Data Processing Agreement
Last updated: 2 May 2026
This Data Processing Agreement (“DPA”) supplements the BookedCalls.ai Terms of Service and applies whenever Epic Software Labs Ltd trading as BookedCalls.ai (“Processor”) processes Personal Data on behalf of a Customer (“Controller”) in connection with the BookedCalls Service.
Capitalised terms not defined here have the meanings given in the UK GDPR.
1. Roles and scope
The Customer is the Controller of the Personal Data of its prospects, leads, and other third-party contacts uploaded to or sourced through the Service. BookedCalls is the Processor with respect to that Personal Data.
For Personal Data of the Customer’s own staff (account users) and billing contacts, BookedCalls is the Controller; that processing is governed by the Privacy Policy, not this DPA.
2. Subject matter, duration, and nature of processing
- Subject matter: provision of the BookedCalls Service.
- Duration: for the term of the underlying Service contract plus 30 days for return or deletion.
- Nature: collection, enrichment, segmentation, AI-assisted message generation, sending of emails, dialer calls, recording of activity and outcomes.
- Purpose: to operate B2B outreach campaigns on the Customer’s instruction.
- Categories of Personal Data: business contact details (name, business email, phone, job title, employer), enrichment data (company size, industry, public professional profile), engagement data (opens, replies, call outcomes, bookings).
- Categories of Data Subjects: the Customer’s prospects and leads.
- Special category data: none collected or processed.
3. Processor obligations
BookedCalls will:
- Process Personal Data only on documented instructions from the Customer (the underlying contract, the in-app intake form, and lawful written instructions thereafter).
- Ensure persons authorised to process the Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Schedule A below).
- Engage sub-processors only as set out in section 5.
- Assist the Controller with data subject requests (section 6) and with security, breach notification, DPIA, and prior consultation obligations.
- At the Controller’s choice, return or delete Personal Data after the end of the Service (subject to legally mandated retention).
- Make available all information necessary to demonstrate compliance with this DPA and allow audits per section 7.
4. Controller obligations
The Customer warrants that:
- It has a lawful basis under UK GDPR Article 6 (and where applicable, Article 9) for the processing it instructs BookedCalls to perform.
- It has provided any required transparency information to data subjects.
- Its instructions to BookedCalls comply with applicable data protection law.
- It will promptly notify BookedCalls of any data subject opt-out, suppression, or erasure request so that the global suppression list can be updated.
5. Sub-processors
The Customer authorises BookedCalls to engage the sub-processors listed at bookedcalls.ai/sub-processors for the purposes set out there. BookedCalls will notify the Customer of any new sub-processor at least 14 days before they begin processing Personal Data; the Customer may object on reasonable data protection grounds, in which case BookedCalls will work in good faith to find a resolution (including, if appropriate, allowing the Customer to terminate the affected portion of the Service without penalty).
BookedCalls remains liable to the Customer for the acts and omissions of its sub-processors as if they were its own.
6. Data subject requests
BookedCalls will, by appropriate technical and organisational measures, assist the Customer (insofar as possible) to fulfil its obligation to respond to data subject requests for access, rectification, erasure, restriction, portability, and objection.
If a data subject contacts BookedCalls directly, BookedCalls will route the request to the Customer without undue delay and will respond to the data subject only on the Customer’s instruction.
7. Audits
BookedCalls will make available to the Customer, on reasonable written request, the information necessary to demonstrate compliance with this DPA. Once per twelve-month period, the Customer (or an independent third-party auditor it appoints, subject to a confidentiality agreement) may conduct an on-site or remote audit of BookedCalls’ compliance, on at least 30 days’ notice. Audits are at the Customer’s cost unless they reveal material non-compliance, in which case BookedCalls bears reasonable cost.
8. International transfers
Personal Data is hosted in the European Union by default. Where it is transferred outside the UK or EEA (e.g. to AI sub-processors in the United States), transfers rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or other valid transfer mechanisms. BookedCalls will provide evidence of these mechanisms on request.
9. Security
BookedCalls implements the technical and organisational measures described in Schedule A below. These may evolve over time provided the overall protection of Personal Data is not materially diminished.
10. Personal data breaches
BookedCalls will notify the Customer without undue delay (and in any event within 48 hours) of becoming aware of any Personal Data breach affecting the Customer’s Personal Data, with sufficient detail for the Customer to meet its own notification obligations.
11. Term and termination
This DPA continues for as long as BookedCalls processes Personal Data on behalf of the Customer. On termination of the underlying Service contract, BookedCalls will, at the Customer’s choice, return or delete the Personal Data within 30 days, except where retention is required by law.
12. Liability and governing law
Liability arising under this DPA is subject to the limitations in the underlying Terms of Service. This DPA is governed by the laws of England and Wales.
Schedule A — Technical and organisational measures
- Encryption in transit: TLS 1.2 or higher for all network traffic.
- Encryption at rest: AES-256 for sensitive fields and database storage.
- Access control: role-based access; least-privilege defaults; multi-factor authentication required for all staff with production access.
- Network security: hosted on Convex (managed cloud); ingress through TLS endpoints only; private subnets for backend services.
- Audit logging: structured logs of authentication events, administrative actions, and data access; retained for 90 days.
- Secrets management: API keys held in Convex environment variables; rotated on personnel change or suspected compromise.
- Backups: daily; encrypted; retained for 30 days.
- Secure development: code review on all changes; type-checked; staged through development → production with testing gates.
- Vendor management: sub-processors selected for SOC 2 / ISO 27001 / GDPR compliance.
- Personnel: confidentiality clauses in employment contracts; data protection awareness training annually.
- Incident response: documented runbook; on-call rotation; 48-hour breach notification commitment.
- Physical security: no on-premises data; relies on the physical security of Convex’s underlying cloud provider (currently AWS, EU regions).
Contact
DPA enquiries: dpo@bookedcalls.ai
Address: Epic Software Labs Ltd, 85 Great Portland Street, First Floor, London W1W 7LT, United Kingdom.