Data Processing Agreement

UK GDPR Article 28 · Effective date: 1 May 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Controller") and Missed Call Help AI Ltd ("Processor", "we"). It governs our processing of personal data on your behalf when you use our Services.

How to execute: If your organisation requires a counter-signed DPA, email gdpr@missedcallhelpai.com with subject "DPA Request" — include your business name, signatory's name and email. We send back a signed PDF within 2 business days.

1. Subject matter

The subject matter of this processing is the provision of an AI receptionist service that handles voice calls, SMS, and messaging on behalf of the Customer's business.

2. Duration

For the duration of the Customer's subscription, plus the agreed retention period after termination.

3. Nature and purpose of processing

We process personal data of the Customer's end users (callers / message senders) to: receive and answer calls; transcribe and analyse calls; book appointments; send confirmations and reminders; route leads to the Customer; provide reporting; and support the Customer.

4. Types of personal data

  • Identifiers: name, phone number, email address
  • Voice recordings and machine-generated transcripts
  • Booking details (date, time, service, location)
  • SMS / WhatsApp / email message contents
  • Inferred data: lead score, intent classification
  • Where Customer chooses: PHI (HIPAA mode), payment data (deposit-on-book)

5. Categories of data subjects

Callers, message senders, end customers, prospective customers of the Customer's business.

6. Customer's instructions

We process personal data only on documented instructions from the Customer, including (a) the Terms of Service, (b) configuration choices made in the dashboard (e.g. retention period, HIPAA mode, voice cloning toggle), and (c) any subsequent written instructions. We notify the Customer if we believe an instruction violates UK GDPR or other data protection laws.

7. Confidentiality

Personnel authorised to process personal data are bound by written confidentiality obligations.

8. Security (Annex II)

We implement appropriate technical and organisational measures including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access control with least privilege
  • Multi-factor authentication for all internal access
  • Audit logging of all access to personal data
  • Regular vulnerability scans and annual penetration testing
  • Documented incident response procedures with 24/7 on-call
  • Annual security awareness training for all personnel
  • Background checks for personnel with access to production systems
  • Geographic data residency controls (UK / EU primary)

9. Sub-processors

The Customer authorises us to engage the sub-processors listed in our Privacy Policy. We will give 30 days' notice of new sub-processors via email, and the Customer may object on reasonable grounds. We remain liable for sub-processors' compliance.

10. Data subject rights

We provide tooling within the dashboard for the Customer to fulfil data subject access, rectification, erasure, restriction, portability, and objection requests. Where a data subject contacts us directly, we forward the request to the Customer.

11. Personal data breach notification

We notify the Customer without undue delay (and within 72 hours) of becoming aware of a personal data breach affecting the Customer's personal data, with all information reasonably required by the Customer to fulfil its own breach notification obligations.

12. Data Protection Impact Assessments

We provide reasonable assistance to the Customer in conducting DPIAs and consultations with supervisory authorities, taking into account the nature of processing and information available to us.

13. International transfers

Where personal data is transferred outside the UK or EEA, we rely on the UK IDTA, EU SCCs, or another lawful transfer mechanism as set out in our Privacy Policy.

14. Audit rights

The Customer may, at its own cost and on reasonable notice (no more than once per year except after a breach), audit our compliance through:

  • Reviewing our latest SOC 2 Type II / ISO 27001 attestation (when available)
  • Submitting a written security questionnaire (we respond within 30 days)
  • On-site inspection at our premises by mutual agreement

15. Return or deletion of data

On termination, the Customer may export all personal data via the dashboard within 30 days. Thereafter, we delete personal data within 60 days, except where retention is required by law (e.g. tax records).

16. Liability

Each party's liability under this DPA is governed by the limitation of liability provisions in the Terms of Service.

17. Order of precedence

If there is a conflict between this DPA and the Terms of Service, this DPA prevails on data protection matters.

18. Contact

Data Protection contact: gdpr@missedcallhelpai.com (subject: "DPA")

Annex I — Sub-processors

See section 4 of our Privacy Policy for the current list, including identity, location, and processing purpose.

Counter-signed execution

A counter-signed PDF version of this DPA is issued on request. Email gdpr@missedcallhelpai.com with subject "DPA Request" — include your registered company name, signatory's name, and email address. We return a signed PDF within 2 business days.

For Customer:

Name: ________________________________

Title: ________________________________

Date: ________________________________

Signature: ____________________________


For Missed Call Help AI Ltd:

Name: ________________________________

Title: Director

Date: ________________________________

Signature: ____________________________