Data Processing Addendum (DPA)

Last updated: 2026-04-20 · Version 0.1 (draft, pending legal review)

This Data Processing Addendum governs Wisky's processing of personal data on behalf of the Customer under the General Data Protection Regulation (Regulation (EU) 2016/679), the UK GDPR, and equivalent laws. The executed DPA is incorporated into the Master Services Agreement.

1. Roles

The Customer is the Controller. Wisky is the Processor, and our subprocessors are Sub-Processors. For Service-generated telecoms metadata (CDRs, signaling captures) retained to comply with our own regulatory obligations, Wisky acts as Controller.

2. Subject Matter and Duration

Processing covers the duration of the underlying MSA and any mandatory post-termination retention period. The subject matter is the provision of voice telecommunications services.

3. Nature and Purpose

We process personal data to deliver SIP termination, DID number inventory, hosted PBX, billing, abuse prevention, and support.

4. Categories of Data

Identifiers: telephone numbers (A-number, B-number), SIP URIs, IP addresses.
Call metadata: timestamps, duration, codec, call state, routing decisions.
Where Customer configuration enables it: call content (recordings, voicemail).
Customer account data: contact names, emails, billing information.

5. Categories of Data Subjects

Customer's End Users (employees, contractors).
Third parties whom End Users contact or are contacted by.
Customer's own administrative and billing contacts.

6. Processor Obligations

Process personal data only on documented instructions from the Controller.
Ensure personnel with access are bound by confidentiality.
Maintain appropriate technical and organizational measures per Article 32.
Assist the Controller with data subject requests, DPIAs, and security breach notifications.
Delete or return personal data at the end of Services, subject to legal retention requirements.

7. Sub-Processors

The Customer grants general authorization to engage Sub-Processors. A current list is maintained and available on request to privacy@wisky.com. The Customer will be notified of additions with opportunity to object for a 30-day period.

8. International Transfers

Transfers outside the EEA rely on (a) an adequacy decision, (b) Standard Contractual Clauses, or (c) another lawful transfer mechanism as appropriate. SCCs are incorporated by reference where applicable.

9. Security Measures (Annex)

Encryption in transit (TLS 1.2+) and at rest (AES-256 for archived recordings and backups).
SRTP for media on Customer-facing legs where negotiated.
Role-based access control, least privilege, MFA on administrative access.
Centralized audit logging with integrity protection.
Regular vulnerability scanning and annual penetration testing.
Documented incident response procedures with defined notification timelines.
Business continuity: backups replicated across regions, tested restore at least quarterly.

10. Breach Notification

Wisky will notify the Customer without undue delay and in any event within 48 hours of becoming aware of a personal data breach affecting Customer data.

11. Audit Rights

Customers may audit Wisky's compliance once per year with reasonable notice, at the Customer's expense, subject to confidentiality, or may rely on third-party audit reports or certifications Wisky makes available.

12. Return and Deletion

Upon termination, Wisky will delete or return all Customer personal data at the Customer's choice, except where retention is required by law. Retained data will continue to be protected under this DPA.

13. Contact

privacy@wisky.com