Legal - Effective May 17, 2026

CallOrbit Data Processing Addendum

This Data Processing Addendum explains how CallOrbit processes customer personal data as a processor or operator for business phone system, call center software, hosted PBX, cloud PBX, SIP trunking, business SMS, WhatsApp, AI phone system, telecom API, programmable voice, recordings, transcripts, and related services.

Effective date: May 17, 2026. Review cadence: Reviewed when privacy law, subprocessor, telecom, or product changes require updates. Contact: privacy@callorbit.tech.

  • 1. Incorporation And Scope
  • 2. Roles
  • 3. Customer Instructions
  • 4. Categories Of Data And Data Subjects
  • Is CallOrbit a processor under GDPR?
  • Is CallOrbit an operator under POPIA?
Privacy Policy GDPR Disclosure POPIA Disclosure Call Recording Consent Notice Terms of Service

Policy snapshot

  • Effective date: May 17, 2026
  • Review cadence: Reviewed when privacy law, subprocessor, telecom, or product changes require updates
  • Contact: privacy@callorbit.tech

1. Incorporation And Scope

This Data Processing Addendum forms part of the Terms of Service or another written agreement between CallOrbit and a customer when CallOrbit processes customer personal data on behalf of that customer. It applies to personal data submitted to or generated through the platform by the customer, its users, agents, callers, message recipients, employees, contractors, integrations, and end users.

This DPA covers processing for cloud communications services, including business phone system features, hosted PBX, cloud PBX, virtual PBX, SIP trunking workflows, browser phone, softphone, call center software, IVR, queues, voicemail, call recordings, transcripts, analytics, business SMS, WhatsApp workflows, AI phone system features, telecom API, programmable voice, DID numbers, toll free numbers, local phone numbers, and related support.

2. Roles

The customer is the controller, responsible party, business, or equivalent decision-maker for customer personal data. CallOrbit is the processor, operator, service provider, or equivalent service provider that processes customer personal data according to customer instructions.

CallOrbit is an independent controller for account administration, billing, fraud prevention, security, product analytics, website data, sales communications, legal compliance, and records it must keep for its own business or legal purposes.

3. Customer Instructions

  • CallOrbit will process customer personal data to provide, secure, support, maintain, and improve the contracted services.
  • Customer instructions include the Terms, order forms, product settings, API calls, workspace configuration, routing rules, user actions, retention settings, support requests, and this DPA.
  • CallOrbit will notify the customer if it believes an instruction violates applicable data protection law, unless law prohibits notification.
  • The customer is responsible for ensuring its instructions are lawful and that it has a valid legal basis for processing.

4. Categories Of Data And Data Subjects

  • Data subjects may include customer employees, agents, administrators, contractors, callers, leads, customers, prospects, message recipients, support contacts, vendors, and end users.
  • Data may include names, phone numbers, email addresses, company details, IP addresses, account identifiers, call metadata, message content, recordings, transcripts, voicemail, analytics, routing data, queue data, caller ID, consent records, opt-out records, notes, AI summaries, and integration data.
  • Sensitive data should not be submitted unless it is necessary, lawful, supported by the subscribed service, and protected by appropriate customer controls.

5. Security Measures

  • Access control, role-based permissions, limited staff access, authentication controls, and administrative safeguards.
  • Encryption in transit and encryption at rest where supported by the relevant data store, provider, or service path.
  • Logging, monitoring, backup practices, incident response processes, vulnerability management, and provider review.
  • Separation of customer workspaces through application-level controls and infrastructure safeguards.
  • Confidentiality obligations for personnel who may access customer personal data.

6. Subprocessors

CallOrbit may use subprocessors to provide hosting, storage, telecommunications, SMS, WhatsApp, email, authentication, payments, analytics, support, security, AI, and operational services. Subprocessors are required to process customer personal data only for authorized purposes and protect it with appropriate safeguards.

Customers authorize CallOrbit to use subprocessors for the services. CallOrbit remains responsible for subprocessor performance as required by applicable data protection law and will take reasonable steps to ensure subprocessors protect customer personal data.

7. International Transfers

Customer personal data may be processed in countries where CallOrbit, carriers, infrastructure providers, subprocessors, support providers, or customer-selected integrations operate. Where required, CallOrbit will use lawful transfer mechanisms such as standard contractual clauses, adequacy decisions, contractual safeguards, or other valid mechanisms.

8. Data Subject Requests

CallOrbit will provide reasonable assistance to customers responding to verified access, correction, deletion, portability, restriction, objection, opt-out, and similar requests where the customer cannot reasonably fulfill the request using the service. Customers remain responsible for receiving, validating, and responding to requests relating to their own data subjects unless law requires otherwise.

9. Deletion And Return

Upon termination or a verified deletion request, CallOrbit will delete or return customer personal data according to the service functionality, customer instructions, legal retention requirements, backup practices, billing needs, security needs, abuse prevention needs, and dispute obligations.

Deleted data may persist for a limited period in backups, logs, archives, billing records, carrier records, fraud records, or legal records until those systems cycle out or retention obligations expire.

10. Incidents

CallOrbit will notify affected customers without undue delay after confirming a personal data breach involving customer personal data processed by CallOrbit, unless law enforcement or legal obligations restrict notice. Notice may include available details about the incident, affected data, mitigation steps, and recommended customer actions.

11. Audits And Information

CallOrbit will provide reasonable information needed to demonstrate compliance with this DPA, subject to confidentiality, security, operational, and customer-data protection limits. Enterprise customers may request security questionnaires, DPA review, and additional documentation through privacy@callorbit.tech.

12. Liability And Conflict

The liability limits in the Terms or applicable written agreement apply to this DPA unless mandatory law requires otherwise. If this DPA conflicts with the Terms on a data processing topic, this DPA controls for that topic.

Quick answers

  • Is CallOrbit a processor under GDPR? - For customer content processed through the platform, CallOrbit generally acts as a processor and the customer acts as controller. For account, billing, security, and website data, CallOrbit may act as controller.
  • Is CallOrbit an operator under POPIA? - For customer personal information processed on customer instructions, CallOrbit generally acts as an operator and the customer acts as responsible party.
  • Does the DPA cover call recordings and transcripts? - Yes. The DPA covers call recordings, voicemail, transcripts, message content, AI summaries, call metadata, and related communications data processed through CallOrbit.