Data Processing Agreement (“DPA”)
Last Updated: 1 October 2025
1. Definitions
1.1 Capitalised terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalised terms used in this DPA will be defined as follows:
“Adequate Jurisdiction” means the UK, European Economic Area (“EEA”) or a country or territory deemed to provide adequate protection for the rights and freedoms of individuals, as set out in: (a) the Data Protection Act 2018 or regulations made by the UK Secretary of State under the Data Protection Act 2018; and (b) with respect to Data Subjects in the EEA, a decision of the European Commission.
“Analytics Data” means anonymised statistics, benchmarking and analytics regarding the performance and use of the Communications Services.
“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum.
“Authorised Users” means your employees, contractors, agents and authorised users of the Platform.
“Data Protection Laws” means all applicable laws, rules, regulations and governmental requirements relating to the privacy, confidentiality or security of Personal Data, as they may be amended or otherwise updated from time to time, including (without limitation): the GDPR and the US Data Protection Laws.
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended, including its implementing regulations and the California Privacy Rights Act of 2020.
“Communications Data” means data collected by us from Customers in connection with the provision of the Communications Services, including call recordings, conversation transcripts and other records of communications.
“Communication Services” means a multi-channel conversational transaction service which may include voice virtual agent (‘Virtual Agent’), chat, website or SMS text automation supported by machine learning technology provided to you through our Platform.
“Controller” has the meaning given to the terms “controller”, “business” or any equivalent term used under Data Protection Laws to refer to a natural or legal person that determines the purposes and means of Processing Personal Data.
“Controller Purposes” means the purposes identified in the Details of Data Processing.
“Covered Data” means Personal Data that is contained in the Service Data, in each case as further described in the Details of Data Processing and the Agreement.
“Customers” means your current, former and prospective customers that use the Communication Services.
“Data Subject” means a natural person whose Personal Data is Processed.
“Deidentified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.
“Details of Data Processing” means the details of Processing of Personal Data under the Agreement and this DPA available at https://app.eu.vanta.com/poly.ai/trust/m9icyuy0ko2kq0ibijb7t/resources?s=2ppskhy5tz47z4s2rvh53m&name=details-of-processing .
“Feedback” means any ideas, know-how, improvements, or suggestions that we may receive from you in connection with the Services.
“GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR”, as defined in section 3 of the Data Protection Act 2018.
“Personal Data” means any data or information that: (a) relates to, is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Data Protection Laws.
“Platform” means our proprietary communications handling platform which is made up of our software and any third-party software that may be necessary for its functionality.
“PolyAI” means PolyAI Limited or its affiliate that has entered into the Agreement with you.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.
“Processor” has the meaning given to the terms “processor”, “service provider” or any equivalent term used under Data Protection Laws to refer to a natural or legal person that Processes Personal Data on the instructions of a Controller.
“Restricted Use Data” means: (a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions; (b) any other special categories of Personal Data identified in Article 9 of the GDPR or Personal Data that is otherwise sensitive Personal Data under Data Protection Laws; (c) financial information (including, without limitation, billing information and cardholder or sensitive authentication data, as those terms are defined under the Payment Card Industry Data Security Standard); (d) personally identifiable financial information, as defined by and subject to the Gramm-Leach-Bliley Financial Modernization Act of 1999; (e) national identification numbers (including, without limitation, Social Security Numbers, Social Insurance Numbers, driver’s license or passport numbers or other governmentally-issued identification numbers); (f) information relating to individuals under the age of 13; (g) education records, as defined under the Family Educational Rights and Privacy Act of 1974; (h) protected health information as defined by, and subject to, the Health Insurance Portability and Accountability Act or consumer health data as defined under the US Data Protection Laws; and (i) biometric information or biometric identifiers as defined under the US Data Protection Laws.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.
“Services” means the Communication Services, the Platform and any professional services and any other services specified in the Agreement.
“Service Data” means any information, data and other content that:
1.1.1 is Communications Data;
1.1.2 You, your Customers or your Authorised Users upload to the Services or otherwise make available in connection with your or their use of the Services; and
1.1.3 is not Feedback, Analytics Data or Usage Data;
“Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.
“Sub-processor” means, with respect to any Processing performed by PolyAI as a Processor, an entity appointed by PolyAI to Process Covered Data on its behalf.
“Usage Data” means data related to your Authorised Users’ use of the Platform.
“US Data Protection Laws” means all applicable federal and state laws, rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including (without limitation): the CCPA, the California Invasion of Privacy Act, Cal. Penal Code § 630, et seq. (“CIPA”), the Illinois Biometric Information Privacy Act 740 ILCS 14 et seq., the Virginia Consumer Data Protection Act, Code of Virginia Title 59.1 Chapter 52 § 59.1-571 et seq., the Colorado Privacy Act, Colorado Revised Statute Title 6 Article 1 Part 13 § 6-1-1301 et seq., the Utah Consumer Privacy Act, Utah Code § 13-6-101 et seq., Connecticut Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring (as such law is chaptered and enrolled).
2. Data and Interaction with the Agreement
2.1 Personal Data. In case of contradictions, this DPA supersedes the Agreement with respect to any Processing of Covered Data.
2.2 Ownership of Service Data. As between you and PolyAI, you and we acknowledge that you are the owner or licensee of all rights (including any intellectual property rights) in and to any Service Data. To the extent that any rights in and to the Service Data vest in PolyAI in the course of performing the Services, we hereby assign to you such rights, by way of future assignment, absolutely and with full title guarantee.
2.3 Licence. You hereby grant PolyAI:
2.3.1 a non-transferable, sublicensable, royalty-free licence to use the Service Data for the Term as necessary to provide the Services or as otherwise required to comply with applicable law;
2.3.2 a non-transferable, sublicensable, royalty-free, perpetual, irrevocable licence to use the Communications Data to: (a) create Analytics Data; and (b) monitor the performance of, develop and improve the Communications Services.
2.4 Usage Data and Analytics Data. PolyAI may create and use Usage Data and Analytics Data in order to monitor the performance of the Services, develop and improve the Services and develop new products and services. The parties acknowledge and agree that all Analytics Data and any Usage Data shall be owned by PolyAI.
3. Roles
3.1 The parties agree that:
3.1.1 subject to paragraph 3.1.2, PolyAI Processes Covered Data as a Processor on your behalf;
3.1.2 to the extent that the GDPR applies to the Processing of Covered Data by PolyAI or you, PolyAI Processes Covered Data for the Controller Purposes as a Controller.
4. Processing of Personal Data
4.1 The details of the Processing of Personal Data under the Agreement and this DPA are described in the Details of Data Processing and the relevant Agreement.
4.2 Save with respect to any Processing of Covered Data for the Controller Purposes, PolyAI shall only Process Covered Data on your behalf and under your instructions, unless Processing is permitted under Data Protection Laws or required to comply with applicable law in the United Kingdom (in which case PolyAI shall inform you of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest).
4.3 The Agreement and this DPA shall constitute your instructions for the Processing of Covered Data.
4.4 Without limiting the foregoing, PolyAI is prohibited from:
4.4.1 selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
4.4.2 sharing Covered Data with any third party for cross-context behavioural advertising;
4.4.3 retaining, using, or disclosing Covered Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by Data Protection Laws;
4.4.4 retaining, using, or disclosing Covered Data outside of the direct business relationship between the parties; and
4.4.5 except as otherwise permitted by Data Protection Laws, combining Covered Data with Personal Data that PolyAI receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
4.5 PolyAI will:
4.5.1 provide you with information to enable you to conduct and document any data protection assessments required under Data Protection Laws; and
4.5.2 promptly inform you, if in our opinion, your instructions infringe Data Protection Laws.
5. Compliance
5.1 Each party shall comply with its obligations under Data Protection Laws, including as set out in the remainder of this paragraph 5.
5.2 You agree that you shall:
5.2.1 provide Data Subjects with such information regarding the Processing of their Covered Data as required under Data Protection Laws, including any information made available by PolyAI regarding PolyAI’s Processing of Covered Data for the Controller Purposes;
5.2.2 to the extent required for the lawful Processing of Covered Data under Data Protection Laws, obtain valid consents from Data Subjects for such Processing in the form required under Data Protection Laws, including:
5.2.2.1 any Processing of Covered Data by PolyAI for the Controller Purposes; and
5.2.2.2 where applicable, the placing of any outbound calls using the Communications Services.
5.3 PolyAI shall notify you promptly if we determine that we can no longer meet our obligations under Data Protection Laws.
5.4 You may take reasonable and appropriate steps to:
5.4.1 ensure that we use Covered Data in a manner consistent with your obligations under Data Protection Laws; and
5.4.2 upon reasonable notice, stop and remediate unauthorised use of Covered Data.
6. Restricted Use Data
6.1 You acknowledge and agree that, save as otherwise agreed in the Agreement, you shall not provide to us, and we shall not be required to collect in the course of providing the Services, any Restricted Use Data.
7. Confidentiality and disclosure
7.1 PolyAI shall:
7.1.1 limit access to Covered Data to personnel who have a business need to have access to such Covered Data; and
7.1.2 ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement, including duties of confidentiality with respect to any Covered Data to which they have access.
8. Sub-processors
8.1 You grant us general authorisation to engage any of the Sub-processors listed at https://app.eu.vanta.com/polyai/trust/m9icyuy0ko2kq0ibijb7t/resources?s=km1mf28r1avpzvdcza4kvv&name=subprocessor-list , as amended in accordance with paragraph 8.3 (the “Authorised Sub-processors”), to Process Covered Data.
8.2 PolyAI shall:
8.2.1 enter into a written agreement with each Authorised Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than our obligations under this DPA; and
8.2.2 remain liable for each Authorised Sub-processor’s compliance with the obligations under this DPA.
8.3 Subject to you subscribing to receive notices of any changes to the Authorised Sub-processors by registering your details, PolyAI shall provide you with at least fifteen (15) days’ notice of any proposed changes to the Authorised Sub-processors. You must notify us if you object to the proposed change to the Authorised Sub-processors by providing us with written notice of the objection within fifteen (15) days after PolyAI has provided notice to you of such proposed change (an “Objection”).
8.4 In the event of an Objection, the parties shall work together in good faith to find a mutually acceptable resolution to address such Objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, which shall not exceed thirty (30) days, you may terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to us.
9. Data Subject Rights Requests
9.1 PolyAI shall notify you without undue delay of any request received by us or any Authorised Sub-processor from a Data Subject to assert their rights in relation to Covered Data under Data Protection Laws (a “Data Subject Request”).
9.2 Other than in respect of any Processing of Covered Data for the Controller Purposes, you shall have sole discretion in responding to the Data Subject Request, and we shall not respond to the Data Subject Request other than to advise the Data Subject that their request has been forwarded to you.
9.3 PolyAI will provide you with reasonable assistance as necessary for you to fulfil your obligations under Data Protection Laws to respond to Data Subject Requests.
10. Security
10.1 We will implement and maintain appropriate technical and organisational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorised or unlawful Processing and against accidental loss, destruction, or damage of or to Covered Data.
10.2 When assessing the appropriate level of security, we shall take into account the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.
10.3 The parties agree that such technical and organisational security measures shall include the measures set out at https://app.eu.vanta.com/poly.ai/trust/m9icyuy0ko2kq0ibijb7t/resources?s=curs5mzgaubi0ptiu2sci&name=poly-ai-security-schedule .
11. Audits
11.1 You may, not more than once a year, audit our compliance with this DPA. The parties agree that all such audits will be conducted:
11.1.1 upon reasonable written notice to PolyAI;
11.1.2 only during PolyAI’s normal business hours; and
11.1.3 in a manner that does not materially disrupt PolyAI’s business or operations.
11.2 With respect to any audits conducted in accordance with paragraph 11.1:
11.2.1 you may engage a third-party auditor to conduct the audit on your behalf;
11.2.2 we shall not be required to facilitate any such audit unless and until the parties have agreed in writing the scope and timing of such audit.
11.3 You shall promptly notify us of any non-compliance discovered during an audit.
11.4 The results of the audit shall be our confidential information and you agree to maintain confidentiality and not to disclose, copy or modify the results without our prior written consent.
11.5 We shall provide to you upon request, or may provide to you in response to any audit request submitted by you to us, the following:
11.5.1 data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company; or
11.5.2 such other documentation reasonably evidencing the implementation of the technical and organisational data security measures in accordance with industry standards.
11.6 If an audit requested by you is addressed in the documents or certification provided by us in accordance with paragraph 11.5, and:
11.6.1 the certification or documentation is dated within twelve (12) months of your audit request; and
11.6.2 we confirm that there are no known material changes in the controls audited,
you agree to accept that certification or documentation in lieu of conducting a physical audit of the controls covered by the relevant certification or documentation.
12. Security Incidents
12.1 We shall notify you in writing without undue delay, and in any event within forty-eight (48) hours, after becoming aware of any Security Incident.
12.2 We shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send you timely information about the Security Incident, to the extent known to us or as the information becomes available to us, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation.
12.3 We shall provide you with reasonable assistance with your investigation of any Security Incidents and any of your obligations in relation to the Security Incident under Data Protection Laws, including any notification to Data Subjects or supervisory authorities.
12.4 Our notification of or response to a Security Incident under this paragraph 12 shall not be construed as an acknowledgement by us of any fault or liability with respect to the Security Incident.
13. Term, Deletion and Return
13.1 This DPA shall commence on the date the Agreement is signed by both parties and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, our deletion or anonymisation of all Covered Data as described in this DPA.
13.2 We shall:
13.2.1 if requested to do so by you within ninety (90) days of expiry of the Agreement (the “Retention Period”), provide a copy of all Covered Data in such commonly used format as requested by you, or provide you with a self-service functionality allowing you to download such Covered Data; and
13.2.2 without undue delay following the Retention Period, delete all copies of Covered Data Processed by us or any Authorised Sub-processors, other than any Covered Data Processed for the Controller Purposes.
14. International Transfers
14.1 PolyAI may Process Covered Data anywhere that we or our Sub-processors maintain facilities, subject to the remainder of this paragraph 14.
14.2 Where the Services are provided by PolyAI Limited (as identified in the Agreement):
14.2.1 PolyAI shall not transfer any Covered Data to a recipient outside of the UK unless: (a) the recipient is in an Adequate Jurisdiction; or (b) the transfer is governed by an agreement incorporating: (i) standard data protection clauses approved under Section 119A of the Data Protection Act 2018; and with respect to Data Subjects in the EEA, the Standard Contractual Clauses; and
14.2.2 if you are not in an Adequate Jurisdiction, the Approved Addendum shall, as further set out in Annex 1, apply to and form part of this DPA in relation to the transfer of any Covered Data from PolyAI (as data exporter) to you (as data importer).
14.3 To the extent that PolyAI is not in an Adequate Jurisdiction, and your Processing of Covered Data is subject to the GDPR or the transfer of Covered Data from you to PolyAI is an “onward transfer” (as defined in the Standard Contractual Clauses), the Standard Contractual Clauses shall, as further set out in Annex 1, apply to and form part of this DPA in respect of any transfer of Covered Data from you (as data exporter) to PolyAI (as data importer).
14.4 The parties agree that execution of the Agreement shall, where applicable, have the same effect as signing the Standard Contractual Clauses and Approved Addendum.
15. Deidentified Data
If we receive Deidentified Data from you or on your behalf, or create such Deidentified Data from Covered Data, we shall:
15.1.1 take reasonable measures to ensure the information cannot be associated with a Data Subject;
15.1.2 publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information; and
15.1.3 contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Data Protection Laws.
16. General
16.1 The parties hereby certify that they understand the requirements in this DPA and will comply with them.
16.2 The parties agree that any limitations on either party’s liability under the Agreement shall apply to any claims, losses or damages arising in respect of a breach of this DPA, other than any claims, losses or damages arising from a breach by you of paragraph 5.2 of this DPA.
16.3 The parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Data Protection Laws.
16.4 We may modify this DPA at any time by posting a revised version on our website or by otherwise notifying you via email; provided, however, we will provide advance notice for material adverse changes to the or DPA. Subject to the advance notice requirement with respect to such material adverse changes, the modified terms will become effective upon posting or, if we notify you by email, as stated in the email message. By continuing to use the Services after the effective date of any modifications, you agree to be bound by the modified terms. It is your responsibility to check the website regularly for modifications to the DPA. We last modified these on the date listed at the beginning of them.
Annex 1 – International Transfers
1. Transfers from PolyAI to you under paragraph 14.2
With respect to any transfers referred to in paragraph 14.2, the Approved Addendum shall be completed as follows:
2. Transfers from you to PolyAI under paragraph 14.3
With respect to any transfers referred to in paragraph 14.3, the Standard Contractual Clauses shall be completed as follows:
| Module in operation | Two (controller to processor) | |
| Clause 7 (docking clause) | Not used | |
| Clause 9 (sub-processors) | Option 2: general authorisation. Time period determined in accordance with paragraph 8.3 of this DPA | |
| Clause 11(a) (Independent dispute resolution body) | Not used | |
| Clause 17 (Governing law) | Ireland | |
| Clause 18 (Forum and jurisdiction) | Ireland | |
| Annex I.A (Parties) | Exporter - You, as identified in the Agreement | Importer - PolyAI Technologies, Inc (as further identified in the Agreement) |
| | Exporter - The contact identified in the Order Form | Importer - legal@poly.ai |
| Annex I.B. (Description of transfer) | As described in rows 4 to 6 of the Details of Data Processing | |
| Annex I.C. (Supervisory authority) | Data Protection Commission, Ireland | |
| Annex II (Technical and organisational measures) | https://app.eu.vanta.com/poly.ai/trust/m9icyuy0ko2kq0ibijb7t/resources?s=curs5mzgaubi0ptiu2sci&name=poly-ai-security-schedule | |
To the extent the UK GDPR applies to your processing of Covered Data when you transfer such Covered Data to us, or the transfer is an “onward transfer” as defined in the Approved Addendum, the Approved Addendum shall be completed as follows:
| Table 1 (Parties) | Exporter - You, as identified in the Agreement | Importer - PolyAI, Inc (as further identified in the Agreement) |
| | Exporter - The contact identified in the Order Form | Importer - legal@poly.ai |
| Table 2 (Addendum EU SCCs) | The version of the Approved EU SCCs set out above which this Addendum is appended to, including the Appendix Information. | |
| Table 3 (Appendix information) | Parties: as set out above; Description of transfer: as described in rows 4 to 6 of the Details of Data Processing | |
| Table 4 (Ending this Addendum when the Approved Addendum changes) | Importer and exporter | |