RingDesk

DATA PROCESSING AGREEMENT

TJP365 Ltd t/a RingDesk · June 2026

This Agreement is incorporated into and forms part of the RingDesk Customer Service Agreement. It governs the processing of personal data by TJP365 Ltd on behalf of the Customer in connection with the RingDesk platform.

THIS DATA PROCESSING AGREEMENT is entered into on the date the Customer accepts the Customer Service Agreement

BETWEEN:

1. TJP365 Ltd, a company incorporated in England and Wales (Company No. 15457512), whose registered office is at 55-57 Station Road, Edgware, England, HA8 7HX, trading as RingDesk ("the Processor"); and

2. The customer entity identified in the RingDesk account ("the Controller")


DEFINITIONS

"Applicable Data Protection Law" means the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, and any successor legislation.

"Controller" has the meaning given in Applicable Data Protection Law.

"Data Subject" means an identified or identifiable natural person whose personal data is processed under this Agreement - principally callers who interact with the AI agent.

"Personal Data" has the meaning given in Applicable Data Protection Law, and in this context includes call audio recordings, transcripts, SMS and text-message content, caller-provided information (name, phone number, enquiry content), returning-caller history, and any other information that relates to an identified or identifiable individual.

"Processing" has the meaning given in Applicable Data Protection Law.

"Processor" has the meaning given in Applicable Data Protection Law.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this Agreement.

"Services" means the RingDesk AI communication platform (handling inbound telephone calls and SMS text messages) provided under the Customer Service Agreement.

"Sub-processor" means any processor engaged by TJP365 Ltd to process Personal Data on behalf of the Controller.


1. ROLES AND SCOPE

1.1 The parties acknowledge that for the purposes of Applicable Data Protection Law:

(a) The Controller is the Data Controller in respect of Personal Data processed in connection with the Services;

(b) The Processor acts as a Data Processor, processing Personal Data only on behalf of and on the documented instructions of the Controller.

1.2 This Agreement applies to all Personal Data processed by the Processor on behalf of the Controller in connection with the Services, as described in Schedule A.

1.3 The Controller warrants that it has a valid lawful basis under Applicable Data Protection Law for each Processing activity described in Schedule A, and that its instructions to the Processor are lawful.

1.4 Third-party integrations. Where the Controller enables an integration with a third-party system (such as a booking, calendar, or CRM platform), the Controller instructs the Processor to transmit relevant Personal Data to that system. Such third-party systems are engaged by, and act on behalf of, the Controller (not the Processor) and are not Sub-processors under this Agreement. The Controller is responsible for the lawfulness of that transfer and for its own arrangements with each such third party.


2. PROCESSOR OBLIGATIONS

The Processor shall, in relation to any Personal Data processed in connection with the Services:

2.1 Process only on instructions. Process Personal Data only on the documented instructions of the Controller (as set out in this Agreement and the Customer Service Agreement), except where required to do so by UK law, in which case the Processor shall inform the Controller of that legal requirement before processing unless prohibited by law.

2.2 Confidentiality. Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.

2.3 Security. Implement and maintain appropriate technical and organisational measures to protect Personal Data against a Security Incident, taking into account the nature of the data and the risks involved. Current security measures are described in Schedule B.

2.4 Sub-processors. Not engage a new Sub-processor without giving the Controller at least 30 days' prior written notice, allowing the Controller a reasonable opportunity to object. Current Sub-processors are listed in Schedule C. If the Controller objects on reasonable data protection grounds, the parties shall attempt to resolve the objection in good faith. If resolution is not possible within 30 days, either party may terminate the Services on 30 days' notice.

2.5 Data Subject rights. Taking into account the nature of the Processing, assist the Controller by implementing appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligations to respond to Data Subject rights requests (access, erasure, rectification, restriction, portability).

2.6 Article 32–36 assistance. Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments, and prior consultation with the ICO) having regard to the nature of Processing and the information available to the Processor.

2.7 Deletion or return. On termination of the Services, at the Controller's choice, delete or return all Personal Data and delete existing copies, except to the extent the Processor is required by UK law to retain the data. The Processor's standard retention period is set out in Schedule A.

2.8 Audit. Make available to the Controller all information reasonably necessary to demonstrate compliance with this Agreement, and allow for and contribute to audits (including inspections) conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice (minimum 30 days) and agreement on scope and confidentiality.

2.9 ICO notification. Promptly notify the Controller if, in the Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Law.


3. SECURITY INCIDENTS

3.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a Security Incident involving Personal Data processed under this Agreement.

3.2 The notification shall include, to the extent available at the time:

(a) A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected;

(b) The likely consequences of the Security Incident;

(c) The measures taken or proposed to address the Security Incident.

3.3 The Controller is responsible for notifying the ICO of any reportable Security Incident within 72 hours of becoming aware of it (UK GDPR Article 33). The Processor's notification under clause 3.1 is intended to assist the Controller in meeting this obligation.

3.4 The Processor shall cooperate with the Controller and take reasonable steps to mitigate the effects of any Security Incident.


4. INTERNATIONAL DATA TRANSFERS

4.1 The Processor shall not transfer Personal Data outside the United Kingdom except:

(a) To a country or territory subject to UK adequacy regulations;

(b) Using the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses; or

(c) With the Controller's prior written consent.

4.2 The Processor currently uses Sub-processors outside the UK as set out in Schedule C. The applicable transfer mechanism for each is identified in that Schedule.

4.3 If the transfer mechanism for any Sub-processor ceases to be valid, the Processor shall notify the Controller and the parties shall cooperate to identify an alternative mechanism or, if none is available, the Processor shall cease the transfer.


5. DATA SUBJECT RIGHTS

5.1 The Processor shall promptly forward to the Controller any Data Subject rights requests received that relate to Personal Data processed under this Agreement.

5.2 The Processor shall not respond to Data Subject rights requests directly, except with the prior written authorisation of the Controller, or as required by law.

5.3 The Processor shall assist the Controller to respond to Data Subject rights requests within statutory timescales by providing relevant information about the Personal Data held and the Processing carried out.


6. RECORDS OF PROCESSING

6.1 The Processor shall maintain a record of all categories of Processing activities carried out on behalf of the Controller as required by Article 30(2) of the UK GDPR.


7. TERM AND TERMINATION

7.1 This Agreement comes into force on the date the Customer accepts the Customer Service Agreement and remains in force until that Agreement is terminated.

7.2 On termination of the Customer Service Agreement, this Agreement terminates automatically except for provisions that by their nature should survive (including obligations relating to Personal Data retained during the statutory retention period and Security Incident notification).


8. LIABILITY

8.1 Each party's liability under this Agreement is subject to the limitations and exclusions set out in the Customer Service Agreement, except where such limitations are not permitted by Applicable Data Protection Law.

8.2 As between the parties, the Controller shall be responsible for any fines, penalties, or third-party claims arising from the Controller's failure to have a valid lawful basis for processing or to provide adequate notice to Data Subjects.


9. GENERAL

9.1 In the event of a conflict between this Agreement and the Customer Service Agreement, this Agreement shall prevail in relation to data protection matters.

9.2 This Agreement is governed by the laws of England and Wales.

9.3 This Agreement may only be varied by written agreement signed by both parties.

9.4 This Agreement does not confer any rights on third parties under the Contracts (Rights of Third Parties) Act 1999.


SCHEDULE A - DESCRIPTION OF PROCESSING

| Field | Detail |
| --- | --- |
| Subject matter | Processing of personal data in connection with the provision of AI communication services (handling inbound telephone calls and SMS text messages) |
| Duration | For the term of the Customer Service Agreement plus statutory retention periods |
| Nature of processing | Recording, transcription, storage, retrieval, analysis (sentiment, intent), AI-generated responses, identification of returning callers, transmission to Controller-enabled integrations, and deletion of call and text-message data |
| Purpose | Providing the AI communication service (calls and text messages); enabling the Controller to review and manage calls and messages via the admin dashboard; and, where the Controller enables integrations, transmitting relevant data to the Controller's chosen third-party systems on its instruction |
| Types of personal data | Voice recordings; call and message transcripts; SMS/text-message content; caller-provided information (name, contact number, enquiry content); returning-caller history; metadata (call/message duration, timestamp, outcome) |
| Categories of data subjects | Third-party callers and texters who contact the phone number(s) assigned to the Controller's account |
| Retention period | 90 days from the date of the call or message by default (configurable at account level), then automatic deletion. Transcripts: same. Account configuration data: retained for 90 days post-termination of the Services, then deleted |
| Special category data | The Processor does not intentionally process special category data. The Controller must not configure the Service to solicit or record health, financial, or other special category data from callers unless it has explicit consent from those callers and has notified the Processor in writing |

SCHEDULE B - TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

| Category | Measure |
| --- | --- |
| Access control | Admin app access requires authenticated login (Supabase Auth). Row-level security restricts each tenant to their own data. Super-admin access is restricted to named individuals. |
| Encryption | All data in transit is encrypted via TLS 1.2+. Call recordings and transcripts are stored encrypted at rest. |
| Infrastructure | Platform hosted on Fly.io (EU-West region), Supabase (EU-West), and Netlify (CDN). All providers maintain SOC 2 certifications. |
| Data minimisation | Only call and message data necessary to provide the service is retained. Recordings and transcripts are automatically deleted after 90 days by default. |
| Incident response | The Processor maintains an incident response procedure. Security Incidents are escalated to the Controller within 48 hours. |
| Sub-processor security | All Sub-processors are contractually bound to maintain appropriate security measures and are listed in Schedule C. |
| Personnel | Staff and contractors with access to personal data are subject to confidentiality obligations. |
| Vulnerability management | Dependencies are regularly updated. Access credentials are managed via a password manager. |

SCHEDULE C - SUB-PROCESSORS

| Sub-processor | Purpose | Location | Transfer mechanism |
| --- | --- | --- | --- |
| Twilio Inc. | Telephone number provisioning, call routing, call audio transport, and SMS message routing | USA | UK IDTA |
| Deepgram Inc. | Speech-to-text transcription of call audio | EU (Ireland) | UK adequacy regulations (EEA) |
| Anthropic PBC | AI language model (generates agent call and message responses) | USA | UK IDTA |
| Amazon Web Services, Inc. (Bedrock) | Managed hosting and inference for the AI language model | EU (Ireland) | UK adequacy regulations (EEA) |
| Cartesia Inc. | Text-to-speech (generates agent voice) | USA | UK IDTA |
| Supabase Inc. | Database hosting, authentication, and data storage | EU (West Europe) | UK adequacy regulations (EEA) |
| Stripe Inc. | Payment processing and subscription management | USA | UK IDTA |
| Netlify Inc. | Admin dashboard hosting (no personal call data) | USA | UK IDTA |
| Resend Inc. | Transactional email delivery | USA | UK IDTA |

The Processor will provide 30 days' prior written notice before adding or replacing any Sub-processor.


TJP365 Ltd · Registered in England and Wales · Company No. 15457512 · Registered office: 55-57 Station Road, Edgware, England, HA8 7HX
