Data Processing Agreement

Last updated: 17 June 2026

1. Status and incorporation

1.1 This Data Processing Agreement ('DPA') forms part of, and is incorporated by reference into, the Terms of Service between the Customer and Inteligencia Artificial Limited, a company registered in England & Wales (company no. 15667932), registered office Highdown House, 11 Highdown Road, Leamington Spa, Warwickshire, CV31 1XT, which operates the service at ai-agent-calls.com ('we', 'us', 'our', the 'Processor'). Together with the Terms of Service it forms the agreement between the parties (the 'Agreement').

1.2 This DPA records the terms on which Inteligencia Artificial Limited Processes Personal Data on behalf of the Customer in connection with the Services, as required by Article 28 of the UK GDPR. Where this DPA conflicts with any other part of the Agreement on the subject of data protection, this DPA prevails.

1.3 This DPA takes effect on the date the Customer first accepts the Terms of Service or first uses the Services, whichever is earlier, and continues for as long as Inteligencia Artificial Limited Processes Personal Data on the Customer's behalf.

2. Definitions

2.1 Capitalised terms used but not defined in this DPA have the meaning given to them in the Terms of Service. The following definitions apply:

  • 'Data Protection Laws' means all laws applicable to the Processing of Personal Data under the Agreement, including the UK GDPR, the Data Protection Act 2018, and (where applicable to the Customer's processing) the EU GDPR and the Privacy and Electronic Communications Regulations (PECR), in each case as amended or replaced from time to time.
  • 'UK GDPR' means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018.
  • 'Controller', 'Processor', 'Data Subject', 'Personal Data', 'Personal Data Breach', 'Processing', 'Special Category Data' and 'Supervisory Authority' have the meanings given in the UK GDPR.
  • 'Customer Data' means Personal Data that Inteligencia Artificial Limited Processes on behalf of the Customer in providing the Services, including data relating to Contacts / Call Recipients uploaded by or on behalf of the Customer.
  • 'Contact' / 'Call Recipient' means an individual whom the Customer's AI voice agent calls or attempts to call through the Platform.
  • 'Sub-processor' means any third party engaged by Inteligencia Artificial Limited to Process Customer Data on Inteligencia Artificial Limited's behalf.
  • 'Standard Contractual Clauses' / 'SCCs' means the clauses approved for restricted transfers under the EU GDPR; 'IDTA' means the UK International Data Transfer Agreement (and/or the UK Addendum to the SCCs) issued by the Information Commissioner.

2.2 For the purposes of this DPA and in respect of Customer Data, the Customer is the Controller and Inteligencia Artificial Limited is the Processor.

3. Roles and scope

3.1 The Customer is the Controller of Customer Data. Inteligencia Artificial Limited acts as Processor and Processes Customer Data only to provide the Services and only as set out in this DPA and the Customer's documented instructions.

3.2 The Customer's documented instructions are: (a) the Agreement (including this DPA); (b) the Customer's use and configuration of the Platform (including campaigns, contact lists, Compliance Pack selections, and settings); and (c) any further written instructions agreed by the parties. The Customer may give additional reasonable written instructions consistent with the Agreement; if Inteligencia Artificial Limited considers an instruction to require disproportionate effort or to fall outside the scope of the Services, the parties will discuss it in good faith and Inteligencia Artificial Limited may charge for it or decline it.

3.3 The details required by Article 28(3) — subject-matter, duration, nature and purpose of the Processing, types of Personal Data, and categories of Data Subjects — are set out in Annex 1.

3.4 Where Inteligencia Artificial Limited acts as Controller (for example, in respect of Account Data and the Customer's own administrative, website and marketing data), that Processing is governed by the Privacy Policy and not by this DPA.

4. Processor obligations

Inteligencia Artificial Limited will:

4.1 Documented instructions. Process Customer Data only on the Customer's documented instructions (including in respect of international transfers), unless required to do otherwise by law to which Inteligencia Artificial Limited is subject; in which case Inteligencia Artificial Limited will inform the Customer of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest.

4.2 Lawfulness flag. Inform the Customer without undue delay if, in Inteligencia Artificial Limited's opinion, an instruction infringes Data Protection Laws. Inteligencia Artificial Limited is not obliged to verify the lawfulness of the Customer's instructions or the Customer's underlying lawful basis or consent.

4.3 Confidentiality of personnel. Ensure that persons authorised to Process Customer Data are bound by an appropriate duty of confidentiality (whether contractual or statutory) and Process Customer Data only as instructed.

4.4 Security (Article 32). Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing. A summary of those measures is set out in Annex 2. The Customer acknowledges that the measures in Annex 2 provide an appropriate level of security having regard to the risks of the Processing.

4.5 Assistance — Data Subject rights (Articles 12–23). Taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as reasonably possible, to respond to requests by Data Subjects exercising their rights (including access, rectification, erasure, restriction, portability, and objection). If Inteligencia Artificial Limited receives a request directly from a Data Subject in respect of Customer Data, it will not respond to that request itself (except to acknowledge or to direct the individual to the Customer where appropriate) but will, without undue delay, forward it to the Customer.

4.6 Assistance — Articles 32–36. Taking into account the nature of the Processing and the information available to Inteligencia Artificial Limited, assist the Customer in ensuring compliance with its obligations relating to security of Processing (Art. 32), Personal Data Breach notification (Arts. 33–34), data protection impact assessments (Art. 35), and prior consultation with the Supervisory Authority (Art. 36).

4.7 Records. Maintain records of its Processing activities carried out on behalf of the Customer as required by Article 30(2), and make them available to the Customer on reasonable request.

4.8 Charges. Inteligencia Artificial Limited may charge a reasonable fee for assistance requested under clauses 4.5–4.6 and for audits under clause 9, except where the assistance is required to remedy Inteligencia Artificial Limited's own breach of this DPA.

5. Personal Data Breach notification

5.1 Inteligencia Artificial Limited will notify the Customer without undue delay after becoming aware, and within any timeframe required by applicable law, of a Personal Data Breach affecting Customer Data.

5.2 The notification will, to the extent then known and as it becomes available, describe: the nature of the breach (including, where possible, the categories and approximate number of Data Subjects and records concerned); the likely consequences; the measures taken or proposed to address it; and a contact point for further information.

5.3 Inteligencia Artificial Limited will cooperate with the Customer and take reasonable steps to investigate, mitigate and remediate the breach. The Customer (as Controller) is responsible for any notification to the Supervisory Authority and/or affected Data Subjects; nothing in this clause obliges Inteligencia Artificial Limited to make such notifications on the Customer's behalf or to admit fault.

6. Sub-processors

6.1 General authorisation. The Customer gives Inteligencia Artificial Limited general written authorisation to engage Sub-processors to Process Customer Data for the purpose of providing the Services. The categories of Sub-processor include, without limitation: telephony providers, speech-to-text and speech-synthesis providers, AI model providers, cloud hosting and infrastructure providers, and email/communications providers.

6.2 Sub-processors generally. We may engage sub-processors to help deliver the Services. Each sub-processor is engaged under a written contract imposing data-protection obligations no less protective than those set out in this DPA, and each is appropriately registered/able to process personal data on our behalf and on behalf of our clients. A description of the categories of sub-processor we use is available to the Customer on request.

6.3 Change notification and objection. Inteligencia Artificial Limited will give the Customer at least 30 days' prior notice (by a reasonable notification mechanism) before adding or replacing a Sub-processor. The Customer may object on reasonable, documented data-protection grounds within that period. The parties will work in good faith to resolve the objection; if it cannot be resolved, the Customer may, as its sole remedy, terminate the affected part of the Services on written notice.

6.4 Flow-down. Inteligencia Artificial Limited will impose on each Sub-processor, by written contract, data-protection obligations that are substantially the same as, and in any event no less protective than, those imposed on Inteligencia Artificial Limited under this DPA, in particular obligations to provide sufficient guarantees to implement appropriate technical and organisational measures.

6.5 Continuing liability. Inteligencia Artificial Limited remains fully liable to the Customer for the performance of each Sub-processor's data-protection obligations where the Sub-processor fails to fulfil them.

7. International transfers

7.1 Inteligencia Artificial Limited and its Sub-processors may Process Customer Data outside the United Kingdom (and, where the EU GDPR applies, outside the EEA) only where an appropriate transfer mechanism is in place under Data Protection Laws.

7.2 Where a restricted transfer occurs, the parties will rely on an applicable safeguard, which may include an adequacy decision/adequacy regulations, the Standard Contractual Clauses, the UK IDTA and/or the UK Addendum, and any supplementary measures required following a transfer risk assessment.

7.3 To the extent the SCCs and/or the IDTA apply between the parties, they are incorporated into this DPA by reference and, in the event of conflict on the subject of restricted transfers, those clauses prevail.

8. Deletion or return of Customer Data

8.1 On termination or expiry of the Services, and at the Customer's election, Inteligencia Artificial Limited will delete or return all Customer Data and delete existing copies, unless retention is required by law to which Inteligencia Artificial Limited is subject.

8.2 The Customer may make its election in writing within 30 days of termination. If no election is made within that period, Inteligencia Artificial Limited may delete the Customer Data after that period, subject to any legal retention requirement.

8.3 Inteligencia Artificial Limited may retain Customer Data that is held in routine backups for the period of the standard backup cycle, provided it remains protected by the measures in Annex 2 and is not actively Processed except as needed for backup integrity, and is deleted in the ordinary course.

9. Audits and information

9.1 Inteligencia Artificial Limited will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

9.2 To minimise disruption and protect the confidentiality and security of Inteligencia Artificial Limited's systems and other customers' data, audits will: be conducted no more than once per 12 months (unless required by a Supervisory Authority or following a Personal Data Breach); be on at least 30 days' prior written notice; be during normal business hours; and be subject to confidentiality. Inteligencia Artificial Limited may satisfy audit requests by providing recent third-party certifications or audit reports where these reasonably address the Customer's request.

10. Customer (Controller) warranties

10.1 The Customer warrants and undertakes that, in respect of all Customer Data and all calls placed through the Platform:

(a) it has a valid lawful basis under Data Protection Laws for the Processing it instructs, and where consent is the basis (including for direct-marketing calls under PECR/ePrivacy), it has obtained and can evidence valid consent for each Contact / Call Recipient;

(b) its instructions to Inteligencia Artificial Limited are lawful and will not cause Inteligencia Artificial Limited to breach Data Protection Laws;

(c) it has provided all required information (privacy notices) to Data Subjects and is responsible for the lawfulness of the underlying Processing, the contact lists, and the campaign content; and

(d) it holds all authorisations, licences and consents necessary for its sector and use of the Services.

10.2 The Customer is solely responsible as Controller for determining the purposes and means of the Processing within the Platform's configuration options, and acknowledges that Inteligencia Artificial Limited provides Compliance Packs and controls as a tool and does not thereby become a Controller or guarantee the Customer's compliance.

11. Liability

11.1 Each party's liability arising out of or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service, including the aggregate liability cap, as if those provisions were set out in full here.

11.2 Nothing in this DPA or the Agreement limits or excludes any liability that cannot lawfully be limited or excluded, including any statutory liability under Data Protection Laws (such as liability to Data Subjects under Article 82 of the UK GDPR or to a Supervisory Authority), or liability for death or personal injury caused by negligence, or for fraud or fraudulent misrepresentation.

11.3 As between the parties, each is responsible for its own role under the UK GDPR; this clause does not reallocate statutory responsibilities between Controller and Processor.

12. General

12.1 This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, consistent with the Terms of Service.

12.2 If any provision of this DPA is held invalid or unenforceable, the remainder continues in effect.

Annex 1 — Details of Processing (Article 28(3))

  • Subject-matter of Processing: Provision of the Services: configuring and running AI voice agents that place outbound telephone calls to the Customer's Contacts / Call Recipients on the Customer's behalf.
  • Duration of Processing: For the term of the Agreement and until deletion or return of Customer Data under clause 8.
  • Nature and purpose of Processing: Collection, storage, organisation, structuring, use, transmission, recording, transcription, and analysis of Customer Data to operate campaigns; place, connect, and record/transcribe calls; provide AI disclosure; generate call outcomes, transcripts, and reporting; and enable Compliance Pack safeguards.
  • Types of Personal Data: Contact identifiers and details (e.g. name, telephone number, and other fields uploaded by the Customer); call content (audio recordings and transcripts of the AI agent's calls with Call Recipients); call metadata (date, time, duration, outcome, disposition).
  • Categories of Data Subjects: The Customer's Contacts / Call Recipients (the individuals called via the Platform). Where relevant, the Customer's Authorised Users to the extent their data forms part of campaign records.
  • Special Category / criminal-offence data: None instructed by default. If the Customer processes any such data through the Platform, it must identify the categories and ensure an applicable Article 9/10 condition is in place.
  • Frequency of Processing: Continuous / on an ongoing basis for the duration of the Agreement.

Annex 2 — Technical and Organisational Security Measures (Article 32)

This is a summary of the measures and does not disclose detail that would compromise security.

  • Encryption in transit (TLS) for personal data moving between systems.
  • Encryption at rest for all stored personal data belonging to clients or their contacts.
  • Role-based, least-privilege access control; unique credentials; multi-factor authentication for administrative access.
  • Network protection: firewalling, segregation and restricted access to production systems.
  • Logging and monitoring of access to personal data and of security events.
  • Regular backups with restoration testing.
  • Secure development practices and timely patching of dependencies.
  • Staff confidentiality obligations and data-protection awareness.
  • Sub-processor due diligence and contractual data-protection terms.
  • Documented incident-response and breach-notification procedures.
  • Data minimisation and defined retention with secure deletion at end of retention (per-call context snapshots are time-boxed and purged after the call).

Contact

Questions about this DPA can be sent to privacy@inteligencia-artificial.co.uk.