Data Processing Agreement

Terms used in this DPA have the meanings given in the UK GDPR and Data Protection Act 2018, including:

• "Personal data" - any information relating to an identified or identifiable natural person
• "Processing" - any operation performed on personal data
• "Data subject" - the individual whose personal data is processed
• "UK GDPR" - the retained EU law version of the GDPR as it forms part of UK law

Voxcierge AI Ltd processes personal data on behalf of the customer for the purpose of providing the Voxcierge AI platform services, including:

• AI voice call handling and transcription
• SMS and messaging services
• CRM data synchronisation
• Call recording, storage, and analysis
• Real-time agent coaching (Isaac)

The types of personal data processed may include: names, phone numbers, email addresses, call recordings, call transcripts, and any other information provided by callers during AI-handled interactions.

Data subjects may include: the customer\'s own customers, prospects, and contacts who interact with the Voxcierge platform.

Voxcierge AI Ltd shall:

• Process personal data only on documented instructions from the Controller, unless required to do so by law
• Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
• Not engage sub-processors without prior written consent of the Controller (general authorisation is granted for the subprocessors listed at voxcierge.ai/legal/subprocessors)
• Assist the Controller in responding to requests from data subjects exercising their rights
• Assist the Controller in ensuring compliance with security, breach notification, impact assessment, and prior consultation obligations
• At the choice of the Controller, delete or return all personal data upon termination of services
• Make available all information necessary to demonstrate compliance with this DPA

Voxcierge AI Ltd implements the following technical and organisational security measures:

• Encryption of data in transit (TLS 1.2+) and at rest
• Access controls and role-based permissions within the platform
• Regular security monitoring and logging
• UK-hosted infrastructure on Railway
• Multi-factor authentication enforced for all platform access (via Auth0)
• Regular security reviews and vulnerability assessments

The Controller provides general authorisation for Voxcierge AI Ltd to engage our approved sub-processors (available on request from [email protected]). We will notify the Controller of any intended changes to sub-processors with at least 14 days' notice, giving the Controller the opportunity to object.

In the event of a personal data breach, Voxcierge AI Ltd shall notify the Controller without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. The notification shall include all information reasonably available to assist the Controller in fulfilling their own notification obligations.

Upon termination of the services, Voxcierge AI Ltd will, at the Controller's choice, either delete or return all personal data and delete existing copies, unless retention is required by applicable law.

Standard data retention periods: call recordings are retained for 12 months unless otherwise agreed. Call transcripts are retained for 24 months. Log data is retained for 12 months.

This DPA is governed by the laws of England and Wales.

To execute this DPA for your account, please contact [email protected].