Subject: Urgent: DPA (v2.1) Mismatch - End-User Data & OpenAI Not Covered
To Voiceflow Support,
We have an urgent legal issue with your DPA (v2.1, dated Oct 20, 2025). This document is unsuitable for our purpose: building GDPR-compliant bots for our clients.
The problem is twofold:
Incorrect Scope (No End-Users): The DPA, in Annex I.B, only covers PII for our own "employees, contractors" (our developers) for the purpose of "user account creation." The PII (name, email) of our end-users (the "chatters") is not covered.
Incorrect Sub-processor List: Annex III lists only "Amazon Web Services, Inc." as an authorized sub-processor. OpenAI (which we use via the standard AI integration) is not on this legally binding list.
Action Required: Please provide us with the correct DPA that:
Covers the data processing of end-users.
Contains a correct sub-processor list (including OpenAI).
Our projects are completely stalled because of this.
4 Replies
@Braden (Voiceflow CEO) @jacklyn :)
heyo, escalating internally 🙂 will let you know when i get a reply
hey @Maxg! our legal/security teams recommended reaching out here: security@voiceflow.com
In general, self-serve (non-enterprise) customers are bound by our terms of service (https://www.voiceflow.com/legal/terms) which encompass our webhosted DPA (https://www.voiceflow.com/legal/dpa).
if you have specific questions or need more info, send an email and the teams should be able to help you out
Terms | Voiceflow
Voiceflow Terms and Conditions
Hi Jacklyn, thanks for your reply. I will send an email. Cheers