This Data Processing Agreement ("DPA") is incorporated into and forms part of the NightAI Service Agreement executed between NightAI, LLC ("Provider," "Processor") and the business identified in that Agreement ("Client," "Controller"). By signing the Service Agreement, Client agrees to this DPA in full.
As used in this DPA:
The parties acknowledge that:
NightAI processes Personal Data for the purpose of delivering its AI voice agent service: answering inbound calls, collecting caller information, scheduling appointments, sending confirmations, and related intake functions as described in the Service Agreement.
Categories of Personal Data processed:
Categories of Data Subjects: Individuals who call Client's business phone number and interact with NightAI's AI voice agent.
No Protected Health Information (PHI) is permitted. Client agrees not to instruct NightAI to collect, process, or store PHI as defined under HIPAA. NightAI does not hold a HIPAA Business Associate Agreement with any sub-processor and is not a HIPAA-covered entity. See also the AI Addendum.
This DPA is in effect for the duration of the Service Agreement and continues until all Personal Data has been returned to Client or securely deleted by NightAI, as described in Section 9 below.
NightAI shall process Personal Data only on Client's documented instructions, as set out in this DPA and the Service Agreement, except where required by applicable law to process Personal Data for other purposes. In such a case, NightAI will inform Client of that legal requirement before processing, unless the law prohibits such notice.
NightAI shall ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations and have access only to Personal Data necessary for their role.
NightAI shall implement and maintain technical and organizational measures appropriate to the risk of the processing, as described in Schedule B to this DPA. NightAI shall not be responsible for security incidents caused by Client's systems, credentials, or instructions.
Client hereby provides general written authorization for NightAI to engage the sub-processors listed in Schedule A. NightAI shall:
If Client objects to a new sub-processor within 14 days of notice and NightAI is unable to reasonably accommodate that objection, either party may terminate the Service Agreement without penalty on 30 days' written notice.
NightAI shall promptly notify Client (within 5 business days) if it receives a request from a Data Subject to exercise rights under Applicable Data Protection Law (access, deletion, portability, rectification, or restriction of processing). NightAI shall not respond to such requests directly but shall cooperate with and assist Client in fulfilling Client's obligations to respond.
NightAI shall notify Client without undue delay — and in any event within 72 hours of becoming aware — of any personal data breach affecting Personal Data processed under this DPA. The notice will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and Personal Data records affected, likely consequences, and measures taken or proposed to mitigate adverse effects.
NightAI shall provide reasonable assistance to Client for any data protection impact assessments (DPIAs) required by Applicable Data Protection Law, considering the nature of processing and the information available to NightAI.
Upon termination of the Service Agreement, NightAI shall, at Client's choice and within 30 days of written request: (a) return to Client all Personal Data in a machine-readable format; or (b) securely delete all Personal Data. NightAI will provide written confirmation of deletion upon request. NightAI may retain Personal Data where required by applicable law for the minimum period required.
Upon at least 30 days' prior written notice, NightAI shall make available to Client (or Client's designated auditor) information reasonably necessary to demonstrate NightAI's compliance with this DPA, and shall allow for and contribute to audits — which shall be conducted during normal business hours, with minimal disruption, no more than once per 12-month period, and subject to confidentiality obligations.
Client, as Data Controller, agrees to:

| Sub-Processor | Role | Location | Privacy / DPA Reference |
|---|---|---|---|
| Twilio Inc. | Voice telephony transport (SIP/PSTN) — routes inbound calls to NightAI's AI agent | USA | twilio.com/legal/privacy |
| Retell AI, Inc. | Speech-to-text transcription, text-to-speech synthesis, and call orchestration. NightAI has executed a BAA and DPA with Retell AI. Retell AI may use third-party voice synthesis providers (such as Cartesia or ElevenLabs) to deliver TTS; these are sub-processors of Retell AI, not of NightAI directly. | USA | retellai.com/privacy |
| OpenAI, L.L.C. | Large language model (GPT-4o-mini) — intent extraction and response generation | USA | openai.com/policies/privacy-policy |
| Railway Corp. | Cloud hosting for NightAI application servers and PostgreSQL database | USA | railway.app/legal/privacy |
| Upstash / Redis | Session-state cache (30-minute TTL); no Personal Data persisted beyond call session | USA | upstash.com/trust/privacy.pdf |
| Stripe, Inc. | Payment processing and subscription billing | USA | stripe.com/privacy |
| Twilio SendGrid | Transactional email delivery (appointment confirmations, reminders) | USA | twilio.com/legal/privacy |
| Clerk, Inc. | Authentication and identity management for Client's NightAI dashboard account | USA | clerk.com/legal/privacy |

NightAI will provide at least 14 days' advance email notice before adding any new sub-processor that will process caller Personal Data.

NightAI implements the following measures to protect Personal Data:

| Measure | Implementation |
|---|---|
| Encryption at rest | Sensitive credentials and API keys are encrypted using AES-256-GCM before storage in the database. Appointment data is stored in an encrypted-at-rest PostgreSQL instance on Railway. |
| Encryption in transit | All data transmitted between NightAI's services and sub-processors uses TLS 1.2 or higher. |
| Webhook integrity | Inbound webhooks from Twilio are validated using HMAC-SHA1 signature verification. Retell AI webhooks are validated using a secret token. |
| Minimal data in logs | Application logs do not contain caller PII (name, phone, email). Structured logs capture operational metadata only. |
| Session state TTL | Per-call state (including collected caller details) stored in Redis with a 30-minute TTL. Data is automatically purged after call completion or timeout. |
| Access controls | Client dashboard access is controlled via Clerk authentication. Database access is restricted to the application service account only. No shared credentials. |
| Multi-tenant isolation | All database queries for caller and appointment data include a business_id filter, preventing cross-tenant data access. |
| Data minimization | NightAI collects only the data required to book an appointment: name, phone, email, date, and reason for visit. |

All NightAI sub-processors are located in the United States. If Client is based in the European Economic Area (EEA) or United Kingdom, Client acknowledges that Personal Data will be transferred to and processed in the United States. Client shall ensure that any such transfers comply with Applicable Data Protection Law, including by implementing appropriate safeguards such as Standard Contractual Clauses if required. NightAI will cooperate in good faith with Client to support any such compliance requirements.
This DPA is governed by the same law as the Service Agreement: the laws of the State of Illinois, USA. Disputes shall be resolved through binding arbitration in Chicago, Illinois, under the AAA Commercial Arbitration Rules, consistent with the Service Agreement's dispute resolution clause.
NightAI may amend this DPA from time to time. Material amendments will be communicated by email to the Client's account contact at least 14 days before they take effect. Continued use of the service after the effective date constitutes acceptance of the revised DPA.
In the event of any conflict between this DPA and the Service Agreement, this DPA shall control with respect to data processing matters. All other terms of the Service Agreement remain in full force.