Last Updated: Apr 28, 2026
This Data Processing Addendum ("DPA") forms part of the Vallo Terms of Use (the "Agreement") between Hummingbird Ventures LLC, DBA Vallo (hereinafter “Vallo”) and the Customer identified in the Agreement, and governs Vallo's processing of Customer Personal Data on behalf of Customer.
"Admin" means the person listed as administrator on Customer's account.
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity ("control" meaning more than 50% ownership of voting interests).
"Agreement" means the Vallo Terms of Use, or any signed order form or master service agreement governing the provision of Services to Customer.
"Canadian Data Protection Law" means data protection laws applicable in Canada, including PIPEDA (SC 2000, c.5), Alberta's Personal Information Protection Act (SA 2003, c. P-6.5), British Columbia's Personal Information Protection Act (SBC 2003, c.63), Quebec's Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1), and any amendments or successor legislation.
"CCPA" means the California Consumer Privacy Act of 2018, as amended, and regulations promulgated thereunder.
"Customer Personal Data" means any Personal Data that Vallo processes on behalf of Customer in the course of providing Services as a Data Processor, Service Provider, or substantially similar role under applicable Data Protection Law.
"Data Protection Law" means all applicable data protection and privacy laws governing a Party's processing of Customer Personal Data under the Agreement, including but not limited to European Data Protection Law, CCPA, Canadian Data Protection Law, applicable U.S. state privacy laws, and Wiretap Laws.
"Data Controller" means the entity that determines the purposes and means of processing Personal Data (also referred to as "Business" under CCPA).
"Data Processor" means the entity that processes Personal Data on behalf of a Data Controller (also referred to as "Service Provider" or "Contractor" under CCPA).
"Data Subject" means the individual to whom Personal Data relates.
"Deidentified Data" means data that has been processed such that it can no longer be attributed to an identified or reasonably identifiable natural person.
"Europe" means the European Economic Area ("EEA") (comprising EU member states, Norway, Iceland, and Liechtenstein), the United Kingdom, and Switzerland.
"European Data Protection Law" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, "GDPR"); (ii) UK Data Protection Laws; and (iii) the Swiss Federal Act on Data Protection; in each case as may be amended, superseded, or replaced.
"Personal Data" has the meaning given under applicable Data Protection Law, including "personal information," "personally identifiable information," and similar terms.
"Processing" has the meaning given under applicable Data Protection Law and includes collection, use, storage, disclosure, and deletion.
"Restricted Transfer" means a transfer or onward transfer of Customer Personal Data where such transfer would be prohibited by applicable Data Protection Law in the absence of an adequacy decision, permitted derogation, or protection provided by Standard Contractual Clauses or another mechanism specified under applicable Data Protection Law.
"Security Incident" means any unauthorized or unlawful access, loss, alteration, disclosure, or destruction of Customer Personal Data. Security Incident excludes unsuccessful attempts that do not compromise Customer Personal Data (e.g., failed log-in attempts, pings, port scans, denial-of-service attacks on network systems).
"Services" means the AI-powered voice agent services provided by Vallo to Customer under the Agreement.
"Standard Contractual Clauses" or "SCCs" means, as applicable to the relevant transfer: (i) the EU Commission SCCs for controller-to-processor transfers under GDPR (Module 2), as currently available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, as may be amended or replaced; (ii) the UK International Data Transfer Addendum ("UK IDTA") issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018; or (iii) such other terms providing adequate protection for transferred Personal Data as required under applicable Data Protection Law. When applicable, Annex C forms part of this DPA.
"Sub-processor" means any third party or Vallo Affiliate engaged by Vallo to assist in providing the Services, excluding Vallo employees.
"UK Data Protection Laws" means the UK GDPR (as defined by the European Union (Withdrawal) Act 2018) together with the Data Protection Act 2018 and any other applicable UK data protection legislation in force from time to time.
"Wiretap Laws" means federal or state statutes regulating the interception, recording, or monitoring of wire, oral, or electronic communications.
a. Applicability. This DPA applies only to Customer Personal Data subject to Data Protection Law that Vallo processes on behalf of Customer. It does not apply to data Vallo processes as a controller or to Deidentified Data.
b. Roles. Customer is the Data Controller. Vallo processes Customer Personal Data solely as a Data Processor acting on behalf of and pursuant to the instructions of Customer.
c. Customer Compliance. Customer agrees to: (i) comply with all applicable Data Protection Law in respect of its use of the Services and its processing instructions; (ii) ensure it has the right to transfer Personal Data to Vallo for processing; (iii) provide all notices and obtain all consents required by applicable law; and (iv) bear sole responsibility for the accuracy, quality, and legality of Customer Personal Data. Where consent is required, Customer will maintain a mechanism to obtain, record, and withdraw consent in accordance with applicable law, and will provide such records to Vallo upon request.
d. Purpose Limitation. Vallo will process Customer Personal Data only: (i) in accordance with Customer's documented lawful instructions as set forth in the Agreement and this DPA, including Annex A; (ii) as required by applicable law; or (iii) as further documented in written instructions acknowledged by Vallo. Processing outside these instructions requires prior written agreement. Vallo will notify Customer if it becomes aware that an instruction conflicts with applicable law.
e. Prohibited Data. Unless otherwise agreed in writing, Customer will not provide Personal Data that imposes additional statutory requirements beyond those applicable to the Services described in this DPA, including (without limitation) protected health information governed by HIPAA, non-public personal financial information governed by the Gramm-Leach-Bliley Act, or "sensitive personal information" or "special categories of data" as defined under applicable Data Protection Law. Vallo will have no liability for such data if provided in violation of this provision.
Vallo will enter into written agreements with Sub-processors imposing data protection obligations consistent with applicable Data Protection Law. Customer generally authorizes Vallo to engage the Sub-processors listed at https://govallo.ai/subprocessors, which may be updated from time to time with notice to Customer. Customer may object in writing within ten (10) days of notice of a new or replacement Sub-processor on reasonable grounds. The parties will discuss in good faith. If unresolved within ten (10) days, either party may terminate the affected portion of the Agreement.
a. Confidentiality. Vallo will ensure that personnel authorized to process Customer Personal Data are under appropriate confidentiality obligations and process such data solely for the purposes of providing the Services.
b. Security Measures. Vallo will maintain appropriate technical and organizational measures to secure Customer Personal Data as outlined in Annex B, including measures to protect against Security Incidents. Vallo may update these measures provided they do not materially decrease the overall security of the Services.
c. Security Incidents. Upon becoming aware of a Security Incident, Vallo will notify Customer without undue delay and provide information reasonably necessary for Customer to fulfill its data breach reporting obligations under applicable law. Customer bears responsibility for notifying affected individuals and regulators unless otherwise agreed. Vallo's notification does not constitute an admission of fault. Where a Security Incident is caused by Customer, Vallo will inform Customer and may charge a reasonable administrative fee for remediation assistance beyond standard notification.
d. Customer Responsibility. Customer is solely responsible for its use of the Services, including securing account credentials and systems used to access the Services. Vallo has no obligation to protect Customer Personal Data that Customer stores or transfers outside of Vallo's or its Sub-processors' systems.
a. Location of Processing. Customer acknowledges that Vallo may transfer, store, and process Customer Personal Data anywhere in the world where Vallo, its Affiliates, or its Sub-processors maintain data processing operations. The parties will at all times ensure that such transfers comply with applicable Data Protection Law and will enter into supplementary documents as necessary.
b. European Transfer Mechanism. The SCCs (Module 2: Controller to Processor), incorporated herein by reference as Annex C, will apply to any Restricted Transfer of Customer Personal Data to locations outside the EEA. The optional docking clause (Clause 7) and the optional language in Clause 11(a) shall not apply. Clause 9(a) Option 1 (general written authorization for Sub-processors) is elected with a ten (10) day notice period. The competent supervisory authority under Clause 13(a) shall be determined by the place of establishment of the data exporter.
For Restricted Transfers from the United Kingdom, the parties shall enter into the UK IDTA. For purposes of the UK IDTA tables: (i) Table 1 identifies the parties as Vallo and Customer; (ii) Table 2 references the SCCs in Annex C; (iii) Table 3 references Annexes A and B of this DPA; and (iv) for Table 4, neither party has a right of termination under Section 19 of the UK IDTA.
For Restricted Transfers from Switzerland, the SCCs referenced in Annex C shall be adapted to: reference the Swiss Federal Data Protection and Information Commissioner as the supervisory authority; ensure Swiss data subjects are not precluded from exercising their rights; and treat references to the GDPR as including the equivalent provisions of the Swiss Federal Act on Data Protection.
If Vallo adopts an alternative recognized compliance standard for lawful transfer of Personal Data outside Europe, the SCCs or UK IDTA will cease to apply to the extent covered by that standard. If the SCCs or UK IDTA are updated in a manner that materially affects the parties' rights or obligations, either party may request that the parties enter into replacement transfer documents.
c. Canadian Transfers. For Customer Personal Data subject to Canadian Data Protection Law, Vallo will ensure that appropriate safeguards are in place for any transfer of such data outside Canada as required by applicable Canadian Data Protection Law.
d. Other Jurisdictions. For transfers of Customer Personal Data subject to the data protection laws of other jurisdictions, Vallo will implement appropriate safeguards as required by applicable law.
a. Scope. This Section applies to Personal Data subject to the CCPA.
b. Roles. Vallo is a "Service Provider" and not a "Third Party." Customer is a "Business." Each Sub-processor is Vallo's "Service Provider."
c. No Sale or Sharing. Vallo will not: (i) "sell" or "share" Customer Personal Data; (ii) retain, use, or disclose Customer Personal Data for any purpose other than providing the Services; (iii) retain, use, or disclose Customer Personal Data for a commercial purpose outside the direct business relationship with Customer; or (iv) combine Customer Personal Data with Personal Data from other sources in a manner not permitted by the CCPA.
d. Deidentified Data. Vallo will not attempt to re-identify Deidentified Data and will maintain reasonable measures to ensure such data remains deidentified.
e. Compliance Notice. If Vallo determines it can no longer meet its obligations under the CCPA, it will promptly notify Customer.
f. Certification. To the extent Vallo is considered a "Contractor" under the CCPA, Vallo certifies that it understands and will comply with these restrictions.
a. Data Subject Rights. To the extent Customer cannot independently access relevant Customer Personal Data within the Services, Vallo will provide commercially reasonable assistance, at Customer's expense, to help Customer respond to data subject rights requests under applicable Data Protection Law. In the event a data subject contacts Vallo directly, Vallo will promptly inform Customer.
b. Data Protection Impact Assessments. To the extent required under applicable Data Protection Law, Vallo will provide reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities; provided that Vallo will not be liable for any failure of Customer to meet its own obligations in this regard.
c. Audits. No more than once per calendar year, upon reasonable written request, Vallo will make available documentation demonstrating compliance with this DPA. On-site audits, if required, will be conducted at Customer's expense by a qualified independent auditor mutually agreed upon by the parties, at a mutually agreed time and scope, subject to a non-disclosure agreement acceptable to Vallo. Any audit will be of reasonable duration and will not unreasonably interfere with Vallo's operations.
Upon request at termination or expiration of the Agreement, Vallo will delete, deidentify, or return Customer Personal Data in Vallo's possession. Vallo may retain copies: (i) as required by law; (ii) incorporated into standard business records (e.g., email, accounting records); or (iii) in backup systems until overwritten per Vallo's backup policy. Confidentiality obligations and use restrictions continue to apply to all retained data.
a. Indemnification. Each party ("Indemnifying Party") will indemnify the other party and, in the case of Vallo, its past, present, and future parent companies, holding companies, subsidiaries, affiliates, and related entities, and each of their respective officers, directors, members, employees, agents, successors, and assigns (collectively, "Vallo Indemnitees") (each an "Indemnitee") against third-party claims, liabilities, costs, damages, and expenses (including reasonable attorneys' fees) arising from any breach by the Indemnifying Party of this DPA, provided the Indemnitee: (i) promptly notifies the Indemnifying Party in writing; (ii) allows the Indemnifying Party to control the defense; and (iii) cooperates reasonably at its own expense. No indemnification is owed for breaches caused by the Indemnitee.
b. Limitation of Liability. Each party's aggregate liability under this DPA is subject to the exclusions and caps set forth in the Agreement.
c. Assistance Costs. Vallo's assistance to Customer under this DPA (including audits and data subject rights responses) is at Customer's cost and expense, except where such assistance directly arises from Vallo's own breach of this DPA.
a. Effective Date. This DPA is effective as of the date the Agreement is accepted. If Vallo has already processed Personal Data prior to the Effective Date, this DPA applies retroactively from the start of such processing.
b. Priority. In the event of a conflict between this DPA and the Agreement, this DPA controls. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.
c. Modifications. Vallo may modify this DPA to comply with applicable law, regulation, court order, or guidance from a regulatory authority, with notice to Customer.
d. Governing Law. This DPA is governed by the law stated in the Agreement, unless required otherwise by applicable Data Protection Law.
e. Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in effect.
Subject Matter: Vallo's provision of AI-powered voice agent Services to Customer as described in the Agreement.
Categories of Data Subjects:
Categories of Personal Data Processed:
Category
Description
Caller ID Information
Name and phone number displayed via Caller ID, where available
Call Recordings
Audio recordings of calls processed through the Services
Transcriptions
Text transcriptions of calls processed through the Services
Text Messages
SMS/MMS messages sent or received through the Services
Account Information
Account admin names, email addresses, and credentials
Sensitive Personal Data: None. The Services are not intended for, and Customer agrees not to submit, protected health information, financial account data, government identification numbers, or other sensitive personal data as defined under applicable law.
Frequency of Transfers: Ongoing, in the course of day-to-day use of the Services.
Nature and Purpose of Processing:
Retention Period: Customer Personal Data is retained in accordance with Vallo's data retention policies and the Agreement.
Categories of Recipients: Vallo Sub-processors, as listed at https://govallo.ai/subprocessors.
Vallo will implement and maintain the following technical and organizational measures:
Module 2: Controller to Processor (incorporated herein by reference, subject to Section 4(b) of this DPA)
A. List of Parties
Data exporter: The Customer identified in the Agreement and this DPA (and Customer's Affiliates, if authorized to use the Services). The activities relevant to the transfer are Customer's use of Vallo's Services as described in the Agreement. The Customer Admin is the contact person responsible for data protection. Customer is the data controller.
Data importer: Hummingbird Ventures LLC, DBA Vallo. The activities relevant to the transfer are Vallo's provision of the Services per the Agreement, under which Vallo is authorized to process Personal Data on Customer's behalf and upon Customer's instructions. Vallo's contact for data protection matters is:
Vallo is the data processor.
B. Description of Transfer
The description of the processing and transfer of Personal Data is as set out in Annex A of this DPA.
C. Competent Supervisory Authority
The supervisory authority of the EU member state in which the data exporter is established, or where the data subject is located, shall act as the competent supervisory authority.
As set out in Annex B of this DPA.
As listed at https://govallo.ai/subprocessors, updated from time to time with notice to Customer.
