Data Processing Agreement
Last updated · 2026-01-15
The DPA covers how Vorel handles personal data as a processor on behalf of its customers: call audio, transcripts, CRM records, and anything else the agent touches in production. The signed PDF is the binding document; this page is a plain-language summary so security and procurement teams can read the shape of the commitments before signing.
Roles
The customer is the controller of their end-user data. Vorel is the processor. Vorel only processes data on documented instructions from the customer and only for the purposes set out in the master service agreement.
Security commitments
- SOC 2 Type II in progress. Current report furnished on request under NDA.
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control for Vorel staff; least-privilege production access with quarterly review.
- Customer-managed data residency (US, EU, UAE) on request.
Subprocessors
The current subprocessor list is maintained alongside this DPA and shared on signing. Notifications are issued at least 14 days before adding a subprocessor that touches regulated data. Customers may object in writing and trigger the migration clauses in the master service agreement.
Retention and deletion
Call audio, transcripts, and processed records are retained only as long as the customer instructs. Defaults are 90 days for audio, 24 months for transcripts, and the lifetime of the CRM record for written outcomes. On contract termination, all customer data is returned or deleted within 30 days.
International transfers
For data leaving the EU, the EU Standard Contractual Clauses (controller-to-processor) are incorporated into the DPA. For UK transfers, the UK IDTA addendum is included. UAE deployments may opt for an in-region deployment to avoid cross-border transfers entirely.
This page is a working draft and is not a binding legal document. Questions, data-subject requests, and final-version requests go to [email protected].

