Data Processing Agreement
Between CallPilot Voice (“Processor”) and the customer business (“Controller”). This template forms part of our Terms when you subscribe. Have it reviewed by your own adviser before relying on it.
1. Roles
The customer is the data controller of personal data relating to its callers and customers. CallPilot Voice is the data processor, processing that data only on the controller's documented instructions and as needed to provide the service (answering calls, taking bookings, alerting the owner).
2. Subject matter & duration
Processing lasts for the term of the subscription. On termination we delete or return personal data within 30 days, except where law requires retention.
3. Nature & purpose of processing
Receiving and answering inbound calls with an AI assistant; recording and transcribing calls; creating and managing appointments; and notifying the business owner of bookings.
4. Categories of data & data subjects
- Data subjects: the controller's callers and customers.
- Personal data: name, phone number, email (if given), call audio and transcript, appointment details and any information the caller volunteers.
- No special-category data is intentionally collected.
5. Processor obligations
- Process only on documented instructions from the controller.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organisational security measures (encryption in transit, access controls, least privilege).
- Assist the controller with data-subject requests and breach duties.
- Notify the controller without undue delay after becoming aware of a personal-data breach.
- Delete or return data at the end of the service.
6. Sub-processors
The controller authorises the following sub-processors. We will give notice before adding or replacing a sub-processor so the controller may object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Telnyx | Telephony, voice AI, SMS | EU/UK/US |
| Google (Calendar) | Appointment scheduling | EU/US |
| Vercel | Application hosting | EU/US |
| Stripe | Billing (no caller data) | EU/US |
7. International transfers
Where personal data is transferred outside the UK/EEA, it is covered by the UK International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses, or another approved safeguard.
8. Security & audits
We maintain reasonable, industry-standard security and will provide information necessary to demonstrate compliance on reasonable request.
9. Liability
Each party's liability under this DPA is subject to the limitations in the main subscription agreement.
This is a starter template, not legal advice. Have it reviewed by a UK data-protection adviser before relying on it. Contact: privacy@callpilotvoice.co.uk.