1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Voco Ltd ("Processor", "we", "us") and the customer ("Controller", "you") for the provision of AI receptionist services. This DPA sets out the terms on which we will process personal data on your behalf.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person
"Processing" means any operation performed on Personal Data
"Data Subject" means the individual to whom the Personal Data relates
"Sub-processor" means any third party engaged by us to process Personal Data

3. Scope of Processing

Subject matter: AI-powered call answering and lead qualification services

Duration: For the term of the service agreement plus any retention period required by law

Nature and purpose: Answering calls, recording conversations, transcribing, extracting caller information, scheduling appointments

Types of Personal Data:

Caller names and contact details
Voice recordings and transcripts
Appointment preferences
Service enquiry details

Categories of Data Subjects: Your customers and prospective customers who call your business

4. Processor Obligations

We shall:

Process Personal Data only on your documented instructions
Ensure personnel are bound by confidentiality obligations
Implement appropriate technical and organisational security measures
Assist you in responding to Data Subject requests
Assist with data protection impact assessments when required
Delete or return all Personal Data upon termination
Make available information necessary to demonstrate compliance
Notify you without undue delay of any Personal Data breach

5. Security Measures

We implement the following security measures:

Encryption of data in transit and at rest (AES-256)
Access controls and authentication
Regular security assessments and penetration testing
Staff training on data protection
Incident response procedures
Business continuity and disaster recovery

6. Sub-processors

You provide general authorisation for us to engage Sub-processors. We maintain a list of current Sub-processors available upon request. We will notify you of any intended changes to Sub-processors, giving you the opportunity to object.

All Sub-processors are bound by written agreements imposing equivalent data protection obligations.

7. International Transfers

All Personal Data is stored and processed within the UK and European Economic Area. If any transfer outside these regions becomes necessary, we will ensure appropriate safeguards are in place in accordance with UK GDPR, such as Standard Contractual Clauses.

8. Controller Obligations

You shall:

Ensure you have a lawful basis for processing
Provide Data Subjects with appropriate privacy notices
Ensure the accuracy of Personal Data provided to us
Respond to Data Subject requests within legal timeframes
Notify us of any changes to processing instructions

9. Audits

You may request an audit of our data processing activities with reasonable notice. We will provide access to relevant documentation and facilities. Costs of audits beyond standard compliance reporting may be charged at our standard rates.

10. Data Breach Notification

In the event of a Personal Data breach, we will notify you without undue delay (and in any event within 48 hours) after becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address it.

11. Termination

Upon termination of services, we will, at your choice, delete or return all Personal Data and delete existing copies unless EU or UK law requires storage. Deletion will be completed within 90 days of termination.

12. Liability

Each party's liability under this DPA is subject to the limitations set out in the main service agreement. Nothing in this DPA excludes liability for breaches of data protection law.

13. Contact

For data protection queries:

Voco Ltd
Data Protection Contact
Email: dpo@vocohq.co.uk
Phone: 0333 XXX XXXX