Data Processing Addendum

Version 1.0  |  Effective: February 2026  |  DLX SOLUTIONS GROUP LIMITED  |  Company No: 17033961

This DPA is included as standard at onboarding

This Data Processing Addendum ("DPA") forms part of the Agreement between DLX Solutions Group Limited ("DLX", "Processor") and each business client ("Client", "Controller"). It applies automatically when a Client begins using the DLX AI Receptionist service. No separate signature is required unless the Client requests a countersigned copy, which DLX will provide on request.

1. Definitions

  • "Agreement" means the Terms of Service between DLX and the Client, together with this DPA.
  • "Controller" means the Client — the business that has contracted with DLX to receive the AI Receptionist service.
  • "Processor" means DLX Solutions Group Limited, which processes personal data on behalf of the Controller.
  • "Personal Data" has the meaning given in UK GDPR — any information relating to an identified or identifiable living person.
  • "Processing" has the meaning given in UK GDPR — any operation performed on personal data.
  • "UK GDPR" means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, as amended.
  • "Sub-processor" means any third party engaged by DLX to process personal data in connection with the service.
  • "Data Subject" means an individual whose personal data is processed — in this context, primarily callers who contact the Client's forwarded phone number.

2. Subject Matter, Nature, and Duration of Processing

  • Subject matter: DLX processes personal data of callers who ring the Client's forwarded telephone number, for the purpose of capturing lead information and delivering it to the Client.
  • Nature: Collection (via voice call), storage (in a secure database), extraction (using AI), transmission (via SMS to the Client), and deletion (on schedule or on request).
  • Duration: For the duration of the Agreement, plus any period required to fulfil legal obligations or resolve disputes, after which data is deleted in accordance with Section 9 of this DPA.

3. Types of Personal Data Processed

DLX processes the following categories of personal data on behalf of the Controller:

  • Caller name (as provided by the caller during the call)
  • Caller telephone number (as provided by the caller, or from Twilio Caller ID)
  • Reason for calling and nature of the enquiry
  • Urgency level and preferred callback time
  • Audio recording of the call (where call recording is active)
  • Call metadata: date, time, duration, call reference number

DLX does not intentionally process special category data (as defined in Article 9 UK GDPR) on behalf of the Controller. If a caller volunteers sensitive information during a call, it may be captured in a recording or transcript and is subject to the same deletion schedule as other call data.

4. Categories of Data Subjects

Individuals who call the Client's forwarded telephone number, including existing customers, prospective customers, and members of the public making enquiries.

5. Processing Instructions

DLX shall process personal data only:

  • On the documented instructions of the Controller (as set out in this DPA and the Agreement), unless required to do so by applicable law;
  • For the purposes of delivering the AI Receptionist service — capturing caller information and delivering lead summaries to the Client;
  • In accordance with UK GDPR and applicable data protection law.

DLX shall inform the Controller immediately if, in its opinion, an instruction from the Controller infringes UK GDPR or applicable data protection law.

6. Confidentiality

DLX shall ensure that all personnel authorised to process personal data under this DPA are subject to binding confidentiality obligations (whether contractual or statutory) and process personal data only as necessary to provide the service.

7. Security Measures

DLX implements the following technical and organisational measures to protect personal data:

  • Encryption in transit: TLS encryption for all data transmitted between callers, Twilio, and DLX servers.
  • Encryption at rest: AES-256 encryption for data stored in the Supabase/PostgreSQL database.
  • Access controls: Database access restricted to the application server via service role keys. No public access to raw data. Admin access limited to authorised personnel.
  • Automatic deletion: Call audio recordings and transcripts are automatically deleted after 60 days.
  • Audit logging: All call events are logged with timestamps for dispute resolution purposes.
  • Sub-processor controls: All sub-processors are bound by their own data protection agreements (see Section 8).

8. Sub-processors

The Controller authorises DLX to engage the following sub-processors. DLX has entered into (or will enter into) appropriate data processing agreements with each sub-processor.

Sub-processor Location Purpose Transfer safeguard
Twilio Inc. United States (with UK/EU data handling options) Voice call handling, call routing, SMS delivery, call recording storage Standard Contractual Clauses (SCCs) / UK Addendum
Supabase AWS EU-West-1 (Ireland) Secure database storage for call records, lead data, and client configuration EU storage; SCCs where applicable
OpenAI United States Intent classification and field extraction from caller speech responses OpenAI DPA / SCCs / UK Addendum
Cloud hosting provider
(Railway or Render)		 United States or EU (varies) Application server hosting — routes calls and writes records to Supabase; does not itself store personal data persistently SCCs where applicable

DLX will notify the Controller of any intended changes to this sub-processor list (additions or replacements) by updating this DPA and notifying active clients. The Controller may object to a new sub-processor within 14 days of notification; if a reasonable objection cannot be resolved, either party may terminate the Agreement on 30 days' notice.

9. Data Retention and Deletion

  • Call audio recordings: automatically deleted after 60 days
  • Call transcripts: automatically deleted after 60 days
  • Call metadata: retained for 90 days
  • Lead records (name, phone, reason): automatically deleted after 180 days, or within 30 days of Agreement termination (whichever is sooner), unless the Controller requests earlier deletion or applicable law requires otherwise

Upon termination of the Agreement (or on written request from the Controller), DLX will delete or return all personal data processed on behalf of the Controller and certify in writing that deletion has been completed, unless applicable law requires continued retention.

10. Assistance with Data Subject Rights

DLX will, taking into account the nature of the processing and to the extent possible, assist the Controller to respond to requests from data subjects exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection). Where DLX receives a data subject rights request that clearly relates to the Controller's data, DLX will promptly forward it to the Controller.

11. Assistance with Security and Breach Obligations

DLX will:

  • Notify the Controller without undue delay (and in any event within 48 hours) of becoming aware of a personal data breach affecting personal data processed on the Controller's behalf, providing sufficient information to allow the Controller to meet its own ICO reporting obligations (72 hours from awareness).
  • Assist the Controller with data protection impact assessments (DPIAs) where required and where the processing is likely to result in a high risk to data subjects.
  • Provide reasonable assistance with the Controller's obligations under UK GDPR regarding security of processing.

12. Audits and Inspections

DLX shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits and inspections conducted by the Controller or a third-party auditor appointed by the Controller, subject to:

  • Reasonable prior written notice (minimum 14 days)
  • The audit being conducted during normal business hours and in a manner that minimises disruption
  • The auditor being bound by confidentiality obligations
  • The Controller bearing the reasonable costs of any audit it requests

DLX may satisfy audit requests by providing up-to-date third-party security certifications or audit reports where available.

13. International Transfers

Where personal data is transferred outside the UK/EEA to sub-processors (Twilio and OpenAI in the United States, hosting provider where US-based), DLX ensures appropriate safeguards are in place including UK GDPR standard contractual clauses or the UK International Data Transfer Agreement (IDTA), as applicable. Details of transfer mechanisms are listed in the sub-processor table in Section 8.

14. Compliance and Liability

Each party shall comply with its obligations under UK GDPR. The Controller remains responsible as data controller for the lawfulness of its instructions to DLX and for the lawful basis on which caller data is processed. DLX is responsible for processing personal data only in accordance with this DPA and applicable law.

Liability under this DPA is subject to the limitations set out in the Terms of Service.

15. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes arising from it are subject to the exclusive jurisdiction of the courts of England and Wales.

16. Contact

For any queries about this DPA or to request a countersigned copy:
Email: support@dlxsolutions.co.uk
DLX SOLUTIONS GROUP LIMITED, 11 Rhodfa Brenig, Colwyn Bay, LL29 6EA