CREATE FREE ACCOUNT · NO CARD REQUIRED START FREE
LOG IN SIGN UP

Data Processing Agreement

MuseRelay data processing agreement.

Home Data Processing Agreement

Last updated: 2026-05-07

This Data Processing Agreement (DPA) supplements the Terms and Conditions and applies whenever the Customer ("Controller") uses MuseRelay to process personal data in the context of providing services to its end users ("Data Subjects"). It is concluded in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).

1. Parties

  • Controller: the Customer using the MuseRelay platform.
  • Processor (commercial operator): Muse Layer LLC — 5203 Juan Tabo Blvd, Ste 2B, Albuquerque, NM 87111, USA — EIN 30-1474701.
  • EU Representative and technology operator (Art. 27 GDPR): Screen Art S.L. — B57029415 — Carrer Rosari 47, 07420 - Sa Pobla, Illes Balears, España.

For Customers established in the European Economic Area, technical processing within the EEA is performed by the EU Representative on behalf of the Processor.

2. Subject matter and duration

The Processor processes personal data on behalf of the Controller solely for the purpose of providing the MuseRelay service (creation and operation of conversational AI agents, channel integrations, conversational analytics, billing). Processing lasts for the duration of the service contract and ends with deletion or return of the data.

3. Categories of data and data subjects

  • Data subjects: end users interacting with the Customer through the platform; the Customer's staff with access to the dashboard.
  • Categories: identifiers (name, email, phone), conversation content, audio (when voice channels are used), metadata (timestamps, IP, channel, device).
  • Excluded categories: the platform is not intended to process Article 9 special-category data; the Customer must avoid such processing or apply additional safeguards.

3.bis Module-specific processing

  • Messaging and webchat: messages, channel identifiers, attachments and metadata needed to deliver conversations and allow human takeover.
  • Tickets: subject, description, priority, status, attachments, replies, history and public tracking token.
  • Calendars: appointment data, resources, availability, confirmations, cancellations and reminders.
  • Voice: CLI, called number, timestamps, duration and textual transcript. Audio is not stored unless an expressly enabled feature requires it and prior information is provided.
  • AI and multimodal: prompts, responses, documents, images, audio or attachments submitted by the Controller or Data Subjects to provide the configured service.
  • Billing and payments: customer identifiers, plan, usage, credits, invoices and payment references, without storing full card data.

Where the Controller uses the native calendar and ticketing modules, the Processor handles that data within the MuseRelay platform and hosts it on European infrastructure, providing an option with reduced exposure to external subprocessors compared with third-party scheduling or support tools.

4. Obligations of the Processor

  • Process data only on documented instructions from the Controller.
  • Ensure persons authorised to process data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (Art. 32 GDPR) — see Annex II.
  • Engage subprocessors only with prior general written authorisation, maintaining the published list at /subprocessors; notify changes with reasonable advance notice and allow the Controller to object.
  • Assist the Controller in handling Data Subjects' requests.
  • Notify the Controller of personal-data breaches without undue delay (within 72 hours of awareness).
  • Upon termination, return or delete personal data, except where Union or Member State law requires storage.
  • Make available all information necessary to demonstrate compliance with Art. 28 GDPR.

5. International transfers

Where personal data is transferred outside the EEA, transfers rely on Chapter V GDPR safeguards (Standard Contractual Clauses approved by the European Commission, adequacy decisions and/or supplementary technical measures such as encryption in transit and at rest).

6. Sub-processors

The current list of sub-processors is published at /subprocessors. Notable sub-processors include: AWS EMEA SARL, Google LLC / Vertex AI, Telnyx, Deepgram, Sweego, Stripe Payments Europe, Meta Platforms Ireland, the EU Representative Screen Art S.L. as technology operator.

7. Audits

The Controller may, with reasonable notice and no more than once a year, request information demonstrating compliance with this DPA. Audits requiring on-site access shall be conducted by an independent auditor under confidentiality and at the Controller's cost, except where they reveal a material breach.

8. Liability

Each party shall be liable for the damage caused by processing only where it has not complied with its specific obligations under the GDPR or has acted outside or contrary to lawful instructions of the Controller (Art. 82 GDPR).

9. Annex I — Description of processing

Purposes, categories of data and data subjects are described in sections 2 and 3 of this DPA and in the Privacy Policy.

10. Annex II — Technical and organisational measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 on databases and backups).
  • Role-based access control with multi-factor authentication for administrative roles.
  • Audit logging of access and operational events.
  • Hardening of infrastructure (firewalling, automatic patching, vulnerability scanning).
  • Backups with retention policy and incident-recovery procedures.
  • Documented incident-response procedures and breach notification within 72 hours.
  • Main processing infrastructure located in Alemania (UE) y Bélgica (UE).

11. Contact

Privacy/GDPR: privacy@muserelay.com · DPO: privacy@muserelay.com · EU Representative: screenart@muserelay.com.