Data Processing Agreement (DPA)
Effective Date: January 5, 2026
Last Updated: January 5, 2026
Version: 1.0
This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement or Terms of Service (“Agreement”) between ALIM Ltd (Company Number 14528810), trading as Voice AI Portal (“Voice AI Portal,” “Processor,” “we”), and the subscribing customer (“Customer,” “Controller,” “you”) when UK GDPR, EU GDPR, or other applicable Data Protection Laws govern Customer’s use of Voice AI Portal Services to process Customer Personal Data.
This DPA supplements the Agreement and remains in effect for as long as Voice AI Portal processes Personal Data on behalf of Customer. In the event of conflict between this DPA and the Agreement, this DPA prevails.
SECTION 1: DEFINITIONS
1.1 “Agreement” means the Master Subscription Agreement, Terms of Service, or other governing contract between Voice AI Portal and Customer under which Services are provided.
1.2 “Controller” or “Customer” means the entity that determines the purposes and means of processing Customer Personal Data. For Voice AI Portal, this is typically the AI agency or business subscribing to Services.
1.3 “Customer Personal Data” means any Personal Data provided by or on behalf of Customer and processed by Voice AI Portal pursuant to the Agreement. This includes:
- Agency account holder information (names, emails, billing details)
- Workspace user credentials and RBAC permissions
- End-customer data in client workspaces (names, emails, phone numbers)
- Call metadata and analytics from voice AI providers
- Usage data and platform interactions
1.4 “Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data, including:
- UK General Data Protection Regulation (UK GDPR)
- EU General Data Protection Regulation (EU GDPR) (Regulation 2016/679)
- Data Protection Act 2018 (UK)
- Privacy and Electronic Communications Regulations (PECR)
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Any successor or replacement legislation
1.5 “Data Subject” means an identified or identifiable natural person whose Personal Data is processed under this DPA, including Customer’s employees, authorized users, and end-customers in client workspaces.
1.6 “Personal Data” has the meaning given in Article 4(1) UK GDPR: any information relating to an identified or identifiable natural person.
1.7 “Processing” has the meaning given in Article 4(2) UK GDPR: any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
1.8 “Processor” or “Voice AI Portal” means ALIM Ltd, which processes Personal Data on behalf of and under the documented instructions of the Controller.
1.9 “Security Incident” means any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
1.10 “Services” means Voice AI Portal’s white-label SaaS analytics platform including dashboard analytics, workspace management, voice AI integrations, white-label branding, and related services as defined in the Agreement.
1.11 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module 2: Controller to Processor), attached as Annex I.
1.12 “Sub-processor” means any third-party entity engaged by Voice AI Portal to process Customer Personal Data on behalf of Customer.
1.13 “Supervisory Authority” means:
- For UK data subjects: The UK Information Commissioner’s Office (ICO)
- For EU data subjects: The relevant data protection authority in the EU Member State where the Controller is established or where data subjects are located
1.14 “Third-Party Voice AI Providers” means voice AI platforms (Retell AI, VAPI, ElevenLabs, and others) with which Customer maintains direct accounts and which are not Sub-processors of Voice AI Portal. Customer acts as Controller and Voice AI Providers act as separate Processors for voice data.
1.15 “UK IDTA” means the UK International Data Transfer Agreement (version B1.0 or later) issued by the ICO under Section 119A of the Data Protection Act 2018, attached as Annex II.
SECTION 2: DATA PROCESSING
2.1 Roles and Responsibilities
2.1.1 Controller Obligations
Customer is the Data Controller for all Customer Personal Data and determines the purposes and means of processing. Customer is responsible for:
- Providing lawful processing instructions to Voice AI Portal
- Ensuring lawful basis exists for all processing activities
- Obtaining necessary consents from data subjects
- Providing privacy notices to data subjects
- Responding to data subject rights requests
- White-label client compliance (where Customer provides branded portals to end-customers)
2.1.2 Processor Obligations
Voice AI Portal is the Data Processor and processes Customer Personal Data only on documented instructions from Customer. Voice AI Portal will:
- Process Customer Personal Data solely to provide Services as defined in the Agreement
- Implement appropriate technical and organizational security measures (Article 32 UK GDPR)
- Assist Customer in fulfilling data subject rights requests
- Notify Customer of Security Incidents
- Engage Sub-processors in accordance with Section 4
- Delete or return Customer Personal Data upon termination
2.2 Scope of Processing
2.2.1 Subject Matter
Voice AI Portal’s provision of white-label voice AI analytics and workspace management Services to Customer.
2.2.2 Duration
Processing continues for the term of the Agreement plus any retention period required by law or specified in the Privacy Policy (typically 30 days post-termination for data deletion).
2.2.3 Nature of Processing
Collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure by transmission, restriction, erasure, and destruction of Customer Personal Data.
2.2.4 Purpose of Processing
Voice AI Portal processes Customer Personal Data for the following purposes only:
- Providing platform Services (authentication, workspace management, analytics display)
- Maintaining platform security and preventing fraud
- Providing customer support and technical assistance
- Billing and payment processing (via Stripe)
- Compliance with legal obligations
- Improving Services (aggregated, anonymized analytics only)
2.2.5 Categories of Data Subjects:
- Customer’s employees and authorized users (agency account holders)
- Customer’s workspace administrators and users
- Customer’s end-customers (individuals accessing client workspaces)
- Individuals whose call data is displayed in analytics (phone numbers, names)
- Customer support contacts
2.2.6 Categories of Personal Data Processed:
Authentication & Account Data (Supabase eu-central-1):
• Email addresses, password hashes (bcrypt)
• Authentication tokens (JWT), session identifiers
• Multi-factor authentication (MFA) configurations
• Role-Based Access Control (RBAC) permissions
Business & Billing Data (GCP europe-west1, Stripe):
• Company names, business addresses, VAT numbers
• Billing addresses, payment methods (via Stripe)
• Subscription plans, usage metrics, invoices
Call Analytics Metadata (GCP europe-west1):
• Phone numbers (caller/recipient)
• Call duration, timestamps, status codes
• Cost data, ROI calculations
• Reference URLs to recordings/transcripts (hosted by voice AI providers)
Usage & Platform Data:
• IP addresses, device information, browser type
• Platform navigation, feature usage, API calls
• Support tickets, chat communications
White-Label Configuration:
• Custom domain names, SSL certificates (Cloudflare)
• Branding assets (logos, colors)
• Workspace configurations
Special Category Data: Voice AI Portal does not intentionally process special category data (health, race, religion, etc.). If Customer uploads such data, Customer remains solely responsible for compliance with Article 9 UK GDPR.
2.3 Processing Instructions
2.3.1 Documented Instructions
This DPA and the Agreement constitute Customer’s complete documented instructions for processing Customer Personal Data. Voice AI Portal will not process Customer Personal Data except as instructed by Customer unless required by law.
2.3.2 Unlawful Instructions
If Voice AI Portal believes any Customer instruction violates UK GDPR or other Data Protection Laws, Voice AI Portal will immediately inform Customer in writing and may suspend processing until Customer modifies or confirms the lawfulness of the instruction.
2.3.3 Compliance with Laws
Each party will comply with all applicable laws. Customer is responsible for ensuring its instructions comply with Data Protection Laws applicable to Customer’s business. Voice AI Portal is responsible for compliance with laws applicable to Voice AI Portal as a processor.
SECTION 3: CUSTOMER (CONTROLLER) OBLIGATIONS
3.1 Lawful Processing Basis
Customer warrants that it has established a lawful basis under Article 6 UK GDPR for all processing activities and has obtained all necessary consents, authorizations, and permissions from data subjects
3.2 Privacy Notices
Customer is responsible for providing transparent privacy information to data subjects in accordance with Articles 13-14 UK GDPR, including informing data subjects that Voice AI Portal processes their Personal Data as a processor on Customer’s behalf.
3.3 Data Subject Rights Requests
Customer is responsible for responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection). Voice AI Portal will assist Customer as described in Section 5.4
3.4 Supervisory Authority Communications
Customer is responsible for all communications with Supervisory Authorities relating to Customer Personal Data. Customer will notify Voice AI Portal of any relevant Supervisory Authority inquiries, orders, or enforcement actions
3.5 White-Label Client Obligations
Where Customer uses Voice AI Portal’s white-label services to provide branded portals to end-customers:
- Customer acts as Data Controller for end-customer Personal Data
- Customer must provide appropriate privacy notices to end-customers
- Customer must obtain necessary consents (e.g., call recording consent)
- Customer is responsible for end-customer data subject rights requests
- Voice AI Portal acts as Customer’s Processor for such data
3.6 Voice AI Provider Relationships
Customer acknowledges that Third-Party Voice AI Providers (Retell AI, VAPI, ElevenLabs) are not Sub-processors of Voice AI Portal. Customer is responsible for:
- Executing Data Processing Agreements directly with voice AI providers
- Configuring provider security and data retention settings
- Obtaining call recording consents where required by law
- Ensuring voice AI provider compliance with applicable Data Protection Laws
Voice AI Portal retrieves only call metadata via APIs and does not store actual voice recordings or full transcripts.
SECTION 4: VOICE AI PORTAL (PROCESSOR) OBLIGATIONS
4.1 Security Measures (Article 32 UK GDPR)
Voice AI Portal implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Measures:
Encryption:
• Data at rest: AES-256 (Supabase, GCP)
• Data in transit: TLS 1.3 (HSTS enforced)
• Database: Supabase Row Level Security (RLS) + GCP Cloud SQL encryption
Access Controls:
• Supabase authentication (bcrypt + JWT)
• Role-Based Access Control (RBAC) with least privilege
• Multi-Factor Authentication (MFA) for administrators
• Session timeouts and automatic logout
Network Security:
• GCP VPC with private subnets
• Cloudflare WAF and DDoS protection
• Private Service Connect for Supabase
• No public database exposure
Monitoring:
• 24/7 security monitoring (GCP Security Command Center, Cloudflare Analytics)
• Automated threat detection
• Audit logging (Supabase, GCP Cloud Logging)
Organizational Measures:
• Background checks for personnel with data access
• Confidentiality agreements for all staff
• Annual security awareness training
• Quarterly access reviews
• Incident response procedures
• Business continuity and disaster recovery plans
Full details available in the Voice AI Portal Security Policy at voiceaiportal.com/legal/security-policy.
4.2 Confidentiality of Processing
Voice AI Portal ensures that all personnel authorized to process Customer Personal Data:
- Have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality
- Receive appropriate security awareness training
- Have access only to the minimum Personal Data necessary to perform their duties
4.3 Data Subject Rights Assistance
4.3.1 Request Handling
If Voice AI Portal receives a data subject rights request directly from a data subject, Voice AI Portal will:
- Forward the request to Customer within 2 business days
- Not respond to the request without Customer’s prior written authorization
- Assist Customer in fulfilling the request as described below
4.3.2 Tools and Assistance
Voice AI Portal provides Customer with tools and technical assistance to enable Customer to respond to data subject rights requests:
| Right | Voice AI Portal Assistance |
|---|---|
| Access (Article 15) | Data export in JSON/CSV format via dashboard; copy of Personal Data within 5 business days of request |
| Rectification (Article 16) | Self-service editing tools in dashboard; manual updates within 3 business days |
| Erasure (Article 17) | Account deletion via dashboard; full deletion (including backups) within 30 days |
| Restriction (Article 18) | Temporary account suspension; flagging data for restricted processing |
| Portability (Article 20) | Machine-readable export (JSON) via dashboard |
| Objection (Article 21) | Assistance with cease processing; opt-out mechanisms |
Voice AI Portal will respond to Customer’s assistance requests within 5 business days unless urgent circumstances require faster response.
4.4 Security Incident Notification
4.4.1 Notification Timeline
Voice AI Portal will notify Customer of any Security Incident within 72 hours of becoming aware of the incident (aligned with Article 33 UK GDPR notification requirements to Supervisory Authorities).
4.4.2 Notification Content
Notification will include (to the extent available):
- Nature of the Security Incident (categories and approximate number of data subjects/records affected)
- Name and contact details of Voice AI Portal’s data protection officer or contact point
- Likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident and mitigate potential adverse effects
4.4.3 Cooperation
Voice AI Portal will cooperate with Customer and provide reasonable assistance to enable Customer to comply with obligations to notify Supervisory Authorities (Article 33) and data subjects (Article 34).
4.5 Data Protection Impact Assessment (DPIA) Assistance
Voice AI Portal will provide reasonable assistance to Customer in conducting Data Protection Impact Assessments (DPIAs) required under Article 35 UK GDPR, including:
- Providing information about processing operations
- Sharing relevant security documentation
- Describing technical and organizational measures
- Identifying risks and mitigation strategies
DPIAs are Customer’s responsibility as Controller. Voice AI Portal assistance is subject to reasonable notice (14 days) and scope limitations.
4.6 Prior Consultation Assistance
Voice AI Portal will reasonably assist Customer in consultations with Supervisory Authorities under Article 36 UK GDPR where required following a DPIA that indicates high risk.
4.7 Data Retention and Deletion
4.7.1 Retention Periods
Voice AI Portal retains Customer Personal Data as follows:
• Active account data: Subscription duration
• Post-termination: 30 days (grace period)
• Billing records: 7 years (UK tax law requirement)
• Backup data: 7 days (then securely overwritten)
• Audit logs: 12 months
4.7.2 Deletion Upon Termination
Upon termination of the Agreement or upon Customer’s written request, Voice AI Portal will:
- Delete or return all Customer Personal Data (Customer’s choice) within 30 days
- Delete Customer Personal Data from all systems including backups (within 7-day backup rotation)
- Provide written confirmation of deletion upon request
- Exception: Data required by law may be retained (e.g., billing records for 7 years)
4.7.3 Deletion Certification
Upon request, Voice AI Portal will provide a certificate of deletion signed by an authorized officer confirming secure deletion of Customer Personal Data.
4.8 Records of Processing Activities (Article 30 UK GDPR)
Voice AI Portal maintains records of all processing activities carried out on behalf of Customer, including:
- Name and contact details of Voice AI Portal and Customer
- Categories of processing
- Categories of data subjects and Personal Data
- Categories of recipients (Sub-processors)
- International data transfers and safeguards
- Security measures (general description)
Records available to Customer and Supervisory Authorities upon request.
4.9 Audit Rights
4.9.1 Information Provision
Voice AI Portal will make available to Customer all information necessary to demonstrate compliance with Article 28 UK GDPR obligations, including:
- SOC 2 Type II audit reports (under NDA)
- Security Policy documentation
- Sub-processor lists
- DPA compliance documentation
- Security incident reports
4.9.2 Audits and Inspections
Customer has the right to conduct audits and inspections (or appoint independent third-party auditor) to verify Voice AI Portal’s compliance with this DPA. Audit terms:
• Frequency: Once per 12-month period (additional audits if Security Incident or regulatory requirement)
• Notice: 30 days' advance written notice
• Scope: Processing operations, security measures, Sub-processor management
• Timing: During business hours (9 AM - 6 PM GMT, Monday-Friday)
• Confidentiality: Auditor must execute NDA
• Cost: Customer bears audit costs; Voice AI Portal may charge reasonable support fees for audits exceeding 2 days
• Report: Customer provides audit report within 30 days; Voice AI Portal has 60 days to remediate findings
For enterprise customers, audit rights may be satisfied by reviewing Voice AI Portal’s SOC 2 Type II reports in lieu of on-site audits.
SECTION 5: SUB-PROCESSORS
5.1 General Authorization
Customer provides general written authorization for Voice AI Portal to engage Sub-processors to process Customer Personal Data, subject to the terms of this Section.
5.2 Current Sub-Processors
Voice AI Portal currently engages the following Sub-processors:
| Sub-Processor | Service | Data Processed | Location |
|---|---|---|---|
| Supabase | Authentication database, RBAC | Email, password hashes, auth tokens, RBAC permissions | eu-central-1 (Germany – EU) |
| Google Cloud Platform | Application hosting, storage | All application data, call metadata, workspace configs | europe-west1 (Belgium – EU) |
| Cloudflare | WAF, DDoS, SSL, CDN | IP addresses, security logs, domain configs | Global (EU-primary) |
| Resend | Email delivery | Email addresses, names, email content | EU region |
| Stripe | Payment processing | Billing info, payment cards, transactions | United States |
| Google Analytics | Usage analytics | Anonymized usage data, device info | United States |
Complete list maintained at: voiceaiportal.com/legal/service-providers
5.3 Sub-Processor Requirements
Voice AI Portal ensures that all Sub-processors:
- Execute written Data Processing Agreements containing substantially the same obligations as this DPA (Article 28(4) UK GDPR)
- Implement appropriate technical and organizational security measures
- Provide sufficient guarantees of GDPR compliance
- Hold relevant security certifications (SOC 2, ISO 27001)
- Agree to data breach notification within 24 hours
5.4 Changes to Sub-Processors
5.4.1 Notification
Voice AI Portal will notify Customer of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance. Notification provided via:
- Email to Customer’s account administrator
- Update to Sub-processor list (voiceaiportal.com/legal/service-providers)
- In-platform notification
5.4.2 Objection Right
Customer may object to the appointment of a new Sub-processor on reasonable data protection grounds by notifying Voice AI Portal in writing within 30 days of notification.
5.4.3 Resolution Process
If Customer objects:
- Customer and Voice AI Portal will discuss the objection in good faith
- Voice AI Portal will use reasonable efforts to:
- Address Customer’s concerns with additional safeguards, or
- Propose alternative Sub-processor, or
- Modify Services to avoid using objected Sub-processor
- If no resolution within 30 days, Customer may terminate affected Services without penalty
5.5 Sub-Processor Liability
Voice AI Portal remains fully liable to Customer for the performance of Sub-processor obligations. Voice AI Portal is liable for acts and omissions of Sub-processors to the same extent as if performed by Voice AI Portal directly.
5.6 Voice AI Providers Are NOT Sub-Processors
Customer acknowledges that Third-Party Voice AI Providers (Retell AI, VAPI, ElevenLabs) are not Sub-processors of Voice AI Portal. Customer maintains direct contractual relationships and Data Processing Agreements with voice AI providers. Voice AI Portal accesses only call metadata via APIs under Customer’s authorization.
SECTION 6: INTERNATIONAL DATA TRANSFERS
6.1 Primary EU Data Processing
Voice AI Portal prioritizes EU-based infrastructure to minimize international data transfers:
✓ Supabase: eu-central-1 (Frankfurt, Germany) - No transfer
✓ GCP: europe-west1 (Belgium) - No transfer
✓ Resend: EU region - No transfer
✓ Cloudflare: EU data centers prioritized - Minimal transfer
For data subjects located in the UK or EU, the majority of processing occurs within the European Economic Area.
6.2 Transfers to Third Countries
6.2.1 Transfers Requiring Safeguards
The following Sub-processors are located in or transfer data to the United States:
- Stripe (payment processing) – United States
- Google Analytics (usage analytics) – United States
6.2.2 Transfer Mechanisms
For transfers to third countries without adequacy decisions, Voice AI Portal implements the following safeguards:
Standard Contractual Clauses (SCCs):
- EU Commission Decision 2021/914 (Module 2: Controller to Processor) – Annex I
- UK International Data Transfer Agreement (IDTA) or UK Addendum – Annex II
Additional Safeguards:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Contractual obligations limiting government access
- IP address anonymization (Google Analytics)
- Transfer Impact Assessments (TIAs) for high-risk transfers
- Monitoring of adequacy decisions and legal developments
6.2.3 Adequacy Monitoring
Voice AI Portal continuously monitors:
- Changes to adequacy decisions (UK, EU Commission)
- Legal developments in third countries (Schrems II implications)
- Supervisory Authority guidance on international transfers
If an adequacy decision is revoked or deemed insufficient, Voice AI Portal will implement supplementary measures or migrate data to alternative providers within the EU/UK.
6.3 Standard Contractual Clauses (Annex I)
The Standard Contractual Clauses attached as Annex I apply to transfers of Customer Personal Data from the EU/EEA to Voice AI Portal’s Sub-processors in third countries. The SCCs are incorporated into this DPA and form an integral part of this agreement.
SCC Details:
- Module: Module 2 (Controller to Processor)
- Parties: Customer (data exporter) and Voice AI Portal (data processor)
- Docking Clause: Available for Sub-processors with Customer consent
- Competent Supervisory Authority: As specified in Annex I, Section C
6.4 UK International Data Transfer Agreement (Annex II)
The UK IDTA (or UK Addendum to EU SCCs) attached as Annex II applies to transfers of Customer Personal Data from the UK to third countries. The UK IDTA incorporates the EU SCCs with UK-specific modifications.
UK IDTA Details:
- Version: B1.0 (21 March 2022) or later
- Importer: Voice AI Portal and authorized Sub-processors
- Exporter: Customer (UK-based or UK data subjects)
- Governing Law: England and Wales (or Scotland/Northern Ireland if specified)
SECTION 7: LIABILITY AND INDEMNIFICATION
7.1 Liability Cap
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement, except where Data Protection Laws prohibit such limitations.
7.2 Voice AI Portal Liability
Voice AI Portal is liable to Customer for any damages caused by Voice AI Portal’s breach of this DPA or Data Protection Laws, subject to Section 7.1.
7.3 Sub-Processor Liability
Voice AI Portal is liable for the acts and omissions of its Sub-processors to the same extent as if such acts were performed by Voice AI Portal directly.
7.4 Customer Indemnification
Customer agrees to indemnify and hold Voice AI Portal harmless from any claims, damages, or liabilities arising from:
- Customer’s breach of this DPA or Data Protection Laws
- Customer’s unlawful or improper processing instructions
- Customer’s failure to obtain necessary consents or provide privacy notices
- Claims by Customer’s end-customers or data subjects arising from Customer’s data protection violations
7.5 Data Subject Claims
Data subjects have third-party beneficiary rights under the Standard Contractual Clauses (Annex I) and may bring claims directly against Voice AI Portal for breaches of the SCCs.
SECTION 8: TERM AND TERMINATION
8.1 Term
This DPA takes effect on the Effective Date and continues for as long as Voice AI Portal processes Customer Personal Data on behalf of Customer.
8.2 Termination
This DPA terminates automatically upon:
- Termination or expiration of the Agreement
- Completion of all Services and deletion/return of all Customer Personal Data
8.3 Survival
The following provisions survive termination:
- Section 4.7 (Data Retention and Deletion)
- Section 6 (International Data Transfers – for data in transit at termination)
- Section 7 (Liability and Indemnification)
- Section 9 (Governing Law and Dispute Resolution)
- Any provisions necessary to give effect to the above
SECTION 9: GOVERNING LAW AND DISPUTE RESOLUTION
9.1 Governing Law
This DPA is governed by and construed in accordance with:
- English law (for UK-based Customers or UK data transfers)
- The law of the EU Member State where Customer is established (for EU-based Customers)
- As specified in the Agreement (if different)
9.2 Jurisdiction
Disputes arising under this DPA will be subject to:
- Exclusive jurisdiction of the courts of England and Wales (for UK Customers)
- Jurisdiction of the courts of the EU Member State where Customer is established (for EU Customers)
- Data subject claims: Data subjects may bring claims in their habitual residence (per SCCs)
9.3 Supervisory Authority Jurisdiction
Nothing in this Section limits the jurisdiction of the UK Information Commissioner’s Office (ICO) or EU Supervisory Authorities to investigate complaints and enforce Data Protection Laws.
SECTION 10: MISCELLANEOUS
10.1 Amendments
Voice AI Portal may update this DPA periodically to reflect:
- Changes in Data Protection Laws
- New Sub-processors or service changes
- Supervisory Authority guidance
- Security enhancements
Material Changes: Voice AI Portal will provide 30 days’ advance notice via email and website posting. Continued use of Services after the effective date constitutes acceptance.
10.2 Severability
If any provision of this DPA is found invalid or unenforceable, the remaining provisions continue in full effect. Invalid provisions will be replaced with valid provisions achieving similar intent.
10.3 Order of Precedence
In case of conflict:
- Standard Contractual Clauses (Annex I) and UK IDTA (Annex II) prevail over this DPA
- This DPA prevails over the Agreement
- Mandatory provisions of Data Protection Laws prevail over all contractual terms
10.4 Entire Agreement
This DPA, together with the Agreement and Annexes, constitutes the entire agreement between the parties regarding processing of Customer Personal Data.
10.5 Execution
This DPA is deemed executed upon Customer’s acceptance of the Agreement or subscription to Services. No separate signature required unless requested by Customer (execution page available upon request).
SECTION 11: CONTACT INFORMATION
Voice AI Portal Data Protection Officer:
Email: [email protected]
Address: ALIM Ltd, Company Number 14528810, England and Wales
General Data Processing Inquiries:
Email: [email protected]
Phone: +44 7725 999 798
Security Incident Reporting:
Email: [email protected]
Customer Support:
Email: [email protected]
ANNEX I: STANDARD CONTRACTUAL CLAUSES (SCCs)
Module 2: Transfer Controller to Processor (EU Commission Decision 2021/914)
[Full SCCs incorporated – available as separate document upon request]
ANNEX I.A – LIST OF PARTIES
Data Exporter (Controller):
- Name: [Customer Legal Entity Name]
- Address: [Customer Address]
- Contact: [Customer Contact Person, Email, Phone]
- Role: Data Controller
- Signature: [Electronic acceptance via Agreement]
Data Importer (Processor):
- Name: ALIM Ltd, trading as Voice AI Portal
- Address: [Company Number 14528810, England and Wales]
- Contact: [email protected]
- Role: Data Processor
- Signature: Pre-signed (v1.0, January 5, 2026)
ANNEX I.B – DESCRIPTION OF TRANSFER
Categories of Data Subjects:
- Customer employees, authorized users, workspace administrators
- Customer’s end-customers accessing client workspaces
- Individuals whose call data appears in analytics
- Support contacts
Categories of Personal Data:
- Contact data: Names, emails, phone numbers, business addresses
- Authentication data: Email, password hashes, tokens, RBAC permissions
- Billing data: Payment info (via Stripe), invoices, VAT numbers
- Call metadata: Phone numbers, timestamps, durations, costs
- Usage data: IP addresses, device info, platform interactions
- Support data: Tickets, chat logs, communications
Sensitive Data: None intentionally processed (Customer responsible if uploaded)
Frequency of Transfer: Continuous during subscription term
Nature of Processing: Collection, storage, organization, retrieval, consultation, use, disclosure, deletion
Purpose: Provision of voice AI analytics platform Services
Retention Period: As specified in Section 4.7 (subscription term + 30 days; billing 7 years)
ANNEX I.C – COMPETENT SUPERVISORY AUTHORITY
UK Customers: Information Commissioner’s Office (ICO), ico.org.uk
EU Customers: Supervisory Authority of the EU Member State where Customer is established
If Customer not established in EU but GDPR applies: Supervisory Authority where data subjects are located
ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES
Detailed security measures described in:
Voice AI Portal Security Policy (voiceaiportal.com/legal/security-policy)
Summary of key measures:
✓ AES-256 encryption (data at rest)
✓ TLS 1.3 encryption (data in transit)
✓ Supabase Row Level Security (RLS) for multi-tenant isolation
✓ RBAC with least privilege access
✓ MFA for administrators
✓ 24/7 security monitoring
✓ Incident response procedures (<72h breach notification)
✓ Employee confidentiality agreements
✓ Backup and disaster recovery (RTO 4h, RPO 1h)
ANNEX II: UK INTERNATIONAL DATA TRANSFER AGREEMENT (IDTA)
UK IDTA Version B1.0 (or UK Addendum to EU SCCs)
[Full UK IDTA incorporated – available as separate document upon request]
TABLE 1: PARTIES
Data Exporter: Customer (as specified in Annex I.A)
Data Importer: ALIM Ltd, Voice AI Portal (as specified in Annex I.A)
TABLE 2: SELECTED SCCs, MODULES AND SELECTED CLAUSES
SCCs: EU Commission Decision 2021/914
Module: Module 2 (Controller to Processor)
Clauses: All mandatory clauses apply
TABLE 3: APPENDIX INFORMATION
Reference: See Annex I.B (Description of Transfer) above
TABLE 4: ENDING THE ARRANGEMENT
Notice Period: 30 days written notice (unless Agreement terminates)
DOCUMENT EXECUTION
For Customers Requiring Signed DPA:
If you require a signed copy of this DPA (e.g., for enterprise procurement), please request via:
- Email: [email protected] with subject “DPA Signature Request – [Company Name]”
- Include: Company name, signatory details, purchase order number (if applicable)
- Response time: 5 business days
Standard Acceptance:
For most customers, this DPA is incorporated into the Agreement and deemed accepted upon subscription to Services. No separate signature required.
Document Version: 1.0
Effective Date: January 5, 2026
Next Review: January 5, 2027