Data Processing Agreement
Parties: WHOZA AI LTD ("Processor") and the Customer ("Controller")
Company: WHOZA AI LTD, registered in Scotland (Company Number: SC874716)
ICO Registration: ZC077271
Address: 6 Atholl Crescent, 6, Perth, PH1 5JN, Scotland
Contact: [email protected]
1. Background
This Data Processing Agreement ("DPA") forms part of the Terms of Service between WHOZA AI LTD and the Customer. It sets out how we process personal data on your behalf under UK GDPR Article 28.
Key point: You (the tradesperson or business) are the Data Controller for your customers' personal data. We (WHOZA AI LTD) are the Data Processor. We only process caller data as instructed by you.
2. What Data We Process
| Category | Examples | Source |
|---|---|---|
| Caller phone number | CLI (calling line identity) | Incoming call |
| Caller name | If provided during call | Caller verbal |
| Caller address/postcode | If provided during call | Caller verbal |
| Call recording | Audio recording of conversation | AI system |
| Call transcript | Text transcription of conversation | AI system |
| Enquiry details | Job type, urgency, estimated value | AI-extracted |
| WhatsApp delivery | Confirmation of message sent | WhatsApp API |
We do NOT process: payment card data (handled by Stripe), special category data, or criminal records data.
3. Sub-Processors
We use the following sub-processors to deliver the service:
| Sub-Processor | Location | Function | Transfer Safeguard |
|---|---|---|---|
| Trillet.ai | United Kingdom | AI voice agent, transcription | UK-based |
| Stripe | United States | Payment processing | SCCs + UK Addendum |
| Supabase | United Kingdom / EU | Database hosting, auth | UK/EU adequacy |
| Twilio | United States | Telephony, SMS routing | SCCs + UK Addendum |
| Meta (WhatsApp) | United States / EU | WhatsApp message delivery | SCCs + UK Addendum |
| Netlify | United States | Website hosting | SCCs + UK Addendum |
Consent to sub-processors: By using Whoza, you consent to our use of these sub-processors. If we add a new sub-processor, we will notify you at least 14 days in advance. You may object within that period if you have a legitimate data protection concern.
4. Security Measures
We implement the following technical and organisational measures:
- Encryption: TLS 1.3 in transit; AES-256 at rest
- Access controls: Role-based access; multi-factor authentication for staff
- Data separation: Row-level security ensures your data is isolated from other customers
- Audit logging: All access to personal data is logged
- SOC 2 Type II: Independently audited security controls
- Penetration testing: Annual third-party security assessment
5. Data Subject Rights
We will assist you with data subject requests (DSARs) from your customers:
- Response time: Within 15 business days of your request
- Format: Data provided in structured, machine-readable format (JSON or CSV)
- Deletion: We can delete specific caller records on your instruction
- Portability: We can export your caller data for transfer to another service
Your customers should contact YOU (their tradesperson) to exercise their GDPR rights, as you are the Data Controller.
6. Data Breaches
If we discover a personal data breach:
- We will notify you within 24 hours of discovery
- We will notify the ICO within 72 hours if the breach is reportable
- We will provide: breach description, categories of data affected, approximate number of people affected, likely consequences, measures taken
7. Data Return and Deletion
When your subscription ends:
- Option A: We export all your caller data in CSV format within 7 days
- Option B: We delete all personal data within 30 days of account closure
- We provide a deletion certificate on request
8. Audit Rights
You have the right to audit our data processing once per year with 30 days' notice. As an alternative, we will provide our latest SOC 2 Type II report.
9. International Transfers
Primary data processing occurs in the United Kingdom. Where data is transferred to the United States (for sub-processors), we use Standard Contractual Clauses (SCCs) incorporating the UK International Data Transfer Agreement (IDTA) issued by the ICO.
10. Term and Termination
This DPA remains in force for the duration of your subscription and 30 days thereafter. Sections 6 (breaches), 7 (return/deletion), and 8 (audit) survive termination.
11. Changes
Material changes to this DPA require 30 days' notice. Continued use of the service after that period constitutes acceptance of the changes.
12. Contact
Data Protection Officer
Email: [email protected]
Post: WHOZA AI LTD, 6 Atholl Crescent, Perth, PH1 5JN, Scotland