This Data Processing Agreement (“DPA”) is entered into between you (the “Customer” and “Controller”) and JAMDIT Limited (“Processor”, “we”, “us”). It forms part of, and is subject to, our Terms of Service (the “Agreement”) and applies to the extent we process Personal Data on your behalf in providing the Service. It is designed to satisfy Article 28 of the UK GDPR.
If you require a countersigned copy for your records or for your own EU clients, contact dpo@harborne.ai.
1. Definitions
“Personal Data”, “processing”, “controller”, “processor”, “data subject” and “personal data breach” have the meanings given in the UK GDPR. “Customer Personal Data” means Personal Data we process on your behalf under the Agreement.
2. Roles and scope
You are the controller and we are the processor of Customer Personal Data. We process it only to provide and support the Service and on your documented instructions (including via your configuration of the Service), unless required to do otherwise by law - in which case we will tell you first, unless the law prohibits it.
3. Details of processing
- Subject matter: provision of the AI communications Service.
- Duration: the term of the Agreement, plus any limited retention described in our Privacy Policy.
- Nature and purpose: hosting, storing, transmitting, transcribing and AI-processing of communications to answer calls/messages, book appointments and run campaigns.
- Types of Personal Data: contact details (name, phone, email, address), call and voicemail recordings and transcripts, chat and message content, appointment details, and any other data you choose to submit.
- Categories of data subjects: your customers, leads, contacts and staff.
You must not submit special category data (such as health, biometric or criminal-offence data) unless agreed in writing and supported by appropriate safeguards on your side.
4. Our obligations
- process Customer Personal Data only on your documented instructions;
- ensure persons authorised to process it are bound by appropriate confidentiality obligations;
- implement appropriate technical and organisational security measures (see Annex A) taking into account the state of the art and the risks involved;
- assist you, taking into account the nature of processing, with: responding to data subject requests; security, breach notification and data protection impact assessments; and prior consultation with the ICO where required;
- make available information reasonably necessary to demonstrate compliance with Article 28 and allow for and contribute to audits (see clause 8).
5. Sub-processors
You give general authorisation for us to engage sub-processors (for example hosting, telephony/SMS, AI model and email providers) to deliver the Service. We impose data protection terms on each sub-processor that are no less protective than this DPA and remain responsible for their performance. We will maintain a current list of sub-processors and give you reasonable notice of intended changes so you can object on reasonable data protection grounds.
6. International transfers
Where we or our sub-processors transfer Customer Personal Data outside the UK, we ensure an appropriate transfer mechanism is in place, such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, with supplementary measures as needed.
7. Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provide information reasonably available to help you meet your own breach-notification obligations to the ICO and affected individuals.
8. Audit
On reasonable prior written notice, and no more than once a year (unless required by a regulator or following a breach), we will make available information necessary to demonstrate compliance, which may include relevant third-party certifications or reports. On-site audits will be scheduled to minimise disruption and subject to confidentiality.
9. Return and deletion
On termination of the Service, or on your written request, we will delete or return Customer Personal Data and delete existing copies, unless retention is required by law. Backups are deleted in the ordinary course of our backup cycle.
10. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not limit any rights a data subject has under the UK GDPR.
11. Governing law
This DPA is governed by the law of England and Wales and is subject to the jurisdiction clause in the Agreement. If there is any conflict between this DPA and the Agreement on data protection matters, this DPA prevails.
Annex A - Security measures (summary)
- encryption of Personal Data in transit, and at rest where supported by our providers;
- role-based access controls and least-privilege administrative access;
- authentication controls for access to systems holding Personal Data;
- logical separation of customer data and regular backups;
- vendor due diligence and data protection terms with sub-processors;
- logging and monitoring to detect and respond to security events.
Contact
Questions about this DPA: dpo@harborne.ai, JAMDIT Limited, Kemp House, 152-160 City Road, London EC1V 2NX, United Kingdom.