Data Processing Agreement (DPA)

VoiceDock by Flireo B.V. provides a standard Data Processing Agreement that is compliant with Article 28 of the EU General Data Protection Regulation (GDPR). This page explains what our standard DPA covers, when it applies, and how to obtain it.

Download the DPA

📄 VoiceDock Standard DPA (English, v1.0) — PDF

Translations (Dutch, German, French, or other European languages) are available on request. Contact administratie@flireo.com.

What this DPA covers

The VoiceDock Standard DPA is a ready-to-sign data-processing agreement that governs the relationship between Flireo B.V. (as Processor) and you (as Controller) when you use VoiceDock in our recommended EU-compliant configuration.

It is fully aligned with Article 28(3) GDPR and contains:

Subject matter, nature, purpose and duration of processing

Categories of Data Subjects and Personal Data

Flireo's processor obligations: confidentiality, security, sub-processors, assistance with Data Subject rights, breach notification, deletion

Standard Contractual Clauses (EU Commission Decision 2021/914) for any sub-processor-level transfers outside the EEA

A full sub-processor list with locations, roles, retention, transfer mechanisms and certifications

Technical and Organisational Measures (Art. 32 GDPR)

Liability, audit, termination and Dutch law provisions

When this DPA applies

The Standard DPA applies only when your VoiceDock assistant is configured with both of the following:

Live-call routing via Google Vertex AI in the EU

Your assistant's LLM provider is set to Google Gemini Live on Vertex AI in the europe-west4 region (Netherlands). As of the effective date of the DPA, this means the model gemini-live-2.5-flash-native-audio.

Future Gemini Live models that Google makes generally available through Vertex AI in europe-west4 will automatically fall within scope.

GDPR Mode enabled

Your assistant has gdpr_mode = true. In this mode, VoiceDock does not persist call audio, transcripts, summaries, analysis results, or recordings in our systems. Derived signals (summary and structured analysis) are generated in memory and sent directly to your webhook, then released.

Configuration changes automatically change scope

If your assistant is reconfigured such that either condition above is no longer met (for example, by selecting a non-Vertex model, or by turning off GDPR Mode), the DPA automatically ceases to apply to the subsequent processing. The general data-processing terms of the Master Services Agreement then govern instead.

Why we scope the DPA this way

The Vertex-EU + GDPR-mode configuration is the cleanest compliance path we offer. By scoping the free standard DPA to this path, we make strong, honest, technically-backed commitments rather than a one-size-fits-all document that hedges.

EU data residency

Call content is processed exclusively in europe-west4 (Netherlands).

No training

Google does not use your data to train or fine-tune any AI/ML models.

No in-memory caching

Google's implicit caching is disabled at the project level.

Minimal retention

Under GDPR Mode we retain only operational metadata (call ID, numbers, duration, end reason). No audio, transcript, summary, or analysis.

Self-hosted core

The VoiceDock platform runs on hardware we control at Hetzner Online (Gunzenhausen, DE). No public-cloud provider has access to our primary platform.

Honest contracting

A scoped DPA matches the technical commitments precisely — no vague language to paper over edge cases.

Sub-processors at a glance

Google LLC (Vertex AI)

Role: Processor — real-time generative AI and post-call analysis
Location: europe-west4 (Netherlands)
Certifications: ISO 27001, ISO 27017/27018, SOC 1/2/3

Hetzner Online GmbH

Role: Processor — infrastructure hosting
Location: Gunzenhausen, Germany (EU-only for our servers)
Certifications: ISO 27001, ISO 27018, ISO 27701

Telnyx LLC

Role: Processor (call audio) / Independent Controller (CDRs, phone numbers)
Location: USA HQ with EU PoPs; EU SCCs in place
Certifications: SOC 2, ISO 27001

Vercel Inc.

Role: Processor (dashboard data) / Independent Controller (service-generated data)
Location: Functions in EU region; HQ USA with EU SCCs
Certifications: SOC 2 Type 2 (annual)

Full details — entities, addresses, data categories, retention, transfer mechanisms, applicable DPAs — are in Annex C of the DPA document.

Key commitments summarised

Obligation	Our commitment
Personal Data Breach notification	Within 72 hours of becoming aware, with the information required by Art. 33 GDPR
Data Subject rights assistance	Forwarded to Customer; reasonable technical assistance available
Sub-processor changes	14 days prior notice; Customer may object on reasonable data-protection grounds
Audit rights	Via SOC 2 / ISO reports standard; on-site audits up to once per calendar year on 60 days' notice
Data deletion on termination	Within 30 days, with written certification on request
Governing law / forum	Dutch law; Rechtbank Overijssel (Zwolle)

What the Standard DPA does NOT cover

The Standard DPA is scoped tightly on purpose. The following are out of scope and require a separate arrangement — see Custom DPAs below.

Assistants configured with Google AI Studio (rather than Vertex AI)

Assistants configured with other realtime providers (e.g., xAI Grok Realtime)

Assistants configured with orchestrated STT + LLM + TTS stacks

Assistants with gdpr_mode = false (transcripts, summaries, analyses and recordings are persisted in VoiceDock for call-history functionality)

Sector-specific compliance requirements (HIPAA, PCI-DSS, FINMA, etc.)

Dedicated-infrastructure deployments

Bespoke contractual clauses, specific redlines, or jurisdiction-specific amendments

Custom DPAs and bespoke compliance (Enterprise)

VoiceDock supports custom Data Processing Agreements for alternative provider configurations or customer-specific compliance requirements as a paid Enterprise service.

Typical use cases:

Customers who need to stay on a different model or provider for operational reasons

Sector-specific requirements (healthcare, financial services, public sector)

Jurisdiction-specific amendments (e.g., Swiss FADP, UK DPA 2018 clauses beyond the standard UK IDTA)

Bespoke liability, audit, or sub-processor terms

E-mail administratie@flireo.com or reach out via your VoiceDock account manager. Include a short description of your configuration and the compliance requirements that drive the need for a custom agreement.

Scope & quote

We scope the work with you and provide a fixed quote. Typical one-off legal-review fees start from €1,500 for standard adjustments; complex redlining scales up from there.

Drafting & negotiation

Our legal counsel drafts the custom DPA and negotiates redlines with your legal team. Turnaround is typically 2–4 weeks, depending on depth of changes.

Execution

Signed via electronic signature (DocuSign / PandaDoc) or wet-ink, at your preference.

Why we charge for custom DPAs

The fee covers our legal and engineering review costs. It also filters for serious enterprise engagements, which lets us maintain turnaround quality for everyone and keeps the free Standard DPA genuinely free.

Frequently asked

We are a small business and don't have in-house legal. Is the Standard DPA enough for us?

For EU-based small and mid-market businesses using the Vertex-EU + GDPR-mode configuration, yes — the Standard DPA is a fully Article 28 GDPR-compliant document ready to sign. Many of our customers sign it as-is.

Does signing the DPA cost anything?

No. The Standard DPA, for the configuration described in When this DPA applies, is included in your VoiceDock subscription at no additional cost.

Can I sign the DPA before I pick my configuration?

Yes. The DPA can be signed at any point. It only takes legal effect once your assistant is configured as described in When this DPA applies. If you later reconfigure the assistant, the DPA's protections cease to apply to the subsequent processing automatically.

How is the DPA executed?

Typically via electronic signature (DocuSign or PandaDoc) at no additional cost. Wet-ink signatures are also possible on request.

Who from Flireo signs the DPA?

Jesper Rietbergen, Director of Flireo B.V., signs on behalf of Flireo.

Can I get an earlier or different version of the DPA?

The version linked at the top of this page is always the current version. Earlier versions are available on request for audit or record-keeping purposes. Contact administratie@flireo.com.

What if my legal team has minor edits to the Standard DPA?

Minor, one-page-or-less redlines (e.g., adjusted notice addresses, company-specific definitions) can often be accommodated within the Standard DPA process. Substantive changes to liability, audit, or sub-processor terms fall under Custom DPAs and are a paid Enterprise service.

We are a US-based customer. Does the Standard DPA work for us?

The Standard DPA is written for EU / EEA GDPR scope. US customers typically also need to consider CCPA / state privacy laws; those are best handled as amendments under the Custom DPA process.

Contact

Flireo B.V.
Leeuwenbrug 89a, 7411 TH Deventer, The Netherlands
KvK: 92548806

Subject	Contact
General enquiries	administratie@flireo.com
Compliance, DPA, security questions	compliance@flireo.com

Last updated: 23 April 2026 — DPA version 1.0.

Data Processing Agreement (DPA)

What this DPA covers#

When this DPA applies#

Why we scope the DPA this way#

Sub-processors at a glance#

Key commitments summarised#

What the Standard DPA does NOT cover#

Custom DPAs and bespoke compliance (Enterprise)#

Frequently asked#

Contact#

What this DPA covers

When this DPA applies

Why we scope the DPA this way

Sub-processors at a glance

Key commitments summarised

What the Standard DPA does NOT cover

Custom DPAs and bespoke compliance (Enterprise)

Frequently asked

Contact