This Data Processing Addendum (“DPA”) forms part of the agreement between Vyacheslav Lukin, sole trader (“Processor”) and the customer that has accepted our Service Terms and Pilot Agreement (“Customer”, “Controller”).
We process personal data to provide the Service, including:
We process such data only to provide, support, and secure the Service, and as instructed by Customer.
We will process personal data only on documented instructions from Customer. Customer’s use of the Service and configuration choices constitute instructions. We will not use personal data for our own purposes (e.g. marketing, product improvement using identifiable data) unless Customer has agreed or applicable law requires it. If we are required by law to process data beyond Customer’s instructions, we will inform Customer in advance unless the law forbids it. Customer acknowledges that certain technical and organisational parameters of the Service (e.g. retention defaults, security measures) are determined by the Processor as part of providing a standardised service and do not affect Customer's role as Controller.
We will ensure that persons authorised to process personal data are bound by confidentiality. We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in line with Article 32 GDPR (or equivalent under applicable law).
We use the sub-processors listed in our current Sub-Processor List (published at https://pilot.lukin.uk/gdpr-processors.html). We have contracts in place with each sub-processor that impose equivalent obligations to those in this DPA. We will inform Customer of any intended change (new or replacement sub-processor) by posting an updated list and, where required by law or our agreement, by giving Customer an opportunity to object within a reasonable time. If Customer objects on reasonable grounds relating to data protection, we will use reasonable efforts to offer an alternative (e.g. different sub-processor or configuration) or, if not possible, Customer may terminate the affected part of the Service without penalty. Where the sub-processor is essential to the provision of the Service (e.g. telecom or hosting providers), Customer's sole remedy shall be termination of the Service.
Customer is responsible for responding to requests from data subjects (e.g. callers). We will assist Customer in responding to such requests (e.g. access, rectification, erasure, portability, objection, restriction) insofar as this is possible with the means we have and to the extent required by applicable law. We will not respond directly to data subjects unless Customer has authorised us to do so or we are required by law.
We will notify Customer without undue delay after becoming aware of a personal data breach that affects Customer’s data. We will provide information that Customer reasonably needs to meet its own notification obligations to supervisory authorities and data subjects. We will not notify data subjects or authorities on Customer’s behalf unless Customer has asked us to or the law requires us to.
We do not retain call metadata or call content beyond the short retention period described below. Personal data processed in connection with the Service (including data processed by our sub-processors) is automatically deleted within 7 days after the call. If Customer needs the processed data (e.g. a copy or return), Customer must request it from us at least 48 hours before the scheduled deletion; we will then provide or return the data as reasonably practicable. At the end of the agreement, we will ensure any remaining personal data is deleted within 7 days, unless we are required to retain it by law. We may retain copies to the extent required for legal compliance; such data will remain protected in accordance with this DPA.
We will make available to Customer the information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits and inspections in line with Article 28(3)(h) GDPR (or equivalent), subject to reasonable notice, confidentiality, and frequency limits. Any audit will be at Customer’s expense unless otherwise agreed.
Where personal data is transferred from the EEA, UK, or Switzerland to a country not recognised as adequate, we will ensure appropriate safeguards (e.g. Standard Contractual Clauses, or EU–US Data Privacy Framework where applicable) are in place. Where required, the EU Standard Contractual Clauses (Controller-to-Processor or Processor-to-Processor, as applicable) are hereby incorporated by reference. Our sub-processors are required to do the same where they receive such data.
Our total liability under this DPA (together with the Service Terms and Pilot Agreement) is limited to £100 (one hundred pounds sterling) in aggregate, except where the law does not allow such limitation (e.g. death or personal injury caused by our negligence, or fraud). Nothing in this DPA limits liability where such limitation is prohibited by applicable data protection law, including administrative fines imposed by supervisory authorities. This DPA is governed by the law of England and Wales, unless otherwise required by mandatory data protection law.