Data Processing Agreement

1. Definitions

Terms used and not defined here have the meaning given in the UK GDPR. "Customer Personal Data" means personal data we process on the Controller's behalf in providing the Service — including names, phone numbers, email addresses, call recordings, transcripts, message content, lead form submissions, and any other personal data submitted to or generated by the Service on behalf of the Controller.

2. Roles

The Controller determines the purposes and means of processing Customer Personal Data. Beluga AI Ltd acts as a processor and processes Customer Personal Data only on documented instructions from the Controller, including those given through the configuration and use of the Service.

3. Processing details

• Subject matter — provision of AI agent infrastructure, conversational AI, voice, lead capture, messaging, and workflow automation services to the Controller.
• Duration — for the term of the subscription, plus any post-term return / deletion period set out below.
• Nature & purpose — hosting, transmission, voice and text processing, storage, analysis to improve the Controller's service, and support.
• Categories of data subjects — the Controller's end customers, prospects, leads, employees, contractors, and contacts.
• Categories of personal data — contact details (name, phone, email, address), enquiry details, call audio and transcripts, message content, calendar availability, behaviour, and usage metadata.

4. Our obligations as processor

• Process Customer Personal Data only on the Controller's documented instructions and as needed to provide the Service.
• Ensure persons authorised to process the data are under appropriate confidentiality obligations.
• Implement appropriate technical and organisational measures to protect the data (see Annex A).
• Assist the Controller in responding to data subject requests and meeting its obligations under Articles 32–36 of the UK GDPR.
• Notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of a personal data breach affecting Customer Personal Data.
• Make available all information reasonably necessary to demonstrate compliance and allow audits at reasonable intervals and on reasonable notice.

5. Sub-processors

The Controller authorises Beluga AI to engage the sub-processors listed in Annex B to provide the Service. We will:

• Maintain an up-to-date list of sub-processors and make it available on request.
• Impose data protection obligations on each sub-processor that are no less protective than those set out in this DPA.
• Provide at least 30 days' prior notice of any new or replacement sub-processor; the Controller may object on reasonable data protection grounds.
• Remain liable for the acts and omissions of our sub-processors with respect to Customer Personal Data.

6. International transfers

Some sub-processors are located outside the UK and EEA. Where Customer Personal Data is transferred we use the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK Addendum, or another lawful transfer mechanism approved under the UK GDPR.

7. Data subject rights

We will assist the Controller, by appropriate technical and organisational measures and so far as possible, in responding to requests from data subjects to exercise their rights under Chapter III of the UK GDPR. If we receive a request directly from a data subject we will, unless legally required to respond, redirect them to the Controller.

8. Return or deletion

On termination of the Service the Controller may export Customer Personal Data via the platform. Within 30 days of termination we will delete or anonymise Customer Personal Data, except where retention is required by law or for the establishment, exercise, or defence of legal claims.

9. Liability

Each party's liability under this DPA is subject to the limits of liability in the Terms of Service. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under applicable data protection law.

Annex A — Technical & organisational measures

• Encryption in transit (TLS 1.2+) and at rest for all Customer Personal Data stored at rest.
• Role-based access control with least-privilege defaults and multi-factor authentication for staff accounts.
• Logging and monitoring of access to production systems with periodic review.
• Vendor due diligence on all sub-processors with data protection responsibilities.
• Incident response plan with defined escalation paths and breach notification procedures.
• Regular backups, with restore testing and documented data retention schedules.
• Mandatory data protection and security awareness training for all staff with access to Customer Personal Data.
• Network segmentation between development, staging, and production environments.

Annex B — Sub-processors

The following categories of sub-processors may be used to provide the Service. The current list is available on request.

• Cloud hosting & CDN (e.g. Vercel, Cloudflare, AWS) — application hosting and delivery.
• AI model providers (e.g. OpenAI, Anthropic, Google) — voice, transcript, and text generation.
• Telephony providers (e.g. Twilio, Telnyx) — inbound and outbound calling, SMS.
• CRM & automation (e.g. HighLevel / LeadConnector) — pipeline, calendars, messaging.
• Email infrastructure (e.g. Postmark, Resend) — transactional email delivery.
• Analytics (e.g. Google Analytics, PostHog) — usage measurement.
• Payments (e.g. Stripe) — subscription billing.
• Customer support (e.g. Intercom, LeadConnector) — support tickets and live chat.

Acceptance

By signing up to the Service, accepting an order form, or otherwise using the Service, the Controller agrees to this DPA. Enterprise customers may request a separately executed copy by emailing support@agentbeluga.com.