Data Processing Agreement
Last updated: April 11, 2026
This Data Processing Agreement (“DPA”) is entered into by and between the law firm or legal organization subscribing to the Service (“Customer”) and Orika, Inc., a Delaware corporation (“Orika” or “Processor”), and forms part of the Terms of Service (“Agreement”) between Customer and Orika. This DPA applies to the extent that Orika processes Personal Data on behalf of Customer in connection with the Service.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given in the Agreement. In addition:
- “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable natural person, that Orika processes on behalf of Customer in connection with the Service.
- “Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, combination, erasure, or destruction.
- “Sub-processor” means any third party engaged by Orika to process Personal Data on behalf of Customer.
- “Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed by Orika.
- “Applicable Data Protection Law” means all United States federal, state, and local laws, regulations, and rules relating to the privacy, protection, or processing of Personal Data as applicable to the Service, including the California Consumer Privacy Act (as amended by the CPRA) and any similar state privacy laws.
2. Scope and Roles
For the purposes of Applicable Data Protection Law, Customer is the controller of Personal Data and Orika is the processor. Customer determines the purposes and means of processing; Orika processes Personal Data only on behalf of and in accordance with Customer’s documented instructions.
This DPA applies to all Personal Data processed by Orika in connection with providing the Service, including data collected from callers during AI-assisted intake calls.
3. Categories of Data Processed
Orika processes the following categories of Personal Data on behalf of Customer:
Data subjects:
- Callers who contact Customer’s phone lines handled by the Service
- Customer’s staff members configured within the Service
- Customer’s authorized users of the web dashboard
Types of Personal Data:
- Caller data: phone numbers, names, spoken information captured during intake calls, call transcripts, lead qualification details, messages, consultation booking details (scheduled times, assigned staff, location, booking status), and any information callers voluntarily provide during a call
- Staff data: names, job titles, phone numbers (for transfers), staff notification email addresses, notification preferences, and calendar connection data (calendar provider, account email, selected calendar, and encrypted OAuth credentials)
- User data: email addresses, authentication credentials (managed by a third-party identity provider), and organization membership
- Call metadata: timestamps, call duration, call status, disposition, and routing information
Sensitive data:
Callers may voluntarily disclose information during intake calls that could be considered sensitive, including details about legal matters, injuries, or personal circumstances. Customer acknowledges that the nature of legal intake means such disclosures are inherent to the Service. Orika processes this data solely to deliver the Service and applies the security measures described in Section 6.
4. Purpose and Scope of Processing
Orika processes Personal Data solely for the following purposes:
- Providing the Service, including answering calls, conducting intake conversations, qualifying leads, taking messages, and transferring calls to designated staff
- Generating and storing call transcripts, lead records, and messages on behalf of Customer
- Scheduling consultations on behalf of Customer, including querying connected third-party calendar accounts for staff availability and creating calendar events that contain caller Personal Data (such as name, phone number, practice area, and matter summary)
- Delivering email notifications to Customer’s staff members regarding new leads and messages, and delivering booking confirmation emails to callers when consultation scheduling is enabled and requested by the caller
- Maintaining and securing Customer’s account and configuration, including encrypted storage of calendar authentication credentials
- Diagnosing technical issues and maintaining the reliability of the Service
Orika will not process Personal Data for any purpose other than those listed above or as otherwise instructed in writing by Customer. Orika does not sell Personal Data. Orika does not use Personal Data to train, fine-tune, or improve any artificial intelligence or machine learning models.
5. Customer Obligations
Customer represents and warrants that:
- It has a lawful basis under Applicable Data Protection Law for the collection and processing of Personal Data through the Service.
- It is solely responsible for providing any required notices to callers and obtaining any required consent, including consent for call transcription, email communications to callers, and the transmission of caller information to third-party calendar providers, in accordance with applicable federal, state, and local laws (including two-party consent jurisdictions).
- It will not configure the Service in a manner that would cause Orika to violate Applicable Data Protection Law.
- Its instructions to Orika regarding the processing of Personal Data comply with all applicable laws.
6. Security Measures
Orika implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:
- Encryption of Personal Data in transit using TLS and at rest using industry-standard encryption algorithms
- Access controls limiting access to Personal Data to authorized personnel on a need-to-know basis
- Logical separation of Customer Data to prevent cross-customer data access
- Credential-based authentication for all third-party service integrations
- Regular review and testing of security measures
All data processing occurs within the United States. Orika does not transfer Personal Data outside the United States.
7. Sub-processors
Customer authorizes Orika to engage the Sub-processors listed below to process Personal Data on behalf of Customer. Orika maintains an up-to-date list of Sub-processors at this page.
| Sub-processor | Purpose | Location |
|---|---|---|
| LiveKit | Voice infrastructure, call routing, and agent hosting | United States |
| PlanetScale | Database hosting and storage | United States |
| | Large language model for AI-powered call interactions; calendar integration for consultation scheduling (Google Calendar) | United States |
| Microsoft | Calendar integration for consultation scheduling (Microsoft Outlook via Microsoft Graph) | United States |
| Deepgram | Speech-to-text transcription | United States |
| Cartesia | Text-to-speech voice synthesis | United States |
| Clerk | User authentication and identity management | United States |
| Resend | Staff notification emails and booking confirmation emails to callers | United States |
| Vercel | Web application hosting and delivery | United States |
Orika imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA. Orika remains responsible for the acts and omissions of its Sub-processors to the same extent as if Orika were performing the processing directly.
Orika maintains this Sub-processor list and will update it when Sub-processors are added or replaced. Customer may review the current list at any time by visiting this page.
8. Data Breach Notification
Orika will notify Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Data Breach. The notification will include, to the extent reasonably available:
- A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records affected
- The name and contact details of a point of contact at Orika
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its effects
Orika will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach. Notification of a Data Breach is not an acknowledgment of fault or liability.
9. Data Subject Rights
To the extent that Orika receives a request from a data subject (such as a caller) to exercise rights under Applicable Data Protection Law (including access, correction, deletion, or portability), Orika will promptly forward the request to Customer unless Orika can identify the requesting party as Customer’s data subject, in which case Orika will notify Customer and await instructions. Orika will provide reasonable assistance to Customer in responding to data subject requests, including by making available the relevant Personal Data in Orika’s possession. Customer is responsible for responding to data subject requests.
10. Data Retention and Deletion
Orika retains Personal Data for as long as Customer’s account is active and as necessary to provide the Service.
Upon termination or expiration of the Agreement, Orika will retain Customer Data for a period of ninety (90) days to allow Customer to retrieve its data. During this period, Customer may request export of its data by contacting Orika. After the 90-day retention period, Orika will delete or anonymize all Personal Data in its possession and in the possession of its Sub-processors, except to the extent that retention is required by applicable law.
Upon Customer’s written request, Orika will provide written confirmation that deletion has been completed.
11. Audits and Compliance
Orika will make available to Customer, upon reasonable written request and no more than once per twelve (12) month period, information necessary to demonstrate compliance with this DPA.
When available, Orika will provide copies of relevant compliance reports (such as SOC 2 Type II reports) as its primary means of demonstrating compliance with the security obligations in this DPA. If such reports are not yet available, Orika will respond in good faith to reasonable written security questionnaires submitted by Customer.
12. Confidentiality
Orika ensures that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations. Access to Personal Data is restricted to personnel who require access to perform their duties in connection with the Service.
13. Cooperation
Orika will provide reasonable assistance to Customer in ensuring compliance with Customer’s obligations under Applicable Data Protection Law, including with respect to data protection impact assessments and consultations with regulatory authorities, taking into account the nature of processing and the information available to Orika.
14. Term
This DPA takes effect on the date Customer first accesses the Service and remains in effect for as long as Orika processes Personal Data on behalf of Customer, including during the post-termination retention period described in Section 10. In the event of a conflict between this DPA and the Agreement, this DPA will control with respect to the processing of Personal Data.
15. Governing Law
This DPA is governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws principles, consistent with the Agreement.
16. Contact
For questions about this Data Processing Agreement, or to submit a data-related request, please contact us at support@withorika.com.