Last updated March 20, 2026

1. Introduction and Scope

CloudPBX Inc. (d.b.a. Corvum) (“Corvum,” “we,” “us,” or “our”) provides cloud-based Voice over Internet Protocol (VoIP) and Cloud PBX communications services to law firms and legal professionals in Canada and the United States (“Services”). We are committed to protecting the privacy and confidentiality of personal information in a manner consistent with the highest professional standards.

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you use our Services, visit our website at corvum.io, or otherwise interact with us. It applies to all customers, users, and individuals whose personal information we process in connection with our Services, regardless of whether they are located in Canada or the United States.

Given that our customers are law firms, we understand that communications processed through our platform may involve solicitor-client privileged information. We have designed our systems and practices with this sensitivity in mind.

2. Legal Framework and Compliance

Corvum operates in accordance with applicable privacy legislation in the jurisdictions where we and our customers operate. Our compliance framework covers both Canadian and U.S. law, including:

• The Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial equivalents;
• The Canadian Anti-Spam Legislation (CASL);
• Applicable provincial legislation including British Columbia’s Personal Information Protection Act (PIPA), Alberta’s PIPA, and Quebec’s Law 25 (Act respecting the protection of personal information in the private sector);
• Applicable telecommunications regulations under the CRTC and Telecommunications Act.
• The U.S. Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA), which govern the interception of and access to wire, oral, and electronic communications, including VoIP calls;
• The U.S. Communications Act and applicable FCC regulations, including CALEA obligations for VoIP providers;
• Applicable U.S. state privacy laws where Corvum’s services are provided to customers in those states, including the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and equivalent laws in other U.S. states with comprehensive privacy legislation (see Section 10 for U.S. Customer Rights);
• U.S. state wiretapping and all-party consent laws, which impose requirements additional to federal law in California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington.

Where our customers’ law firms serve clients in other jurisdictions, our contractual data processing terms address applicable cross-border obligations. Corvum acts as a service provider (U.S.) / data processor (Canada) under applicable privacy laws; our U.S. law firm customers remain the controllers / businesses responsible for their own compliance obligations to their employees and clients.

3. Information We Collect

3.1 Account and Registration Information

When you register for our Services, we collect information necessary to establish and manage your account, including:

• Business name, address, and contact details;
• Names and contact information of authorized users and administrators;
• Billing and payment information (processed through PCI-DSS compliant payment processors; we do not store full payment card numbers);
• Username, password credentials, and security settings;
• Service configuration preferences and feature settings.

3.2 Communications Data

In providing VoIP and Cloud PBX services, we necessarily process certain communications-related data, including:

• Call detail records (CDRs): originating and terminating numbers, call duration, timestamps, and call routing data;
• Voicemail data, call recordings (where enabled and configured by the customer);
• Fax transmission metadata;
• Directory and contact list entries entered by users;
• Device provisioning data including MAC addresses for IP phone hardware.
• Where AI Features are enabled by the Customer: AI-generated call transcripts and call summaries (see Section 12 and the AI Features Addendum (Version 2.0)).

Important: Corvum does not listen to, review, or use the content of your voice communications except where you have specifically provided permission to do so, or as compelled by lawful authority. The content of calls is not used for advertising or commercial profiling purposes.

3.3 Technical and Device Data

We automatically collect certain technical data when you use our Services or infrastructure, including:

• IP addresses and network information;
• SIP registration data and session metadata;
• Mobile application usage data, device identifiers, and operating system information;
• System logs, error reports, and diagnostic data;
• Authentication and access logs.

3.4 Support and Communications Data

When you contact our support team or communicate with us, we collect:

• Support ticket contents, correspondence, and resolution history;
• Information you provide when reporting issues or requesting assistance;
• Survey responses and feedback.

3.5 Information We Do Not Collect

We do not intentionally collect or process:

• The substantive content of solicitor-client (Canada) or attorney-client (United States) privileged communications;
• Personal health information;
• Financial account information beyond what is necessary for billing;
• Information about individuals who are not users or administrators of our Services, except as incidentally contained in CDRs or voicemail data.

4. How We Use Personal Information

We use personal information only for the purposes for which it was collected or as otherwise permitted by law. Our primary purposes include:

4.1 Service Delivery

• Provisioning, operating, and maintaining VoIP and Cloud PBX services;
• Routing, completing, and logging telephone calls and communications;
• Authenticating users and securing account access;
• Providing mobile and desktop applications;
• Hardware provisioning and configuration.

4.2 Account and Billing Management

• Processing payments and issuing invoices;
• Managing service plans, upgrades, and renewals;
• Communicating material service changes, scheduled maintenance, or outages.

4.3 Customer Support

• Responding to support requests and resolving service issues;
• Investigating and diagnosing technical problems;
• Maintaining support history to improve service continuity.

4.4 Security and Fraud Prevention

• Detecting, preventing, and investigating fraud, unauthorized access, and security incidents;
• Monitoring for toll fraud, SIP abuse, and other telecommunications fraud;
• Maintaining audit logs for security purposes;
• Complying with our obligations under Canadian telecommunications regulations and, where applicable, U.S. federal telecommunications law including CALEA and FCC regulations.

4.5 Service Improvement

• Analyzing aggregated, de-identified usage patterns to improve service performance and reliability;
• Identifying and resolving systemic issues;
• AI Features: where enabled, processing call audio and transcripts through LLM sub-processors to generate transcripts and summaries for Customer use. Call content is never used to train AI models. See Section 12 and the AI Features Addendum for full details.
• Developing new features and capabilities.

4.6 Legal Compliance

• Complying with applicable laws, regulations, and lawful government or judicial requests;
• Enforcing our Terms of Service and contractual obligations;
• Establishing, exercising, or defending legal claims.

We do not sell personal information. We do not use personal information to serve third-party advertising.

5. Disclosure of Personal Information

We do not sell, rent, or trade personal information. We may disclose personal information in the following limited circumstances:

5.1 Service Providers and Sub-Processors

We engage trusted third-party service providers who process personal information on our behalf under contractual obligations consistent with this Policy. These include:

• Cloud infrastructure and data centre providers (Canadian and U.S. providers under appropriate data processing agreements);
• Payment processors (PCI-DSS compliant);
• Customer support and ticketing platforms;
• Telecommunications carriers and interconnect partners for call routing.

We require all service providers to maintain appropriate data security and to use personal information only for the purposes for which it was disclosed.

5.2 Legal and Regulatory Requirements

We may disclose personal information when required to do so by law, including:

• In response to valid court orders, subpoenas, or judicial warrants;
• In response to lawful requests by law enforcement or regulatory authorities under applicable Canadian law;
• As required by CRTC regulations or the Telecommunications Act;
• To prevent imminent harm, fraud, or serious illegal activity.

Where permitted by law, we will notify affected customers of compelled disclosures. For U.S. law enforcement and government access requests, including under the ECPA, Stored Communications Act, and CALEA, see Section 10.5.

5.3 Business Transactions

In the event of a merger, acquisition, sale of assets, or other corporate transaction, personal information may be transferred as part of that transaction, subject to the receiving party assuming equivalent privacy obligations. We will notify customers of any material change in ownership or control that affects how their information is handled.

5.4 With Your Consent

We may disclose personal information for other purposes with your express consent, which you may withdraw at any time.

6. Data Security

Corvum implements administrative, technical, and physical safeguards appropriate to the sensitivity of the information we hold, including:

• Encryption of data in transit using TLS/SRTP and equivalent protocols;
• Encryption of sensitive data at rest;
• Role-based access controls and the principle of least privilege;
• Multi-factor authentication for administrative access;
• Network segmentation and firewall controls;
• Regular security assessments and vulnerability management;
• Intrusion detection and security monitoring;
• Employee security awareness training.

No method of transmission over the internet or method of electronic storage is 100% secure. In the event of a data breach involving personal information, we will notify affected individuals and relevant authorities as required under applicable law, including: (a) within the timeframes prescribed by PIPEDA and applicable Canadian provincial laws; and (b) in the case of U.S. customers, within the timeframes required by applicable U.S. state breach notification laws, which vary by state but generally require notification within 30 to 90 days of discovery. CloudPBX Inc. (d.b.a. Corvum) maintains a breach response plan and will cooperate with affected customers to meet their own notification obligations to their clients and employees. In the event of a breach involving AI-generated transcripts or summaries, the sensitivity of that content will be taken into account in assessing risk and notification obligations; see the AI Features Addendum (Version 2.0), Section 5.

7. Data Retention

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, to maintain the Services, and to comply with our legal obligations. Our general retention practices include:

• Account and billing information: retained for the duration of the customer relationship and for a minimum of seven (7) years following termination to meet tax and regulatory requirements;
• Call detail records: retained for a minimum of six (6) months and up to seven (7) years depending on regulatory requirements and customer contractual terms;
• Call recordings: retained for a minimum of six (6) months and up to twenty-four (24) months, depending on customer choice and agreement;
• Voicemail messages: retained for a minimum of three (3) months and up to twelve (12) months.
• Support records: retained for five (5) years following resolution;
• Security logs: retained for a minimum of twelve (12) months;
• Marketing communications consent records: retained for three (3) years following the end of the consent relationship;

AI-generated call transcripts and summaries (where AI Features are enabled): subject to Customer-configured retention periods; default ninety (90) days from date of generation. See the AI Features Addendum (Version 2.0), Section 6, for full details.

When personal information is no longer required, we securely delete or anonymize it in accordance with our data destruction procedures.

8. Cross-Border Data Transfers

Corvum is a Canadian company and our primary data processing occurs in Canada. We provide services to customers in both Canada and the United States. For U.S.-based customers, personal information is processed primarily in Canada and may also be processed within the United States by our sub-processors. For Canadian customers, personal information may also be processed in the United States by certain sub-processors, as described below.

Where personal information is transferred outside Canada, we ensure that appropriate safeguards are in place, including contractual protections consistent with PIPEDA and applicable provincial requirements. Customers in Quebec should be aware that, where required under Law 25, we conduct privacy impact assessments before transferring personal information outside Quebec.

Canadian customers: By using our Services, you acknowledge that your information may be processed in Canada and, where sub-processors operate in the United States, in the United States under the safeguards described above.

U.S. customers: By using our Services, you acknowledge that your information will be processed primarily in Canada and may also be processed within the United States. Transfers to Canada are not subject to U.S. state cross-border transfer requirements. Canada has been recognized as providing an adequate level of data protection, and PIPEDA is acknowledged under a number of international adequacy frameworks. Canadian-based processing therefore does not require additional cross-border transfer mechanisms under most U.S. state privacy laws.

9. Your Privacy Rights — Canadian Customers

This section describes privacy rights available to Canadian customers under PIPEDA and applicable provincial legislation. U.S. customer rights are described in Section 10. Subject to applicable law and reasonable verification of your identity, you have the following rights with respect to your personal information:

9.1 Right of Access

You may request access to the personal information we hold about you, including information about the purposes for which it is used and to whom it has been disclosed.

9.2 Right to Correction

If personal information we hold about you is inaccurate or incomplete, you may request that we correct or update it.

9.3 Right to Withdraw Consent

Where we rely on consent as the legal basis for processing, you may withdraw that consent at any time, subject to legal or contractual restrictions. Withdrawal of consent for processing that is necessary to provide the Services may affect our ability to continue providing those Services.

9.4 Right to Challenge Compliance

You have the right to challenge our compliance with this Policy and applicable privacy legislation. We will investigate all complaints and respond in a timely manner.

9.5 Right to Complain to a Regulator (Canadian Customers)

If you are not satisfied with our response to a privacy concern, you have the right to make a complaint to the Office of the Privacy Commissioner of Canada (OPC) at http://www.priv.gc.ca, or to the applicable provincial privacy commissioner.

Customer administrators should note that employee and end-user privacy rights should be addressed in the customer’s own privacy policies, which should be consistent with how Corvum’s Services are deployed. U.S.-based law firm customers should ensure their own privacy policies address the rights of their employees and clients under applicable U.S. state privacy laws.

10. Your Privacy Rights — U.S. Customers

This section describes privacy rights available to U.S.-based customers and individuals. The specific rights available to you depend on the state in which you are located. Corvum is committed to honoring these rights to the extent applicable and will not discriminate against you for exercising them.

10.1 Rights Under U.S. State Privacy Laws

As of 2025, nineteen U.S. states have enacted comprehensive consumer privacy laws. The rights under these laws vary by state, but commonly include the following, subject to applicable thresholds and exemptions:

• Right to Know / Access: You may request that we disclose the categories and specific pieces of personal information we collect, use, disclose, and sell about you.
• Right to Deletion: You may request deletion of personal information we have collected from or about you, subject to exceptions where retention is required by law or necessary to complete a transaction or provide a requested service.
• Right to Correct: You may request correction of inaccurate personal information we maintain about you (available under most, but not all, state laws).
• Right to Opt Out of Sale or Sharing: Corvum does not sell personal information and does not share personal information for cross-context behavioral advertising. This right is therefore not applicable to Corvum’s practices, and no “Do Not Sell or Share” mechanism is required.
• Right to Limit Use of Sensitive Information: Where we process sensitive personal information (such as the content of communications or account login credentials), we use it only to provide the Services and as otherwise described in this Policy. We do not use sensitive information for secondary purposes that would require a limitation mechanism.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

10.2 California-Specific Disclosures (CCPA/CPRA)

For California residents, the following additional disclosures apply under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA):

• Categories of personal information collected: identifiers (names, email addresses, IP addresses); commercial information (billing and service records); internet or electronic network activity (usage logs, authentication records); audio and electronic communications (call recordings, voicemail, and where AI Features are enabled, transcripts and summaries); professional and employment information (customer firm details, user roles). See Section 3 for full details.
• Business or commercial purpose for collection: Service delivery, account management, billing, security and fraud prevention, customer support, and legal compliance. See Section 4 for full details.
• Sale or sharing of personal information: Corvum does not sell personal information and does not share personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.
• Retention: We retain each category of personal information for the periods described in Section 7.
• Sensitive personal information: To the extent we process sensitive personal information as defined under the CCPA/CPRA (including the content of communications and account credentials), we use it solely to provide the Services and do not use it for purposes that would require a “Limit the Use of My Sensitive Personal Information” mechanism.

10.3 How to Submit a U.S. Privacy Rights Request

U.S. customers may submit privacy rights requests by contacting us at support@corvum.io. Please identify the right you wish to exercise and provide sufficient information to verify your identity and your relationship with Corvum. We will respond within the timeframe required by applicable state law (45 days under most state laws, with an extension of up to an additional 45 days where reasonably necessary). We will not charge a fee for a reasonable rights request unless it is excessive or manifestly unfounded.

Note: Because Corvum provides services exclusively to business customers (law firms), Corvum acts as a service provider / data processor under applicable U.S. state privacy laws rather than as a business / controller. Many U.S. state privacy rights requests regarding personal information processed by Corvum on behalf of a law firm should therefore be directed to the relevant law firm as the data controller. Corvum will assist law firm customers in fulfilling their own obligations to respond to such requests upon written request from the law firm.

10.4 U.S. Wiretapping and Recording Consent

U.S. federal law (ECPA / Wiretap Act) permits recording of calls with the consent of one party. However, the following U.S. states require the consent of all parties to a telephone or VoIP call before it may be recorded or intercepted: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington.

Law firm customers in these all-party consent states are solely responsible for ensuring that all parties to calls processed through Corvum’s Services (including call recording and AI Features) have provided legally sufficient consent before processing begins. Corvum strongly recommends that these customers deploy an automated call announcement on all applicable lines. The obligation to comply with state wiretapping laws rests with the Customer; Corvum does not monitor, verify, or enforce customer compliance with state-specific recording consent requirements. See the AI Features Addendum (Version 2.0), Section 4.2 and Section 4.5, for specific guidance on all-party consent obligations and U.S. legal framework disclosures applicable to AI-assisted call transcription and summarization.

10.5 U.S. Law Enforcement and Government Access

As a VoIP provider, Corvum is subject to lawful interception obligations under the Communications Assistance for Law Enforcement Act (CALEA), which requires that our network infrastructure be capable of facilitating lawful interception by U.S. law enforcement pursuant to a valid court order or other legal authority. Corvum will not disclose the existence of a lawful interception order to the extent prohibited by law.

U.S. law enforcement may also seek access to stored communications under the Stored Communications Act (SCA), including AI-generated transcripts and summaries stored on the Corvum platform. Corvum will review any such requests for legal validity before responding and will notify affected customers where permitted by applicable law. Customers with concerns about government access to their communications data should contact support@corvum.io. See the AI Features Addendum (Version 2.0), Section 4.5, for further details on CALEA and SCA obligations as they apply to AI Features.

11. Cookies and Online Tracking

Our website (corvum.io) uses cookies and similar tracking technologies to improve user experience and understand how visitors use our site.

11.1 Types of Cookies We Use

• Essential cookies: Required for the website and customer portal to function properly. These cannot be disabled without affecting core functionality.
• Analytical cookies: Used to understand aggregate traffic patterns and improve our website. We use privacy-respecting analytics tools.
• Preference cookies: Used to remember your settings and preferences.

11.2 Managing Cookies

You can control and manage cookies through your browser settings. Disabling certain cookies may affect the functionality of our website and customer portal. We do not use cookies for third-party advertising.

12. AI-Powered Features

Corvum offers optional AI-powered call transcription and summarization features (“AI Features”). These features are enabled by default (with customers onboarded after September 1st, 2025), and to be changed must be explicitly requested by a Customer. When enabled, call audio or transcript text is processed by third-party large language model (LLM) API services to generate transcripts and/or summaries for the Customer’s authorized users.

The collection, use, disclosure, and retention of personal information in connection with AI Features is governed by the CloudPBX Inc. (d.b.a. Corvum) AI Features Addendum (Version 2.0), which forms part of this Privacy Policy and is available at corvum.io/legal. The Addendum should be read together with Section 10.4 of this Policy (U.S. Wiretapping and Recording Consent) and Sections 10.2–10.3 (U.S. Customer Rights). The following is a summary of key commitments applicable to AI Features:

• AI Features are optional and on by default; they can be configure by the Corvum support team;
• Call content processed through AI Features is transmitted to third-party LLM sub-processors under contractual terms that prohibit retention, training use, and any secondary use of the data;
• Call content is never used to train, fine-tune, or improve any LLM model, whether by Corvum or its sub-processors;
• LLM sub-processors do not retain call audio, transcripts, or summaries after returning the processed output to Corvum;
• Customers are responsible for ensuring that call parties are informed of and consent to AI-assisted transcription and summarization, including compliance with applicable Canadian and U.S. consent requirements and law society or bar association professional obligations;
• Customers may disable AI Features and request deletion of all AI-generated content at any time.

Law firm customers should review the AI Features Addendum carefully with respect to solicitor-client privilege considerations and professional obligations before enabling AI Features. The Addendum includes specific guidance on privilege risk, recommended call announcements, and customer responsibilities.

13. Minors

Our Services are intended for use by businesses and legal professionals. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a minor, we will take prompt steps to delete it.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Post the updated Policy on our website with a new effective date;
• Notify existing customers by email or through the customer portal at least thirty (30) days before the changes take effect;
• Where required by law, obtain renewed consent.

Your continued use of our Services after the effective date of a revised Policy constitutes your acceptance of the updated terms. We encourage you to review this Policy periodically.

15. Contact and Privacy Officer

CloudPBX Inc. (d.b.a. Corvum) has designated a Privacy Officer responsible for overseeing compliance with this Policy and applicable privacy legislation. If you have questions, concerns, or requests regarding this Policy or our privacy practices, please contact:

Privacy Officer

CloudPBX Inc. (d.b.a. Corvum)

916 – 470 Granville Street

Vancouver, BC V6C 1V5

Email: support@corvum.io

Website: corvum.io

We will acknowledge receipt of privacy inquiries within five (5) business days and will respond substantively within thirty (30) days. Where a more complex investigation is required, we will advise you of the expected timeline.

CloudPBX Inc. (d.b.a. Corvum) — Privacy Policy  |  Effective March 23, 2026

AI FEATURES ADDENDUM

To the CloudPBX Inc. (d.b.a. Corvum) Privacy Policy

Effective Date: March 23, 2026

Last Reviewed: March 23, 2026

Version: 2.0

LEGAL VERTICAL NOTICE:  This Addendum addresses AI processing of communications that may contain solicitor-client privileged information (Canada) or attorney-client privileged information (United States). Law firm customers in both Canada and the United States must review this Addendum carefully and ensure their own clients are informed of AI-assisted transcription and summarization services prior to enabling these features.

Preamble and Relationship to Privacy Policy

This AI Features Addendum (“Addendum”) supplements and forms part of the CloudPBX Inc. (d.b.a. Corvum) Privacy Policy. It governs the collection, processing, use, disclosure, and retention of personal information in connection with Corvum’s optional AI-powered call transcription and summarization features (“AI Features”) for customers in both Canada and the United States. Capitalized terms not defined in this Addendum have the meanings given to them in the CloudPBX Inc. (d.b.a. Corvum) Privacy Policy.

In the event of any conflict between this Addendum and the core Privacy Policy with respect to AI Features, this Addendum governs.

AI Features are entirely optional, but are enabled by default for all customers onboarded on or after September 1st, 2025. They can be configured or disabled by the Corvum support team, reachable via support@corvum.io.

1. Description of AI Features

Corvum offers the following optional AI-powered features to subscribing law firm customers in Canada and the United States:

1.1 AI Call Transcription

When enabled, audio from calls routed through the Corvum platform is processed to generate a text transcript of the conversation. Transcription is performed using a large language model (LLM) API service. The transcript is returned to the Corvum platform and made available to authorized users of the Customer’s account.

1.2 AI Call Summarization

When enabled, the transcript generated under Section 1.1 (or audio directly, depending on configuration) is processed by a second LLM API service to generate a structured summary of the call. Summaries may include key topics discussed, action items, and a brief narrative overview. The summary is returned to the Corvum platform and made available to authorized users of the Customer’s account.

1.3 Feature Independence

Call Transcription and Call Summarization may be enabled independently. Summarization may be configured to process the transcript output of the Transcription feature, or may operate as a separate pipeline depending on Customer configuration. Both features can be enabled or disabled at any time by the Customer’s account administrator.

NOTE:  Depending on configuration, these features may operate in real-time with or without Customer configuration to that effect. Customers may configure features to apply to, specific inbound/outbound/internal calls or on an on-demand basis. Review your account configuration to confirm how these features are applied.

2. AI Sub-Processors

Corvum uses two third-party LLM API services as sub-processors to power AI Features. These services process call audio and/or transcript text on Corvum’s behalf under contractual terms described in this section.

COMMITMENT:  Corvum contractually prohibits both AI sub-processors from retaining, storing, or using any call audio, transcript, or summary content for any purpose other than returning the processed output to Corvum. This prohibition expressly includes model training, product improvement, benchmarking, and any other secondary use.

Corvum will notify customers of any material change to the identity or data processing practices of AI sub-processors at least thirty (30) days before such change takes effect, and will update this Addendum accordingly.

3. Data Flows and Processing Details

3.1 Transcription Data Flow

The following describes how call audio is processed when Call Transcription is enabled:

• Call audio is captured by the Corvum platform at the point of call termination or during the call, depending on Customer configuration.
• Audio for each call channel is transmitted over an encrypted connection (TLS) to the Transcription LLM API.
• The Transcription LLM processes each audio channel separately, and returns a text transcript to Corvum.
• The audio sent to the LLM is not retained by the LLM provider after the API response is returned.
• Corvum assembles the separate transcripts into a single cohesive transcript.
• The transcript is stored by Corvum and made available to the Customer’s authorized users through the account portal or API.
• The original call audio is retained separately, subject to the Customer’s call recording retention configuration.

3.2 Summarization Data Flow

The following describes how transcript content is processed when Call Summarization is enabled:

• The transcript (from Section 3.1) or call audio is transmitted over an encrypted connection (TLS) to the Summarization LLM API.
• The Summarization LLM processes the input and returns a structured summary to Corvum.
• The input data sent to the LLM is not retained by the LLM provider after the API response is returned.
• The summary is stored by Corvum and made available to the Customer’s authorized users.
• Transcripts and summaries are stored separately and may have different retention periods as configured by the Customer.

3.3 What Is and Is Not Sent to LLM Providers

For certainty, the following table describes what data is and is not transmitted to LLM sub-processors:

4. Consent and Disclosure Requirements

4.1 Customer’s Responsibility

The Customer (the subscribing law firm) is responsible for ensuring that all parties to calls processed through AI Features have been appropriately informed and, where required by law, have consented to AI-assisted transcription and summarization. This obligation exists independently of Corvum’s own privacy obligations.

Corvum strongly recommends that law firm customers (in both Canada and the United States):

• Update their own client intake and engagement letter processes to disclose the use of AI call transcription and summarization tools where calls with clients may be processed;
• Obtain informed consent from clients prior to enabling AI Features on lines used for solicitor-client communications;
• Consider whether Law Society rules (Canada) or State Bar / ABA Model Rules (United States) in their jurisdiction require disclosure of AI tool usage in client communications, and comply accordingly — multiple U.S. state bars have issued formal guidance on AI use in legal practice;
• Implement a call announcement (see Section 4.3) on all lines where AI Features are active; and consult Section 10.4 of the CloudPBX Inc. (d.b.a. Corvum) Privacy Policy for the definitive list of U.S. all-party consent states.

4.2 All-Party Consent Considerations

Canadian federal law (under PIPEDA and the Criminal Code’s interception provisions) generally permits recording of calls with the consent of one party. U.S. federal law (ECPA) also operates on a one-party consent basis at the federal level. However, the following U.S. states require the consent of all parties before a telephone or VoIP call may be recorded, transcribed, or otherwise intercepted: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. Where calls involve parties located in any of these all-party consent states, explicit disclosure and consent from all parties is legally required before AI Features process those calls. Given recent class-action litigation against AI transcription vendors (see, e.g., Brewer v. Otter.ai, 2025), Corvum strongly advises Customers to treat all-party consent requirements as a compliance priority.

Corvum provides configurable tools to assist with consent compliance. Customers are responsible for deploying and configuring these tools appropriately.

4.3 Recommended Call Announcement

Corvum recommends that Customers enable an automated call announcement played at the outset of calls processed by AI Features. A suitable announcement might read:

“This call may be recorded, transcribed, and summarized using AI-powered tools for the internal use of [Firm Name]. If you do not consent to this, please inform the staff member you are speaking with.”

For customers in U.S. all-party consent states (California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington), a stronger announcement is legally required. We recommend the following variant for those jurisdictions:

“This call will be recorded, transcribed, and summarized using AI-powered tools for the internal use of [Firm Name]. By continuing this call, you consent to this recording and AI processing. If you do not consent, please say so now and we will proceed without recording.”

This announcement should be customized to reflect the firm’s actual practices and reviewed by the firm’s own legal counsel for compliance with applicable law in the relevant jurisdiction(s).

4.4 Corvum’s Role

Corvum acts as a data processor (Canada) and service provider (United States) with respect to personal information processed through AI Features. The Customer is the data controller (Canada) or business (United States) for purposes of applicable privacy legislation. Corvum processes personal information through AI Features solely on the Customer’s instructions and in accordance with this Addendum. U.S. law firm customers remain the controller / business responsible for their own compliance obligations to their employees and clients under applicable U.S. state privacy laws, including the CCPA/CPRA and equivalent state laws.

4.5 U.S. Customers: ECPA, CALEA, and State Law Disclosure

U.S. customers enabling AI Features should be aware of the following additional legal context:

• ECPA / Wiretap Act: The Electronic Communications Privacy Act prohibits the intentional interception of wire, oral, or electronic communications without consent. Corvum’s transmission of call audio to LLM sub-processors for transcription is conducted under the service provider exception (18 U.S.C. § 2511(2)(a)(i)) and pursuant to Customer consent obtained through the act of enabling AI Features. Customers are responsible for obtaining consent from call parties as required under applicable federal and state law.
• CALEA: As a VoIP provider, Corvum is subject to the Communications Assistance for Law Enforcement Act, which requires that Corvum’s network be capable of facilitating lawful interception pursuant to a valid court order or other legal authority. AI-generated transcripts and summaries stored on the Corvum platform may be subject to lawful access requests under the Stored Communications Act (SCA). Corvum will review any such requests for legal validity before responding.
• U.S. State Privacy Laws: AI-generated transcripts and summaries may constitute personal information or sensitive personal information under applicable U.S. state privacy laws (including the CCPA/CPRA, which categorizes audio recordings as sensitive personal information). Corvum processes this data solely as a service provider on the Customer’s instructions. U.S. law firm customers are responsible for disclosing AI Features in their own privacy notices and providing any required opt-out or consent mechanisms to their employees and clients.
• Third-Party AI Vendor Liability: Recent U.S. litigation has examined whether generic “call may be recorded” disclosures are sufficient when third-party AI vendors process call content, particularly under state wiretapping laws such as California’s CIPA. Customers are advised to implement explicit disclosures naming AI transcription and summarization at the start of applicable calls, and to review this approach with qualified legal counsel.

5. Security Measures for AI Features

In addition to the security measures described in the core Privacy Policy, Corvum implements the following controls specifically for AI Features:

• All audio and transcript data transmitted to LLM sub-processors is encrypted in transit using TLS 1.2 or higher;
• Transcripts and summaries stored on the Corvum platform are encrypted at rest;
• Access to transcripts and summaries is restricted to authorized users of the Customer’s account, as configured by the Customer administrator;
• LLM sub-processor API calls use dedicated enterprise API credentials that are isolated from consumer or general-purpose service tiers;
• Corvum does not log the full content of audio or transcripts in system logs; only metadata (call ID, processing status, timestamp) is logged for operational purposes;
• Corvum’s LLM sub-processor agreements include security requirements consistent with industry standards for enterprise API services.

6. Retention and Deletion of AI-Generated Content

6.1 Customer-Controlled Retention

Customers control the retention period for transcripts and summaries generated through AI Features. Account administrators may configure retention periods through the account portal. Upon expiry of the configured retention period, transcripts and summaries are permanently deleted from the Corvum platform.

6.2 Default Retention

Where a Customer has not configured a specific retention period, the following defaults apply:

• Call transcripts: retained for one hundred eighty (180) days from the date of generation;
• Call summaries: retained for one hundred eighty (180) days from the date of generation;
• Operational metadata (call ID, processing status, timestamp): retained for (12) months.

6.3 LLM Provider Retention

As described in Section 2, neither LLM sub-processor retains call audio, transcript text, or summary content after returning the processed output to Corvum. Corvum contractually verifies this commitment and conducts periodic reviews of sub-processor compliance.

6.4 Deletion on Request

Customers may request deletion of specific transcripts or summaries, or all AI-generated content associated with their account, at any time through the account portal or by contacting support@corvum.io. Deletion requests are processed within five (5) business days.

7. Privilege Considerations (Solicitor-Client / Attorney-Client)

IMPORTANT NOTICE TO LAW FIRM CUSTOMERS:  This section addresses specific considerations for law firms using AI Features in connection with solicitor-client (Canada) or attorney-client (United States) privileged communications. Law firm administrators should review this section with their firm’s own privacy counsel before enabling AI Features.

7.1 Privilege Risk

Call content processed through AI Features is transmitted to third-party LLM sub-processors. While Corvum has taken contractual and technical steps to minimize risk (including zero-retention commitments and prohibitions on training use), law firms in both Canada and the United States should be aware that:

• Transmission of privileged communications to a third-party processor may, in some circumstances, be argued to constitute a waiver or potential waiver of solicitor-client privilege (Canada) or attorney-client privilege (United States), depending on the jurisdiction and applicable rules of professional conduct;
• AI-generated transcripts and summaries of privileged communications may not themselves attract privilege protection unless they reflect the exercise of legal judgment;
• Law society rules in some Canadian jurisdictions have issued guidance or are developing guidance on the use of AI tools in legal practice; U.S. firms should consult applicable State Bar rules and any formal ethics opinions on AI use in legal practice issued in their jurisdiction. Both Canadian and U.S. firms should consult current guidance from their relevant law society or bar association.

7.2 Risk Mitigation

To mitigate privilege risk, law firm customers are advised to:

• Enable AI Features only on lines and extensions used for non-privileged communications (e.g., reception, scheduling, administrative calls), unless the firm has conducted a privilege risk assessment and obtained appropriate client consent for privileged call lines;
• Obtain explicit informed consent from clients prior to using AI Features on lines used for substantive legal advice — for U.S. firms, consider whether this consent must be documented in the client engagement letter under applicable state bar rules;
• Review AI-generated transcripts and summaries before relying on them and apply appropriate legal judgment;
• Implement access controls so that AI-generated content is available only to the professionals who need it;
• Consider whether AI-generated content should be labeled as privileged or work product in the firm’s document management system.

7.3 Corvum’s Limitation

Corvum is not a law firm and does not provide legal advice. The considerations in this Section 7 are provided for informational purposes only. Law firm customers are solely responsible for compliance with their professional obligations, including confidentiality, privilege (solicitor-client in Canada; attorney-client in the United States), and applicable law society or bar association rules. Corvum recommends that each firm seek independent legal advice before enabling AI Features.

8. Accuracy of AI-Generated Content

AI-generated transcripts and summaries are produced by automated systems and may contain errors, inaccuracies, omissions, or “hallucinations” (content that was not present in the source audio). Specifically:

• Transcripts may mis-transcribe words, names, legal terminology, numbers, or other content, particularly in low-audio-quality calls or calls with multiple simultaneous speakers;
• Summaries are AI-generated interpretations of the transcript and may omit nuance, mischaracterize positions, or incorrectly attribute statements;
• Neither transcripts nor summaries should be treated as verbatim or authoritative records of a call without review and verification by an authorized user.

Corvum makes no warranty, express or implied, as to the accuracy, completeness, or fitness for purpose of AI-generated transcripts or summaries. Law firm customers in particular must exercise independent professional judgment when reviewing AI-generated content.

9. Customer Obligations

By enabling AI Features, the Customer agrees to:

• Ensure that all call parties on lines processed by AI Features are appropriately informed of and, where legally required, consent to AI-assisted transcription and summarization prior to or at the start of the call;
• Update the firm’s own privacy policy, client intake processes, and retainer / engagement letter agreements to reflect the use of AI call processing tools where applicable, including in any CCPA-required privacy notice for California-based law firms;
• Comply with all applicable laws, including consent, recording, and data protection requirements in all jurisdictions where calls are placed or received — for U.S. customers, this expressly includes compliance with the ECPA, applicable U.S. state wiretapping and all-party consent laws, and U.S. state privacy laws such as the CCPA/CPRA;
• Ensure that access to AI-generated content is appropriately restricted within the firm;
• Not use AI Features to process calls involving individuals who have explicitly objected to recording or AI processing;
• Promptly notify Corvum if the Customer becomes aware of any unauthorized access to or disclosure of AI-generated content;
• Review and comply with any updated versions of this Addendum as published by Corvum.

10. Disabling AI Features and Data Deletion

AI Features may be disabled at any time by Corvum support staff.  Disabling AI Features will immediately stop the processing of new calls through the AI pipeline. Existing transcripts and summaries will be retained until deleted by the Customer or until the applicable retention period expires.

Upon termination of the Customer’s Corvum account, all transcripts and summaries associated with the account will be deleted within thirty (30) days, subject to any legal hold obligations. Customers may request earlier deletion by contacting support@corvum.io.

11. Updates to This Addendum

Corvum may update this Addendum from time to time, including to reflect changes to the AI sub-processors used, data flow architecture, or applicable legal requirements. Where changes are material, Corvum will provide at least thirty (30) days’ notice to Customers before the updated Addendum takes effect, by email or through the customer portal.

Continued use of AI Features following the effective date of an updated Addendum constitutes acceptance of the updated terms.

12. Contact

Questions or concerns about this Addendum or the AI Features described herein should be directed to:

Privacy Officer — CloudPBX Inc. (d.b.a. Corvum)

Email: support@corvum.io

Website: corvum.io

CloudPBX Inc. (d.b.a. Corvum) AI Features Addendum  |  Effective March 23, 2026  |  Version 2.0