← Back to AI Agent Calls

Data Processing Agreement

Last updated: 21 May 2026  ·  Inteligencia Artificial Limited

This Data Processing Agreement ("DPA") is entered into between Inteligencia Artificial Limited, a company registered in England and Wales ("AI Agent Calls" or "Processor"), and the Customer identified in the Order Form or who has accepted the Terms of Service ("Customer" or "Controller"). This DPA is incorporated into and forms a binding part of the Terms of Service between the parties. In the event of any conflict between this DPA and the Terms of Service with respect to data protection matters, this DPA shall prevail. Capitalised terms not defined here have the meanings given in the Terms of Service.

1. Parties and Background

1.1 Processor. Inteligencia Artificial Limited is a company registered in England and Wales. AI Agent Calls provides an AI-powered outbound telephone calling software-as-a-service platform (the "Platform") that enables Customers to deploy automated outbound calling campaigns using AI voice agents, manage contact lists, record and transcribe calls, and analyse campaign performance.

1.2 Controller. The Customer is the entity or individual who has subscribed to the Platform and who determines the purposes and means of processing personal data of End Recipients and other data subjects in connection with their use of the Platform.

1.3 Role allocation. The parties acknowledge that, in respect of personal data processed through the Platform, the Customer acts as Controller and AI Agent Calls acts as Processor within the meaning of UK GDPR Article 4(7) and Article 4(8) respectively. Where AI Agent Calls processes personal data for its own purposes (such as account management, billing, and Platform analytics relating to AI Agent Calls' own business), AI Agent Calls acts as Controller and that processing is governed by AI Agent Calls' Privacy Policy.

1.4 Incorporation. This DPA is incorporated into the Terms of Service by reference. Execution of the Terms of Service (whether by electronic acceptance, order form signature, or API key activation) constitutes acceptance of this DPA. AI Agent Calls may update this DPA from time to time and will provide at least 30 days' notice of material changes. Continued use of the Platform after the notice period constitutes acceptance of the updated DPA.

2. Definitions

"Applicable Data Protection Law" means, as applicable to the relevant processing: (a) the UK GDPR and the Data Protection Act 2018; (b) the EU GDPR and applicable EU member state implementing legislation; (c) PECR; and (d) any amendment, replacement, or successor legislation to any of the foregoing.

"Authorised Persons" means employees, contractors, and agents of AI Agent Calls who are authorised to process personal data in connection with the Platform and who are bound by appropriate confidentiality obligations.

"Controller" has the meaning given in UK GDPR Article 4(7): a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Data Subject" has the meaning given in UK GDPR Article 4(1): an identified or identifiable natural person whose personal data is processed.

"DPIA" means a data protection impact assessment conducted pursuant to UK GDPR Article 35 or EU GDPR Article 35.

"DSAR" means a data subject access request or any other exercise of Data Subject rights under Applicable Data Protection Law.

"End Recipients" means the consumers, sole traders, and business contacts whose telephone numbers and associated personal data are uploaded to the Platform by the Customer for the purpose of outbound calling campaigns.

"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

"ICO" means the Information Commissioner's Office, the supervisory authority for data protection in the United Kingdom.

"IDTA" means the International Data Transfer Agreement published by the ICO, as amended from time to time, and any associated addenda.

"Personal Data" has the meaning given in UK GDPR Article 4(1): any information relating to an identified or identifiable natural person.

"Personal Data Breach" has the meaning given in UK GDPR Article 4(12): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

"PECR" means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), as amended from time to time.

"Processing" has the meaning given in UK GDPR Article 4(2): any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.

"Processor" has the meaning given in UK GDPR Article 4(8): a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

"SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission under Decision 2021/914/EU, as amended or replaced from time to time.

"Special Category Data" has the meaning given in UK GDPR Article 9(1): personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation.

"Sub-processor" means any third party engaged by AI Agent Calls (or by a sub-processor of AI Agent Calls) to process personal data in connection with the Platform on behalf of the Customer.

"Supervisory Authority" means any regulatory body or authority responsible for enforcing Applicable Data Protection Law, including the ICO and any relevant EU data protection authority.

"TOMs" means technical and organisational security measures implemented to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

"UK GDPR" means Regulation (EU) 2016/679 as it forms part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) and any subsequent amendment.

3. Scope and Duration

3.1 Scope. This DPA applies to all processing of personal data carried out by AI Agent Calls as Processor on behalf of the Customer as Controller in connection with the Platform, including the processing activities described in Section 4 (Details of Processing).

3.2 Duration. This DPA comes into force on the date the Customer accepts the Terms of Service and continues in full force and effect for the duration of the Customer's subscription to the Platform. This DPA terminates automatically upon termination or expiry of the Terms of Service, subject to the survival provisions in Section 13 (Retention and Deletion).

3.3 Instructions. The Terms of Service and this DPA together constitute the Customer's documented instructions to AI Agent Calls for the purpose of processing personal data. The Customer may issue additional specific instructions in writing (including by email to privacy@inteligencia-artificial.co.uk). AI Agent Calls will not process personal data in any other manner without the Customer's prior written consent, except where required by applicable law, in which case AI Agent Calls will inform the Customer before such processing unless prohibited from doing so by law.

4. Details of Processing (Schedule 1)

4.1 Categories of Data Subjects. The personal data processed relates to the following categories of data subjects:

  • End Recipients: consumers, sole traders, and business contacts whose details are uploaded by the Customer for outbound calling campaigns;
  • Customer's own employees and platform users who access and administer the Platform on behalf of the Customer.

4.2 Categories of Personal Data. AI Agent Calls processes the following categories of personal data on behalf of the Customer:

  • Telephone numbers in E.164 international format;
  • Full names and contact names of End Recipients;
  • Job titles and professional roles;
  • Company names and employer information;
  • Call recordings (audio files);
  • Call transcripts (full text);
  • AI-generated call summaries and outcomes;
  • AI-generated sentiment scores and engagement classifications;
  • Call metadata including timestamp, duration, call outcome, and calling line identification (CLI);
  • Consent records and opt-out preferences;
  • IP addresses and browser/session data from Platform access logs (Customer's users);
  • Any additional personal data fields included by the Customer in contact list uploads.

4.3 Special Category Data. The Platform is not designed or intended to process Special Category Data. The Customer must not upload or include Special Category Data in any contact list, custom field, or campaign notes. If the Customer becomes aware that Special Category Data has been processed through the Platform, the Customer must notify AI Agent Calls immediately at privacy@inteligencia-artificial.co.uk. AI Agent Calls accepts no liability for processing of Special Category Data uploaded by the Customer in breach of this DPA.

4.4 Purposes of Processing. AI Agent Calls processes personal data for the following purposes:

  • Facilitating outbound telephone calling campaigns as directed by and on behalf of the Customer;
  • Recording, transcribing, and analysing calls for the benefit of the Customer;
  • Generating AI-driven summaries, sentiment analysis, and campaign analytics for the Customer;
  • Storing and managing consent records and do-not-call preferences;
  • Providing the Customer with access to the Platform and related support services;
  • Compliance monitoring and fraud prevention to protect the integrity of the Platform.

4.5 Frequency of Processing. Processing is carried out on a continuous basis throughout the subscription term, as and when the Customer initiates or schedules calling campaigns.

5. Controller's Obligations

The Customer, as Controller, represents, warrants, and undertakes on an ongoing basis throughout the term of this DPA that:

5.1 Lawful basis. The Customer has identified and documented a valid lawful basis under UK GDPR Article 6 (and, where applicable, EU GDPR Article 6) for each category of personal data processed through the Platform before uploading that data. For direct marketing calls to consumers, this will ordinarily require either a valid consent under UK GDPR Article 6(1)(a) or a demonstrable legitimate interest that has survived a documented legitimate interests assessment. The Customer will maintain records of the lawful bases relied upon and make such records available to AI Agent Calls on request.

5.2 Privacy notices. The Customer has provided, and continues to provide, adequate and transparent privacy notices to Data Subjects in accordance with UK GDPR Articles 13 and 14 (and EU GDPR equivalents). Where the Platform is used to make AI-automated outbound calls, the Customer's privacy notices must explicitly disclose that calls may be made by AI and that calls may be recorded and transcribed.

5.3 TPS/CTPS screening. Prior to uploading any contact list to the Platform, the Customer has screened all telephone numbers against the Telephone Preference Service (TPS) and, where applicable, the Corporate Telephone Preference Service (CTPS) registers, unless the Customer holds a valid prior consent from the relevant individual that overrides the TPS/CTPS registration. The Customer will re-screen contact lists at intervals of no more than 28 days in respect of any live campaign. The Customer accepts sole responsibility for compliance with PECR Regulation 21 (telephone calls) and all related ICO guidance.

5.4 PECR consent obligations. Where the Customer's campaign involves automated calling systems (including AI voice agents) to consumers under PECR Regulation 19, the Customer confirms it holds the specific prior consent of each called individual. The Customer will maintain evidence of such consents and provide copies to AI Agent Calls on request where required for compliance purposes.

5.5 Data Subject rights. The Customer is responsible for handling all DSARs, erasure requests, rectification requests, restriction requests, portability requests, and objection requests from Data Subjects within the statutory timeframes under Applicable Data Protection Law. Where a DSAR or other data subject rights request requires action by AI Agent Calls as Processor (for example, retrieving call recordings), the Customer will notify AI Agent Calls promptly and in sufficient time to allow AI Agent Calls to assist within the statutory deadline, and in any event within 5 business days of the Customer receiving the request.

5.6 ICO registration. The Customer confirms that it is registered as a data controller with the ICO (where required under the Data Protection (Charges and Information) Regulations 2018) and that such registration remains current throughout the term of this DPA.

5.7 Article 30 records. The Customer is responsible for maintaining its own records of processing activities as required by UK GDPR Article 30(1) in respect of the processing carried out through the Platform. AI Agent Calls will provide reasonable assistance to the Customer in completing such records upon written request.

5.8 Lawful instructions. The Customer warrants that its instructions to AI Agent Calls for processing personal data do not and will not violate Applicable Data Protection Law, and that the Customer has the authority to give such instructions. The Customer indemnifies AI Agent Calls against any claim, loss, liability, or regulatory fine arising from processing carried out by AI Agent Calls in accordance with the Customer's instructions where such instructions are found to be in breach of Applicable Data Protection Law.

6. Processor's Obligations (Article 28 UK GDPR)

AI Agent Calls, as Processor, undertakes the following obligations in accordance with UK GDPR Article 28:

6.1 Documented instructions. AI Agent Calls will process personal data only on documented instructions from the Customer, unless required to do so by applicable law. Where applicable law requires AI Agent Calls to process personal data for other purposes, AI Agent Calls will inform the Customer of this requirement before processing (unless prohibited by law on grounds of public interest).

6.2 Notification of unlawful instructions. If AI Agent Calls forms the view that any instruction issued by the Customer infringes UK GDPR, EU GDPR, or any other applicable data protection law, AI Agent Calls will immediately inform the Customer in writing. AI Agent Calls reserves the right to suspend processing pending clarification where it reasonably believes that continuing to act on an instruction would expose either party to regulatory liability.

6.3 Confidentiality. AI Agent Calls will ensure that all Authorised Persons who access personal data in connection with the Platform are subject to binding contractual or statutory confidentiality obligations and have received appropriate data protection training. Access to personal data is granted on a strictly need-to-know basis.

6.4 Security measures. AI Agent Calls will implement and maintain the TOMs described in Section 7 of this DPA, and will take all measures required by UK GDPR Article 32 to ensure a level of security appropriate to the risk.

6.5 Sub-processing. AI Agent Calls will not engage any Sub-processor other than those listed in Section 8 of this DPA without first providing written notice to the Customer in accordance with Section 8.3. AI Agent Calls will enter into a written agreement with each Sub-processor that imposes data protection obligations equivalent to those imposed on AI Agent Calls under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. AI Agent Calls remains fully liable to the Customer for the performance of each Sub-processor's data protection obligations.

6.6 Assistance with Data Subject rights. AI Agent Calls will provide reasonable technical assistance to the Customer in fulfilling its obligations to respond to DSARs and other data subject rights requests, as further described in Section 11 of this DPA.

6.7 Assistance with compliance obligations. AI Agent Calls will assist the Customer, taking into account the nature of processing and information available to AI Agent Calls, in ensuring compliance with: (a) the security obligations in UK GDPR Article 32; (b) the breach notification obligations in UK GDPR Articles 33 and 34; (c) the DPIA obligations in UK GDPR Article 35; and (d) the prior consultation obligations in UK GDPR Article 36.

6.8 Deletion and return of data. AI Agent Calls will, at the Customer's choice, delete or return all personal data to the Customer upon termination of the Terms of Service, in accordance with Section 13 of this DPA, and will delete existing copies unless applicable law requires storage of the personal data.

6.9 Audit cooperation. AI Agent Calls will make available to the Customer all information necessary to demonstrate compliance with the obligations under UK GDPR Article 28, and will allow for and contribute to audits as further described in Section 14 of this DPA.

7. Technical and Organisational Security Measures (Schedule 2)

AI Agent Calls implements and maintains the following technical and organisational measures in accordance with UK GDPR Article 32:

7.1 Encryption in transit. All personal data transmitted between the Customer's browser and the Platform, and between Platform services and Sub-processors, is encrypted using TLS 1.3 as a minimum. TLS 1.2 is accepted only where required for legacy telephony carrier compatibility, with migration to TLS 1.3 enforced where technically feasible.

7.2 Encryption at rest. All personal data stored within AI Agent Calls' database infrastructure is encrypted at rest using AES-256 encryption. Call recordings stored by telephony Sub-processors are subject to equivalent encryption requirements imposed by contract.

7.3 Access controls. Access to systems and data is governed by the principle of least privilege. Staff are granted the minimum level of access necessary to perform their role. All administrative access to production systems requires multi-factor authentication (MFA). Access rights are reviewed at least quarterly and revoked promptly upon role change or departure.

7.4 Audit logging. AI Agent Calls maintains comprehensive audit logs of all access to personal data, including the identity of the person accessing the data, the timestamp, and the action performed. Audit logs are retained for a minimum of 12 months and are tamper-evident.

7.5 Penetration testing. AI Agent Calls commissions an independent penetration test of the Platform at least annually, conducted by a qualified third-party security firm. Identified critical and high-severity vulnerabilities are remediated within 30 days of discovery. Summary results of penetration tests are made available to Customers on request and subject to an appropriate non-disclosure agreement.

7.6 Vulnerability management. AI Agent Calls operates a continuous vulnerability management programme, including automated dependency scanning, security patch management, and a responsible disclosure policy. Critical security patches are applied within 72 hours of release; high-severity patches within 7 days.

7.7 Incident response. AI Agent Calls maintains a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. The plan is tested at least annually through tabletop exercises. The plan includes specific procedures for Personal Data Breach notification to Customers and, where applicable, to the ICO.

7.8 Business continuity and disaster recovery. AI Agent Calls maintains business continuity and disaster recovery plans with a target recovery time objective (RTO) of 4 hours and a recovery point objective (RPO) of 1 hour for critical Platform services. Backup integrity is tested at least monthly.

7.9 Staff training. All Authorised Persons receive mandatory data protection and information security training upon commencement of their engagement and at least annually thereafter. Role-specific training is provided to staff with access to personal data.

7.10 Data minimisation and pseudonymisation. AI Agent Calls applies data minimisation principles by design, collecting and processing only the personal data necessary for the specified purposes. Where technically feasible and appropriate, personal data within internal analytics systems is pseudonymised.

7.11 Automated retention enforcement. Data retention limits described in Section 13 are enforced automatically by the Platform. Scheduled deletion jobs run daily to remove data that has exceeded its retention period. Customers may configure custom retention periods within the limits permitted by this DPA.

7.12 Supplier security assessments. AI Agent Calls conducts security assessments of material Sub-processors prior to engagement and reviews such assessments annually, including review of relevant security certifications (such as SOC 2 Type II or ISO 27001) where available.

7.13 Physical security. AI Agent Calls' infrastructure is hosted in data centres operated by Sub-processors (see Section 8) that maintain appropriate physical access controls, environmental controls, and are certified to recognised standards including ISO 27001.

8. Sub-processors

8.1 Authorised Sub-processors. The Customer provides a general authorisation for AI Agent Calls to engage the Sub-processors listed in the table below. AI Agent Calls has entered into written data processing agreements with each Sub-processor imposing obligations equivalent to those in this DPA.

Sub-processorPurposeEntity & LocationTransfer Mechanism
Retell AI IncAI voice agent orchestration; real-time call transcriptionUSAUK IDTA; EU SCCs (Module 3)
Telnyx LLCTelephony carrier; call routing; call recording storageUSAUK IDTA; EU SCCs (Module 3)
DigitalOcean LLC / DigitalOcean UK LtdCloud infrastructure; database hosting; object storageUK / EU datacentresUK storage (adequate); EU adequacy
Anthropic PBCLarge language model processing (optional AI summary feature)USAUK IDTA; EU SCCs (Module 3)
ElevenLabs IncAI voice synthesis (optional custom voice feature)USAUK IDTA; EU SCCs (Module 3)
Resend IncTransactional email delivery (platform notifications)USAUK IDTA; EU SCCs (Module 3)

8.2 Changes to Sub-processors. AI Agent Calls will give the Customer at least 30 days' prior written notice (by email to the Customer's registered account email address or by in-platform notification) of any intended addition or replacement of Sub-processors. The notice will include the name of the Sub-processor, its location, the purpose of the processing, and the transfer mechanism to be used.

8.3 Customer right to object. The Customer may object to a new Sub-processor by notifying AI Agent Calls in writing within 14 days of receiving the notice, setting out the reasonable grounds for objection. AI Agent Calls will work in good faith to address the objection. If AI Agent Calls is unable to accommodate the objection and the Customer demonstrates that use of the new Sub-processor would materially impair the Customer's compliance with Applicable Data Protection Law, the Customer may terminate the Terms of Service on 30 days' written notice without liability for early termination charges.

8.4 Sub-processor liability. AI Agent Calls remains fully liable to the Customer for the performance of each Sub-processor's obligations to the extent that AI Agent Calls is liable under this DPA.

9. International Data Transfers

9.1 General. AI Agent Calls processes personal data primarily within the United Kingdom and European Economic Area. Where personal data is transferred outside the UK or EEA (including to US-based Sub-processors), AI Agent Calls ensures that appropriate transfer safeguards are in place as described in this Section.

9.2 UK-to-USA transfers. Transfers of personal data from the United Kingdom to US-based Sub-processors are governed by the ICO's International Data Transfer Agreement (IDTA), incorporated into the data processing agreements between AI Agent Calls and each US Sub-processor. AI Agent Calls conducts a transfer risk assessment (TRA) in respect of each such transfer and reviews TRAs at least annually or upon material change in the legal environment of the destination country.

9.3 EU-to-UK transfers. Where AI Agent Calls receives personal data from Customers established in EU member states, such transfers are made on the basis of the adequacy decision adopted by the European Commission in respect of the United Kingdom (Commission Implementing Decision (EU) 2021/1772 of 28 June 2021). AI Agent Calls will monitor the status of the UK adequacy decision and will implement alternative transfer safeguards promptly in the event that the decision is suspended, limited, or revoked.

9.4 EU-to-USA transfers via AI Agent Calls. Where AI Agent Calls is processing personal data of EU data subjects and onward transfers to US Sub-processors are necessary, such transfers are governed by the EU Standard Contractual Clauses (Commission Decision 2021/914/EU), Module 3 (Processor-to-Processor), incorporated into the relevant Sub-processor agreements. AI Agent Calls acts as data exporter in such transfers.

9.5 Copies of transfer mechanisms. The Customer may request a copy of the relevant executed transfer mechanisms (IDTA or SCCs) by emailing privacy@inteligencia-artificial.co.uk. AI Agent Calls will provide copies within 10 business days, subject to redaction of commercially sensitive information.

9.6 Monitoring. AI Agent Calls will monitor developments in international data transfer law in the UK and EU and will update the transfer mechanisms described in this Section as required. AI Agent Calls will notify Customers of material changes to transfer mechanisms within 30 days.

10. Personal Data Breach

10.1 Notification to Customer. AI Agent Calls will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting personal data processed on behalf of the Customer. Where it is not possible to provide full details within 72 hours, AI Agent Calls will provide an initial notification within that period and supplement it as further information becomes available.

10.2 Content of notification. To the extent known at the time of notification, and updated as information becomes available, AI Agent Calls' breach notification will include:

  • A description of the nature of the Personal Data Breach;
  • The categories and approximate number of Data Subjects affected;
  • The categories and approximate number of personal data records affected;
  • The name and contact details of the AI Agent Calls data protection contact;
  • A description of the likely consequences of the Personal Data Breach;
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

10.3 Cooperation. AI Agent Calls will cooperate with the Customer and provide reasonable assistance in connection with the Customer's obligations under UK GDPR Articles 33 and 34 to notify the ICO and, where required, Data Subjects. Such assistance will include providing updated information as AI Agent Calls' investigation progresses and completing requests for information in sufficient time to allow the Customer to comply with the 72-hour notification deadline to the ICO.

10.4 Customer responsibility. The Customer is solely responsible for determining whether and when to notify the ICO under UK GDPR Article 33, whether and when to notify Data Subjects under UK GDPR Article 34, and the content of any such notifications. AI Agent Calls' notification to the Customer does not constitute an admission of fault or liability.

10.5 Reporting channel. AI Agent Calls' security incident reports should be directed to privacy@inteligencia-artificial.co.uk. AI Agent Calls will designate a named point of contact for each material Personal Data Breach.

11. Data Subject Rights Assistance

11.1 Technical assistance. Taking into account the nature of the processing and information available to AI Agent Calls, AI Agent Calls will provide reasonable technical assistance to the Customer to fulfil its obligations to respond to the following categories of Data Subject rights requests under Applicable Data Protection Law:

  • Right of access (UK GDPR Article 15): retrieval of personal data held about a specific Data Subject;
  • Right to rectification (UK GDPR Article 16): correction of inaccurate personal data;
  • Right to erasure (UK GDPR Article 17): deletion of a Data Subject's personal data from the Platform;
  • Right to restriction of processing (UK GDPR Article 18);
  • Right to data portability (UK GDPR Article 20): export of personal data in a structured, commonly used, machine-readable format;
  • Right to object (UK GDPR Article 21): suppression of a Data Subject from future campaigns.

11.2 Response timescales. AI Agent Calls will respond to the Customer's written requests for assistance with DSARs and data subject rights requests within 5 business days. AI Agent Calls will use reasonable endeavours to provide the requested assistance within a timeframe that allows the Customer to respond to the Data Subject within the applicable statutory deadline (ordinarily one calendar month from receipt of the request by the Customer).

11.3 Charges. AI Agent Calls will not charge the Customer for reasonable assistance with data subject rights requests. AI Agent Calls reserves the right to charge at its standard professional services rate for assistance that is manifestly unfounded or excessive, having given the Customer prior written notice.

11.4 Opt-out and DNC management. Where AI Agent Calls is notified of a Data Subject's right to object to direct marketing or a request to be added to a do-not-call list, AI Agent Calls will flag the relevant record in the Platform and ensure that the number is suppressed from future campaign dials within 24 hours of notification. Opt-out records are retained for 5 years to prevent inadvertent re-inclusion.

12. Data Protection Impact Assessments

12.1 Customer responsibility. The Customer is responsible for determining whether a DPIA is required in respect of processing activities carried out through the Platform and for conducting such DPIAs in accordance with UK GDPR Article 35.

12.2 AI Agent Calls cooperation. Where AI Agent Calls' processing activities are within the scope of the Customer's DPIA, AI Agent Calls will cooperate with and provide reasonable assistance to the Customer in conducting the DPIA, including by providing documentation of the TOMs implemented by AI Agent Calls, information about Sub-processors and international transfers, and information about the residual risks identified by AI Agent Calls in connection with the Platform.

12.3 Prior consultation. If the outcome of a DPIA indicates a high residual risk that cannot be mitigated and the Customer determines that prior consultation with the ICO is required under UK GDPR Article 36, AI Agent Calls will cooperate with any ICO consultation process to the extent that AI Agent Calls' processing is relevant.

12.4 AI Agent Calls' own DPIA. AI Agent Calls maintains its own internal DPIA in respect of the Platform's processing activities. A summary of this DPIA is available to Customers on written request and subject to an appropriate non-disclosure agreement.

13. Retention and Deletion

13.1 Default retention periods. Subject to the Customer's configuration and any applicable regulatory obligation, AI Agent Calls applies the following default retention periods:

  • Call recordings (audio): 90 days from the date of the call, after which recordings are permanently deleted;
  • Call transcripts (text): 90 days from the date of the call;
  • AI-generated summaries and sentiment scores: 90 days from the date of generation;
  • Consent records and opt-out preferences: 5 years from the date of recording, to comply with regulatory obligations;
  • Contact lists and campaign data: retained for the duration of the subscription and deleted 30 days after termination;
  • Call metadata: 12 months from the date of the call;
  • Platform access logs (including IP addresses): 12 months.

13.2 Extended retention for regulated sectors. Customers operating in regulated sectors (including financial services, insurance, and healthcare) may configure extended retention periods for call recordings and transcripts of up to 7 years, in order to comply with sector-specific regulatory requirements (including FCA COBS 11.8 and MiFID II Article 16(7) obligations). Extended retention must be enabled by the Customer in the Platform settings and is the Customer's responsibility to configure correctly.

13.3 Earlier deletion on request. The Customer may request deletion of specific personal data (including individual Data Subject records, entire contact lists, or all data relating to a specific campaign) at any time during the subscription term by raising a request through the Platform or by writing to privacy@inteligencia-artificial.co.uk. AI Agent Calls will confirm completion of deletion in writing within 30 days of the request.

13.4 Deletion on termination. Upon termination or expiry of the Terms of Service, AI Agent Calls will, at the Customer's election (to be notified before or within 30 days after termination): (a) export and return all personal data to the Customer in a structured, machine-readable format within 30 days of the termination date; or (b) permanently delete all personal data within 30 days of the termination date. AI Agent Calls will provide a written certification of deletion to the Customer upon completion. Where no election is made within 30 days of termination, AI Agent Calls will delete all personal data.

13.5 Backup retention. Notwithstanding the above, encrypted backup copies of data may be retained for up to 30 additional days beyond the applicable deletion deadline, reflecting standard backup rotation cycles. AI Agent Calls will use reasonable technical measures to exclude data subject to a deletion request from backups at the point of next backup rotation.

13.6 Regulatory retention obligations. Nothing in this Section requires AI Agent Calls to delete personal data where AI Agent Calls is required to retain it by applicable law or a binding order of a court or regulatory authority, provided that AI Agent Calls will notify the Customer of such requirement to the extent permitted by law.

14. Audit Rights

14.1 Information provision. AI Agent Calls will, upon written request from the Customer, make available to the Customer all information reasonably necessary to demonstrate AI Agent Calls' compliance with the obligations of a Processor under Applicable Data Protection Law and this DPA, including copies of relevant certifications, security assessment summaries, and Sub-processor data processing agreements (subject to redaction of commercially sensitive information).

14.2 Audit entitlement. The Customer may, upon giving at least 30 days' prior written notice to AI Agent Calls, conduct or commission an independent audit of AI Agent Calls' data processing activities relevant to this DPA. Audits are limited to once per calendar year, unless a Personal Data Breach has occurred, in which case an additional audit directly related to the breach may be conducted within 6 months of the breach.

14.3 Audit process. Audits must be conducted during normal business hours (Monday to Friday, 09:00–17:00 GMT/BST, excluding UK public holidays) in a manner that does not unreasonably disrupt AI Agent Calls' operations. The Customer must provide AI Agent Calls with a written audit scope in advance. AI Agent Calls may satisfy an audit request by providing the Customer with a current independent third-party audit report (such as SOC 2 Type II or ISO 27001 audit report) covering the relevant systems and controls, in lieu of a direct audit.

14.4 Cost. The costs of the audit (including any fees charged by AI Agent Calls for staff time, at AI Agent Calls' published professional services rates, and the costs of any third-party auditors engaged by the Customer) are borne by the Customer.

14.5 Competitor restriction. AI Agent Calls may refuse access to any third-party auditor who is a direct competitor of AI Agent Calls in the AI outbound calling market, or who has not signed a confidentiality agreement acceptable to AI Agent Calls in terms no less stringent than AI Agent Calls' standard non-disclosure agreement.

14.6 Confidentiality of results. All audit results, findings, and reports are the confidential information of both parties and shall be used solely for the purpose of verifying compliance with this DPA.

15. Liability

15.1 Alignment with Terms of Service. The liability of each party under or in connection with this DPA, including any breach of the data protection obligations contained herein, is subject to the same exclusions and limitations of liability as set out in the Terms of Service.

15.2 Controller liability for instructions. The Customer is solely responsible and liable for: (a) the accuracy, completeness, and lawfulness of any personal data uploaded to the Platform; (b) the lawfulness of the instructions given to AI Agent Calls; and (c) compliance with the Customer's obligations set out in Section 5 of this DPA. AI Agent Calls' liability under this DPA shall be reduced to the extent that a loss or liability arises from the Customer's instructions, breach of this DPA, or non-compliance with Applicable Data Protection Law.

15.3 Nothing in this DPA limits or excludes either party's liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded by law.

15.4 Regulatory fines. Each party is solely responsible for any regulatory fines imposed on it by a Supervisory Authority in respect of its own breach of Applicable Data Protection Law. Where a fine is apportioned between the parties, liability is determined in accordance with the allocation of fault. The parties will cooperate and consult with each other in good faith in the event of any Supervisory Authority investigation or enforcement action arising from the processing activities described in this DPA.

16. Term and Termination

16.1 Term. This DPA takes effect on the date the Customer accepts the Terms of Service (or the date a DPA-specific order form is executed by both parties, if later) and continues in force until the termination or expiry of the Terms of Service, subject to the survival provisions below.

16.2 Termination. This DPA terminates automatically and simultaneously with the termination or expiry of the Terms of Service for any reason. Neither party may terminate this DPA independently of the Terms of Service.

16.3 Survival. The following provisions survive termination or expiry of this DPA: Section 6.8 (deletion and return of data); Section 10 (Personal Data Breach, in respect of breaches discovered after termination); Section 13 (Retention and Deletion); Section 14 (Audit Rights, in respect of audit rights accruing before termination); Section 15 (Liability); and Section 17 (Governing Law).

16.4 Effect of termination on processing. On and from the termination date, AI Agent Calls will cease all processing of personal data on behalf of the Customer (other than processing required to fulfil its deletion and return obligations under Section 13) as soon as reasonably practicable and in any event within 30 days.

17. Governing Law and Jurisdiction

17.1 Governing law. This DPA is governed by and construed in accordance with the laws of England and Wales. Where the Customer is an EU-established entity and EU GDPR applies to the relevant processing, the parties acknowledge that EU GDPR requirements shall apply to that processing alongside the obligations of this DPA, and any conflict between UK GDPR and EU GDPR requirements shall be resolved in the manner most protective of Data Subject rights.

17.2 Jurisdiction. Each party irrevocably submits to the exclusive jurisdiction of the courts of England and Wales in respect of any dispute or claim arising out of or in connection with this DPA, save that either party may seek urgent injunctive or other interim relief in any court of competent jurisdiction.

17.3 Supervisory Authority. AI Agent Calls' lead Supervisory Authority is the Information Commissioner's Office. The Customer's lead Supervisory Authority will depend on the Customer's establishment. The parties will cooperate and notify each other of any Supervisory Authority inquiry or investigation relating to processing under this DPA.

18. Precedence

18.1 In the event of any conflict or inconsistency between this DPA and the Terms of Service, or any other agreement between the parties, the provisions of this DPA shall prevail with respect to the subject matter of data protection and the processing of personal data.

18.2 In the event of any conflict or inconsistency between the body of this DPA and any schedule or appendix to it, the body of the DPA shall prevail unless the schedule or appendix expressly states otherwise.

18.3 Nothing in this Section prevents the parties from agreeing in writing to vary the provisions of this DPA, provided that any such variation is set out in a signed written amendment and expressly identifies the provision of this DPA being amended.

19. General

19.1 Entire agreement. This DPA (together with the Terms of Service and any order forms) constitutes the entire agreement between the parties with respect to the processing of personal data in connection with the Platform, and supersedes all prior discussions, representations, and agreements relating to that subject matter.

19.2 Severability. If any provision of this DPA is found to be invalid or unenforceable by a court of competent jurisdiction, that provision shall be deemed modified to the minimum extent necessary to make it valid and enforceable. The remaining provisions of this DPA shall continue in full force and effect.

19.3 No waiver. Failure by either party to enforce any provision of this DPA shall not constitute a waiver of that party's right to enforce that provision or any other provision of this DPA at any time.

19.4 Notices. All notices under this DPA shall be in writing. Notices to AI Agent Calls relating to data protection matters should be addressed to privacy@inteligencia-artificial.co.uk. Notices to the Customer will be sent to the email address registered with the Customer's account.

19.5 Updates. AI Agent Calls may update this DPA from time to time to reflect changes in law, regulatory guidance, or the Platform. AI Agent Calls will provide at least 30 days' prior written notice of material changes. The current version of this DPA is always available at voiceops.ai/dpa. Continued use of the Platform after the effective date of an update constitutes acceptance.

Inteligencia Artificial Limited · Registered in England and Wales · Terms of Service → · Privacy Policy →

Data protection enquiries: privacy@inteligencia-artificial.co.uk