Data Processing Agreement (DPA)
TheReach.ai
Last updated: 3 April 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between SORIN-CONSTANTIN CIORNEI ("Processor") and the Client ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller, as required by Article 28 of the EU General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
- "Controller" means the Client who determines the purposes and means of processing personal data (i.e. the business using TheReach.ai to interact with their customers)
- "Processor" means SORIN-CONSTANTIN CIORNEI, operating TheReach.ai, who processes personal data on behalf of the Controller
- "Data Subject" means an identified or identifiable natural person whose personal data is processed (callers, chat users, leads)
- "Personal Data" has the meaning given in GDPR Article 4(1)
- "Processing" has the meaning given in GDPR Article 4(2)
- "Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller
- "Services" means the TheReach.ai platform as described in the Terms of Service
2. Subject Matter and Duration
2.1 The Processor shall process personal data on behalf of the Controller solely for the purpose of providing the Services as described in the Terms of Service.
2.2 This DPA commences on the date the Controller accepts the Terms of Service and remains in effect for the duration of the Controller's subscription, and until all personal data is deleted or returned in accordance with Section 10.
3. Nature and Purpose of Processing
The Processor processes personal data on behalf of the Controller for the following purposes:
| Purpose | Processing activities |
|---|---|
| Voice AI call handling | Receiving inbound call audio, generating AI responses, returning audio to caller |
| Call transcription | Converting call audio to text transcript using AI models |
| Call logging | Storing call metadata (phone numbers, timestamps, duration, outcome) |
| Chat AI | Processing text messages and generating AI responses |
| Lead capture | Storing contact details voluntarily provided by Data Subjects |
| Dashboard provision | Storing and displaying logs, transcripts, and analytics to the Controller |
4. Categories of Personal Data
The Processor processes the following categories of personal data on behalf of the Controller:
- Phone numbers (caller and called)
- Voice recordings and transcripts
- Chat message content
- Lead information (name, email, phone number — where provided by Data Subject)
- Call metadata (timestamps, duration, call outcome)
The Processor does not intentionally process special categories of personal data (GDPR Article 9). If a Data Subject discloses special category data during a call or chat, the Controller is responsible for ensuring appropriate safeguards are in place.
5. Categories of Data Subjects
- Callers who contact the Controller's business via a phone number operated through TheReach.ai
- Users who interact with the Controller's chat widget or WhatsApp integration
- Leads who provide contact details via any channel
6. Processor Obligations
The Processor agrees to:
6.1 Process only on documented instructions. Process personal data only on the documented instructions of the Controller, as set out in the Terms of Service and this DPA, unless required to do so by EU or Member State law.
6.2 Confidentiality. Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as a minimum:
- Encryption of personal data in transit (TLS) and at rest
- Ability to ensure ongoing confidentiality, integrity, and availability of processing systems
- A process for regularly testing and evaluating the effectiveness of security measures
- Procedures to restore availability of personal data in the event of an incident
6.4 Sub-processors. Not engage a new sub-processor without prior written authorisation from the Controller, except for the sub-processors listed in Section 8 of this DPA, which the Controller authorises by accepting this DPA.
6.5 Data Subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to requests for exercising Data Subjects' rights under Chapter III of GDPR.
6.6 Breach notification. Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Controller data. Notification shall include, to the extent then known: the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed.
6.7 Data protection impact assessments. Provide reasonable assistance to the Controller in carrying out data protection impact assessments (DPIAs) and prior consultations with supervisory authorities where required by GDPR Articles 35 and 36.
6.8 Deletion or return. At the Controller's choice, delete or return all personal data to the Controller after the end of the provision of Services, and delete existing copies unless EU or Member State law requires storage.
6.9 Audit. Make available to the Controller all information necessary to demonstrate compliance with this Article, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Processor may charge reasonable costs for such audits and may require reasonable advance notice.
7. Controller Obligations
The Controller shall:
7.1 Have a lawful basis under GDPR Article 6 for the personal data it instructs the Processor to process.
7.2 Ensure that Data Subjects have been provided with the information required under GDPR Articles 13 and 14, including notice that their calls may be handled by an AI and may be recorded and transcribed.
7.3 Not instruct the Processor to process personal data in a manner that would violate GDPR or any applicable national data protection law.
7.4 Ensure that the TheReach.ai platform's call disclosure announcement is active and has not been disabled.
7.5 Configure appropriate data retention periods within the platform for their jurisdiction and sector.
7.6 Promptly inform the Processor if the Controller becomes aware of any instruction that infringes GDPR.
8. Sub-processors
The Controller grants general authorisation for the Processor to engage the following sub-processors. The Processor ensures each sub-processor is bound by data protection obligations equivalent to those in this DPA.
| Sub-processor | Role | Location | Legal mechanism |
|---|---|---|---|
| Fly.io | Application hosting and database | EU (Paris, France) | DPA with Fly.io; data stored in EU |
| Google LLC | AI audio and text processing (Gemini API) | USA | Standard Contractual Clauses (SCCs); Google Cloud DPA |
| xAI Corp | AI audio and text processing (Grok API, where selected) | USA | Standard Contractual Clauses (SCCs); xAI DPA |
| Telnyx LLC | Telephony, phone number provisioning, call routing | USA/EU | SCCs; Telnyx DPA |
| Stripe Inc | Payment processing | USA/EU | SCCs; Stripe DPA |
The Processor will notify the Controller of any intended changes to this sub-processor list by updating this DPA with 14 days' notice. The Controller may object in writing within 14 days; if the parties cannot resolve the objection, the Controller may terminate the Services.
9. International Transfers
Where personal data is transferred to sub-processors located outside the European Economic Area, the Processor ensures that appropriate safeguards are in place in accordance with GDPR Chapter V, specifically Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
10. Deletion and Return of Data
10.1 On termination of the Services, the Processor will delete Controller data within 30 days, unless a longer retention period is required by law.
10.2 The Controller may export call logs, transcripts, and chat data via the dashboard at any time during the subscription. Upon written request to privacy@thereach.ai, the Processor will provide an export in machine-readable format within 30 days.
10.3 Upon deletion, the Processor will provide written confirmation to the Controller on request.
11. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits a party's liability to Data Subjects or supervisory authorities under applicable law.
12. Governing Law
This DPA is governed by the law of the Republic of Poland. Disputes shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.
13. Acceptance
This DPA is incorporated into and forms part of the Terms of Service. The Controller accepts this DPA by accepting the Terms of Service at registration.
14. Contact
For all data protection matters:
SORIN-CONSTANTIN CIORNEI
ul. Szlak 77, room 222, 31-153 Kraków, Poland
NIP: 6793214413
privacy@thereach.ai