This Data Processing Addendum ("DPA") forms part of the Terms of Service between Callshu Inc. ("Processor") and the Customer ("Controller"). It describes how Callshu processes personal data on behalf of its customers.
The Customer is the data controller — the organization that determines the purposes and means of processing employee personal data. Callshu Inc. is the data processor — the service provider that processes personal data on behalf of and under the instructions of the Customer.
This DPA applies to the processing of personal data related to the Customer's employees, including employee contact information (name, phone number), consent status and consent event history, and call interaction data (call attempts, responses, campaign records). Processing continues for the duration of the Customer's use of the Service and until all personal data is deleted in accordance with the Terms of Service and Privacy Policy.
Callshu processes personal data solely to place automated phone calls and SMS messages on behalf of the Customer, manage employee consent (opt-in and opt-out) via SMS, generate campaign reports and call history for the Customer, send transactional notifications (shift confirmations, manager reports), and maintain system security, audit logs, and service integrity.
Callshu shall process personal data only on the documented instructions of the Customer, as defined by the Customer's use of the Service (creating campaigns, adding employees, configuring settings). Callshu shall not process personal data for its own purposes or for any purpose other than providing the Service. If Callshu is required by applicable law to process personal data for another purpose, it will notify the Customer before doing so, unless prohibited by law.
The Customer warrants that it has a lawful basis for providing employee personal data to Callshu, including obtaining consent where required by applicable telecommunications and privacy laws (TCPA, CASL, PIPEDA, CCPA). The Customer has provided or will provide all required notices to its employees regarding the processing of their data through the Service. The Customer complies with all applicable telecom and privacy laws in its use of the Service.
Callshu implements appropriate technical and organizational measures to protect personal data, including: encryption of all data in transit (TLS/HTTPS); password hashing using bcrypt with a cost factor of 12; JWT authentication with token versioning; role-based access controls limited to personnel with a legitimate need to know; rate limiting on authentication and API endpoints; Twilio webhook signature verification; comprehensive audit logging retained for up to 2 years; and internal incident response procedures. For a full description of security measures, see our Security Overview.
The Customer authorizes Callshu's use of the sub-processors listed in the Privacy Policy (Section 4). Callshu shall ensure that all sub-processors are bound by data protection obligations no less protective than those in this DPA, and Callshu remains responsible for the acts and omissions of its sub-processors. Callshu will provide notice of material changes to sub-processors by updating the Privacy Policy.
Callshu shall assist the Customer in responding to requests from data subjects (employees) exercising their rights under applicable privacy law, including requests for access, correction, deletion, or opt-out. Where Callshu receives a request directly from a data subject, Callshu will respond where legally required or forward the request to the relevant Customer without undue delay. The Customer remains responsible for fulfilling data subject requests related to its employees.
Callshu shall notify the Customer without undue delay — and in any event within 72 hours — upon becoming aware of a personal data breach affecting the Customer's data. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach. Callshu shall cooperate with the Customer in meeting any regulatory notification obligations.
Upon termination of the Customer's account or at the Customer's request, Callshu shall delete all personal data processed on behalf of the Customer within 30 days, in accordance with the Privacy Policy (Section 7), except for: (a) audit log entries, which are anonymised rather than deleted, as described in the Privacy Policy; and (b) minimal consent and campaign records retained in a compliance archive for up to two years from the date of deletion, as described in the Privacy Policy (Section 7), to support legal defensibility under applicable telecommunications laws. After the two-year retention period, archived records are automatically and permanently deleted. Callshu may retain personal data beyond these periods only where required by applicable law.
The Customer acknowledges that personal data is processed and stored in the United States. Callshu implements safeguards appropriate to the nature of the data and applicable law, as described in the Privacy Policy (Section 11), including encryption, access controls, and contractual obligations on sub-processors. For a full description of cross-border transfer risks and safeguards, see the Privacy Policy.
Each party's liability arising out of or related to this DPA is subject to the limitations set out in the Terms of Service (Section 10).
This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, consistent with the Terms of Service (Section 12).
For questions about this DPA or data processing practices:
Callshu Inc.
Toronto, Ontario, Canada
Email: support@callshu.com