Data Processing Agreement

Last updated: March 28, 2026

1. Scope

This Data Processing Agreement (“DPA”) forms part of the agreement between Tilk AI (“Processor”) and the customer (“Controller”) for the provision of AI voice agent services. It applies to all processing of personal data by Tilk AI on behalf of the Controller.

2. Data Processing

Categories of Data Subjects

  • End users who interact with AI voice agents
  • Customer employees who configure and manage agents
  • Contact list entries uploaded for outbound campaigns

Types of Personal Data

  • Phone numbers
  • Names and contact information
  • Call recordings and transcriptions
  • Appointment booking details

3. Sub-Processors

Tilk AI uses the following sub-processors for service delivery:

  • Google Cloud (Gemini API) — AI model inference for voice conversations
  • Twilio / Telnyx — Telephony infrastructure for voice calls
  • Cloudflare — CDN and security services
  • PostgreSQL hosting provider — Database storage

The Controller will be notified of any changes to sub-processors with at least 30 days' advance notice.

4. Security Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Tenant isolation at the database level
  • Role-based access control (RBAC)
  • Regular security audits and penetration testing
  • Automated vulnerability scanning
  • Incident response procedures with documented playbooks

5. Breach Notification

In the event of a personal data breach, Tilk AI will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, estimated number of data subjects, and measures taken to address the breach.

6. Data Subject Rights

Tilk AI will assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, restriction, and objection) through the platform admin tools and API. Requests will be processed within 30 days.

7. Audit Rights

The Controller may audit Tilk AI’s compliance with this DPA once per year with reasonable advance notice. Tilk AI will provide access to relevant documentation and cooperate with the audit process.

8. Data Deletion

Upon termination of the agreement, Tilk AI will delete all personal data processed on behalf of the Controller within 90 days, unless retention is required by law. The Controller may request a data export before deletion.

9. Request a Signed Copy

To request a signed copy of this DPA, or to discuss specific data processing requirements for your organization, contact us at:

legal@tilk.ai
