Data Processing Agreement

Last updated: May 30, 2026

Plain-English summary

  • You (the customer) are the data controller. ProoN is the data processor.
  • We process the data you send us only to provide the AI phone agent service you signed up for.
  • We never sell your data. We never train AI models on your calls or customer records.
  • You can export or delete all your data self-serve from /app/settings/data.
  • We use a fixed list of subprocessors (below). Each is GDPR-compliant and has its own DPA.

1. Scope and roles

This Data Processing Agreement (“DPA”) governs the processing of Personal Data by Bakes & Brews LLC, a California limited liability company, doing business as ProoN (“ProoN”) on behalf of the Customer in connection with the ProoN service.

The Customer acts as the data controller and is responsible for determining the purposes and means of processing Personal Data. ProoN acts as the data processor and processes Personal Data only on documented instructions from the Customer, which include the ProoN Terms of Service and the use of the ProoN service itself.

2. Categories of Personal Data processed

  • Caller data: phone numbers, names if provided by the caller, transcripts of calls, recorded audio (if enabled), voicemail recordings.
  • Customer team data: business email addresses, names, phone numbers of the Customer's teammates (when they sign in to ProoN).
  • Business data: the Customer's business name, address, industry, agent configuration (greeting, voice, prompt), menu and pricing data (where applicable).
  • Usage data: call duration, timestamps, IP addresses (logged for security), browser user-agent strings.

3. Duration and purpose of processing

ProoN processes Personal Data for the duration of the Customer's subscription and for a limited retention period after termination.

  • Active retention: Personal Data is retained for as long as the Customer's account is active.
  • Post-termination retention: 30 days from account deletion, after which all Personal Data is permanently removed from production systems and from rolling backups.
  • Self-serve deletion: the Customer may delete all account data at any time from /app/settings/data.

4. Security measures

ProoN implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk:

  • Encryption in transit: TLS 1.2+ for all HTTP traffic, including HSTS preload.
  • Encryption at rest: AES-256 for database and object storage at the infrastructure level.
  • Access control: Postgres Row-Level Security policies isolate tenant data. Internal staff access is gated by per-action permissions; all admin actions are audit-logged.
  • Two-factor authentication: available for all Customer accounts at /app/settings/security.
  • Backups: daily encrypted backups with 30-day retention and ~5-minute point-in-time recovery RPO.
  • Incident response: Customer notified within 72 hours of confirmed Personal Data breach, per GDPR Art. 33.

5. Subprocessors

ProoN engages the following subprocessors to deliver the service. Each subprocessor has its own published DPA and meets equivalent security obligations.

Subprocessor | Purpose | Location | DPA
------------ | ------- | -------- | ---
Supabase, Inc. | Database, authentication, file storage | United States | View
Vercel, Inc. | Application hosting + serverless compute | United States | View
Retell AI, Inc. | Voice AI infrastructure (TTS, STT, voice agents) | United States | View
Stripe, Inc. | Payment processing | United States | View
Twilio Inc. | PSTN telephony, SMS delivery | United States | View
Resend | Transactional email delivery | United States | View

ProoN will notify Customers in advance of adding or replacing subprocessors via the in-app changelog and an email to the org owner. Customers may object to a new subprocessor within 30 days by emailing [email protected].

6. International data transfers

Personal Data is currently stored and processed in the United States (AWS us-east-1). For Customers in the EEA or UK, ProoN relies on the EU-US Data Privacy Framework (DPF) and, where applicable, Standard Contractual Clauses (SCCs) for transfers outside the EEA.

7. Data subject rights

ProoN supports the Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) under GDPR Articles 15–22. Most requests can be fulfilled directly by the Customer via the self-serve tools at /app/settings/data. For assistance with complex requests, email [email protected].

8. Audit rights

The Customer (or its appointed auditor) may, upon at least 30 days' written notice, conduct an audit of ProoN's processing activities relevant to this DPA. Audits will be limited in scope and frequency to what is reasonably necessary and will be conducted during business hours under appropriate confidentiality terms.

In lieu of an on-site audit, ProoN will share its SOC 2 Type II report (once available) and current security policies under NDA.

9. Termination

Upon termination of the Customer's subscription, ProoN will (a) cease processing Personal Data, (b) make a final export available to the Customer for 30 days, and (c) delete all Personal Data from production and backups within 30 days of termination.

10. Contact

Questions about this DPA: [email protected]

Security and privacy operations: [email protected] / [email protected]