on the Client's documented instructions, except where we're required to do otherwise by law.
4. Client Instructions
The Client's instructions are set out in the applicable statement of work, agent configuration, and this DPA. We will notify the Client if, in our reasonable opinion, an instruction appears to violate applicable data protection law.
5. Confidentiality
We restrict access to Client personal data to personnel and contractors who need it to perform the services, and we bind them to confidentiality obligations at least as protective as those in this DPA.
6. Security Measures
We apply technical and organizational measures appropriate to the nature of the personal data and the risk involved, consistent with our Security & Trust page. We do not claim a specific third-party security certification unless separately confirmed in writing.
7. Subprocessors
We use subprocessors (such as cloud hosting, AI model, telephony, or messaging providers) to deliver the services. The specific subprocessors engaged for a given deployment depend on the technology stack agreed for that project.
Rather than publish a generic subprocessor list that may not reflect a specific engagement, we maintain (or will maintain, as we formalize this process) an up-to-date subprocessor list per Client engagement, available on request and updated when a new subprocessor is added. We'll give reasonable notice of new subprocessors so the Client can object on legitimate data-protection grounds.
8. International Transfers
Where personal data is transferred outside the country in which it was collected, we rely on the transfer mechanisms available from our subprocessors (such as standard contractual clauses) and take into account applicable restrictions under the Client's governing data protection law.
9. Data Subject Requests
Where we receive a request from one of the Client's end customers to access, correct, or delete their personal data, we will promptly forward it to the Client and reasonably assist the Client in responding, since the Client — not us — is generally best placed to verify and act on the request.
10. Security Incidents
If we become aware of a security incident affecting Client personal data we process, we will notify the Client without undue delay after becoming aware, and provide information reasonably available to us to help the Client meet its own notification obligations.
11. Audits and Information Requests
We will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior notice, allow the Client (or an appointed auditor, subject to confidentiality) to conduct an audit of relevant processing activities, to the extent required by applicable law or the parties' written agreement.
12. Data Return and Deletion
On termination of the applicable services, we will, at the Client's choice, delete or return personal data processed on the Client's behalf, except where retention is required by law or for legitimate business archival/legal purposes for a limited period.
13. Processing Details
The sections below describe, at a general level, the categories of data subjects, personal data, and processing activities typically involved in our AI automation services. The specific details for a given engagement are confirmed in that Client's statement of work.
14. Categories of Data Subjects
- The Client's customers, leads, and prospects who call, message, or chat with the AI agent
- The Client's employees or contractors who configure, monitor, or use the agent/dashboard
- Visitors to a website where a client chatbot is embedded
15. Types of Personal Data
- Contact details (name, phone/WhatsApp number, email)
- Conversation content and call transcripts, and audio recordings where enabled
- Appointment and scheduling details
- Lead-qualification responses (e.g. budget, timeline, product interest)
- CRM record identifiers and related fields the Client chooses to sync
16. Nature and Purpose of Processing
- Receiving and responding to inbound calls, messages, and chats
- Generating transcripts and conversation summaries
- Qualifying leads and scoring intent
- Booking, confirming, and rescheduling appointments
- Sending confirmations, reminders, and follow-up messages
- Updating CRM records with conversation outcomes
- Retrieving information from the Client's knowledge base to answer questions
- Generating usage analytics and reporting for the Client
17. Duration of Processing
Processing continues for the term of the applicable services agreement, plus any post-termination retention/return period agreed with the Client or required by law.
18. Contact Details
Questions about this DPA or a request for the current subprocessor list for your engagement can be sent to .