Data Processing Agreement

Last updated: May 2026

Applicable to: All Boltcall customers whose use involves processing personal data of third parties (e.g., their own leads, callers, or customers). This DPA forms part of the Terms of Service and is governed by Israeli PPL Amendment 13 and EU GDPR where applicable.

1. Roles of the Parties

You (Customer) are the Data Controller (GDPR) / Database Owner (Israeli PPL) in respect of personal data belonging to your leads, callers, and customers that flows through the Boltcall platform.

Boltcall is the Data Processor (GDPR) / Database Holder (Israeli PPL). We process personal data on your behalf only as instructed by you and as described in this DPA.

In respect of account data you provide about yourself or your team, Boltcall is an independent Data Controller. See our Privacy Policy for that processing.

2. Processing Details

Categories of data subjects

  • Your inbound callers and leads
  • Existing customers who interact with your AI agent
  • Recipients of SMS, WhatsApp, or email sequences you configure

Categories of personal data

  • Name, phone number, email address
  • Call recordings and conversation transcripts
  • Appointment details and calendar data
  • Lead qualification answers and intent signals
  • IP address and device information (for web interactions)

Purpose & duration

Processing is solely to provide the Boltcall Service as described in the Terms of Service. Duration is for the term of your subscription plus the retention periods in our Privacy Policy.

3. Boltcall's Obligations

  • Process personal data only on your documented instructions (or as required by applicable law)
  • Ensure that personnel authorised to process personal data are bound to confidentiality
  • Implement appropriate technical and organisational security measures (encryption at rest and in transit, access controls, least-privilege)
  • Assist you in responding to data subject requests (access, correction, erasure) within 7 business days of your request
  • Notify you without undue delay (and within 72 hours where feasible) upon becoming aware of a personal data breach affecting your customers' data
  • Delete or return all personal data at your request upon termination of the Service
  • Provide information reasonably necessary for you to demonstrate compliance with applicable law

4. Customer's Obligations

  • Have a lawful basis (consent, legitimate interest, or contract) to collect and process your customers' personal data through the Service
  • Comply with Israeli Communications Law Amendment 40 (anti-spam): obtain explicit prior opt-in before sending promotional SMS, WhatsApp, or email campaigns
  • Ensure callers are notified of call recording as required by Israeli Wiretapping Law and equivalent local laws
  • Provide your own privacy notice to your customers that covers processing through Boltcall
  • Not instruct Boltcall to process personal data in a manner that would violate applicable law

5. Sub-Processors

You provide general authorisation for Boltcall to engage the sub-processors listed below. We will notify you at least 14 days before adding or replacing a sub-processor that processes your customers' data.

Sub-processor | Purpose | Location
Supabase | Database, authentication, and storage | United States (AWS us-east-1)
Retell AI | AI voice agent engine and call transcription | United States
Twilio | Phone number provisioning, SMS, and call routing | United States
Stripe | Payment processing and subscription management | United States (EU/UK residents: also EU data residency)
OpenAI | AI language model inference for agent conversations | United States
ElevenLabs | Text-to-speech voice synthesis for AI agents | United States
Brevo (formerly Sendinblue) | Transactional and marketing email delivery | France (EU)
Meta (WhatsApp Business API) | WhatsApp message delivery | United States / Ireland (EU residents)
Google (GTM + GA4) | Analytics (consent-gated — only active after user accepts cookies) | United States
Greeninvoice | Israeli tax invoice generation (חשבונית מס) for Israeli customers | Israel

6. International Data Transfers

Disclosure required by Israeli PPL Amendment 13: The majority of sub-processors listed above are located in the United States, which is not on Israel's list of countries with adequate data protection. Data transferred to these processors is protected by contractual safeguards (Standard Contractual Clauses / equivalent data processing agreements with each sub-processor).

Core customer data (account records, leads, conversation history) is stored in Supabase (AWS us-east-1, United States). If your business requires Israeli or EU data residency, contact privacy@boltcall.org to discuss options.

7. Security Measures

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access to production systems is restricted by role and requires multi-factor authentication
  • Authentication managed by Supabase (Auth v2) with hashed passwords and JWT session tokens
  • Call recordings are stored with server-side encryption in Retell's infrastructure
  • Regular review of access controls and third-party sub-processor security postures

8. Contact & DPA Requests

To sign a countersigned DPA for enterprise contracts, or to submit data subject requests on behalf of your customers:

Related documents: Privacy Policy · Terms of Service