This document is incorporated by reference into all Order Forms and governs your use of Intavia services.

Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the Agreement between Intavia LTD (“Processor”, “Provider”, “we”) and any Customer entering into an Order Form or using the Services (“Controller”, “Customer”, “you”). The current version of this DPA is always available at:
Data Processing Agreement
This DPA reflects the parties’ obligations under the UK GDPR, EU GDPR, and applicable data protection laws governing the processing of Personal Data in connection with the Services.

1. Definitions

Capitalised terms have the meanings set out in the Agreement unless defined here.
  • “Agreement” means the MSA, this DPA, all Order Forms, and any applicable addenda.
  • “Data Protection Laws” means all applicable data protection and privacy legislation in force from time to time in the United Kingdom and, where applicable, the European Union, including without limitation the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), the EU GDPR, and any successor or implementing legislation.
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Personal Data Breach” has the meaning given in Data Protection Laws and includes any loss, accidental or unlawful destruction, damage, corruption, alteration, disclosure of, or access to Personal Data.
  • “Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” have the meanings given in Data Protection Laws.
  • “Customer Data” means all data (including Personal Data) submitted or generated by Customer via the Services.
  • “Customer Systems” means systems, CRMs, telephony providers, infrastructure, and tools Customer owns or controls.
  • “Sub-Processor” means any third party engaged by Provider to process Customer Data.
  • “Services” means the functionality described in the Order Form and Documentation. Any functionality not expressly described in the Order Form or Documentation is excluded.
  • “Term” has the meaning given in clause 3.3 of this DPA.

2. Roles of the Parties

2.1 Controller–Processor

For Customer Data processed through the Services, Customer is the Controller and Provider is the Processor.

2.2 Independent Controller Activities

For Provider’s own processing (billing, account management, fraud prevention, product analytics using aggregated/anonymised data), Provider acts as an independent Controller.

2.3 Instructions

Provider will only process Personal Data on documented instructions from Customer:
  • this DPA
  • the Agreement
  • any applicable Order Form
  • any written instructions consistent with the Agreement
If Provider believes an instruction violates Data Protection Laws, it shall notify Customer.

3. Subject Matter, Nature, Purpose, Duration

3.1 Subject Matter

Processing of Customer Data in connection with the provision of the Services.

3.2 Nature & Purpose

Provider processes Personal Data to:
  • receive, handle, route, and manage inbound calls
  • place outbound calls (if enabled)
  • generate call metadata, logs, transcripts, and analytics
  • surface data into dashboards
  • integrate with Customer Systems
  • provide configuration, support, and quality assurance
  • improve the Services using anonymised/aggregated data
  • comply with legal obligations

3.3 Duration

Processing continues for the term of the Agreement, plus applicable retention periods. Detailed processing information appears in Annex 1.

4. Types of Personal Data & Data Subjects

4.1 Categories of Personal Data

Categories include (without limitation):
| Category | Examples |
|---|---|
| Identification & Contact | Names, phone numbers, email addresses, business identifiers |
| Communication Content | Call audio, transcripts, text interactions, free-text content spoken or entered |
| Metadata | Phone numbers dialled, timestamps, duration, routing, menu selections, call outcomes, tags, labels |
| Booking / Appointment Information | Service types, dates, times, staff members, notes entered by Customer |
| Customer Users | User account details, login identifiers, usage logs |
| Technical Information | IP addresses, device/browser type, operational logs |
| Free-Text Notes | Any text entered by Customer via dashboards or configuration panels |

4.2 Special Categories

Not intended to process special category data. If callers voluntarily share such data, Controller is responsible for:
  • lawful basis
  • notices
  • retention
  • deletion configuration

4.3 Data Subjects

Data Subjects may include:
  • Customer’s callers, clients, patients, and leads
  • Customer employees or contractors
  • Other individuals whose data appears in Customer Data

5. Processor Obligations

Provider shall:

5.1 Records of Processing

Provider shall maintain records of processing activities to the extent required by Data Protection Laws.

5.2 Confidentiality

Ensure all authorised persons are under confidentiality obligations.

5.3 Security

Implement appropriate technical and organisational safeguards (see Annex 2).

5.4 Assistance with Data Subject Rights

Assist Customer (at Customer’s cost where applicable) with Data Subject rights requests.

5.5 Assistance with Compliance

Assist Customer with:
  • security obligations
  • Personal Data Breach notifications
  • DPIAs and supervisory consultations

5.6 Breach Notification

Provider shall notify Customer without undue delay (and where feasible within 72 hours) of any Personal Data Breach affecting Customer Data, including any loss, unintended destruction, corruption, alteration, unauthorised access to, or disclosure of Personal Data. Provider will supply sufficient information to enable Customer to meet its legal obligations.

5.7 Deletion or Return at Termination

Upon termination:
  • Provider retains Customer Data for 90 days for backup/legal purposes
  • After 90 days, data is deleted or anonymised
  • Customer may request earlier deletion where feasible
  • Customer may export data via available tools

6. AI Output Behaviour

6.1 Nature of AI Outputs

The Services use machine-learning models that may:
  • generate inaccurate or fictional (“hallucinated”) content
  • misinterpret caller intent
  • incorrectly infer Personal Data
  • generate synthetic content not based on actual Personal Data

6.2 AI Output Is Not a Data Breach

AI hallucination, synthetic generation, or inaccurate inference does not constitute a Personal Data Breach unless caused by an underlying security incident.

6.3 Controller Responsibility

Customer remains responsible for:
  • all inputs, prompts, flows, scripts, and business logic provided
  • verifying outputs where accuracy is important
  • ensuring no unlawful, inaccurate, or harmful instructions are given to the AI

6.4 Sensitive Data

Customer must not require AI to generate, infer, or process special category data unless they have a lawful basis and configure retention/controls accordingly.

7. Sub-Processors

7.1 Authorisation

Customer authorises the Sub-Processors listed in Annex 3.

7.2 Additions & Changes

Provider may add or replace Sub-Processors.
Customer will be notified of material changes.

7.3 Objection Right

If Customer objects on reasonable data protection grounds, parties will seek a solution.
If none is found, Customer may terminate only the affected Services.

7.4 Sub-Processor Obligations

Provider ensures Sub-Processors are bound by obligations no less protective than this DPA. Provider remains liable for Sub-Processor actions.

8. International Transfers

Provider and Sub-Processors may process Personal Data in the UK, EEA, US, or other jurisdictions. Where required, Provider relies on:
  • Standard Contractual Clauses
  • UK IDTA
  • or other authorised transfer mechanisms

9. Security Measures

Provider implements:
  • encryption in transit and at rest (where applicable)
  • access controls, authentication, least-privilege
  • logging, monitoring, incident response
  • secure development practices
  • vulnerability management
  • staff training
Detailed overview: Annex 2.

10. Data Storage, Recordings, and Retention

10.1 Call Recordings & Transcripts

Where enabled:
  • call audio and transcripts are processed and stored by Sub-Processors such as ElevenLabs
  • recordings may be stored indefinitely unless Customer instructs otherwise
  • Provider may stream or surface recordings without retaining raw audio internally

10.2 Customer Responsibility

Customer is responsible for:
  • selecting lawful retention periods
  • providing required caller notices
  • configuring deletion or disabling recording if needed

10.3 Deletion at Request

Provider will act on Customer deletion instructions where technically feasible.

11. Use of Data for Service Improvement

Provider may use anonymised or aggregated data to:
  • improve models
  • test features
  • benchmark performance
  • conduct analytics
Customer may opt out by written notice, acknowledging performance may degrade. Provider does not sell Personal Data or use it for third-party marketing.

12. Audits & Information

12.1 Documentation

Provider will make available information demonstrating compliance, including:
  • security documentation
  • summaries of controls
  • Sub-Processor information
  • transfer mechanism details

12.2 Audits

Where required by law, Customer may conduct audits:
  • with reasonable notice
  • during normal business hours
  • without undue disruption
Limited to one audit per year, unless required by a Supervisory Authority or following a confirmed breach. Costs: Customer bears its own costs and Provider’s reasonable costs unless Provider is in material breach.

13. Data Subject Requests

If a Data Subject submits a request or complaint directly to Provider, Provider will, where feasible, redirect the individual to Customer or notify Customer without undue delay. Customer is responsible for responding to Data Subject rights requests and complaints. Provider will assist Customer to the extent required by Data Protection Laws and technically feasible, and may charge for such assistance where permitted by law.

14. Priority & Conflict

If this DPA conflicts with other parts of the Agreement, this DPA prevails solely for Personal Data Processing. All other terms remain in full force.

15. Governing Law

This DPA is governed by the laws of England and Wales.
Courts of England and Wales have exclusive jurisdiction.

16. Liability

Liability arising under or in connection with this DPA is governed exclusively by the liability provisions set out in the Agreement (MSA). No additional liabilities are created by this DPA.

Annex 1 — Data Processing Details

This Annex provides the detail required by Article 28(3) GDPR regarding the nature, scope, purpose, and duration of processing carried out by Provider on behalf of Customer.

1. Subject Matter of Processing

Processing of Customer Data (including Personal Data contained in inbound and outbound calls, transcripts, metadata, booking information, logs, and any data surfaced into the Platform) for the purpose of providing the Services.

2. Duration of Processing

Processing occurs for:
  • the term of the Agreement;
  • any period during which Customer uses or accesses the Services;
  • a 90-day post-termination retention window for backup, dispute resolution and legal compliance;
  • any retention configured by Customer at Sub-Processor level (e.g., ElevenLabs call recording storage);
  • any legally required additional retention period.
Customer may request earlier deletion where technically feasible.

3. Nature and Purpose of Processing

Processing activities include:

Inbound Call Handling

  • receiving, answering, routing, forwarding and managing inbound calls;
  • executing Customer-defined flows, scripts, menus, or logic;
  • interacting with callers using AI voice models;
  • identifying, confirming or retrieving caller details.

Outbound Calling (if enabled)

  • placing calls triggered by Customer actions, workflows, integrations or business logic;
  • appointment reminders, lead follow-up, scheduling tasks, or other permitted non-spam use cases.

AI-Generated Outputs

  • generating synthetic audio responses;
  • creating, inferring, or transforming text or metadata;
  • producing summaries, tags, labels, classifications, or other derived content;
  • streaming this data back to the Platform.

Data Surfacing and Storage

  • displaying or streaming call recordings, transcripts, metadata, tags, summaries and analytics to Customer;
  • caching audio/transcript segments for operational use;
  • generating usage logs, billing metrics, reporting data.

Integrations with Customer Systems

  • syncing bookings, appointments, customer details or tags;
  • writing or reading data in Customer Systems as configured.

Support & Quality Assurance

  • troubleshooting call quality, flows, misrouting, or integration failures;
  • verifying correct system operation during onboarding.

Service Improvement (aggregated/anonymised)

  • improving accuracy, latency, robustness and performance of the Services;
  • improving routing, detection, ASR/STT/TTS models;
  • testing new features;
  • analytics and benchmarking.
Customer may opt out of improvement processing (beyond operational necessity) by written notice.

4. Categories of Personal Data

The following categories may be processed (non-exhaustive, depending on Customer configuration):
| Category | Examples |
|---|---|
| Identification & Contact Information | Name, phone number, email address; business or practice name; role/title where provided |
| Call Audio & Transcripts | Voice recordings of callers; text transcripts generated by speech models; metadata associated with recordings; summaries or structured derivatives (tags, actions, labels) |
| Operational Metadata | Call timestamps, duration, routing choices; telephone numbers involved (inbound/outbound); flow paths, menu selections; call outcomes (answered, missed, transferred, completed) |
| Appointment & Booking Data | Appointment type, service category; date, time, location; staff/resource allocation; notes provided by caller or Customer |
| Customer User Data | Authorised user names, emails; role and permission levels; platform activity logs |
| Technical Data | IP address; device/browser information; performance logs and error traces (e.g., via Sentry or Datadog) |
| Free-Text Content | Any unstructured data provided by Customer or callers, manually or verbally |

5. Categories of Data Subjects

  • Customer’s callers, clients, patients, prospects, or leads;
  • Customer’s employees, staff, contractors or authorised users;
  • individuals referenced in free-text notes or bookings;
  • any other person whose data appears in Customer Data.

6. Special Categories of Data

Provider does not intend to process special category data. However, callers may voluntarily disclose such data during conversations (e.g., minor health information such as “I have back pain”). If Customer configures flows that lead to such disclosures, Customer is responsible for:
  • having a lawful basis;
  • appropriate notices;
  • configuring retention and deletion;
  • ensuring compliance with GDPR Article 9 requirements.
Provider will process such data only as necessary to fulfil Customer instructions.

Annex 2 — Security Measures

Provider implements technical and organisational measures appropriate to the risk, in accordance with Articles 28, 32 and 5(1)(f) GDPR. A high-level summary of measures is outlined below.

1. Organisational Measures

1.1 Information Security Policies

  • documented security, privacy, access control and incident response policies;
  • regular review and approval by leadership;
  • all employees and contractors receive mandatory training on confidentiality, data protection, and security obligations, and are required to comply with Provider’s internal security and confidentiality policies.

1.2 Access Control & Authentication

  • role-based access control (RBAC);
  • least-privilege access for all internal users;
  • MFA enforced for staff with access to production systems;
  • periodic access review and revocation during offboarding.

1.3 Confidentiality Obligations

  • all employees and contractors are bound by confidentiality agreements;
  • access granted only to those requiring it for support or troubleshooting.

1.4 Secure Development Practices

  • code reviews, version control, CI/CD pipelines;
  • vulnerability scanning and dependency monitoring;
  • separation of development, staging, and production environments.

2. Technical Measures

2.1 Encryption

  • encryption of data in transit using TLS 1.2+;
  • encryption of data at rest by Sub-Processors (e.g., AWS EBS, S3, RDS, depending on subsystem);
  • hashed and salted credentials;
  • secure key management by cloud providers (KMS).

2.2 Infrastructure Security

  • hosting on Amazon Web Services (AWS), with physical/data centre protections;
  • network segmentation and security groups;
  • automated backups;
  • firewalls and DDoS mitigation.

2.3 Monitoring & Logging

  • application and infrastructure logging (Datadog, Sentry, CloudWatch);
  • anomaly detection and alerting;
  • audit trails for access to data and systems;
  • rate limiting and abuse detection for telephony endpoints.

2.4 Incident Response

  • documented incident response procedures;
  • processes for triage, containment, remediation, and reporting;
  • GDPR-compliant breach notification workflows.

2.5 Data Minimisation & Retention Controls

  • only storing operationally necessary metadata;
  • raw audio stored primarily by ElevenLabs as Sub-Processor;
  • minimal internal caching;
  • Customer-configurable retention where supported.

3. Telephony & AI Model Security

3.1 Telephony Security (Twilio)

  • secure SIP/TLS signalling where applicable;
  • fraud detection and abuse prevention controls;
  • carrier-level encryption where supported.

3.2 AI Model Security

  • AI models hosted by authorised Sub-Processors;
  • Provider does not use Customer Data for training unless anonymised/aggregated;
  • input/output logs controlled and access-restricted.

4. Third-Party Sub-Processor Controls

Provider ensures Sub-Processors:
  • comply with security requirements that are no less protective than this DPA;
  • use secure infrastructure and encryption;
  • are bound by confidentiality;
  • are audited or certified where applicable (e.g. AWS SOC 2/ISO 27001).

5. Business Continuity & Resilience

  • regular backups;
  • multi-region redundancy for critical services;
  • recovery plans aligned with cloud-provider continuity guarantees;
  • ongoing evaluation of infrastructure reliability.

These measures are reviewed periodically and updated to reflect evolving risks, best practices, and operational needs.

Annex 3 — Sub-Processors

Provider uses certain Sub-Processors to support the delivery of the Services. The current list of Sub-Processors, including their roles and processing locations, is maintained at: Sub-Processors. Provider may update this list in accordance with Section 7 of this DPA (Sub-Processors). Customer will be notified of any material changes in accordance with the Agreement.

Contact us

Email: loic@intavia.ai
Controller: Intavia LTD
Registered address: Charilaou Xyloforou 13, Agios Athanasios, 4103, Limassol, Cyprus.