Data Processing Agreement
Version 1.0, effective 2026-04-30. Read alongside the privacy policy.
1. Preamble and parties
1.1 Parties
This data processing agreement (the "DPA") is entered into between:
(1) AutomateIT Online Ltd, a private company limited by shares incorporated in England and Wales under company number 17096237, with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ ("AutomateIT", the "Processor"); and
(2) the customer who accepts this DPA electronically at the point of signup or by continuing to use the AutomateIT platform after a material change is notified (the "Customer", the "Controller"),
each a "party" and together the "parties".
1.2 Effective date
This DPA takes effect on the date the Customer accepts it electronically at signup (the "Effective Date"). Acceptance is recorded against the Customer's account.
1.3 Background
(a) The Customer has signed up to AutomateIT's AI phone agent service (the "Service"), under which AutomateIT receives, routes, records, transcribes and analyses inbound calls placed to a UK number associated with the Customer.
(b) In providing the Service, AutomateIT processes personal data of the Customer's end-callers and other individuals on the Customer's behalf.
(c) The parties enter into this DPA to satisfy Article 28(3) UK GDPR and record the obligations that apply when AutomateIT processes personal data as the Customer's processor.
1.4 Director and accountable person
The director accountable for data protection matters is Ivan Aguilar Mari, ivan@automateitonline.co.uk (with privacy@automateitonline.co.uk as the alternative address for data protection notices). AutomateIT is registered with the Information Commissioner under ZC129488.
1.5 Order of acceptance
The Customer must accept this DPA before AutomateIT routes any inbound call to the Customer's account. Acceptance is a precondition of the Service.
2. Definitions
In this DPA, the following terms have the meanings given to them below. Other capitalised terms have the meaning given to them in the UK GDPR.
"Applicable Data Protection Law" means, as in force from time to time: (a) the UK GDPR (as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection Act 2018 and the Data (Use and Access) Act 2025); (b) the Data Protection Act 2018; (c) the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"); and (d) binding guidance issued by the Information Commissioner's Office.
"Controller", "Data Subject", "Personal Data", "Personal Data Breach" and "Processor" have the meanings given in Article 4 UK GDPR. Under this DPA the Customer is the Controller and AutomateIT is the Processor of Customer Personal Data.
"Customer Personal Data" means personal data that AutomateIT processes on the Customer's behalf in providing the Service. It includes End-Caller Personal Data and any other personal data the Customer routes through the Service. It does not include personal data the Customer provides for AutomateIT's own controller purposes (account registration, billing, feedback submissions), which are governed by AutomateIT's privacy policy, not this DPA.
"Director" means the director of AutomateIT accountable for data protection matters from time to time, identified at the Effective Date in clause 1.4.
"DPA 2018" means the Data Protection Act 2018.
"End-Caller" means a member of the public who places an inbound call to the Customer's AutomateIT-allocated number, or who is routed through the Service in connection with that call. "End-Caller Personal Data" means personal data of End-Callers processed under this DPA.
"IDTA" means the International Data Transfer Agreement issued by the Information Commissioner under section 119A of the DPA 2018.
"Restricted Transfer" means a transfer of personal data from the United Kingdom restricted under Chapter V of the UK GDPR.
"Service" has the meaning given in clause 1.3.
"Special Category Data" means personal data within Article 9(1) UK GDPR, and includes criminal-offence data within Article 10 UK GDPR where the context requires.
"Sub-processor" means any third party directly engaged by AutomateIT to process Customer Personal Data in providing the Service.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from 21 March 2022, issued by the Information Commissioner under section 119A of the DPA 2018.
"UK GDPR" has the meaning given in section 3(10) of the DPA 2018.
"UK-US Data Bridge" means the United Kingdom Extension to the EU-US Data Privacy Framework as approved by the UK adequacy regulations in force from 12 October 2023, applied to US recipients self-certified to the EU-US Data Privacy Framework with the UK Extension.
References to legislation are to that legislation as amended, replaced, consolidated or re-enacted from time to time. Headings are for convenience only and do not affect interpretation.
3. Subject matter and duration of the processing
3.1 Subject matter (Article 28(3) UK GDPR)
The subject matter of the processing is the operation of the Service for the Customer, comprising the receipt, routing, recording, transcription, classification and post-call analysis of inbound telephone calls placed to the Customer's AutomateIT number, together with the related transactional outputs (booking confirmations, payment links, calendar events, callback records and dashboard records) generated by or through the Service.
3.2 Duration
This DPA is effective from the Effective Date and continues for so long as AutomateIT processes Customer Personal Data on the Customer's behalf. It survives termination of the Customer's account for the period set out in clause 11 (term, termination and survival) and for any longer period required by law.
3.3 Annex 1 controls
Annex 1 to this DPA sets out, in the form required by Article 28(3) UK GDPR, the nature and purpose of the processing, the type of Personal Data, the categories of Data Subjects, the duration of the processing, the obligations and rights of the Controller, and the documented instructions of the Controller.
4. Nature and purpose of the processing
4.1 Nature of the processing
The processing comprises the following operations performed by AutomateIT or its Sub-processors: (a) receiving inbound calls placed to the Customer's AutomateIT number; (b) routing those calls to AutomateIT's AI agent; (c) recording the call audio; (d) speech-to-text transcription; (e) automated classification of the call (intent, outcome, sentiment and emergency status); (f) creating job, callback and call records on the Service database; (g) sending transactional SMS to End-Callers on the Customer's instructions (booking confirmations, payment links, follow-ups); (h) creating Google Calendar events on the Customer's connected calendar where instructed; (i) creating Stripe Checkout Sessions on the Customer's connected Stripe account where instructed (no card data); (j) making the resulting records available to the Customer through the dashboard and APIs; (k) post-call analytics over the Customer's own data; and (l) ancillary processing necessary to operate, secure, support, back up and bill the Service.
4.2 Purpose of the processing
The purpose of the processing is to provide the Service to the Customer in accordance with the customer terms of service and the Customer's documented instructions, so that the Customer can take inbound business calls, capture jobs and bookings, take deposits, and operate their trade business.
4.3 Documented instructions
The Customer's documented instructions consist of: (a) this DPA and its Annexes; (b) the customer terms of service; (c) the configuration choices the Customer makes during onboarding and in Settings (including working hours, recording, classification, voice, escalation contacts, deposit rules and SMS preferences); (d) any specific written instructions the Customer sends to ivan@automateitonline.co.uk; and (e) any in-product action that constitutes a processing instruction (for example, requesting playback of a recording, exporting data, or deleting a record).
AutomateIT processes Customer Personal Data only on those documented instructions, except where otherwise required by UK law. In that case AutomateIT will inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.4 Unlawful instructions
AutomateIT will inform the Customer without undue delay if, in its opinion, an instruction infringes Applicable Data Protection Law. AutomateIT may refuse to act on an instruction it reasonably considers unlawful and will not be in breach of this DPA for that refusal.
5. Type of personal data
5.1 Categories of personal data
The categories of personal data processed under this DPA are set out in full in Annex 1. They include:
(a) the End-Caller's telephone number, as supplied by Twilio in the call signalling; (b) the audio recording of the call and the speech-to-text transcript; (c) the AI's post-call summary, outcome label, sentiment classification and emergency classification; (d) the End-Caller's name, address, postcode, email address and any other identifying information the End-Caller provides during the conversation; (e) booking and job details captured during the call (service requested, scheduled date and time, deposit amount, deposit status); (f) outbound SMS message metadata (sender, recipient, time, status) for messages AutomateIT sends on the Customer's instructions; (g) calendar event metadata (event identifier, start, end, attendee where supplied) for events written to the Customer's connected Google Calendar; (h) Stripe Checkout Session references (session identifier, amount, status); no payment card data is processed; and (i) call traffic and cost metadata (duration, cost, time of day) for billing and analytics on the Customer's own data.
5.2 Special category and criminal-offence data
The Service is not designed to elicit Special Category Data. AutomateIT acknowledges that Special Category Data may be incidentally captured in a call recording or transcript where an End-Caller volunteers it (most commonly health information shared during an emergency) and that criminal-offence data within Article 10 UK GDPR may similarly be incidentally captured. The Customer is responsible for identifying any Article 9(2) condition and any associated DPA 2018 Schedule 1 condition under which it processes such data as Controller, and for any onward use of the recording or transcript. AutomateIT processes such data only on the Customer's instructions and only to the extent necessary to provide the Service.
5.3 Payment card data
AutomateIT does not collect, store, transmit or otherwise process payment card data. Where the Service creates a Stripe Checkout Session, the End-Caller enters their card details directly with Stripe; only the resulting session reference is stored.
6. Categories of Data Subjects
6.1 Primary category
The primary category of Data Subject is the End-Caller. End-Callers are predominantly UK residents who place inbound calls to the Customer's AutomateIT number. End-Callers have no direct contractual relationship with AutomateIT.
6.2 Other categories
Other categories of Data Subject whose Personal Data may be incidentally processed include:
(a) third parties about whom an End-Caller speaks during a call (for example, a partner, a tenant, a property owner); (b) the Customer's own staff or agents whose contact details are configured as escalation contacts or who appear in the call; (c) third parties whose phone numbers the Customer routes through the Service (for example, a callback that loops in a sub-contractor); and (d) any other natural person whose personal data is included in a record the Customer creates or stores through the Service.
7. Obligations and rights of the Customer (Controller)
7.1 Lawful basis
The Customer is responsible for identifying and documenting the lawful basis under Article 6 UK GDPR (and, where applicable, Article 9 UK GDPR or Article 10 UK GDPR) for its processing of Customer Personal Data. AutomateIT does not select that lawful basis on the Customer's behalf.
7.2 Notice to End-Callers
(a) AutomateIT injects a short pre-call recording disclosure into the Customer's agent at the start of every inbound call ("One quick thing, calls are recorded for quality.") as the auto-injected pre-call recording disclosure built into the Service. The Customer cannot accidentally remove this disclosure from their saved greeting.
(b) The disclosure is the minimum AutomateIT delivers on the Customer's behalf. The Customer remains responsible, as Controller, for any further notice obligations to End-Callers under Articles 13 or 14 UK GDPR, including a written privacy notice on the Customer's own website explaining how the Customer uses recordings, transcripts and any onward processing.
7.3 Configuration as instruction
The Customer's configuration choices in the onboarding wizard and in Settings (including, but not limited to, working hours, emergency scenarios, escalation contacts, deposit rules, SMS preferences and voice selection) constitute the Customer's documented instructions to AutomateIT as to how Customer Personal Data is to be processed. The Customer must keep those configuration choices up to date.
7.4 No unlawful instructions
The Customer must not instruct AutomateIT to process Customer Personal Data in a manner that would breach Applicable Data Protection Law. The Customer warrants that the documented instructions in clause 4.3, taken together, are sufficient to enable AutomateIT to provide the Service in compliance with Applicable Data Protection Law.
7.5 Customer warranties
The Customer warrants that: (a) it has provided, or will provide before any processing under this DPA begins, all notices and (where required) obtained all consents necessary for AutomateIT to provide the Service lawfully on its behalf; (b) it has identified an Article 6 UK GDPR lawful basis (and, where applicable, an Article 9 condition and a DPA 2018 Schedule 1 condition) for its processing of Customer Personal Data; (c) the Customer Personal Data has been collected and is provided to AutomateIT in accordance with Applicable Data Protection Law; (d) it has the authority to provide AutomateIT with the documented instructions in clause 4.3 and any further written instructions; and (e) it will respond to End-Caller requests under Chapter III UK GDPR within the timelines in Article 12 UK GDPR.
8. Processor obligations under Article 28(3) UK GDPR
This clause 8 contains the obligations that Article 28(3)(a) to (h) UK GDPR requires the Processor to undertake. Each sub-clause maps to the corresponding sub-paragraph of Article 28(3).
8.1 Documented instructions only (Art 28(3)(a))
(a) AutomateIT processes Customer Personal Data only on the documented instructions of the Customer set out in clause 4.3, including with regard to transfers of Customer Personal Data to a third country or an international organisation, unless required to do so by United Kingdom law to which AutomateIT is subject.
(b) Where AutomateIT is required by United Kingdom law to process Customer Personal Data otherwise than on the Customer's instructions, AutomateIT will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
8.2 Confidentiality (Art 28(3)(b))
AutomateIT ensures that any natural person authorised to process Customer Personal Data under this DPA, including the Director, has committed themselves to confidentiality or is under an appropriate statutory obligation of confidentiality. The Director's confidentiality is documented in a written undertaking to AutomateIT Online Ltd, retained in the company minute book. Any future personnel will be required to enter equivalent confidentiality undertakings before being authorised to process Customer Personal Data.
8.3 Security (Art 28(3)(c) and Art 32 UK GDPR)
(a) AutomateIT implements the technical and organisational measures set out in Annex 3 to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risk of varying likelihood and severity to the rights and freedoms of natural persons.
(b) AutomateIT regularly tests, assesses and evaluates the effectiveness of those measures and updates Annex 3 from time to time. Updates to Annex 3 do not lower the overall level of protection. The current Annex 3 is the version published on the Effective Date; the most recent version is available on request at ivan@automateitonline.co.uk.
8.4 Sub-processors (Art 28(3)(d) and Art 28(2) and (4))
(a) General authorisation. The Customer grants AutomateIT a general written authorisation under Article 28(2) UK GDPR to engage the Sub-processors listed in Annex 2.
(b) Notification of changes. AutomateIT will inform the Customer of any intended addition or replacement of a Sub-processor at least 30 days before the new Sub-processor begins processing Customer Personal Data, by updating Annex 2 (or the privacy policy section it references) and notifying the Customer by email.
(c) Right to object. The Customer may object on reasonable data-protection grounds within the 30-day notice window by written notice to ivan@automateitonline.co.uk. The parties will discuss the objection in good faith. If no resolution is agreed within 14 days, the Customer may, as its sole and exclusive remedy, terminate the account in accordance with the customer terms of service. Where AutomateIT must replace a Sub-processor on shorter notice for security or continuity reasons, AutomateIT will notify the Customer as soon as reasonably practicable. Nothing in this clause limits any non-excludable rights the Customer has under the Consumer Rights Act 2015 or other applicable consumer-protection law, or any direct rights a Data Subject has under Article 82 UK GDPR.
(d) Flow-down and liability. AutomateIT imposes on each Sub-processor, by written contract, data protection obligations no less protective than those in this DPA, providing sufficient guarantees under Article 28(4) UK GDPR. Where a Sub-processor fails to fulfil its data protection obligations, AutomateIT remains fully liable to the Customer.
8.5 Data subject rights assistance (Art 28(3)(e))
(a) Taking into account the nature of the processing, AutomateIT assists the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the UK GDPR.
(b) Where AutomateIT receives a rights request directly from an End-Caller or other Data Subject in respect of Customer Personal Data, AutomateIT will:
(i) acknowledge receipt of the request to the requester; (ii) forward the request to the Customer within 5 working days; and (iii) on request, provide the Customer with the information needed to respond to the request within the Customer's own one-month deadline under Article 12(3) UK GDPR.
(c) AutomateIT will not respond substantively to such a request itself except where (i) the Customer instructs AutomateIT to do so, (ii) the Customer fails to respond within a reasonable period and AutomateIT considers a response is required to comply with Applicable Data Protection Law, or (iii) AutomateIT is acting as Controller of the data in question (in which case the privacy policy applies, not this DPA).
(d) AutomateIT will provide the standard assistance in this clause at no additional charge. Where a Customer's request requires bespoke engineering or operational effort beyond the standard self-service tooling exposed in the dashboard, AutomateIT may charge for that bespoke effort at its then-current professional rates, on prior written notice and with the Customer's prior agreement.
8.6 Other processor-side assistance (Art 28(3)(f); Articles 32 to 36)
(a) Security assistance. Taking into account the nature of the processing and the information available to AutomateIT, AutomateIT assists the Customer in ensuring compliance with the obligations under Articles 32 to 36 UK GDPR.
(b) Personal Data Breach notification. Where AutomateIT becomes aware of a Personal Data Breach affecting Customer Personal Data, AutomateIT will notify the Customer without undue delay and in any event within 24 hours of becoming aware. The notification will include, to the extent then known, the information described in Article 33(3) UK GDPR (the nature of the breach, categories and approximate number of Data Subjects, categories and approximate number of records, likely consequences and the measures taken or proposed). AutomateIT will provide further information as it becomes available so that the Customer can meet its own 72-hour notification deadline to the Information Commissioner under Article 33(1) UK GDPR.
All time periods in this clause refer to calendar hours, not working hours. The 24-hour Customer notification commitment runs from the Director's confirmation that a Personal Data Breach has occurred, on a calendar-hour basis.
(c) DPIA assistance. AutomateIT assists the Customer with any data protection impact assessment under Article 35 UK GDPR and with any prior consultation with the Information Commissioner under Article 36 UK GDPR, in each case to the extent the assistance relates to AutomateIT's processing of Customer Personal Data and is reasonably required.
8.7 Deletion or return at termination (Art 28(3)(g))
(a) On termination of the Customer's account, AutomateIT will, at the Customer's choice, delete or return all Customer Personal Data to the Customer and delete existing copies, unless United Kingdom law requires storage of the Personal Data.
(b) The Customer's choice between deletion and return is recorded in writing at termination. If the Customer does not record a choice within 30 days of termination, deletion is the default. AutomateIT will send at least one reminder before the 30-day deadline.
(c) Deletion is performed within 30 days of the termination of the Customer's account, in accordance with the data retention policy at docs/legal/data-retention-policy.md (in particular section 5 of that policy, "customer-cancellation deletion flow"). Residual copies in time-limited backups age out on the backup window described in section 6 of the data retention policy and are not retroactively scrubbed; this is the position accepted by the Information Commissioner.
As at the Effective Date, the cancellation flow described in the data retention policy section 5 is (proposed). Until the automated cancelled_at column and retention cron ship, deletion is performed manually within 30 days; the manual process is documented in the data retention policy section 11 and supervised by the Director.
(d) AutomateIT may retain Customer Personal Data after termination only to the extent and for the period required by United Kingdom law (including, in particular, the obligation to retain accounting records for 6 years under Schedule 18 paragraph 21 of the Finance Act 1998 (corporation tax records) and Regulation 31 of the VAT Regulations 1995 (VAT records); the Companies Act 2006 section 388 requires 3 years but the longer HMRC obligation governs), and only for that legal purpose. In that case, the technical and organisational measures in Annex 3 continue to apply for as long as the data is held.
8.8 Audit and information rights (Art 28(3)(h))
(a) Information rights. AutomateIT makes available to the Customer all information necessary to demonstrate compliance with Article 28 UK GDPR. This is provided, by default, by means of:
(i) this DPA, together with the privacy policy and the data retention policy referenced in it; (ii) the current Annex 2 (Sub-processors) and Annex 3 (technical and organisational measures); (iii) on request, copies of relevant Sub-processor data processing addenda or written attestations of compliance; and (iv) on request, the most recent Article 30 record of processing activities for the Service insofar as it relates to Customer Personal Data, redacted as necessary to protect other customers' personal data and AutomateIT's legitimate confidentiality interests.
(b) Audit rights. AutomateIT allows for and contributes to audits conducted by the Customer or another auditor mandated by the Customer, on the following basis:
(i) ordinarily, audit obligations are satisfied by the Customer's review of the documents listed in clause 8.8(a);
(ii) where the Customer reasonably considers the documentation insufficient, the Customer may request a written response to specific questions, which AutomateIT will provide within 30 days;
(iii) where the Customer reasonably considers the written response insufficient, the Customer may request an on-site or remote audit, on at least 30 days' written notice, no more than once in any 12-month period (other than where the law or the Information Commissioner requires otherwise, or where there has been a Personal Data Breach affecting the Customer's data within the preceding 12 months); audits must be conducted during normal business hours, must not unreasonably interfere with AutomateIT's operations, and must not access other customers' personal data or AutomateIT's confidential business information; the Customer (and any third-party auditor) must sign appropriate confidentiality undertakings before the audit begins; and
(iv) the Customer bears its own costs and reimburses AutomateIT for time reasonably spent at AutomateIT's then-current professional rates, unless the audit reveals a material breach of this DPA by AutomateIT, in which case AutomateIT bears its own costs.
(c) Nothing in this clause 8.8 limits the Information Commissioner's audit and information rights under the DPA 2018.
9. International transfers
9.1 General
Customer Personal Data is processed primarily in the United Kingdom and the EEA, with controlled transfers to the United States to Sub-processors as described in Annex 4. Where transfers outside the United Kingdom are made, AutomateIT relies on the transfer mechanisms in Annex 4.
9.2 General authorisation for transfers
The Customer grants AutomateIT a general written authorisation, on the Customer's behalf as Controller, to enter into the transfer mechanisms in Annex 4 with the Sub-processors listed in Annex 2 to the extent those Sub-processors are located outside the UK or process Customer Personal Data outside the UK. This includes reliance on the UK-US Data Bridge where the Sub-processor is DPF-certified, and execution of the UK Addendum or the IDTA where it is not.
9.3 Transfer Risk Assessments
For each Sub-processor where AutomateIT relies on the UK Addendum or the IDTA rather than on the UK-US Data Bridge or another adequacy mechanism, AutomateIT completes a Transfer Risk Assessment in line with ICO guidance. The register is held by the Director and is available to the Customer and to the Information Commissioner on written request.
9.4 Customer onward transfers
The Customer must not instruct AutomateIT to make a Restricted Transfer not covered by Annex 4 without first agreeing the additional transfer mechanism in writing.
9.5 Loss of adequacy
If a transfer mechanism in Annex 4 ceases to be available, AutomateIT will, without undue delay, put in place an alternative mechanism approved under Chapter V UK GDPR or, where none is available, suspend the affected processing.
10. Liability
10.1 Article 82 UK GDPR
AutomateIT is liable for the damage caused by the processing only where (a) it has not complied with obligations of Applicable Data Protection Law specifically directed to processors, or (b) it has acted outside or contrary to the lawful instructions of the Customer, in each case as set out in Article 82(2) UK GDPR.
10.2 Indemnification
Subject to the customer terms of service, each party indemnifies the other against fines, penalties and direct losses suffered by the indemnified party as a result of the indemnifying party's breach of Applicable Data Protection Law, to the extent that breach is attributable to the indemnifying party.
10.3 Customer terms of service
The cap on liability and other limitations and exclusions of liability in the customer terms of service apply to the parties' respective liabilities under this DPA, except that nothing in this DPA or the customer terms of service limits a party's liability for the matters that cannot be limited by law (including liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, and any liability that cannot be limited under Applicable Data Protection Law).
10.4 Article 82(4) joint and several liability
Where Article 82(4) UK GDPR applies, each party is liable for the entire damage to the affected Data Subject in order to ensure effective compensation, and the parties may then settle responsibility between themselves in accordance with Article 82(5) UK GDPR.
11. Term, termination and survival
11.1 Term
This DPA takes effect on the Effective Date and continues for so long as AutomateIT processes Customer Personal Data on the Customer's behalf.
11.2 Termination
This DPA terminates automatically on the later of:
(a) closure of the Customer's account in accordance with the customer terms of service; and
(b) the completion of the deletion or return of Customer Personal Data under clause 8.7.
11.3 Survival
The following clauses survive termination of this DPA: (a) clause 8.7 (deletion or return), until completed and any retention required by law has expired; (b) clause 8.8 (audit and information rights) for 6 months after termination in respect of the period during which AutomateIT processed Customer Personal Data; (c) clause 9 (international transfers) for so long as AutomateIT or any Sub-processor holds Customer Personal Data subject to a Restricted Transfer mechanism; (d) clause 10 (liability), without time limit, in respect of breaches occurring during the term; (e) the Annexes, for so long as AutomateIT holds any Customer Personal Data subject to this DPA; and (f) any other clause that, by its nature, is intended to survive.
11.4 Continuing obligations
For 6 months after termination, or for any longer period during which AutomateIT continues to hold Customer Personal Data under a legal obligation, the technical and organisational measures in Annex 3 continue to apply to that data, and the Customer's clause 8.8 rights continue.
12. General
12.1 Order of precedence
In the event of a conflict between this DPA and the customer terms of service, the customer terms of service prevail in respect of commercial and operational matters and this DPA prevails in respect of data protection matters.
12.2 Variation
AutomateIT may vary this DPA on at least 30 days' written notice to the Customer, where the variation is required to reflect a change in Applicable Data Protection Law, ICO guidance or any Sub-processor's terms, or to reflect a material change in the way Customer Personal Data is processed. A variation that materially reduces the Customer's data protection rights or AutomateIT's data protection obligations under this DPA may be made only with the Customer's express written agreement.
A reasonable Customer test applies to materiality. The Customer may dispute the characterisation of a variation as non-material; pending resolution, the prior version of the DPA continues to apply to that Customer.
12.3 Governing law and jurisdiction
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA, except that the Customer may bring proceedings in any other competent court if required by Applicable Data Protection Law.
12.4 Entire agreement
This DPA, together with the customer terms of service and the documents referred to in this DPA (including the privacy policy and the data retention policy), constitutes the entire agreement between the parties in respect of the processing of Customer Personal Data and supersedes any prior agreement, representation or understanding on that subject.
12.5 No third-party rights
A person who is not a party to this DPA has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of it, except that a Data Subject may enforce clauses that are intended to be for the benefit of Data Subjects to the extent required by Article 82 UK GDPR.
12.6 Severability
If any provision of this DPA is held to be invalid, illegal or unenforceable, the remaining provisions remain in full force and effect, and the parties will negotiate in good faith to replace the invalid provision with a valid one that gives effect to the parties' original intention.
12.7 Electronic acceptance
This DPA is accepted by the Customer electronically at signup. AutomateIT considers electronic acceptance to be conclusive evidence of the Customer's agreement to this DPA. AutomateIT records the time and method of acceptance against the Customer's account.
12.8 Assignment
Neither party may assign or novate this DPA without the other's prior written consent, except that AutomateIT may assign to a successor on a sale of the business on terms at least as protective as these. AutomateIT will give the Customer at least 30 days' notice of any such assignment.
12.9 Notices
Notices under this DPA must be sent:
(a) to AutomateIT, at ivan@automateitonline.co.uk and to the registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, marked for the attention of the Director; and
(b) to the Customer, at the registered email address on the Customer's account.
A notice sent by email is taken to have been received on the next working day after sending, unless the sender receives a delivery-failure notification.
13. Change log
| Version | Date | Author | Notes |
|---|---|---|---|
| 1.0 | 2026-04-30 | AI-drafted | Initial release. |
Swipe the table sideways ›
Annex 1. Description of the processing
This Annex completes the Article 28(3) description of the processing. Detail elaborated in clauses 4 to 6 is incorporated by reference rather than repeated.
| Item | Particulars |
|---|---|
| Subject matter | Provision of the Service to the Customer (clause 1.3 and clause 4). |
| Duration | From the Effective Date for the duration of the Customer's account, plus any post-termination retention period under clause 8.7 or required by law. |
| Nature of the processing | As set out in clause 4.1. |
| Purpose of the processing | As set out in clause 4.2. |
| Type of personal data | As set out in clause 5 of this DPA. |
| Categories of Data Subjects | As set out in clause 6 of this DPA. |
| Frequency | Continuous, for so long as inbound calls are routed to the Customer's AutomateIT number and for so long as the resulting records are held on the Service. |
| Documented instructions | As set out in clause 4.3. |
Swipe the table sideways ›
A1.1 Retention by category
Retention periods are set out in the data retention policy at docs/legal/data-retention-policy.md, in particular section 4.2 (call-related data, processor role). Headline figures:
| Category | Retention |
|---|---|
| Call audio recording (held at Retell) | Configured target of up to 12 months at Retell, subject to verification at the next Retell dashboard review |
Call transcript (calls.transcript, calls.summary) | 24 months from call date, then anonymised |
| Call metadata (caller-identifying fields) | 24 months from call date, then anonymised |
Job records (jobs) | 6 years from job completion or cancellation |
Callback requests (callback_requests) | 12 months from creation |
| Outbound SMS bodies (held at Twilio) | Approximately 13 months for message bodies under Twilio's current default; AutomateIT will notify the Customer if Twilio changes that default |
| Google Calendar event references | Tied to parent jobs row |
Swipe the table sideways ›
The Customer may shorten any of these defaults by written instruction under clause 4.3.
Retention periods apply during the term. On termination, deletion-or-return under clause 8.7 takes precedence.
Annex 2. List of Sub-processors
A2.1 Canonical list
The canonical, maintained list of Sub-processors is published in section 6 of the privacy policy at docs/legal/privacy-policy.md. That section is updated whenever AutomateIT engages or replaces a Sub-processor and is the authoritative reference for the Sub-processor inventory.
A2.2 Snapshot at Effective Date
For convenience, the Sub-processor list as at the Effective Date is reproduced below. In the event of any difference between this snapshot and the current section 6 of the privacy policy, the current privacy policy prevails.
| Sub-processor | Role for the Service | Location | Transfer safeguard |
|---|---|---|---|
| Supabase Inc. | Application database, authentication, file storage | EU (eu-west-1, Dublin) | DPA + EU SCCs + UK Addendum |
| Retell AI (Retell, Inc.) | Call handling, speech-to-text, AI dialogue, recording, post-call analysis | United States | UK Addendum to EU SCCs |
| Twilio Inc. (Twilio Ireland Limited in EEA) | UK number provisioning, inbound routing, SMS | EEA and US | UK-US Data Bridge; SCCs + UK Addendum fallback |
| Stripe (Stripe Payments Europe Limited; Stripe LLC) | Stripe Connect Express; no card data | Ireland and US | UK adequacy (Ireland); UK-US Data Bridge (US, DPF-certified); fallback as above |
| Google (Google Ireland Limited; Google LLC) | Google Calendar, Places, Geocoding, Gemini, Workspace | EEA and US | UK adequacy (Ireland); UK-US Data Bridge (US, DPF-certified); fallback as above |
| Anthropic, PBC | Claude API (help widget, scrape extraction, feedback workflow, avatar sanitisation) | United States | UK Addendum to EU SCCs (Anthropic is not DPF-certified). Default API retention 30 days for trust-and-safety review; commercial inputs/outputs not used for training |
| Resend, Inc. | Transactional email | United States | UK-US Data Bridge (DPF-certified); fallback as above |
| ElevenLabs Inc. (with Eleven Labs Poland sp. z o.o. as EU controller for some voice data) | Marketing-site chat widget only | United States and Poland | UK-US Data Bridge (DPF-certified, US leg); UK adequacy (Poland leg); fallback as above |
| Cloudflare, Ltd. (UK presence) and Cloudflare, Inc. (US data importer) | DNS, CDN, edge proxy | Global edge | UK-US Data Bridge (DPF-certified, US leg); fallback as above |
| Railway Corp. | Application hosting and cron | United States | UK-US Data Bridge (DPF-certified); fallback as above |
Swipe the table sideways ›
Other recipients (not Sub-processors under Article 28).
Companies House: source of public-register data consulted at customer onboarding. Not a Sub-processor under Article 28.
A2.3 Onward Sub-processors
Several Sub-processors above use their own infrastructure providers (typically AWS, Google Cloud or Microsoft Azure). Each Sub-processor publishes its own list and is contractually required to flow these transfer protections down. Links available on request.
Annex 3. Technical and organisational measures (Article 32)
A3.1 Encryption
(a) In transit. All transport between End-Callers, the Customer's browser, the Service on Railway, and every Sub-processor uses TLS 1.2 or higher, with TLS 1.3 preferred where supported. Live call media between Twilio and Retell is carried over encrypted SIP.
(b) At rest. Customer Personal Data stored at Supabase (database and storage) is encrypted at rest by Supabase. Recordings stored at Retell are encrypted at rest by Retell. Supabase Storage buckets logos/ and avatars/ apply the same encryption.
(c) Application secrets. API keys, OAuth client secrets and the cron shared secret are stored only as environment variables on Railway and in the Director's local development environment. They are not committed to source control. Service-role keys are server-only and never reach the browser.
A3.2 Access control
(a) Customer access. Each Customer can only access their own rows. Row-level security ("RLS") is enforced at the database level on every customer-facing table (businesses, services, working_hours, service_areas, calls, jobs, callback_requests, feedback_submissions, feedback_tasks, and others). The application's session token is bound to the Customer's auth user; no application path bypasses RLS for cross-customer reads.
(b) Administrator access. Administrative endpoints in the (admin) route group are gated by an app_metadata.role === 'admin' check on the authenticated session, enforced server-side in the layout. Service-role access is restricted to the Director.
(c) Multi-factor authentication. The Director's account on the application database, on Supabase, on Railway, on Cloudflare, on Twilio and on the third-party AI providers is protected by multi-factor authentication. The factor used is a TOTP authenticator or hardware security key (no SMS-only MFA).
(d) Principle of least privilege. Application code uses the service role key only in server-side handlers and only where row-level security would otherwise prevent legitimate cross-tenant operations (typically administrative queries and cron jobs).
A3.3 Pseudonymisation and minimisation
(a) Minimisation by design. Forms collect only fields with a defined downstream use. Where a field is collected for a single workflow, it is not propagated to long-lived records.
(b) Anonymisation at retention horizon. Call records are anonymised at 24 months under section 4.2 of the data retention policy: caller phone, business identifier and precise timestamps are removed and free-text fields are scrubbed of residual identifiers. Where the scrubber cannot guarantee removal of identifiers, the row is hard-deleted instead.
(c) No salted-hash pseudonymisation as a substitute for deletion. AutomateIT does not retain salted-hash records of caller identifiers as a substitute for deletion or anonymisation, on the basis that salted hashes are pseudonymous rather than anonymous under UK GDPR Recital 26.
A3.4 Compliance-by-design controls
(a) Auto-injected recording disclosure. A short pre-call recording disclosure ("One quick thing, calls are recorded for quality.") is injected server-side into every customer agent's begin_message at call start. The Customer cannot accidentally remove it; the helper re-applies it on every call. Implementation: applyRecordingDisclosure() in src/lib/retell-recording-disclosure.ts.
(b) No payment card data. Payment links use Stripe Checkout; card details are entered directly with Stripe and never traverse AutomateIT's servers.
(c) Row-level security and server-only secrets as set out in A3.2.
A3.5 Business continuity
(a) AutomateIT is on the Supabase Free plan as at the Effective Date, which does not expose customer-restorable daily backups. Recovery from corruption or accidental deletion depends on Supabase's internal disaster recovery process. AutomateIT does not export weekly backups to a separate provider. Upgrading to Supabase Pro (which provides 7 days of customer-restorable daily backups) is on the post-launch operational checklist; on upgrade, a documented annual restore drill will be added to this commitment.
(b) The application is hosted on Railway with restart on failure. DNS is managed at Cloudflare with edge caching and bot-management.
(c) Call audio is held at Retell and survives independently of AutomateIT's application database for the period configured at Retell.
A3.6 Testing and review
(a) AutomateIT monitors advisories from the npm advisory database and applies updates as they are surfaced. Automated scanning will be added before public launch. Critical-severity findings trigger an out-of-cycle update.
(b) Server access logs are reviewed monthly by the Director for unusual patterns.
(c) This Annex 3 is reviewed at least annually and on any material change to the Service.
A3.7 Incident response
(a) Any person who detects or suspects a Personal Data Breach must report it to the Director within one working hour. The Director assesses the risk against the Article 33 and Article 34 UK GDPR thresholds.
(b) Where the breach affects Customer Personal Data, AutomateIT notifies the affected Customer within 24 hours of becoming aware (clause 8.6(b)).
(c) Every breach (including those that did not require notification) is recorded in the internal breach log per Article 33(5) UK GDPR. A written breach runbook is maintained at docs/legal/breach-runbook.md.
A3.8 Personnel and Sub-processor controls
(a) All personnel with access to Customer Personal Data are bound to confidentiality, by contract or by statutory duty. As at the Effective Date, AutomateIT is operated by a single Director. Future personnel will receive data protection training and sign a written confidentiality undertaking before being granted access.
(b) Each Sub-processor listed in Annex 2 is engaged under a written contract that imposes data protection obligations no less protective than those set out in this DPA, in accordance with Article 28(4) UK GDPR. Copies of the relevant Sub-processor agreements or written attestations of compliance are available on written request under clause 8.8(a)(iv).
Annex 4. International transfer mechanisms
A4.1 Mechanisms relied on
For each Sub-processor located outside the United Kingdom, or that processes Customer Personal Data outside the United Kingdom, AutomateIT relies on the following mechanism in priority order:
(a) UK adequacy regulations for transfers to recipients in the European Economic Area, under the Data Protection (Adequacy) (European Union) Regulations 2021 and the Data Protection (Adequacy) (European Economic Area) Regulations 2021;
(b) UK-US Data Bridge for transfers to recipients in the United States that are self-certified to the EU-US Data Privacy Framework and have opted into the UK Extension; and
(c) UK Addendum to the EU Commission Standard Contractual Clauses, Version B1.0 (in force from 21 March 2022), or the IDTA, where neither (a) nor (b) is available.
A4.2 Per-Sub-processor mechanism and Module selection
The mechanism applied to each Sub-processor is recorded at A2.2 and in the canonical privacy policy section 6. For onward transfers from AutomateIT (as Processor) to a Sub-processor (as sub-processor), the parties select Module 3 (processor-to-processor) of the EU SCCs as incorporated by the UK Addendum. The Customer-to-AutomateIT transfer is UK-domestic and not subject to Chapter V. The UK Addendum tables are completed by AutomateIT consistently with the Sub-processor's published terms; the Annex of the EU SCCs is satisfied by reference to Annexes 1, 2 and 3 of this DPA.
A4.3 Customer-controller authorisation
The Customer authorises AutomateIT under clause 9.2 to enter into the transfer mechanism in A4.1 with each Sub-processor on the Customer's behalf, including execution of the UK Addendum and any Module 3 terms required.
A4.4 Transfer Risk Assessments
A Transfer Risk Assessment is held by the Director for each Sub-processor for which AutomateIT relies on the UK Addendum or the IDTA rather than on adequacy or the UK-US Data Bridge. The TRA register is maintained at docs/legal/tra-register.md and is available to the Customer and to the Information Commissioner on written request. AutomateIT reviews the basis of reliance for each non-DPF transfer (currently Retell, Anthropic and the Supabase US-leg) at least every 6 months, and updates the register accordingly.
A4.5 Loss of mechanism
Where a transfer mechanism becomes unavailable (for example, because the UK-US Data Bridge is suspended or invalidated), AutomateIT will, without undue delay, put in place an alternative transfer mechanism approved under Chapter V of the UK GDPR or suspend the affected processing in accordance with clause 9.5.
Acceptance
This DPA is accepted by the Customer electronically at signup. Acceptance is recorded against the Customer's account, including the timestamp of acceptance and the version of this DPA accepted. By accepting this DPA, the Customer confirms that the person accepting has authority to bind the Customer.
Document owner: Ivan Aguilar Mari, Director, AutomateIT Online Ltd. Version: 1.0 (AI-drafted) Effective date: 2026-04-30