DATA PROCESSING ADDENDUM (DPA)

📄 DATA PROCESSING ADDENDUM (DPA)

Last Updated: 15 November 2025
*This DPA forms part of the Terms of Service between:

Customer (“Controller”)
and
Tellimon Inc. (“Processor”)
162, 28 Geary St, STE 650, San Francisco, CA 94108, United States.

1. DEFINITIONS

For the purposes of this DPA:

“Data Protection Laws” includes: GDPR, UK-GDPR, CCPA/CPRA, ePrivacy Directive, PECR, LGPD, PIPEDA, PDPA, and all applicable telecom/KYC regulations.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing / Processed / Process” means any operation performed on Personal Data, automated or not.
“Controller” means the Customer who determines the purpose and means of processing.
“Processor” means Tellimon, who processes data on behalf of the Controller.
“Sub-processor” means third parties engaged by Tellimon to provide parts of the Services.
“Services” means Tellimon’s telecommunication, virtual numbers, SIP trunking, messaging, CPaaS, cloud PBX, and API-related services.

2. PURPOSE OF PROCESSING

Tellimon processes Personal Data solely to:

Provide virtual numbers, inbound/outbound telephony, SMS, CPaaS, SIP trunking
Facilitate routing, forwarding, analytics, verification
Ensure compliance with legal, regulatory, and telecom obligations
Conduct identity and KYC verification
Prevent fraud, spam, and abuse
Provide support, billing, and account management

Tellimon will not process data for any purpose other than what is required to deliver the Services.

3. NATURE & TYPES OF DATA PROCESSED

3.2 Sensitive Data

Tellimon does not request or intentionally process special-category data unless legally required (e.g., ID verification).

3.3 Call & SMS Content

Tellimon does not store call audio or SMS content unless required for debugging, lawful compliance, or unless customer explicitly enables logging.

4. CONTROLLER RESPONSIBILITIES

The Controller agrees to:

Comply with all applicable data protection laws
Provide accurate and lawful data
Obtain necessary consents from end users
Ensure lawful use of telecom numbers and services
Implement secure credentials and access controls

5. PROCESSOR RESPONSIBILITIES (Tellimon)

Tellimon shall:

5.1 Process Only on Documented Instructions

Process Personal Data solely based on written or API instructions from the Controller.

5.2 Confidentiality

Ensure all personnel handling data are bound by confidentiality obligations.

5.3 Security Measures

Tellimon implements strong technical and organizational measures, including:

Encryption (TLS, SRTP, AES-256)
DDoS protection
SIP authentication & rate limiting
Secure firewalls
Zero-trust access control
API key protections
Intrusion detection
Regular vulnerability scans

5.4 Assistance with Data Subject Rights

Tellimon will assist Controller with:

Access
Correction
Deletion
Restriction
Portability
Objection

(subject to lawful telecom retention requirements).

5.5 Telecommunication Compliance

Tellimon ensures compliance with:

Local numbering laws
Emergency services routing
KYC/identity verification requirements
Anti-spam, anti-fraud regulations

6. SUB-PROCESSORS

Tellimon uses the following categories of sub-processors:

Telecom carriers and number providers
Cloud hosting and storage services (AWS/Google/Azure)
Payment processors (Stripe, PayPal, Razorpay, etc.)
Verification/KYC providers
Anti-fraud systems

Tellimon will:

Maintain an updated list of sub-processors
Notify the Controller of changes
Ensure sub-processors meet GDPR-compliant security standards

7. INTERNATIONAL DATA TRANSFERS

Tellimon may transfer data globally for service delivery.
All transfers comply with:

GDPR Standard Contractual Clauses (SCCs)
UK International Data Transfer Addendum
Adequacy decisions
Supplementary protection measures

8. DATA RETENTION & DELETION

Tellimon retains data for the minimum duration required by:

Telecom regulations
Fraud prevention
Law enforcement compliance
Billing & taxation laws

CDRs, SMS logs, and SIP logs are retained only for required durations (3–60 months). After retention periods expire, data is securely deleted or anonymized.

Upon request and where legally permitted, Tellimon will delete or return Personal Data.

9. AUDITS & COMPLIANCE

Tellimon will:

Provide documentation needed for compliance assessments
Allow reasonable audits (virtual or on-site)
Provide SOC/ISO compliance documentation where applicable

10. DATA BREACH NOTIFICATION

Tellimon will notify the Controller without undue delay (typically within 72 hours) after confirming any Personal Data breach, including:

Nature of the breach
Affected data subjects
Likely consequences
Measures taken or proposed

11. TELECOM-SPECIFIC REQUIREMENTS

Due to regulatory obligations:

Some data cannot be deleted until legal retention expires
Lawful interception requests must be honored only with valid government orders
Numbering/KYC data must be retained per country laws
Emergency services routing requires accurate caller identity

This does not override GDPR/CCPA rights, but operates alongside required telecom compliance.

12. LIABILITY

Liability is governed by the main Tellimon Terms of Service.
Each party remains responsible for its compliance with applicable data protection laws.

13. TERMINATION

Upon termination of services:

Data will be deleted or returned after legal retention ends
Access credentials, SIP endpoints, and API keys will be revoked
Number porting (where applicable) will be supported

14. CONTACT INFORMATION

For all data protection matters:

Tellimon Inc.
162, 28 Geary St, STE 650
San Francisco, CA 94108
United States

📧 privacy@tellimon.com
🌍 www.tellimon.com

The Controller may also contact our Data Protection Officer (DPO) via email for GDPR/CCPA inquiries.