This Data Processing Addendum ("DPA") forms part of the Terms and Conditions between Tradevoice Ltd ("Tradevoice", "Processor") and the customer ("Customer", "Controller") and applies whenever Tradevoice processes Personal Data on the Customer's behalf in connection with the Tradevoice service (the "Service").
This DPA is written to comply with Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Terms used in this DPA have the meanings given to them in UK GDPR, including: "Personal Data", "Processing", "Data Subject", "Controller", "Processor", "Sub-processor", "Personal Data Breach", and "Supervisory Authority".
In addition:
2.1 With respect to Caller Data processed through the Service, the Customer is the Controller and Tradevoice is the Processor.
2.2 With respect to the Customer's own account information (name, business details, billing data, etc.), Tradevoice is an independent Controller and processes that data in accordance with the Privacy Policy — that processing is outside the scope of this DPA.
2.3 The Customer must have a lawful basis under UK GDPR for the Processing it instructs Tradevoice to carry out, must inform Callers as required by Articles 13 and 14 UK GDPR, and is responsible for the legitimacy of its own processing operations.
3.1 Subject matter: answering, recording, transcribing and structuring inbound business calls; producing call summaries and structured leads; generating quotes from voice dictations.
3.2 Duration: for the term of the Customer's subscription plus any retention period set out in the Privacy Policy.
3.3 Nature and purpose of processing: providing the Service to the Customer.
3.4 Categories of Data Subjects:
3.5 Categories of Personal Data:
Tradevoice will:
4.1 Process Caller Data only on the Customer's documented instructions, including those given via the dashboard, in writing, or set out in this DPA. If Tradevoice believes an instruction infringes UK GDPR, it will notify the Customer and may decline to act on it.
4.2 Ensure that staff with access to Caller Data are bound by appropriate confidentiality obligations.
4.3 Implement appropriate technical and organisational security measures (set out in Annex A) to protect Caller Data against unauthorised access, disclosure, alteration or destruction.
4.4 Engage Sub-processors only as set out in clause 5.
4.5 Assist the Customer, taking into account the nature of the Processing and the information available, in fulfilling the Customer's obligations to respond to Data Subject rights requests.
4.6 Assist the Customer in complying with its obligations under Articles 32–36 UK GDPR (security, breach notification, DPIAs and consultation).
4.7 At the Customer's choice, delete or return all Caller Data to the Customer at the end of the Service, and delete existing copies (subject to any obligation to retain data under applicable law).
4.8 Make available to the Customer information necessary to demonstrate compliance with Article 28 UK GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (subject to clause 11).
5.1 The Customer authorises Tradevoice to engage Sub-processors to support delivery of the Service. The current list of Sub-processors is published at https://tradevoice.uk/sub-processors and covers application hosting and storage, call transcription, natural-language understanding and voice generation, SMS delivery, email delivery, billing, and service health monitoring.
5.2 Tradevoice will give at least 14 days' notice of any new Sub-processor or replacement, by email or via the dashboard. The Customer may object on reasonable data protection grounds within that notice period; if the parties cannot resolve the objection, the Customer's sole remedy is to terminate the Service for the affected feature with a pro-rata refund of prepaid fees.
5.3 Tradevoice will impose data protection terms on each Sub-processor that are no less protective than those in this DPA, and remains liable to the Customer for the acts and omissions of its Sub-processors.
6.1 Caller Data is stored on infrastructure located in the United Kingdom and the European Economic Area (EEA).
6.2 Where any Sub-processor is located outside the UK or EEA (e.g. for AI inference), Tradevoice ensures an appropriate transfer mechanism is in place — typically the UK IDTA, the UK Addendum to the EU Standard Contractual Clauses, or another mechanism recognised under UK GDPR — supported by a transfer risk assessment.
6.3 By signing up to the Service, the Customer authorises Tradevoice to make these transfers and, where applicable, enter into Standard Contractual Clauses with Sub-processors on the Customer's behalf.
7.1 Tradevoice's technical and organisational measures are set out in Annex A and are reviewed periodically. Tradevoice may update them, provided the overall level of security is not reduced.
8.1 Tradevoice will notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting Caller Data.
8.2 The notification will include, to the extent then known:
8.3 Tradevoice will reasonably cooperate with the Customer's investigation and any obligation to notify the Supervisory Authority or affected Data Subjects.
8.4 Notification to the Customer does not constitute an admission of fault or liability by Tradevoice.
9.1 Tradevoice will, taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests by Data Subjects exercising their rights under Chapter III of UK GDPR.
9.2 If a Data Subject contacts Tradevoice directly with a request relating to Caller Data, Tradevoice will refer the Data Subject to the Customer (without revealing the Customer's identity if doing so would itself create a risk) and notify the Customer where possible.
10.1 Tradevoice will provide the Customer with reasonable assistance in carrying out Data Protection Impact Assessments and prior consultations with the Supervisory Authority, where required by Articles 35 and 36 UK GDPR.
11.1 Tradevoice will provide the Customer with reasonable evidence of compliance with this DPA, including, on request, copies of relevant certifications, audit summaries, or completed security questionnaires.
11.2 Where the above is not sufficient, the Customer (or an independent third-party auditor mandated by the Customer and reasonably acceptable to Tradevoice) may, on at least 30 days' prior written notice, audit Tradevoice's compliance with this DPA. Audits must:
12.1 On termination of the Service, the Customer may instruct Tradevoice in writing to return or delete Caller Data within 30 days.
12.2 If the Customer does not provide such instructions, Tradevoice will delete Caller Data in accordance with the retention periods in the Privacy Policy.
12.3 Tradevoice may retain Caller Data to the extent required by applicable law, securely isolated from active processing.
13.1 The liability of each party under this DPA is subject to the limitations set out in the Terms and Conditions, except where UK GDPR expressly provides otherwise.
13.2 Each party is responsible for paying the share of any administrative fine or compensation award that reflects its part of the responsibility for the infringement.
14.1 In the event of conflict between this DPA and the Terms and Conditions, this DPA prevails on data protection matters.
14.2 In the event of conflict between this DPA and the Standard Contractual Clauses (where they apply), the Standard Contractual Clauses prevail.
15.1 Tradevoice may update this DPA from time to time to reflect changes in the law, in Sub-processors, or in the Service. For material changes affecting Customer rights, Tradevoice will give at least 30 days' notice.
16.1 This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales, in line with the Terms and Conditions.
Tradevoice maintains the following measures (this list is illustrative and may be updated as the Service evolves):
The current list of Sub-processors is maintained at https://tradevoice.uk/sub-processors. Material changes to this list will be notified per clause 5.2.
For any questions about this DPA:
Email: [email protected]
Post: Tradevoice Ltd, 87 Heeley Bank Road, Sheffield, South Yorkshire, S2 3GL, England