Last updated: Feb 9 2026
DPA version: v1.1
Effective date: Feb 9 2026
Contact: contact@getremy.ai.
This page contains Remy’s Data Processing Addendum (“DPA”) and our current list of authorized subprocessors (“Subprocessor List”). The DPA applies to customers where Nomad Technologies LLC and its affiliated companies (“Provider”) process personal data on the customer’s behalf in connection with providing the Remy services.
The DPA is incorporated by reference into our Terms and Conditions and forms part of the agreement governing your use of the services. If you require an executed/signed copy of the DPA for internal compliance purposes, contact us at the email above.
1) Data Processing Addendum (DPA)
1.1 Parties
This DPA forms part of the agreement between:
Customer: the entity agreeing to the Terms and Conditions (“Customer”), and
Provider: Nomad Technologies LLC – RemyAI, 114 Odyssey Dr, Wilmington DE 19808 (“Provider”).
1.2 Definitions
“Customer Personal Data” means personal data contained in Customer Data that Provider processes on behalf of Customer.
“Customer Data” means data submitted to or collected by the services under the agreement, including communications content and related metadata.
“Data Protection Laws” means all laws applicable to the processing of Customer Personal Data under the agreement, including applicable US federal and state privacy/security laws, and—where relevant—the EU GDPR and UK GDPR.
“Process/Processing” means any operation performed on Customer Personal Data (e.g., collection, storage, access, disclosure, deletion).
“Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (excluding unsuccessful attempts that do not compromise security, such as blocked scans).
“Subprocessor” means a third party authorized by Provider to process Customer Personal Data to provide the services.
1.3 Roles of the parties
Customer is responsible for determining the purposes and means of processing and for complying with its obligations under Data Protection Laws.
Provider processes Customer Personal Data only:
to provide, maintain, support, and secure the services,
in accordance with Customer’s documented instructions (the agreement, this DPA, and any written instructions), and
as required by applicable law.
Provider will not sell Customer Personal Data or share it for cross-context behavioral advertising where those terms are defined under applicable US state privacy laws.
1.4 Details of processing
The subject matter, duration, nature, and purpose of processing, and categories of data subjects and Customer Personal Data are described in Section 2 (Annex I) below.
1.5 Confidentiality
Provider ensures that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
1.6 Security measures
Provider will implement and maintain reasonable administrative, technical, and organizational safeguards designed to protect Customer Personal Data against Security Incidents. A summary of safeguards is described in Section 3 (Annex II) below. Provider may update these safeguards from time to time, provided updates do not materially reduce the overall level of protection.
1.7 Subprocessors
Customer authorizes Provider to engage Subprocessors in accordance with this DPA and the Subprocessor List in Section 4 (Annex III).
Provider will impose written data protection obligations on Subprocessors that are no less protective than those in this DPA, to the extent applicable to the Subprocessor’s processing.
Subprocessor changes and notice. Provider will provide notice of material changes to Production Subprocessors (additions or replacements) by updating this page and, where feasible, providing at least 30 days’ advance notice. Customer may object on reasonable data protection grounds by contacting the email above within the notice period. The parties will work in good faith to address objections (e.g., by providing information, offering a workaround, or not using that Subprocessor for Customer). If unresolved, either party may terminate the affected services in accordance with the agreement.
1.8 Assistance to Customer
Provider will provide reasonable assistance to enable Customer to respond to data subject requests and support Customer’s privacy/security assessments, to the extent legally required and technically feasible, subject to confidentiality.
1.9 Security Incident notification
Provider will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data and will provide available information reasonably necessary for Customer to meet its obligations under applicable law.
1.10 Return and deletion
Upon termination or expiration of the services, Provider will return or delete Customer Personal Data in accordance with the agreement and Provider’s standard deletion timelines, unless retention is required by law. Provider supports deletion/purging to help Customer meet applicable data protection obligations (e.g., right to erasure), subject to lawful retention needs and technical constraints.
1.11 Audits and compliance information
Where available, Provider will provide third-party audit reports (e.g., SOC 2 / ISO 27001) under confidentiality. If not available, Provider can provide reasonable security documentation (e.g., a security overview or bridge letter) and respond to reasonable security questionnaires, subject to confidentiality and reasonable limits.
1.12 International transfers and GDPR/UK GDPR (conditional)
This section applies only to the extent Customer Personal Data is subject to GDPR/UK GDPR and is transferred internationally. If required, the parties will implement an appropriate transfer mechanism (e.g., EU Standard Contractual Clauses and/or the UK Addendum) as an exhibit or as otherwise agreed.
1.13 Precedence
If there is a conflict between this DPA and the agreement regarding processing of Customer Personal Data, this DPA controls.
2) Annex I — Description of processing
Subject matter: Provision of the Remy service (communications capture/processing, transcription, summarization, workflow/task generation, analytics, and support).
Duration: For the term of the agreement, plus any limited retention required for deletion workflows, backups, dispute resolution, or legal compliance.
Nature and purpose of processing: Processing necessary to:
ingest and manage communications (calls/SMS/metadata) where configured,
generate transcripts and AI outputs (summaries, classifications, tasks),
provide user access, search, and retrieval,
operate, secure, troubleshoot, and support the platform.
Categories of data subjects: Customer users (employees/contractors/agents), Customer clients/leads, and other communication counterparties.
Categories of personal data: identifiers (name, phone number, email), communications content (audio recordings, transcripts, SMS content), metadata (timestamps, routing details, interaction history), and user account data (roles/permissions).
Special categories of data: Not intentionally collected. If processed incidentally, protected under the same safeguards.
3) Annex II — Security measures summary (TOMs)
Provider maintains safeguards designed to protect Customer Personal Data, including:
access controls (least privilege, role-based access, MFA for privileged access),
encryption in transit and at rest,
environment separation (production vs non-production),
logging and monitoring to detect suspicious activity (with minimization of sensitive content where feasible),
vulnerability management and remediation practices,
secure development practices (change control, code review),
backups and recovery procedures,
incident response procedures, and
supplier risk management and contractual controls for Subprocessors.
4) Annex III — Subprocessor List
Important note on data residency: Our current default hosting region is EU (Frankfurt). For North American operations, a US-only deployment can be provided by hosting customer data in a US AWS region (e.g., us-east-1 / N. Virginia) and selecting US-based vendor options where supported.
4.1 Production Subprocessors (may process customer personal data)
| Subprocessor | Purpose | Processing locations | Notes |
| --- | --- | --- | --- |
| Amazon Web Services | Cloud hosting and storage (compute, databases, object storage) | Default: EU (Frankfurt). US-only deployment available via US regions | Location is deployment-specific |
| Twilio | Telephony and messaging; storage/processing of call/SMS data as configured | United States (US region configuration); deployment-specific confirmation available | US account; regional configuration confirmed per deployment |
| Speechmatics | Speech-to-text transcription | Region determined by endpoint used (EU and US endpoints available) | US-only available via US endpoints |
| OpenAI | LLM inference for summarization/classification/task extraction | Per provider configuration/terms | Provider does not opt in to training on customer data |
| Cloudflare | CDN/WAF/edge security | Global edge network (config-dependent); origin can be region-restricted | Edge presence is global by nature |
| Make | Workflow automation/integrations (production workflows where configured) | US or EU depending on organization region selected | Enabled where configured; minimize sensitive payloads |
| Zapier | Customer-enabled integrations via Zapier App | Determined by provider infrastructure and subprocessors | Optional; only when enabled by customer |

