(425) 647-1537
Talk to AI Describe your business in 30 seconds. Get a custom ROI plan and the exact automations to stop missed calls and missed bookings. Book ROI Call
Legal Document

Data Processing Agreement

Effective: January 1, 2025
Updated: December 22, 2025

This Data Processing Agreement ("DPA") forms an integral part of the Master Service Agreement between Shockwave HQ ("Processor") and the Client ("Controller") for AI automation services including lead response, appointment booking, customer communication, and revenue recovery systems.

1. Definitions

1.1 Capitalized terms have meanings defined in GDPR Article 4 and CCPA §1798.140, including:

  • Personal Data: Any information relating to identified or identifiable individuals
  • Processing: Any operation on Personal Data
  • Controller: Client determining purposes and means
  • Processor: Shockwave processing on Client's behalf
  • Data Subject: Individuals whose data is processed
  • Subprocessor: Third-party processors engaged by Shockwave

1.2 Scope of Processing: Client contact data (names, phone numbers, email addresses, appointment details, communication history) processed solely to deliver AI automation services.

PHI Exclusion Protected Health Information (PHI) and legally privileged communications remain in Client systems and are NOT processed by Shockwave unless explicitly authorized in writing.

2. Processor Obligations

2.1 Processing Instructions: Shockwave processes Personal Data only on Client's documented instructions, which include:

  1. Automated lead response and qualification
  2. Appointment booking and reminder delivery
  3. Missed-call recovery and follow-up sequences
  4. Communication history logging
  5. Performance analytics generation

2.2 Confidentiality: All Shockwave personnel with access to Client Personal Data are bound by confidentiality obligations through employment contracts and security training protocols.

2.3 Security Measures: Shockwave implements industry-standard technical and organizational measures including:

  1. Encrypted data transmission (TLS 1.3+)
  2. Encrypted data storage (AES-256)
  3. Role-based access controls
  4. Regular security audits and penetration testing
  5. Intrusion detection and monitoring systems
  6. Secure backup and disaster recovery procedures
  7. Annual security awareness training for all personnel

2.4 Data Breach Notification: Shockwave shall notify Client within 24 hours of discovering any Personal Data breach affecting Client data, providing:

  1. Nature and scope of breach
  2. Categories and approximate number of affected Data Subjects
  3. Likely consequences and mitigation steps taken
  4. Contact information for further inquiries

3. Subprocessors & Third-Party Integrations

3.1 Authorized Subprocessors: Shockwave engages the following vetted Subprocessors, each bound by equivalent data protection obligations:

Subprocessor Purpose Compliance
n8n (DigitalOcean) Workflow Automation SOC 2 Type II, ISO 27001
Twilio SMS/Voice Communications GDPR, CCPA Compliant
OpenAI / Anthropic AI Language Models Enterprise Data Protection
Google Workspace Business Operations GDPR, ISO 27001

3.2 Subprocessor Changes: Client consents to Shockwave engaging additional Subprocessors provided:

  1. 30 days advance written notice via email
  2. Client may object within 14 days
  3. If unresolved, Client may terminate without penalty

3.3 Subprocessor Liability: Shockwave remains fully liable to Client for Subprocessor performance under this DPA.

4. Data Subject Rights

4.1 Assistance Obligations: Shockwave shall assist Client in responding to Data Subject requests (access, rectification, erasure, data portability, restriction, objection) by providing available Personal Data within 5 business days of Client request.

4.2 Request Handling: Data Subject requests received directly by Shockwave are forwarded to Client within 2 business days without independent response unless legally compelled.

5. Data Retention & Deletion

5.1 Active Services: Personal Data is retained for the duration of Service Agreement to enable automation functionality and performance analytics.

5.2 Service Termination: Within 30 days of Service Agreement termination, Shockwave shall:

  1. Return all Client Personal Data in machine-readable CSV format
  2. Securely delete all copies from production systems
  3. Provide written certification of deletion

5.3 Backup Retention: Backup copies are automatically purged within 90 days of termination through secure deletion procedures.

6. Cross-Border Data Transfers

6.1 Data Locations: Client Personal Data is processed and stored within: (a) United States (primary operations); (b) European Economic Area (EEA) if Client is EU-based and requests regional processing.

6.2 International Transfers: For EU/UK Clients, international data transfers from EEA/UK to United States rely on:

  1. EU-US Data Privacy Framework
  2. Standard Contractual Clauses (SCCs) - 2021 Module 2
  3. UK International Data Transfer Agreement (IDTA)
  4. Supplementary measures

6.3 Transfer Impact Assessment: Shockwave conducts and maintains Transfer Impact Assessments (TIAs) demonstrating adequate safeguards for international transfers. Copies available upon Client request.

7. Audits & Compliance

7.1 Audit Rights: Client may audit Shockwave's compliance with this DPA through:

  1. SOC 2 Type II reports (annually)
  2. Security questionnaires (within 30 days)
  3. On-site/remote audits (60 days notice, max once annually)

7.2 Data Protection Impact Assessments: Shockwave shall reasonably assist Client with DPIAs required under GDPR Article 35 by providing documentation of Processing activities and security measures.

8. California Consumer Privacy Act (CCPA) Provisions

8.1 Service Provider Status: Shockwave qualifies as a Service Provider under CCPA §1798.140(ag). Shockwave certifies that it:

  1. Processes solely to perform Services
  2. Does NOT sell Personal Information
  3. Does NOT retain/use/disclose for other purposes
  4. Does NOT combine with other sources

8.2 CCPA Compliance: Shockwave provides Client with:

  1. Notice of any inability to comply with CCPA requirements (immediate written notice)
  2. Cooperation with Client's CCPA compliance obligations including Consumer Rights requests

9. Liability & Indemnification

9.1 Processor Liability: Shockwave is liable for damages caused by Processing that violates this DPA or applicable Data Protection Laws, subject to liability limitations in the Service Agreement.

9.2 Regulatory Cooperation: Shockwave shall cooperate with Supervisory Authorities and provide information reasonably requested for investigations related to Client Personal Data Processing.

10. Term & Termination

10.1 Term: This DPA remains in effect for the duration of the Service Agreement and survives termination for obligations requiring post-termination performance (data deletion, audit cooperation).

10.2 Conflict: In case of conflict between this DPA and Service Agreement, this DPA prevails on data protection matters.

11. Governing Law

This DPA is governed by:

  • GDPR for EU Clients
  • CCPA for California Clients
  • Delaware law, Wilmington federal court (general)

Appendix A: Processing Details

Subject Matter AI-powered lead response, appointment booking, customer communication automation
Duration Term of Service Agreement plus 90 days retention period
Nature Automated collection, storage, analysis, communication, and deletion
Purpose Revenue recovery through fast response times, appointment optimization, no-show reduction

Data Categories

  • Contact Information: Names, phone numbers, email addresses, physical addresses
  • Communication Records: Message history, call transcripts, response timestamps
  • Appointment Data: Booking times, service types, cancellation history
  • Behavioral Metadata: Response rates, engagement patterns, lead source attribution

Data Subject Categories

  • Prospective customers (leads and inquiries)
  • Active customers (appointment holders)
  • Former customers (follow-up and win-back campaigns)
Special Categories NONE — no PHI, financial account numbers, or sensitive personal data processed.

Signature Block

Controller (Client)
Signature
Name
Title
Date
Processor (Shockwave HQ)
Signature Vincent Johnally
Name Vincent Johnally
Title Founder & CEO, Shockwave HQ
Date January 1, 2025

Built for real-world chaos: after-hours, emergencies, “we need it done today.”
Aligned to Shockwave’s 4-tier model — start lean, scale to governance.
Response AI $3–4K/mo Revenue AI $6–7K/mo Shockwave OS $9–12K/mo Network Intelligence $15K+/mo

Get Started

(425) 647-1537
[email protected]

Stop feeding your competitors missed calls

Shockwave answers, qualifies, and routes leads while you’re busy doing the actual work.

  • HVAC: no-heat call at 2:17 AM—captured, qualified, booked before they tap the next listing.
  • Dental: “Do you take my insurance?”—answered instantly, eligibility captured, consult requested.
  • Plumbing: burst pipe—address + urgency confirmed, dispatch pinged, job details logged clean.
  • Small Law (DUI/PI): intake starts immediately—incident details captured, urgency assessed, consult scheduled.
  • Med Spa: “How much is lip filler?”—price band + availability shared, deposit link sent, slot held.
  • Pest Control: same-day request—service area verified, quote range provided, booking completed.
Limited Q1 build slots

Most owners start with Response AI, then upgrade to Revenue AI once routing + reporting prove ROI. See tiers.

Book Strategy Call

© 2026 Shockwave HQ. All rights reserved.