This Data Processing Agreement (“DPA”) forms part of the Master Services Agreement between Ace Peak Invest Pte Ltd operating 9278.ai (“Processor”, “we”) and the business customer (“Controller”, “Customer”). It applies where 9278.ai processes Customer Personal Data on the Customer's behalf — in practice, the personal data of the Customer's callers handled by the AI agent. For 9278.ai's own controller processing, see the Privacy Policy.
1. Roles and Instructions
The Customer is the controller and 9278.ai the processor of Customer Personal Data. 9278.ai processes only on the Customer's documented instructions (the MSA, this DPA, and the Customer's configuration and use of the Services), unless required otherwise by law (in which case 9278.ai informs the Customer where lawful).
2. Subject-Matter, Duration and Details (Annex I)
- Subject-matter: provision of the AI voice-agent Services (answering, recording, transcribing, routing, analytics).
- Personal data: caller/called numbers, call detail records, recordings, transcripts, AI-interaction data, contact records.
- Data subjects: the Customer's callers, contacts, and end-customers.
- Duration: the term of the MSA. Retention: per Customer configuration and applicable law; otherwise deletion/return on termination.
3. Processor Obligations
- process only on documented instructions; flag instructions that appear to breach data-protection law;
- ensure authorised persons are bound by confidentiality;
- implement the Annex II security measures (GDPR Art. 32);
- assist the Customer with data-subject requests, security, breach notification, and DPIAs (Arts. 32–36);
- notify the Customer without undue delay and, where feasible, within 24 hours of becoming aware of a personal data breach affecting Customer Personal Data;
- on termination, delete or return Customer Personal Data within 30 days and confirm in writing, except where law requires retention;
- make available compliance information and allow audits on 30 business days' notice (or provide an ISO 27001 / SOC 2 report in lieu); maintain Art. 30(2) records.
4. Customer Obligations
The Customer must have a lawful basis and provide all notices/obtain all consents for the data processed through the Services (including for recording, AI voice, and any outbound/telemarketing under the TCPA/ePrivacy/local law), and must not instruct unlawful processing.
5. Sub-Processors
The Customer authorises 9278.ai to engage the sub-processors in the Sub-Processor List (hosting, AI/ASR/TTS, payments, communications). 9278.ai imposes equivalent terms, remains responsible for them, gives at least 14 days' notice of changes, and allows objection on reasonable data-protection grounds.
6. International Transfers
For transfers of Customer Personal Data from the EEA/UK to a country without an adequacy decision, the EU SCCs (Decision 2021/914), Module Two (Controller-to-Processor), and the UK IDTA/Addendum apply, completed with the Annex I details. 9278.ai, in Singapore, also complies with the PDPA Transfer Limitation Obligation. Transfer impact assessments are conducted for third-country sub-processors.
7. Jurisdiction-Specific Terms
- United States — CCPA/CPRA: 9278.ai is a “service provider”, not a “third party”; it will not sell/share Customer Personal Data or use it outside the direct business relationship, and binds sub-processors equivalently.
- Brazil — LGPD: 9278.ai acts as operator (operador); transfers and security follow the LGPD; 9278.ai assists with ANPD requests.
- Other Latin American countries: 9278.ai applies equivalent processor obligations under applicable national data-protection law.
8. Annex II — Security Measures (GDPR Art. 32)
- Encryption — TLS 1.2+ in transit, SRTP for media, AES-256 at rest for recordings/transcripts; no unencrypted transmission.
- Access control — MFA, role-based access, unique accounts, quarterly access reviews, immediate revocation on role change.
- Monitoring & logging — continuous monitoring, intrusion detection, tamper-evident audit logs ≥12 months, tested incident response.
- Infrastructure — ISO 27001-certified data centres, physical controls, encrypted backups, tested disaster recovery.
- Personnel & vendors — confidentiality obligations and security training; vendor due diligence on sub-processors.
- Secure development — secure SDLC, code review, annual penetration testing, vulnerability/patch management, data minimisation/pseudonymisation.
9. Liability, Term and Governing Law
This DPA supplements the MSA and prevails on data-processing matters. Governed by the laws of Singapore, except that EU SCC disputes are governed as the SCCs specify. Business customers needing a signed DPA may contact legal@9278.ai.
Contact
- Legal: legal@9278.ai
- Privacy: privacy@9278.ai
- DPO: dpo@9278.ai
Ace Peak Invest Pte Ltd (9278.ai), 1 Scotts Road, #24-10, Shaw Centre, Singapore 228208.