Data Protection Addendum

CallTrackingMetrics has updated this Addendum to comply with updates to the GDPR and state-law requirements. The updated Addendum will automatically become effective on August 22, 2025.

This Data Processing Addendum and its Annexes (“DPA”) is between the end-user customer (“Customer” or “you”) and CallTrackingMetrics, LLC (“CallTrackingMetrics,” “we,” “us” or “our”) and is incorporated by reference into the CallTrackingMetrics Terms of Service. This DPA describes the parties’ obligations under applicable privacy, data protection, and data security laws, concerning the Processing and security of Customer Data (as defined below) when providing Services. The Services are described in the Agreement. In the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA shall control. In the event of a conflict between the terms of this DPA and the EU Standard Contractual Clauses, the EU Standard Contractual Clauses shall control. All capitalized terms not defined in this DPA shall have the meaning provided to them in the Agreement.

1. DEFINITIONS

“Applicable Data Protection Law” means all applicable legislation relating to the data protection and privacy, which applies to the Processing of Customer Personal Data under the Agreement, including without limitation, the GDPR, U.S. federal and state privacy, data security, or data protection laws or regulations, and all other applicable laws and regulations.

“CallTrackingMetrics Customer Data” means all data, personal or otherwise, exchanged using the Services, including Account Data, Usage Data, and other data collected as part of its routine business operations. For clarity, such data that is not Customer Data is not within the scope of this DPA.

“Customer Account Data” means Customer Personal Data that relates to Customer’s relationship with CallTrackingMetrics, including the names and/or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Customer Account Data also includes any data CallTrackingMetrics may need to collect for identity verification or as part of its legal obligation to retain subscriber records.

“Customer Content” means (a) personal data exchanged by using the Services, such as text, message bodies, voice and video media, images, email bodies, email recipients, and sound, and (b) data stored on Customer’s behalf.

“Customer Data” has the meaning given in the Agreement and includes Customer Account Data, Customer Usage Data, Customer Content, and Customer Personal Data, as defined in this DPA.

“Customer Personal Data” has the meaning given in the Agreement, which, for clarity, includes any personal data contained in the Customer Data (where “personal data” has the meaning given to it by the Applicable Privacy Laws and includes both personal and sensitive data).

“Customer Usage Data” means data Processed by CallTrackingMetrics to transmit or exchange Customer Content, including data used to identify the source and destination of a communication, such as (a) individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the Services, and the date, time, duration and the type of communication and (b) activity logs used to identify the source of Service requests, optimize and maintain performance of the Services, and investigate and prevent system abuse.

“Data Subject” means the individual to whom Customer Data relates.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“Independent Controller” means a Controller that determines alone the means and purposes of the Processing of Customer Personal Data.

“Privacy Policies” means the current privacy policies for the Services available at https://calltrackingmetrics.com/legal/privacy/

“Sell, Selling, Sale or Sold” has the meaning given in subdivision (ad)(1) of Cal. Civ. Code §1798.140.

“Security Controls” means the terms set forth in the Agreement outlining CallTrackingMetrics technical and organizational measures to protect Customer Data, or, if the Agreement has no such terms, then the CallTrackingMetrics Security Overview available at https://calltrackingmetrics.com/security/

“Security Incident” means any unauthorized or unlawful breach of security that leads to a confirmed or reasonably suspected accidental or unlawful destruction, acquisition, loss, alteration, unauthorized disclosure of, or access to Customer Data on systems managed or otherwise controlled by CallTrackingMetrics, but does not include any unsuccessful attempt or activity that does not compromise the security of Customer Data such as pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers).

“Sensitive Data” means a subset of Customer Personal Data that reveals or concerns: racial or ethnic origin; political opinions; religious, philosophical beliefs, or trade union membership; genetic data; biometric data to uniquely identify a natural person; health data or information concerning a natural person’s health, lifestyle, or exercise habits; sex life or sexual orientation; social security number; driver’s license number; state identification card number; passport number; precise geolocation data; account log-in information in combination with any required security or access code; financial account information; citizenship or immigration status; contents of mail, email and text messages (unless CallTrackingMetrics is the intended recipient); and any other data categories designated as “sensitive personal information” or similar terms under Applicable Data Protection Laws. Further, the term “Sensitive Personal Information” as defined in Applicable Privacy Law shall have the same meaning as Sensitive Data used in this DPA.

“Services” has the meaning given in the Agreement.

“Service Provider” has the meaning given in subdivision (ag)(1) of Cal. Civ. Code §1798.140.

“Share” or “Sharing” has the meaning given in subdivision (ah)(1) of Cal. Civ. Code §1798.140.

“Sub-Processor” means any Data Processor or vendor engaged by or on behalf of CallTrackingMetrics to assist in fulfilling its obligations under the Agreement or this DPA. For clarity, Sub-Processors include Service Providers.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021.

Terms used but not defined in this DPA (e.g., “Business Purpose,” “Consumer,” “Controller,” “Data Protection Officer,” “Data Subject,” “EEA,” “Joint Controller,” “Process/Processing,” “Processor,” “Supervisory Authority”) shall have the same meaning as set forth in the Agreement or Applicable Data Protection Laws.

2. RELATIONSHIP OF THE PARTIES

2.1 Customer. For purposes of this DPA, you are the Controller of the Customer Data Processed by CallTrackingMetrics under the terms of the Agreement. You are responsible for complying with your obligations as a Controller under Applicable Data Protection Laws governing your provision of Customer Data to us when using our Services, including without limitation obtaining any consents, providing any notices, otherwise establishing the required legal basis, and responding promptly to any inquiries from Data Subjects, law enforcement, regulator, or data protection authority.

2.2 CallTrackingMetrics as Processor. CallTrackingMetrics is the Processor of Customer Data, except when you act as a Processor of Customer Content or Customer Usage Information, in which case we are a Sub-Processor. CallTrackingMetrics is responsible for the Processing of Customer Data solely for legitimate Business Purposes under the Agreement and this DPA.

2.3 CallTrackingMetrics as Independent Controller. CallTrackingMetrics is an Independent Controller of CallTrackingMetrics Customer Data that it collects as part of its business operations and is not a Joint Controller.

3. SCOPE AND APPLICABILITY OF THIS DPA

In the context of the scenarios described in the “Relationship of the Parties” (Section 2 above), each party agrees to Process Customer Data only for the purposes outlined in the Agreement and this DPA. For the avoidance of doubt, the categories of Customer Data Processed and the categories of data subjects subject to this DPA are described in Annex 1 to this DPA.

4. COMPLIANCE WITH THE LAWS

Each party shall comply with its respective obligations as Controllers and Processors under Applicable Data Protection Laws. Customer is responsible for ensuring it has, and will continue to have, the right to transfer, or provide access to, the Customer Data to us under the terms of the Agreement and this DPA.

5. PROCESSOR AND CONTROLLER OBLIGATIONS

5.1 Processor Obligations. CallTrackingMetrics and any persons acting under our authority under this DPA, including Sub-Processors, will:

a. Process Customer Data only to provide, support, and improve the Services to Customer, using appropriate technical and organizational security measures, and in accordance with your written instructions (“Customer Instructions”), this DPA, and in accordance with Applicable Data Protection Laws (“Permitted Purpose”).

b. Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on the Processor’s behalf comply with the terms of the Agreement and this DPA.

5.2 Controller Obligations. The Customer represents and warrants that it:

a. Ensures that CallTrackingMetrics’ Processing of Customer Data, when done in accordance with the Customer Instructions, will not cause us to violate any applicable law, regulation, or rule, including Applicable Data Protection Law.

b. Implements and maintains suitable safeguards before transmitting or Processing or permitting Customer’s end users to transmit or Process any Sensitive Data via the Services.

5.3 Notices to Controller. CallTrackingMetrics shall promptly notify Customer if we determine that we cannot meet our obligations under this DPA and/or applicable Data Protection Laws. In addition, we will promptly notify you of any:

a. Instructions we believe to be inconsistent with Applicable Data Protection Laws.

b. Requirement to Process any Customer Data other than for a Permitted Purpose. We will notify you in advance of Processing any Customer Data, unless we are legally prohibited from doing so (e.g., as a result of secrecy requirements that may exist under applicable EU member state laws).

c. legally binding request for disclosure of Personal Data by a law enforcement or government authority, unless we are forbidden by law to inform you, for example, to preserve the confidentiality of an investigation by law enforcement authorities;

d. notice, inquiry, or investigation by a Supervisory Authority with respect to Customer Data; or

e. complaint, correspondence, inquiry, or request (in particular, requests for access to, rectification, or blocking of Personal Data) received directly from data subjects of the Controller or a third party.

5.4 Assistance to the Controller. Where required by Applicable Data Protection Law, CallTrackingMetrics will provide you with information reasonably necessary to assist you in enabling your compliance with your obligations under Applicable Data Protection Laws, including without limitation (i) responding to any Data Subject requests to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable), (ii) demonstrating our compliance with implementing appropriate data security measures under Applicable Data Privacy Laws, (iii) carrying out a data protection impact assessment, (iv) consulting the competent Supervisory Authority (taking into account the nature of Processing and the information available to us), and (v) as further described in this DPA.

6. CONFIDENTIALITY

CallTrackingMetrics represents and warrants that its employees, authorized agents, and any Sub-Processors are subject to a strict duty of confidentiality (whether a contractual duty or statutory duty). We will not disclose Customer Data in response to a request, inquiry, complaint from a data subject, a subpoena, judicial or administrative order, or other binding instrument from a regulatory or law enforcement authority or third party (a “Demand”) unless you consent, or we are required by law. We will promptly notify you of any Demand unless prohibited by law and provide you with reasonable assistance to facilitate your timely response to the Demand. We may disclose Customer Data in connection with any anticipated or actual merger, acquisition, sale, bankruptcy, or other reorganization of all or part of our business, subject to our obligation to protect Customer Data under the terms of this DPA.

7. SUB-PROCESSING

7.1 Consent. Subject to the terms of this DPA, you authorize us to engage Sub-Processors to fulfill our obligations under the Agreement and this DPA. We will ensure that any Sub-Processor is bound by written agreements that require them to provide at least the level of data protection and information security required of CallTrackingMetrics under the Agreement and this DPA, and we have implemented commercially reasonable measures designed to confirm compliance with such measures. You may also request copies of the data protection terms we have in place with any Sub-Processor involved in providing the Services. We remain responsible at all times for ensuring that such Sub-Processors comply with the requirements of the Agreement, this DPA, and Applicable Data Protection Laws. The Customer consents to our use of Sub-Processors to Process Customer Data to provide Services in accordance with the Permitted Purposes, provided that we maintain an up-to-date list of Sub-Processors on our website, available at https://www.calltrackingmetrics.com/legal/subprocessors/. Customer may subscribe to notifications of new Sub-Processors on the same website. If Customer subscribes to notifications, we will provide details of any changes to the list of Sub-Processors at least thirty (30) days in advance or as soon as reasonably practicable.

7.2 Objection. The Customer may object to our appointment or replacement of a Sub-Processor (other than a Sub-Processor essential to CallTrackingMetrics’ provision of Services) prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection or information security. In such an event, the parties agree to discuss commercially reasonable alternative solutions in good faith. If the parties cannot resolve the issue within ninety (90) days, Customer may suspend or terminate the affected Service under the termination provisions of the Agreement. The Customer will still be responsible for any fees incurred by the Customer prior to suspension or termination. If no objection has been raised before CallTrackingMetrics replaces or appoints a new Sub-Processor, CallTrackingMetrics will deem Customer to have approved the new Sub-Processor.

8. INTERNATIONAL DATA TRANSFERS

8.1 General. Customer acknowledges that CallTrackingMetrics’ Processing facilities are located in the United States of America. Notwithstanding the foregoing, we may transfer Personal Data to as necessary to provide Services, and you appoint CallTrackingMetrics to perform any such transfer to Process Customer Data as required to provide the Services. We will comply with the requirements of this DPA regardless of where the Customer Data is stored or Processed.

8.2 International Transfers and Standard Contractual Clauses. Where the Processing involves the international transfer of Customer Data of resident(s) of a country within the EEA to CallTrackingMetrics or its Sub-Processors in a jurisdiction (i) that has not been deemed by the European Commission to provide an adequate level of data protection, and (ii) there is not another legal basis for the international transfer of such Personal Data, such transfers are subject to either the 2021 EU Standard Contractual Clauses or other valid transfer mechanisms available under Applicable Data Protection Laws. For international transfers, you are the “data exporter,” and CallTrackingMetrics is the “data importer.” For international transfers subject to the GDPR, (i) the Module One terms shall apply where both parties are Controllers, (ii) the Module Two terms shall apply where the party receiving Personal Data under the SCCs is acting as a Processor on behalf of the other party as a Controller, (iii) in Clause 7, the optional docking clause shall apply; (iv) in Clause 9, Option 2 of Module Two shall apply and the Processor shall obtain authorization for Sub-Processors following the process described in Section 7 of this DPA; (vi) in Clause 11, the optional language shall be deleted; (vii) in Clause 17 and Clause 18(b), the SCCs shall be governed by the laws of the Republic of Ireland; (viii) in Annex I of the SCCs, the details of the parties are set out in the Agreement; and (ix) the remaining information in Annex I and Annex II of the SCCs shall be deemed completed with the information set out in Annex 1 of this DPA.

8.3 Conflicts. In the event of any direct conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall control and supersede the terms of this DPA.

9. REQUESTS FROM DATA SUBJECTS

We will make several self-service features available, including the ability to delete, obtain a copy of, correct, or restrict the use of Customer Data. This feature may be used to fulfill requests by Data Subjects to exercise one or more of their rights under Applicable Data Protection Laws in a manner consistent with our role as a Processor. We will provide reasonable assistance to respond to Data Subject requests. At your instruction, CallTrackingMetrics will provide reasonable additional and timely assistance (at your expense only if complying with your request requires CallTrackingMetrics to assign significant resources to that effort) to assist Customer in complying with its data protection obligations concerning data subject rights under Applicable Data Protection Law.

10. SECURITY

10.1 Security Measures. We have implemented and will maintain appropriate administrative, technical, and organizational practices in accordance with Applicable Data Protection Law designed to protect Customer Data against any Security Incident. Such Security Controls are described at https://calltrackingmetrics.com/security/. We continually seek to strengthen and improve our Security Controls, and therefore reserve the right to modify the controls described herein. Any modifications will not diminish the level of security during the relevant Agreement Term. Our employees are bound by appropriate confidentiality agreements and comply with our corporate privacy and security policies and procedures.

10.2 Determination of Security Requirements. Customer acknowledges that the Services include certain features and functionalities that Customer may elect to use that impact the security of the data Processed by Customer’s use of the Services, such as, but not limited to, encryption of voice recordings and availability of multi-factor authentication on Customer’s Services account. Customer is responsible for reviewing the information we make available regarding our data security and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations, including its obligations under Applicable Data Protection Law. The Customer is further responsible for properly configuring the Services and utilizing the features and functionalities made available by CallTrackingMetrics to maintain appropriate security in light of the nature of the data Processed through the Customer’s use of the Services.

11. SECURITY INCIDENT NOTIFICATION

11.1 Customer Notification. CallTrackingMetrics shall notify you within seventy-two (72) hours after becoming aware of a Security Incident involving Customer Data in our possession, custody, or control where we are the Processor, unless prohibited by law enforcement or applicable law. Such notification will: (i) describe the nature of the Security Incident; (ii) provide the name and contact details of the data protection officer or other contact where more information can be obtained; and (iii) describe the measures taken or proposed to be taken to address the Security Incident including, where appropriate, measures to remediate or mitigate its possible adverse effects. We may provide notice of other Security Incidents where we are the Controller as required by law or in our sole discretion.

11.2 Law Enforcement or Regulatory Notices. Customer acknowledges that CallTrackingMetrics, as a Controller, may be required by Applicable Data Protection Law to notify a regulator of Security Incidents involving Customer Data. If the regulatory authority requires CallTrackingMetrics to notify impacted data subjects with whom CallTrackingMetrics does not have a direct relationship (e.g., Customer’s end users), CallTrackingMetrics will notify Customer of this requirement. Customer will provide reasonable assistance to CallTrackingMetrics to inform the impacted data subjects. CallTrackingMetrics will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects of a Security Incident. You agree that you will coordinate with us and obtain our prior written approval on the content of any public statements or required notices to individuals and/or Supervisory Authorities.

12. IMPACT ASSESSMENTS AND CONSULTATIONS

CallTrackingMetrics will provide reasonable cooperation to Customer in connection with any data protection impact assessments (at Customer’s expense only if such reasonable cooperation will require CallTrackingMetrics to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.

13. AUDITS

13.1 Supervisory Authority Audit. If a Supervisory Authority requires an audit of the data Processing facilities from which the Processor processes Personal Data to ascertain or monitor compliance with Applicable Data Protection Laws, the Processor will cooperate with such audit. The Controller will reimburse the Processor for its reasonable expenses incurred in cooperating with the audit.

13.2 Audit Requests. Notwithstanding the foregoing, CallTrackingMetrics will permit Customer to audit CallTrackingMetrics’ compliance with this DPA or as required by Applicable Data Protection Law, and on at least five (5) business days’ prior notice, to inspect and audit the facilities used by CallTrackingMetrics for the processing of Customer Data, subject to Customer bearing CallTrackingMetrics’ reasonable costs. Parties will maintain the confidentiality of audit results and reports. Customer will (i) provide CallTrackingMetrics with a copy of any final report unless prohibited by Applicable Data Protection Laws, (ii) treat the findings as confidential information in accordance with the terms of the Agreement (or confidentiality agreement entered into between you and CallTrackingMetrics), and (iii) use it solely to assess our compliance with the terms of the Agreement, this DPA, and Applicable Data Protection Laws.

13.3 Controller Audit Rights. In addition to the circumstances described in Section 13.2, CallTrackingMetrics shall, upon reasonable written notice, make available to Customer all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by Customer or an independent third-party auditor mandated by Customer, provided that (i) such audits shall not occur more than once per calendar year unless there has been a Security Incident affecting Customer Data or a material change in CallTrackingMetrics data Processing practices; (ii) Customer provides at least thirty (30) days’ prior written notice, except in cases of Security Incidents, where five (5) business days’ notice shall suffice; (iii) audits are conducted during CallTrackingMetrics’ regular business hours; (iv) Customer and any third-party auditor execute appropriate confidentiality agreements; and (v) Customer bears all reasonable costs associated with such audits.

13.4 Sub-Processor Audits. CallTrackingMetrics shall ensure that its agreements with Sub-Processors include audit rights consistent with this Section 13, and CallTrackingMetrics shall exercise such rights or facilitate Customer’s exercise of audit rights with respect to Sub-Processors upon Customer’s reasonable request.

13.5 Compliance Documentation. CallTrackingMetrics shall maintain and, upon reasonable request, provide Customer with (i) documentation of its technical and organizational measures according to Section 10; (ii) evidence of staff training on data protection obligations; (iii) certifications, assessment reports, or other evidence of compliance with this DPA and applicable Data Protection Laws; (iv) documentation of Sub-Processor due diligence and monitoring activities; and (v) records of data processing activities as required by applicable Data Protection Laws.

13.6 Alternative Compliance Verification. CallTrackingMetrics may satisfy its obligations under this Section 13 by completing a standardized information security questionnaire provided by Customer, provided such questionnaire is reasonable in scope and frequency.

14. RETURN OR DELETION OF CUSTOMER DATA; EXTENSION OF DPA; DATA RETENTION

14.1 Data Deletion. CallTrackingMetrics and its Sub-Processors will return or provide an opportunity for you to retrieve all Customer Data after the end of the provision of Services, as per the terms of the Agreement, this DPA, and Annex 1. You shall have sixty (60) calendar days to download your Customer Data after termination of the Agreement for Services. We will delete your Customer Data once that Customer Data is no longer accessible by you, except for (i) back-up systems, which will be securely isolated and protected from further processing, and (ii) Customer Data subject to retention requirements under applicable law. In the event of either (i) or (ii), we will continue to comply with the relevant provisions of this DPA, the Agreement, and the Applicable Data Protection Law until such data has been deleted. We will provide written confirmation of deletion upon request.

14.2 Extension of DPA. Upon termination of the Agreement, CallTrackingMetrics may retain Customer Data in storage for the periods specified in Annex 1 (Details of Processing), provided that CallTrackingMetrics will ensure that Customer Data is Processed only as necessary for the Permitted Purposes. Customer Data remains protected in accordance with the terms of the Agreement, this DPA, and Applicable Data Protection Law.

14.3 Retention Required by Law. Notwithstanding anything to the contrary in this Section 14, CallTrackingMetrics may retain Customer Content or any portion of it if required by applicable law, provided that it remains protected in accordance with the terms of the Agreement, this DPA, and Applicable Data Protection Law.

15. TERM

This DPA becomes effective upon your purchase of the Services. Termination of the Agreement does not relieve either party of its obligations under this DPA.

16. SALE OF DATA

CallTrackingMetrics does not Sell Customer Data and does not share such end users’ information with third parties for compensation or those third parties’ business interests.

17. UPDATES

CallTrackingMetrics may update the terms of this DPA from time to time; provided, however, CallTrackingMetrics will provide at least thirty (30) days prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services.

18. FINES OR PENALTIES

Notwithstanding anything to the contrary in this DPA or the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any fines issued or levied against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the Applicable Data Protection Laws.

19. FAILURE TO PERFORM

If changes in law or regulation render performance of this DPA impossible or commercially unreasonable, the Parties may renegotiate this DPA in good faith. If renegotiation would not cure the impossibility, or the Parties cannot reach an agreement, the Parties may terminate the Agreement under the Agreement’s termination provisions.

20. MISCELLANEOUS

The Customer acknowledges that CallTrackingMetrics collects and uses data from across our customer base to improve our products and services for our customers and to conduct related research. We take steps to aggregate or otherwise de-identify any Customer data used for these purposes and do not knowingly Process any personal data. However, to the extent that any such data is held to be personal data (or the equivalent term) in a particular jurisdiction, CallTrackingMetrics shall be the Controller (or the equivalent term) for the purposes of the applicable laws. CallTrackingMetrics will take reasonable measures to ensure that de-identified data cannot be re-associated with individuals and will maintain or use the de-identified data only in a de-identified manner.

21. CONTACT US

You can email us at privacy@calltrackingmetrics.com or write to us at the address listed below if you have any concerns.

CallTrackingMetrics
231 Najoles Road Suite #500
Millersville, MD 21108