Data Processing Addendum
This Data Processing Addendum (DPA) applies where RINGBACKAI LTD processes personal data on behalf of a business customer while providing AI voice receptionist, call handling, booking and portal services. It supplements the signed RingBack Service Agreement. If a signed service agreement contains a customer-specific DPA schedule, that signed schedule prevails for that customer.
1. Roles and definitions
The customer is the controller of personal data captured during calls made to the customer's business number. RINGBACKAI LTD is the processor for that call data. Terms defined in the UK GDPR have the same meaning in this DPA. Applicable Data Protection Laws means the UK GDPR, the Data Protection Act 2018, PECR 2003 and other UK laws protecting personal data.
2. Processing instructions
RingBack processes personal data only on the customer's documented instructions, including the Service Agreement, this DPA, portal settings and lawful support requests, unless required by UK law. RingBack will inform the customer if an instruction appears to breach applicable data-protection law.
3. Processing details
| Item | Details |
|---|---|
| Subject matter | Provision of AI voice receptionist, booking and customer portal services. |
| Duration | The term of the customer service agreement and any post-termination deletion/export period. |
| Nature and purpose | Answering inbound calls, triaging enquiries, booking appointments, sending confirmations, providing call records, transcripts, recordings, support and security monitoring. |
| Personal data | Caller name, phone number, email if volunteered, postcode or address, enquiry details, voice recording, transcript, AI summary, booking details and call metadata. |
| Data subjects | Individuals calling the customer's assigned business telephone number and customer portal users. |
| Special-category data | None is intentionally sought. If sensitive or health-adjacent information is volunteered, RingBack routes it to the customer's human staff where configured and does not retain it beyond the standard retention windows unless legally required. |
4. RingBack processor obligations
- Process personal data only on documented instructions.
- Ensure authorised personnel are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures.
- Use only approved sub-processors under written data-processing terms imposing equivalent protections.
- Give at least 14 days' notice of material sub-processor changes and allow objections on reasonable data-protection grounds.
- Assist with data-subject requests under Articles 15-22 UK GDPR within 5 business days of the customer's request.
- Assist with Articles 32-36 UK GDPR, including security, breach assessment, DPIAs and prior consultation where relevant.
- Notify the customer without undue delay and no later than 72 hours after becoming aware of a personal data breach affecting customer call data.
- At the customer's choice, return or delete personal data at the end of the services unless UK law requires storage.
- Make available information reasonably necessary to demonstrate Article 28 compliance and contribute to reasonable audits no more than once per year at the customer's cost, except after a breach where reasonable costs are RingBack's.
5. Customer controller obligations
- Maintain a valid lawful basis for caller data processing.
- Publish and maintain an appropriate caller-facing privacy notice explaining AI call answering, recording, transcription, retention, sub-processors, international transfers and data-subject rights.
- Give RingBack lawful, accurate and up-to-date instructions and business information.
- Do not instruct RingBack to process special-category data, emergency dispatch, regulated advice or unlawful marketing unless a separate written agreement and risk assessment are in place.
- Respond to caller privacy requests and regulatory correspondence as controller, with RingBack's reasonable assistance.
6. Security measures
- TLS 1.2+ for data in transit and encryption at rest for database, object storage and secrets.
- Role-based access, least privilege and MFA on administrative accounts.
- Per-customer logical segregation in application data.
- Encrypted backups in UK/EU regions with limited retention.
- Audit logging for administrative actions and security-relevant events.
- Automated retention jobs for audio recordings and transcripts.
- Incident-response process with 72-hour customer and ICO assessment windows where required.
- Sub-processor due diligence, written DPAs and transfer safeguards.
7. Retention and deletion
- Call audio: 30 days by default unless a customer-specific setting applies.
- Transcripts and AI summaries: 365 days by default unless a customer-specific setting applies.
- Call metadata, contract and billing records: retained as needed for accounting, tax, legal and audit obligations.
- Google or Microsoft OAuth tokens: deleted within 24 hours of calendar disconnection or account closure.
Deletion from backups follows the backup-retention cycle. Backup copies are not restored for ordinary business use after deletion unless required by law.
8. International transfers
RingBack primarily hosts application data in Google Cloud's EU region europe-west1. Where a sub-processor processes personal data outside the UK or EEA, RingBack relies on a valid transfer mechanism such as a UK adequacy decision, the UK International Data Transfer Agreement, EU Standard Contractual Clauses with the UK Addendum, and supplementary measures where required.
9. Approved sub-processors
| Sub-processor | Role | Location | Safeguard |
|---|---|---|---|
| Google LLC | Cloud Run, Cloud SQL, Cloud Storage, Firebase Hosting, Secret Manager | EU region europe-west1 where configured | Google Cloud DPA; adequacy/SCCs as applicable |
| Vapi.ai, Inc. | Voice AI orchestration and call recordings | EU where available; US fallback | UK IDTA / SCCs |
| OpenAI, L.L.C. / OpenAI Ireland Ltd | LLM inference for call understanding | EU residency where available; US otherwise | Adequacy / UK IDTA / SCCs |
| Deepgram, Inc. | Real-time speech-to-text | US | UK IDTA / SCCs |
| Anthropic PBC | Optional fallback LLM inference | US | UK IDTA / SCCs |
| ElevenLabs Inc. | Optional text-to-speech | US | UK IDTA / SCCs |
| Twilio Inc. | Telephony, phone numbers and SMS | US / Ireland / UK | UK IDTA / SCCs / Twilio DPA |
| Stripe Payments UK Limited | Subscription billing and payment processing | UK / Ireland | Stripe DPA |
| Twilio SendGrid | Transactional email | US | UK IDTA / SCCs |
| PostHog Inc. | Product analytics | EU instance only | PostHog DPA |
| Google LLC or Microsoft Corp. customer accounts | Calendar booking integrations authorised by the customer | Customer account region/global | Customer's own DPA with Google or Microsoft |
10. Liability, term and governing law
Liability under this DPA is subject to the limits in the applicable Service Agreement, except that nothing limits either party's direct liability to a data subject or supervisory authority under UK GDPR. This DPA remains in force while RingBack processes personal data on behalf of the customer. It is governed by the laws of England and Wales.