Skip to main content

Data Processing Agreement

Last updated: 24 May 2026

1. Parties

Data Controller: You ("Customer") — the AI deployer, agency, or platform using Audact services.

Data Processor: Audact AI Ltd, 71-75 Shelton Street, London WC2H 9JQ, United Kingdom ("Audact" or "Audact AI Ltd") — processing interaction metadata on your behalf as a Processor under GDPR Article 28. Commercial relationships will transition to Audact (Ireland) Ltd (in formation, expected Q3 2026) once incorporated; this DPA will assign to that entity by written notice, with no degradation of Customer rights.

2. Scope of Processing (GDPR Art. 28(3))

Subject matter & duration: Provision of the Audact compliance platform; duration equal to the underlying service agreement plus any retention period mandated by law.

Nature & purpose: Compliance validation, evidence-chain generation, and audit-trail maintenance as instructed by the Customer through the platform configuration.

Data categories: Call metadata (timestamps, jurisdiction identifiers, policy decisions, validation results, evidence hashes, consent records).

Data subjects: End-users / callers / chat participants of the Customer’s AI deployment.

Not processed: Conversation content, audio recordings, PII beyond what is necessary for compliance validation. All PII is encrypted with per-subject keys and subject to crypto-shredding on erasure request.

Processor obligations (Art. 28(3)): Audact (a) processes only on documented Customer instructions; (b) ensures personnel are bound by confidentiality; (c) implements Art. 32 security measures (section 5); (d) engages sub-processors only on the terms in section 3; (e) assists the Customer with data-subject rights and Art. 32-36 obligations; (f) deletes or returns Customer Data on termination (section 8); (g) makes available information necessary to demonstrate compliance and allows audits as set out in section 10.

3. Sub-processors

All third parties that process data on behalf of Audact or our clients. This list is maintained as required under GDPR Article 28.

Sub-processorPurposeData processedLocation
AWS (Frankfurt)Infrastructure hostingAll platform dataEU (Frankfurt)
CloudflareCDN, DNS, DDoS protectionRequest metadataEU + global edge
TelnyxSIP telephonyCall audio in transit, telephony metadataEU PoPs — SCCs
LiveKit CloudWebRTC transport, turn detectionAudio in transit (no retention)EU region
Deepgram Nova-3Speech-to-text (default)Audio in transit (no retention configured)US (EU endpoint) — SCCs
ElevenLabs FlashText-to-speech (default)LLM-generated textUS/EU — SCCs
OpenAI / AnthropicLLM inference (GPT-4o-mini default, Claude Sonnet premium)Conversational text (no retention configured)US (EU endpoint where available) — SCCs
Google WorkspaceEmail, docsBusiness communicationsUS/EU — SCCs
SlackInternal communicationsInternal messagesUS — SCCs
NotionWiki / project managementInternal operational dataUS — SCCs
1PasswordCredential managementEncrypted credentialsCanada/EU
Stripe (when live)Payment processingBilling dataUS/IE — SCCs

Customer compliance data is processed exclusively in the EU; certain US-based sub-processors handle limited operational data under Standard Contractual Clauses (SCCs) as the transfer mechanism in accordance with GDPR Chapter V. No international transfer of Customer compliance evidence occurs — the evidence chain is EU-resident only.

The current sub-processor list is also published on our Trust Center.

We will notify you at least 30 days before adding or replacing a sub-processor. You may object in writing within that period on reasonable grounds; if no acceptable solution is found you may terminate the affected service.

Sub-processor list last updated: 24 May 2026

4. Data Residency

All Customer compliance data (interaction metadata, evidence chains, audit logs) is stored and processed exclusively within the European Economic Area (EEA) on AWS eu-central-1 (Frankfurt) primary and AWS eu-west-1 (Ireland) backup. Migration to Hetzner Frankfurt is planned for July 2026 (no Customer data leaves the EEA during or after migration).

Certain sub-processors listed above are based in the US and process limited operational data under Standard Contractual Clauses (SCCs). No Customer compliance data leaves the EEA at any time — the evidence chain is structurally EU-only.

5. Security Measures (GDPR Art. 32)

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Per-subject encryption keys for PII (crypto-shredding capability)
  • SHA-256 hash chains for evidence integrity
  • Role-based access control (RBAC)
  • SOC 2 Type II planned 2027
  • Regular penetration testing and vulnerability scanning

6. Data Subject Rights

Audact assists the Customer in fulfilling data subject requests (access, rectification, erasure, portability) within 72 hours of notification. Erasure is implemented via crypto-shredding: the per-subject encryption key is destroyed, rendering personal data permanently unreadable while preserving evidence chain integrity.

7. Breach Notification (GDPR Art. 33(2))

Audact will notify the Customer of any personal data breach without undue delay and in any event no later than 72 hours after becoming aware. Notification includes: nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach and mitigate its effects. Audact will provide reasonable assistance to enable the Customer to fulfil its Art. 33 / 34 obligations toward supervisory authorities and data subjects.

8. Term & Termination

This DPA is effective for the duration of the service agreement. Upon termination, Audact will delete or return all Customer Data within 30 days, except where retention is required by EU or Member-State law (EU AI Act evidence retention; up to 10 years for regulated financial-services use). Cryptographic evidence chains may be retained in non-personal, hash-only form to preserve audit integrity for the period mandated by applicable law.

9. International Transfers

Customer compliance data (interaction metadata, evidence chains, audit logs) is not transferred outside the EEA. Where limited operational data is processed by US-based sub-processors listed in section 3, the transfer mechanism is Standard Contractual Clauses (Module 3 — processor-to-processor, EU 2021/914) supplemented by appropriate technical and organisational measures.

10. Audit Rights

Audact will make available to the Customer, on reasonable written request and no more than once per 12-month period, the information necessary to demonstrate compliance with this DPA, including third-party audit reports (ISO 27001, SOC 2 Type II once available). Where the Customer reasonably requires further audit, the parties will agree scope, timing and cost; audits must not disrupt other customers and are subject to confidentiality.

11. Contact

DPA inquiries: dpo@audact.ai