top of page

Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the Master Services Agreement (“Agreement”) between:

Collaborative Conveyancing Ltd (“Processor”)
and
The Client Law Firm (“Controller”).

This DPA governs the processing of personal data by the Processor on behalf of the Controller when delivering Voice AI services.

 

1. Definitions

For the purposes of this DPA:

Controller
means the organisation determining the purposes and means of processing personal data.

Processor
means the organisation processing personal data on behalf of the Controller.

Personal Data
has the meaning given in the UK GDPR.

Processing
means any operation performed on personal data including collection, storage, use, transmission or deletion.

Data Protection Laws
means all applicable data protection legislation including:

  • UK GDPR

  • Data Protection Act 2018

 

2. Subject Matter of Processing

The Processor provides Voice AI services that assist the Controller with telephone enquiry management and information capture.

Processing activities may include:

  • answering telephone calls

  • transcribing speech

  • generating conversational responses

  • capturing structured information

  • routing calls or scheduling callbacks

  • producing transcripts, recordings and call summaries.

 

3. Duration of Processing

Processing will occur for the duration of the Agreement between the Controller and Processor unless otherwise agreed.

Upon termination of the Agreement, personal data will be deleted or returned in accordance with Section 10 of this DPA.

 

4. Nature and Purpose of Processing

The purpose of the processing is to enable the delivery of Voice AI services supporting client communication workflows.

This may include:

  • handling routine enquiries

  • capturing client information

  • routing calls to appropriate staff

  • providing transaction updates where configured.

The system is designed to support operational capacity and does not provide legal advice.

 

5. Types of Personal Data

Personal data processed may include:

  • name

  • telephone number

  • email address

  • property address

  • details relating to a legal matter or enquiry if authorised by law firm

  • call recordings

  • call transcripts

  • call metadata.

Special category data is not intentionally collected as part of the system design.

 

6. Categories of Data Subjects

Data subjects may include:

  • prospective clients

  • existing clients

  • third parties involved in property transactions

  • individuals making enquiries to the law firm or business

 

7. Processor Obligations

The Processor shall:

  1. process personal data only on documented instructions from the Controller

  2. ensure personnel authorised to process personal data are subject to confidentiality obligations

  3. implement appropriate technical and organisational measures to protect personal data

  4. assist the Controller in meeting its obligations under data protection law where reasonably required.

 

8. Security Measures

The Processor implements appropriate technical and organisational security measures including:

  • encryption in transit using TLS

  • encrypted storage environments

  • role-based access controls

  • multi-factor authentication for administrative systems

  • secure hosting within Microsoft Azure infrastructure.

 

9. Sub-Processors

The Controller authorises the Processor to engage sub-processors necessary to deliver the services.

A current list of approved sub-processors is provided in the Sub-Processor Register.

Where sub-processors are used, the Processor will ensure appropriate contractual safeguards are in place.

The Controller will be notified of any material changes to the sub-processor list.

 

10. Data Subject Rights

The Processor will assist the Controller, where reasonably possible, in responding to requests from data subjects exercising their rights under data protection law.

Such rights may include:

  • access requests

  • rectification requests

  • erasure requests

  • restriction of processing.

 

11. Personal Data Breaches

The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller’s data.

The notification will include information reasonably required for the Controller to assess the impact of the breach.

 

12. International Transfers

Certain sub-processors used to deliver the services operate infrastructure outside the United Kingdom.

Where personal data is transferred internationally, appropriate safeguards are relied upon including:

  • Standard Contractual Clauses (SCCs) or equivalent contractual safeguards.

Further details are provided in the International Data Transfer Statement.

 

13. Data Retention and Deletion

Voice AI services apply the following default retention periods:

Call recordings - 30 days

Call transcripts - 30 days

Logs / metadata - 30 days

Retention periods may be customised by the Controller.

Upon termination of services:

  1. personal data may be exported to the Controller

  2. remaining system data will be securely deleted.

 

14. Audits

The Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.

 

15. Governing Law

This DPA shall be governed by the laws of England and Wales.

bottom of page