This Data Processing Agreement ("DPA") forms part of the Terms of Service between AJVoiceAI ("Processor") and the customer ("Controller").
1. Scope of processing
The Processor processes personal data on behalf of the Controller for the purpose of:
- Placing automated outbound voice calls to the Controller's contacts
- Screening contacts against the TPS/CTPS register
- Logging call outcomes and duration
- Managing campaign scheduling and retry logic
2. Types of personal data
- Contact names and phone numbers
- Call metadata (timestamps, duration, outcome)
- Custom metadata provided by the Controller
3. Controller obligations
The Controller shall:
- Obtain all necessary consents before uploading contact data
- Ensure a lawful basis exists for each contact being called
- Not upload special category data unless explicitly agreed
- Promptly notify the Processor of any data subject requests
4. Processor obligations
The Processor shall:
- Process data only on the Controller's documented instructions
- Ensure personnel with access are under confidentiality obligations
- Implement appropriate technical and organisational security measures
- Not engage sub-processors without prior written consent (see Section 6)
- Assist the Controller with data subject requests within 10 business days
- Delete or return all personal data on termination, except where retention is required by law
5. Security measures
- Encryption in transit (TLS 1.2+) for all data transfers
- Encryption at rest for database storage (Supabase AES-256)
- JWT-based access control with cryptographic signing
- Tenant isolation via Twilio subaccounts
- Audit logging of data access and modifications
- Password hashing with bcrypt (cost factor 10)
6. Sub-processors
The Controller consents to the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting | EU (Frankfurt) |
| Upstash | Redis job queue | UK (London) |
| Twilio Inc. | Telephony services | US/EU |
| Google LLC | AI voice processing (Gemini) | US |
| Stripe Inc. | Payment processing | EU |
The Processor will notify the Controller at least 30 days before adding new sub-processors.
7. Data breach notification
The Processor will notify the Controller within 72 hours of becoming aware of a personal data breach. Notification will include the nature of the breach, categories of data affected, approximate number of records, and measures taken.
8. Audit rights
The Controller may request an audit of the Processor's compliance with this DPA once per year with 30 days' written notice. The Processor will provide reasonable cooperation.
9. Data return and deletion
On termination of the service agreement:
- Contact data and call logs will be deleted within 30 days
- Billing records will be retained for 7 years as required by UK law
- The Controller may request data export before deletion
10. International transfers
Where data is transferred outside the UK, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses and the sub-processor's relevant compliance certifications.