Data Processing Addendum (DPA)

Last Updated: [30th March 2026] 

This Data Processing Addendum (“DPA”) forms part of the agreement between Nora Voice (“NoraVoice”, “Processor”, “we”, “us”) and the customer entity that uses Nora Voice services (“Customer”, “Controller”) and governs the processing of Personal Data in connection with the Services. 

This DPA applies where Nora Voice processes Personal Data on behalf of the Customer as a data processor or service provider under applicable data protection laws. 

  1. Definitions for the purposes of this DPA:
  • Applicable Data Protection Laws means all laws and regulations applicable to the processing of Personal Data under the Services, including the UK GDPR, the UK Data Protection Act 2018, the Australian Privacy Act 1988, and the New Zealand Privacy Act 2020. 
  • Personal Data means any information relating to an identified or identifiable individual that is processed by Nora Voice on behalf of the Customer. 
  • Processing has the meaning given to it under Applicable Data Protection Laws. 
  • Services means Nora Voice’s voice-based artificial intelligence services, including automated call handling, routing, scheduling, transcription, and related functionality. 
  • Subprocessor means any third party engaged by Nora Voice to process Personal Data on behalf of the Customer. 
  2. Roles of the Parties

2.1 The Customer acts as the Controller and determines the purposes and means of processing Personal Data.
2.2 Nora Voice acts as a Processor or Service Provider and processes Personal Data solely on documented instructions from the Customer, including as set out in the agreement, this DPA, and Customer configurations.
2.3 Nora Voice does not determine the purposes for which Personal Data is processed and does not use Personal Data for its own independent purposes. 

  3. Scope of Processing

3.1 Subject Matter: Processing of Personal Data for the purpose of delivering voice AI services, including automated call answering, call routing, scheduling, transcription, and workflow execution.
3.2 Duration: For the duration of the Services, unless otherwise agreed in writing.
3.3 Nature and Purpose: Processing is limited to what is necessary to operate, secure, support, and maintain the Services in accordance with Customer instructions.
3.4 Types of Personal Data: Depending on Customer configuration, Personal Data may include: 

  • Names 
  • Phone numbers 
  • Call metadata such as date, time, and duration 
  • Voice recordings or call transcripts 
  • Appointment or scheduling information 
  • Information voluntarily provided by callers during interactions 

3.5 Categories of Data Subjects 

  • Customer employees or contractors 
  • Callers, patients, or end users contacting the Customer 
  • Other individuals whose data is processed through the Services 
  4. Processor Obligations: Nora Voice shall:
  • Process Personal Data only on documented instructions from the Customer 
  • Ensure that personnel authorized to process Personal Data are subject to confidentiality obligations 
  • Implement appropriate technical and organizational measures to protect Personal Data 
  • Assist the Customer, where applicable, with obligations relating to data subject rights and privacy compliance 
  • Notify the Customer without undue delay of a confirmed Personal Data breach 
  • Delete or return Personal Data upon termination of the Services, subject to applicable law 
  5. Security Measures: NoraVoice maintains a structured information security program designed to protect Personal Data against unauthorized access, disclosure, alteration, or loss.
    Security measures include administrative, technical, and organizational controls appropriate to the nature of the processing, such as access controls, encryption where applicable, monitoring, logging, and regular security reviews.
    Access to Personal Data is restricted to authorized personnel with a legitimate business need.
     
  6. Subprocessing

6.1 The Customer authorizes Nora Voice to engage Subprocessors as necessary to provide the Services.
6.2 Nora Voice ensures that Subprocessors are subject to written agreements imposing data protection obligations consistent with this DPA.
6.3 Nora Voice remains responsible for the acts and omissions of its Subprocessors in relation to Personal Data processing.
6.4 Information about Subprocessors may be made available upon request. 

  7. Assistance with Individual Rights: Taking into account the nature of the processing, Nora Voice shall provide reasonable assistance to enable the Customer to respond to requests from individuals exercising their rights under Applicable Data Protection Laws, including rights of access, correction, and deletion.
    If Nora Voice receives such a request directly, it will promptly notify the Customer and will not respond unless required by law.
     
  8. Personal Data Breach Notification: Nora Voice shall notify the Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Personal Data processed under this DPA and will provide information reasonably necessary to assist the Customer in meeting its legal obligations under Applicable Data Protection Laws.
     
  9. Audits and Compliance: Upon reasonable written request, Nora Voice shall make available information necessary to demonstrate compliance with this DPA, subject to reasonable confidentiality, security, and operational requirements.
     
  10. Data Retention and Deletion: Personal Data is retained only for the duration and purposes defined by Customer configuration and contractual obligations. 

Upon termination or expiry of the Services, Nora Voice shall delete or return Personal Data in accordance with Customer instructions, unless retention is required by applicable law.

  11. Regional Data Protection Compliance: Nora Voice processes Personal Data in accordance with applicable regional data protection and privacy laws, including: 

  • The UK General Data Protection Regulation (UK GDPR) 
  • The UK Data Protection Act 2018 and applicable guidance issued by the UK Information Commissioner’s Office (ICO) 
  • The General Data Protection Regulation (GDPR), where applicable 
  • The Australian Privacy Act 1988, including the Australian Privacy Principles 
  • The New Zealand Privacy Act 2020, including the Information Privacy Principles 

Nora Voice supports Customers in meeting their obligations under these laws, including obligations relating to lawful processing, data security, access, correction, and deletion of Personal Data. 

  12. Order of Precedence: In the event of any conflict between this DPA and the main agreement, this DPA shall govern with respect to data protection and privacy matters.
     
  13. Governing Law: This DPA shall be governed by the law specified in the main agreement between the parties, unless Applicable Data Protection Laws require otherwise.
     
  14. Contact Information for privacy or data protection inquiries:

Email: talk@noravoice.ai
Website: https://noravoice.ai