Data Processing Addendum
Last updated June 28, 2026
This Data Processing Addendum is part of the AIOS Terms of Service. It sets out how AIOS processes the contact and lead data you entrust to us, as your processor and service provider, under GDPR Article 28 and US state privacy law. AIOS is operated by NoManagement B.V. (Netherlands).
How this addendum works
This Data Processing Addendum (DPA) forms part of, and is incorporated into, the AIOS Terms of Service between you and NoManagement B.V., a company registered in the Netherlands, trading as AIOS. It applies whenever AIOS processes personal data on your behalf as your processor and service provider. By accepting the Terms or using AIOS, you accept this DPA. It is governed by the laws of the Netherlands, without limiting any mandatory data-protection rights you or your contacts have. If anything in the Terms conflicts with this DPA about personal data, this DPA controls. For transfers of EEA, UK or Swiss personal data, the Standard Contractual Clauses referenced below control where they conflict. The current version is always at aios.supply/dpa.
The two roles, and which data this covers
AIOS handles two kinds of data. For information about you, our customer (account, billing and usage data), we are the controller, and our Privacy Policy governs it. This DPA covers only the contact and lead data that flows through AIOS so an agent can call, text, qualify, book and follow up on your behalf (contact records, call recordings, transcripts and message logs). For that data you are the controller and AIOS is your processor and service provider, acting only on your documented instructions.
What we process, and why (Annex 1)
Subject matter and duration: AIOS processes the personal data described here to provide the service for as long as your agreement is in effect, plus a short wind-down period. Nature and purpose: receiving, storing, transcribing, analyzing, routing and acting on contact data so AIOS agents can communicate with and qualify your contacts, book appointments, follow up, keep consent and compliance records, and write back to the systems you connect, all on your instructions. Categories of data subjects: your leads, contacts, and the people your agents call, text, or that call or text you. Categories of personal data: names, email addresses, phone numbers, the content of calls (including recordings and transcripts) and messages, consent records and the wording a person agreed to, approximate location (country, region and city) derived from a phone number or network, device and usage signals tied to a contact, and any other fields you choose to load. You must not instruct AIOS to process special-category or sensitive data beyond what the service needs, and you remain responsible for the lawfulness of the data you provide.
Our core processing commitments
As your processor and service provider, AIOS will: (a) process the personal data only on your documented instructions, including for international transfers, unless a law we are subject to requires otherwise, in which case we will tell you first unless that law forbids it; (b) ensure the people we authorize to process the data are bound by confidentiality; (c) put in place the technical and organizational security measures described in Annex 2, meeting GDPR Article 32 and reasonable security under US law; (d) engage subprocessors only under the conditions below; (e) assist you, by appropriate measures, to respond to requests from data subjects and consumers; (f) assist you with security, breach notification, data protection impact assessments and prior consultation (GDPR Articles 32 to 36), and notify you without undue delay after we become aware of a personal data breach affecting the data; (g) at your choice, delete or return the data at the end of the service, as set out below; and (h) make available the information reasonably needed to show we comply, and allow and contribute to audits as set out below. If we can no longer meet our obligations, we will tell you promptly and you may suspend or end the affected processing.
Subprocessors
You give a general written authorization for AIOS to engage the subprocessors listed at aios.supply/subprocessors. We will give you at least 14 days' notice before a new subprocessor begins processing personal data. You may object within that window on reasonable grounds relating to data protection; if we cannot resolve your objection, you may terminate the affected part of the service. We impose data-protection obligations on each subprocessor no less protective than this DPA, and we remain liable for their acts and omissions. The CRM and channels you connect are your own systems, which you choose and control; they are not AIOS subprocessors.
International transfers
AIOS operates from the Netherlands and uses subprocessors in the United States and elsewhere, so personal data may be transferred internationally. Where it is, we rely on the EU-US Data Privacy Framework for subprocessors certified under it, and on the European Commission's Standard Contractual Clauses (Decision 2021/914), Module Two for controller-to-processor transfers and Module Three for onward processor-to-processor transfers, together with a transfer impact assessment and additional safeguards. The UK International Data Transfer Addendum and the Swiss addendum apply to UK and Swiss data. We keep the Standard Contractual Clauses in place as a backup even where the Data Privacy Framework applies. The Clauses are incorporated by reference, with you as data exporter and NoManagement B.V. as data importer, and Annexes 1 to 3 serving as the Clauses' appendices.
US state privacy: service provider and processor
For personal information AIOS processes on your behalf, AIOS is a service provider under the California Consumer Privacy Act, as amended, and a processor under the comprehensive privacy laws of other US states. AIOS will not sell or share that information; will not retain, use or disclose it for any purpose other than the business purposes specified in your agreement, or as otherwise permitted by law; will not retain, use or disclose it outside the direct business relationship with you; and will not combine it with personal information from other sources or other customers, except as the law permits. AIOS certifies that it understands and will comply with these restrictions. This DPA is the parties' contract for the purposes of the CCPA (Civil Code sections 1798.100(d) and 1798.140) and the comparable provisions of the Colorado, Connecticut, Texas and other US state privacy laws.
Assistance with requests and obligations
AIOS assists you, by appropriate technical and organizational measures, to respond to requests from data subjects and consumers to access, correct, delete, port or restrict their data, to object, to opt out of sale, sharing or targeted advertising, or to withdraw consent. If a person sends such a request directly to AIOS about lead data, we route it to you, the controlling customer, and help you respond. We also assist you with breach notification, data protection impact assessments and prior consultation. Send any request to [email protected].
Telephony, recording and messaging instructions
When AIOS calls, texts or records a contact, it does so only on your documented instruction, and you are the caller and sender under the law. Your instruction to contact a number is your representation that you hold every consent the law requires before AIOS acts, including prior express written consent for marketing or AI-voice calls and texts where it applies, recording consent for the states where you and your contact are located, and any required messaging brand and campaign registration. AIOS enforces opt-outs and calling-hour limits technically and keeps a tamper-evident consent record for each contact, but this does not transfer your consent obligation to AIOS. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information sharing with subprocessors in support services, such as the messaging platform and phone carriers that deliver the service, is permitted.
Return and deletion of data
At the end of the service, you choose whether AIOS deletes or returns the lead personal data, unless a legal hold or a law we are subject to requires us to keep it. AIOS supports retention rules per category of data (for example call recordings, transcripts, message logs and contacts) and processes erasure and export requests on the controlling party's instruction. Where a legal hold applies, we keep only what the hold requires and release it when the hold ends.
Audits and demonstrating compliance
AIOS makes available the information reasonably necessary to demonstrate compliance with this DPA, including our security summary and any reports we hold. You may audit our compliance no more than once in any twelve-month period, on reasonable prior notice, and also after a personal data breach. We may satisfy an audit through documentation, a security questionnaire or available reports before any on-site review. You may monitor our processing and require us to stop and remediate any processing that breaches this DPA.
Security measures (Annex 2)
AIOS applies technical and organizational measures appropriate to the risk, including: encryption of personal data in transit and at rest; isolation of each customer's data by tenant identifier so one customer cannot access another's data; access controls on a least-privilege basis; storage of connection credentials in an encrypted vault by reference, never as plaintext in an ordinary table or a log; an append-only audit log of user-facing changes and access logging of who did what and when; automated detection and logging of security events such as injection or jailbreak attempts, authentication failures and anomalous access; and use of speech-to-text and text-to-speech only to transcribe and synthesize voice. AIOS does not create, store or use a biometric voiceprint to identify any individual by their voice; if AIOS ever introduces voice-identification, it will do so only on your documented instruction and with the consent the law requires. We review and update these measures as the service evolves.
Subprocessor list (Annex 3)
The current list of subprocessors, with each one's function and location, is maintained at aios.supply/subprocessors and forms Annex 3 to this DPA and the appendix listing subprocessors under the Standard Contractual Clauses. Marketing-analytics technologies used on the AIOS website are described in our Cookie Policy, not here.
Questions, or a privacy or data request? Email [email protected].
This page is a plain-language summary, not legal advice. Have counsel review before relying on it.