Data Processing Addendum
Last updated: 2026-05-09
This Data Processing Addendum ("DPA") forms part of the Voxly Customer Agreement or other agreement between you ("Customer") and Daya Corp d/b/a Voxly ("Voxly") governing Customer's use of the Voxly platform (the "Agreement"). This DPA reflects the parties' obligations under applicable data protection laws when Voxly processes Personal Data on Customer's behalf.
1. Scope and Roles
1.1 Roles of the parties
For the purposes of this DPA: (a) Customer is the Controller (or, where Customer is acting on behalf of another Controller, the Processor passing instructions to Voxly); and (b) Voxly is the Processor of Customer Personal Data. A description of the processing is in Schedule 1.
1.2 Term
This DPA takes effect on the commencement date of the Agreement and terminates when Voxly ceases all processing of Customer Personal Data (or, if later, the date the Agreement terminates).
1.3 Order of precedence
In the event of conflict among (a) the region-specific terms in Schedule 2, (b) Schedule 1, (c) this DPA body, and (d) the Agreement, the order of precedence is highest to lowest as listed.
2. Processing of Personal Data
2.1 Customer's instructions
The Agreement, this DPA, applicable Orders, and Customer's use of the Voxly platform (including configuration choices) constitute Customer's documented instructions regarding processing. Voxly will process Customer Personal Data only in accordance with those instructions, except where required to comply with applicable law (in which case Voxly will inform Customer first, where lawful).
2.2 Customer responsibilities
Customer is responsible for ensuring its instructions comply with applicable data protection law and for determining whether the Voxly platform is appropriate for Customer's intended processing. Voxly is not responsible for monitoring Customer's compliance.
2.3 Confidentiality
Voxly will treat Customer Personal Data as Customer's Confidential Information. Voxly personnel authorised to process Customer Personal Data are bound by written or statutory obligations of confidentiality.
3. Security
3.1 Security measures
Voxly implements and maintains appropriate technical and organisational measures to protect the confidentiality, integrity, and availability of Customer Personal Data. These measures include tenant isolation via Postgres row-level security, encryption in transit (TLS 1.2+) and at rest (AES-256 via Supabase), encrypted storage of OAuth tokens in Supabase Vault, role-based access control, audit logging of administrative actions, and the security controls documented in our Trust Center (linked from the Voxly footer).
3.2 Security incidents
Voxly will notify Customer without undue delay, and where feasible no later than seventy-two (72) hours, after becoming aware of a Security Incident affecting Customer Personal Data. Voxly will make reasonable efforts to identify the cause, mitigate the effects, and remediate to the extent within Voxly's reasonable control. Notification is not an admission of fault.
4. Sub-processors
4.1 General authorisation
Customer authorises Voxly to engage the sub-processors listed below to process Customer Personal Data. Voxly enters into written agreements with each sub-processor that impose data protection obligations no less protective than those in this DPA, and remains liable to Customer for sub-processor performance.
4.2 Current sub-processors
The current list is auto-generated from Voxly's sub-processor registry. The same list is published in human-readable form at voxly.io/legal/sub-processors.
| Sub-processor | Purpose | Location | Opt-in? |
|---|---|---|---|
| Vercel Inc. | Application hosting, edge network, CDN, and serverless function execution. | United States (multi-region) | No |
| Supabase Inc. | Managed PostgreSQL database, authentication, storage, and Vault for encrypted secrets. | United States (AWS, multi-region) | No |
| Functional Software, Inc. (Sentry) | Server- and client-side error tracking. PII is scrubbed before transmission via Sentry beforeSend hook. | United States (AWS, GCP) | No |
| Stripe, Inc. | Subscription billing. Voxly never sees raw card data — Stripe Checkout/Elements tokenises payment instruments before they reach our servers. | United States; EU subsidiaries for EU customers | No |
| Resend, Inc. | Transactional email delivery (workspace invites, notifications, GDPR Art.17 erasure-verification emails). | United States (AWS) | No |
| Anthropic, PBC | LLM-powered feedback summarisation and categorisation (Claude API). Voxly does not allow Anthropic to retain prompts for training (zero-retention enrolment). | United States (AWS) | No |
| OpenAI, L.L.C. | Embedding generation for semantic feedback search. API access only; prompts not retained for training under our zero-retention agreement. | United States | No |
| Atlassian Pty Ltd / Atlassian, Inc. | Customer-opt-in connector. When a workspace admin connects Jira, Voxly relays feedback content the admin chooses to push, plus OAuth tokens stored in Voxly Vault, to Atlassian. Voxly never accesses the customer's Jira data outside the explicit push action. | United States (AWS), Europe | Yes |
| Slack Technologies, LLC | Customer-opt-in connector. When a workspace admin connects Slack, Voxly posts notifications to the channels the admin selects. OAuth tokens stored in Voxly Vault. | United States (AWS) | Yes |
| Zapier, Inc. | Customer-opt-in connector. When a workspace admin enables Zapier, Voxly delivers trigger payloads (feedback events) to Zaps the admin configures. Authentication is via a Voxly-issued API key. | United States (AWS) | Yes |
| Discord Inc. | Customer-opt-in connector. When a workspace admin attaches a Discord webhook to an AlertConfig rule, Voxly POSTs notification payloads to the channel the webhook addresses. The webhook URL itself (which is the credential) is stored in Voxly Vault; Discord never receives Voxly credentials. No PortalUser PII is sent unless the workspace admin includes it in the alert template. For the webhook-outbound model, the workspace admin's acceptance of the Discord Developer Terms of Service is the operative agreement governing data handling. | United States (GCP, multi-region) | Yes |
4.3 Notice of new sub-processors
Voxly will notify Customer at least thirty (30) days before any new sub-processor begins processing Customer Personal Data. Customer can subscribe to change notifications by emailing privacy@voxly.io.
4.4 Objection
Customer may object to a new sub-processor during the 30-day notice window for legitimate data protection reasons. Customer's sole and exclusive remedy in that case is to terminate the affected subscription in accordance with the Agreement's termination provisions.
5. Assistance and Cooperation
5.1 Data subject rights
Taking into account the nature of the processing, Voxly will provide reasonable and timely assistance to enable Customer to respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction, objection, and portability. Voxly's self-serve admin tools and export capabilities are designed so most requests can be fulfilled by Customer directly.
5.2 Regulatory cooperation
On Customer's reasonable request, Voxly will provide reasonable assistance with data protection impact assessments and consultations with regulatory authorities, where Customer cannot reasonably fulfil such obligations independently using available documentation.
5.3 Third-party requests
Unless prohibited by law, Voxly will promptly notify Customer of any valid, enforceable legal process or governmental request compelling disclosure of Customer Personal Data. Voxly will redirect inquiries from data subjects or regulators to Customer and will not respond itself unless required by law.
6. Deletion and Return
6.1 During the term
During the term of the Agreement, Customer can access, retrieve, and delete Customer Personal Data through the Voxly platform's admin tools and export functionality.
6.2 Post-termination
Within ninety (90) days of termination of the Agreement, Voxly will delete all Customer Personal Data, except as required by applicable law or as retained in Voxly's standard backup or record retention systems. Retained data remains subject to this DPA's confidentiality and security obligations and will not be further processed.
7. Audit
7.1 Audit reports
Voxly is regularly assessed against industry standards including SOC 2 Type II (in progress; ETA Q4 2026) and provides summary audit reports to Customer under NDA on request, no more than once every twelve (12) months.
7.2 On-site audits
Where Customer cannot reasonably verify compliance through Section 7.1, or where required by applicable data protection law, Customer (or its authorised representative) may conduct an audit at Customer's expense, no more than once every twelve (12) months, on at least sixty (60) days' written notice, subject to reasonable confidentiality obligations.
8. International Transfers
Where Voxly transfers Personal Data protected by EU GDPR, UK GDPR, or Swiss FADP from those regions to a country that does not benefit from an adequacy decision, the EU Standard Contractual Clauses (Implementing Decision 2021/914), the UK International Data Transfer Addendum (Version B1.0), and Swiss-FADP equivalents are deemed incorporated into this DPA and signed by both parties as of the Agreement commencement date. Customer is the data exporter; Voxly is the data importer. Modules 2 and 3 of the EU SCCs apply as appropriate to Customer's role.
Where Voxly processes data subject to US state privacy laws (CCPA, VCDPA, and successors), Voxly acts as a Service Provider / Processor and will not retain, use, or disclose Customer Personal Data outside the direct business relationship except as permitted by law.
9. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
10. Definitions
Capitalised terms not defined here have the meanings given in the Agreement or in applicable data protection law.
- Customer Personal Data means Personal Data contained in customer content that Voxly processes solely on Customer's behalf.
- Personal Data, Controller, Processor, Processing have the meanings given in applicable data protection law.
- Security Incident means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data processed by Voxly or its sub-processors.
- Sub-processor means any third party engaged by Voxly to process Customer Personal Data, as listed in Section 4.2.
Schedule 1 — Description of processing
- Categories of data subjects: Customer's employees and contractors (workspace members) and end users of Customer's feedback portals (portal users).
- Categories of Personal Data: name, email address, workspace role, feedback content authored by data subjects, votes and comments, IP-derived rate-limit metadata. Customer controls what additional content data subjects submit.
- Sensitive data: Voxly does not solicit special category data. Customer is responsible for not directing data subjects to submit it.
- Frequency: continuous.
- Nature and purpose: hosting, storage, transmission, search, aggregation, AI-assisted summarisation, and ancillary operations needed to provide the Voxly platform.
- Duration: for the term of the Agreement plus the deletion window in Section 6.2.
- Sub-processor transfers: as listed in Section 4.2.
Schedule 2 — Region-specific terms
Where Customer is established in or its data subjects reside in the EEA, UK, Switzerland, Brazil, or a US state with applicable privacy law, the standard contractual clauses or equivalent transfer mechanism for that region (as identified in Section 8) apply and are deemed signed by both parties on the Agreement commencement date. The competent supervisory authority is determined by the data subject's habitual residence or as otherwise specified by applicable law.
Contact
Privacy and data protection inquiries: privacy@voxly.io.