Data Processing Agreement
Processor agreement between Acejack and Example Co Ltd.
Provider — Processor
Acejack
Client — Controller
Example Co Ltd.
Subject matter and scope
This Agreement governs the Processor's handling of personal data on behalf of the Controller in connection with the following: AI agent service for Example Co Ltd.'s customer support and lead-qualification operations. The Controller remains the controller of the personal data; the Processor processes personal data only on the Controller's documented instructions and for the purposes set out in § 2. Processing under this Agreement is subject to applicable data-protection law, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) where each applies to the personal data of Example Co Ltd.'s data subjects.
Processing details
- Categories of personal data
  - Customer names
  - Customer email addresses
  - Conversation transcripts
  - Prospect contact details
  - Operational metadata associated with the above
- Categories of data subjects
  - Client's customers
  - Client's prospective customers
  - Client's employees acting in their professional capacity
- Purposes of processing
  - Conversational support delivery on the Controller's behalf
  - Lead qualification and routing
  - Operational analytics performed on the Controller's documented instructions
- Retention
  - Active for the term of services plus 30 days post-termination, after which personal data is returned or deleted at the Controller's option.
Sub-processors
The Controller authorises the following sub-processors for the processing described in § 1. The Processor will give the Controller prior written notice of any intended addition or replacement of sub-processors so the Controller has a reasonable opportunity to object before that change takes effect.
Authorised sub-processors
- Cloudflare, Inc. — DNS, CDN, Workers compute, and R2 object storage for documents and operational artifacts. (San Francisco, CA, USA)
- Anthropic PBC — Large-language-model inference powering the AI-agent capabilities delivered to the Controller. (San Francisco, CA, USA)
- Twilio Inc. — Voice and SMS connectivity for the Call product. (San Francisco, CA, USA)
- ElevenLabs Inc. — Voice synthesis for the Call product. (New York, NY, USA)
- OpenAI, OpCo, LLC — Large-language-model inference for selected analytical and synthesis tasks. (San Francisco, CA, USA)
Security measures
The Processor implements the following technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures are reviewed periodically and updated as the threat landscape evolves.
Encryption in transit
Personal data is transmitted over TLS 1.2 or higher between Processor systems and Controller endpoints, and over TLS for service-to-service calls within Processor infrastructure.
Encryption at rest
Personal data stored on Processor infrastructure is encrypted at rest using AES-256 or vendor-managed equivalents. Encryption keys are rotated on vendor-default schedules.
Access control
Access to personal data is limited to authorised Processor personnel on a need-to-know basis. Multi-factor authentication is enforced on every account with access to Controller data.
Audit logging
Access to personal data is logged. Logs are retained for a minimum of 90 days and are made available to the Controller on request.
Incident response
Processor maintains a documented incident response plan covering triage, containment, notification, and post-incident review. The plan is exercised at least annually.
Sub-processor obligations
All sub-processors are bound by contractual data-protection terms equivalent to those in this Agreement. The current list is set out in § 3.
Data subject rights
Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests by data subjects to exercise their rights under applicable law — including the rights of access, rectification, erasure, restriction, portability, and objection. The Processor will not respond directly to data subject requests unless instructed in writing by the Controller, and will forward any such request received to the Controller without undue delay.
Breach notification
The Processor will notify the Controller in writing without undue delay, and in any event within seventy-two (72) hours of becoming aware of a personal data breach affecting personal data processed under this Agreement. The notice will include, to the extent then known, the nature of the breach, the categories and approximate number of data subjects and personal-data records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects. The Processor will cooperate with the Controller's investigation and any required notifications to supervisory authorities or data subjects.
Return or deletion of data
On termination or expiry of the underlying services agreement, the Processor will, at the Controller's option, return all personal data to the Controller or delete it, and delete existing copies, within thirty (30) days of the termination effective date — unless retention is required by applicable law, in which case the Processor will continue to protect the retained personal data and limit further processing to what the law requires. The Processor will, on Controller request, certify in writing that the return or deletion has been completed.
Standard terms
Confidentiality
Each party will treat the other's non-public business, technical, and operational information as confidential, and will not disclose it to third parties without the other party's prior written consent. The Processor's confidentiality obligation extends to all personal data received from or on behalf of the Controller, and binds Processor's personnel and authorised sub-processors. This obligation survives termination of this Agreement for a period of two (2) years.
Limitation of liability
Each party's total liability under this Agreement is limited to the total fees paid by Controller to Processor under the underlying services agreement during the three (3) months preceding the event giving rise to the claim. Neither party is liable for indirect, incidental, consequential, or punitive damages. This limitation does not cap a party's liability for its own intentional misconduct or for breaches of confidentiality involving personal data.
Governing law
This Agreement is governed by the laws of the State of Tennessee, USA, without regard to its conflict-of-laws principles. Any dispute arising under this Agreement that cannot be resolved through good-faith discussion will be brought in a court of competent jurisdiction in Tennessee, USA.
Entire agreement
This Agreement, together with the underlying services agreement it is incorporated into, is the entire agreement between the parties on its subject matter and supersedes any prior or contemporaneous understandings. In the event of conflict between this Agreement and the underlying services agreement on the handling of personal data, this Agreement controls. Amendments must be in writing and signed by both parties.
Signed electronically via Acejack. See Certificate of Completion on the final page for the full attestation — signing timestamp, IP address, and envelope identifier.
For Example Co Ltd. (Controller)
Jane Example
Chief Privacy Officer
Date: ______________________
For Acejack (Processor)
Alec Sullivan
Principal, Acejack
Date: 2026-04-29