Data Processing Addendum

Last updated 2026-04-16. This DPA supplements the Terms for customers processing personal data through MeterCall.

1. Roles

You are the Controller. MeterCall is the Processor acting on your documented instructions. Where we process your instructions through other vendors, those are Sub-processors listed below.

2. Scope + purpose

We process personal data only to deliver the gateway service: proxying calls you initiate, metering usage, billing, support. We don't use personal data to train models. We don't profile your end-users.

3. Sub-processors

Current sub-processors — we notify Enterprise customers 30 days before adding any new one.

Sub-processor	Purpose	Location
Anthropic	LLM inference for optional AI features	US
Cloudflare	CDN, WAF, DDoS protection	Global edge
Fly.io	Gateway compute	US (iad), EU (cdg) on request
Supabase	Managed Postgres (metadata only)	US-east
Stripe	Payment processing	US, EU
Coinbase Commerce	Crypto payment processing	US
Resend	Transactional email	US

4. GDPR / UK GDPR representative

For data subjects in the EU or UK, contact our privacy team at privacy@metercall.ai. We'll route to our EU representative where required. SAR responses within 30 days.

5. Data retention

• Account data: held while your account is active, deleted 90 days after account closure.
• Gateway metadata (call logs): 13 months for audit + billing disputes, then purged.
• Request/response bodies: not stored by default; if you opt into per-request logging, 24h then purged.
• Invoices + tax records: 7 years, as required by law.
• Backups: rolling 35-day window, encrypted.

6. Security measures (summary)

Full details at /security.html. Highlights:

• TLS 1.3 in transit, AES-256 at rest.
• Upstream credentials encrypted with envelope keys rotated every 90 days.
• Least-privilege IAM, SSO for staff, MFA mandatory.
• Annual pen test, continuous vulnerability scanning.
• Incident response: customer notification within 72 hours of confirmed breach.

7. International transfers

For EU/UK → US transfers, we rely on the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum. Signed copies available to Enterprise customers under NDA. We are not currently DPF-certified; we use SCCs.

8. Sub-processor flow-down

All sub-processors are bound by equivalent data protection obligations via written contract. We remain liable to you for their performance.

9. Audit rights

Enterprise customers get annual audit rights via questionnaire + SOC 2 report once available (Q3 2026). On-site audits on reasonable notice, at customer cost, for regulated industries.

10. Return + deletion

On termination, we return or delete personal data within 30 days. Certified deletion letter available on request.

11. Liability + precedence

This DPA takes precedence over the main Terms on data protection matters. Liability caps from the main Terms apply.

12. Signing

For a counter-signed DPA, email legal@metercall.ai with your entity name and jurisdiction. We use DocuSign.

Last updated 2026-04-16. Questions → /contact.html