‍1. Introduction

1.1 This agreement regarding processing of personal data (the ”Data Processor Agreement” or “DPA”) regulates Talkative Ltd’s (the ”Data Processor”) processing of personal data on behalf of the Purchaser (the ”Data Controller”) and is attached as an addendum to any existing Agreement between the two parties, outlining the terms for the Data Processor’s delivery of services to the Data Controller. This DPA is required to facilitate the Talkative application (the ”Services”).

2. Legislation

2.1 The Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation, including in particular the UK General Data Protection Regulation, which includes the Data Protection Act 2018 (UK GDPR) and the General Data Protection Regulation (Regulation (EU) 2016/679) (the "Applicable Law").

3. Processing of Personal Data

3.1 Purpose: The purpose of the processing under the Agreement is the provision of the Services by the Data Processor as specified in the Agreement.  

3.2 In connection with the Data Processor’s delivery of the Services to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller, as well as personal data from consumers, for example chat logs that contain email addresses of the Data Controller’s website visitors.

3.3 ”Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the ”Personal Data”). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are listed in sub-appendix A. The Data Processor only performs processing activities that are necessary and relevant to perform the Services. The parties shall update sub-appendix A whenever changes occur that necessitates an update.

3.4  The Data Processor shall have and maintain a register of processing activities in accordance with GDPR, article 32 (2).

4. Instruction

4.1  The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the ”Instruction”), unless required by law to act without such instruction. The Instruction at the time of entering into this Data Processor Agreement (DPA) is that the Data Processor may only process the Personal Data with the purpose of delivering the Services as described in the Agreement. Subject to the terms of this DPA and with mutual agreement of the parties, the Data Controller may issue additional written instructions consistent with the terms of this Agreement. The Data Controller is responsible for ensuring that all individuals who provide written instructions are authorised to do so.

4.2  The Data Controller guarantees to process Personal Data in accordance with the requirements of The Applicable Law. The Data Controller’s instructions for the processing of Personal Data shall comply with Applicable Law. The Data Controller will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.

4.3  The Data Processor will inform the Data Controller of any instruction that it deems to be in violation of Applicable Law and will not execute the instructions until they have been confirmed or modified.

5. Data Processor’s Obligations

5.1 Confidentiality

5.1.1  The Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless the Data Controller in writing has agreed.

5.1.2  The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this DPA with strict confidentiality.

5.1.3 Personal Data will only be made available to personnel that require access to such Personal Data for the delivery of the Services and this Data Processor Agreement.

5.2 The Data Processor shall also ensure that employees processing the Personal Data only process the Personal Data in accordance with the Instruction.

5.3 Security

5.3.1 The Data Processor shall implement the appropriate technical and organisational measures as set out in this Agreement and in the Applicable Law, including in accordance with GDPR, article 32. The security measures are subject to technical progress and development. The Data Processor may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security.

5.4 The Data Processor shall provide documentation for the Data Processor’s security measures if requested by the Data Controller in writing.

5.5 Data protection impact assessments and prior consultation

5.5.1 If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36.

5.6 Rights of the data subjects

5.6.1  If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.

5.6.2  If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.

5.7 Personal Data Breaches

5.7.1  The Data Processor shall give immediate notice to the Data Controller if a breach occurs, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed re the Personal Data processed on behalf of the Data Controller (a “Personal Data Breach”).

5.7.2  The Data Processor shall make reasonable efforts to identify the cause of such a breach and take those steps as they deem necessary to establish the cause, and to prevent such a breach from reoccurring.

5.8 Documentation of compliance and Audit Rights

5.8.1  Upon request by a Data Controller, the Data Processor shall make available to the Data Controller all relevant information necessary to demonstrate compliance with this DPA, and shall allow for and reasonably cooperate with audits, including inspections by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give notice of any audit or document inspection to be conducted and shall make reasonable endeavours to avoid causing damage or disruption to the Data Processors premises, equipment and business in the course of such an audit or inspection. In the absence of any breach of this Data Processor Agreement by the Data Processor, any audit or document inspection shall be carried out with reasonable prior written notice of no less than 30 days, and shall not be conducted more than once a year.

5.9 Data Transfers

5.9.1  The Data Processor will not transfer any Personal Data to countries outside of the UK. Personal data will only be saved on storage solutions that have within the UK (Amazon Web Services). Only those storage solutions that provide secure services with adequate relevant safeguards will be employed.

6. Sub-Processors

6.1 The Data Processor is given authorisation to engage third-parties to process the Personal Data (“Sub-Processors”) as listed in Sub-appendix B. Any changes to Sub-appendix B require written, specific authorisation from the Data Controller. The Data Processor will notify the Data Controller in writing about the identity of a potential Sub-Processor (and its processors, if any) at least one month before the proposed appointment date. Each notice will be sent to the Designated Contact at the Data Controller via email, and will contain contain information describing the detail of the personal data that is being processed. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice in writing within ten (10) business days from receiving the notice from the Data Processor. Absence of any objections from the Data Controller shall be deemed a consent to the relevant Sub-Processor.

6.2 In the event the Data Controller objects to a new Sub-Processor and the Data Processor cannot accommodate the Data Controller’s objection, the Data Controller may terminate the Services by providing written notice to the Data Processor.

6.3 The Data Processor shall complete a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processor Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub- Processors’ compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Data Controller if so requested in writing.

6.4  The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.

6.5  The Data Processor is at the time of entering into this Data Processor Agreement using the Sub- Processors listed in sub-appendix B. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in sub-appendix B.

7. Limitation of Liability

7.1 The total aggregate liability to the Client, of whatever nature, whether in contract, tort or otherwise, of the Data Processor for any losses whatsoever and howsoever caused arising from or in any way connected with this engagement shall be subject to the “Limitation of Liability” clause set out in the Agreement, if applicable.

7.2 Nothing in this DPA will relieve the Data Processor of its own direct responsibilities and liabilities under the GDPR.

8. Duration

8.1 The Data Processor Agreement shall remain in force until the Agreement is terminated.

8.2 The Data Processor will delete all Personal Data after 6 (six) months unless otherwise agreed or configured by the Data Controller within the Talkative application. Data Controller is able to set different data processing durations for different media types, e.g. 1 month for video chat recordings, 2 days for web chat transcripts.

9. Termination

9.1 Following expiration or termination of the Agreement, the Data Processor will delete or return to the Data Controller all Personal Data in its possession as provided in the Agreement except to the extent the Data Processor is required by Applicable law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to such Personal Data.

Sub-appendix A

1. Personal Data

The Data Processor processes the following types of Personal Data in connection with its delivery of the Services:

• Information on relevant employees from the Data Controller relevant for the use and administration of supervisor and agent accounts. Namely:some text
  • Name and email address.
• Chat transcripts. This data is stored by the Data Processor in AWS.
• Video chat recordings. This data is stored by the Data Processor in AWS. The Data Controller is able to disable video recording if required.
• Interaction metadata (optional). Typically:some text
  • Name and email address. This data is stored by the Data Processor in AWS.

2. Categories of data subjects

The Data Processor processes personal data about the following categories of data subjects on behalf of the Data Controller:

• Employees of the Data Controller.
• End users of the Services, i.e. website visitors and clients of the Data Controller. This data is stored by the Data Processor.

Sub-appendix B

Approved Sub-Processors

The following Sub-Processors shall be considered approved by the Data Controller at the time of entering into this Agreement:

1. Amazon Web Services, Inc. https://aws.amazon.com/compliance/gdpr-center/  Talkative uses Amazon Web Services to host its Engage Solution. Talkative uses AWS for data storage and application hosting.
2. Pusher Ltd. https://pusher.com/legal/data-protection  Talkative uses Pusher for its WebSocket messaging functionality.
3. Mailgun Technologies, Inc. https://www.mailgun.com/gdpr  Talkative uses Mailgun to dispatch offline-messages from Mailgun email servers.
4. Twilio, Inc. https://www.twilio.com/gdpr [Optional] Talkative uses Twilio for standalone interaction routing and SMS.
5. Google, LLC. https://cloud.google.com/security/gdpr [Optional] Talkative uses Google for real-time translation. No data is stored with Google.
6. Meta Platforms Inc., https://www.facebook.com/business/business-messaging/compliance/whatsapp-gdpr [Optional] Talkative uses Meta’s APIs for Facebook Messenger chat integration and WhatsApp messaging chat integration.
7. OpenAI https://trust.openai.com/ [Optional] Talkative uses OpenAI for chatbot interactions and for summarising interactions. No data is stored with OpenAI.
8. Pluot Communications, Inc, doing business as Daily and/or daily.co. https://www.daily.co/security/gdpr-compliance/ [Optional] Talkative uses Daily for video chat calls and recordings. No data is stored with Daily once calls are completed.
9. Weaviate B.V https://weaviate.io/privacy [Optional] Talkative uses Weaviate for vector embeddings of knowledgebases for use with Generative AI queries.