Legal

Data Processing Addendum

Demand Connect legal documentation for customers, partners, and platform users.

Last Updated: 31-03-2026

This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement (“Agreement”) between Demand Connect (“Processor”) and the Customer (“Controller”).

This DPA applies where Demand Connect processes Personal Data on behalf of the Customer.

1. Definitions

  • “Controller” means the entity determining purposes and means of processing
  • “Processor” means the entity processing data on behalf of Controller
  • “Personal Data” means any information relating to an identifiable individual
  • “Processing” means any operation performed on Personal Data
  • “Sub-processor” means any third party engaged by Processor

Applicable laws include:

  • GDPR (EU 2016/679)
  • UK Data Protection Act 2018
  • Any applicable privacy regulations

2. Roles of the Parties

  • Customer acts as the Data Controller
  • Demand Connect acts as the Data Processor

Processor processes Personal Data solely on behalf of Controller.

3. Scope of Processing

Subject Matter

Provision of:

  • Cloud dialing services
  • SMS/MMS messaging
  • AI-based analytics and transcription

Categories of Data Subjects

  • Customers
  • Leads / prospects
  • Employees
  • Business contacts

Categories of Personal Data

  • Names and identifiers
  • Phone numbers and email addresses
  • Call metadata (timestamps, duration)
  • Audio recordings and voicemails
  • AI-generated transcripts and summaries

Duration

Processing continues for the duration of the Agreement unless otherwise required by law.

4. Processing Instructions

Processor shall:

  • Process data only on documented instructions from Controller
  • Not use data for its own purposes

Controller warrants:

  • It has lawful basis (e.g., consent or legitimate interest)
  • Data collection complies with applicable laws

5. Sub-Processors

Controller authorizes Processor to engage sub-processors including:

  • Cloud infrastructure providers
  • Telecom carriers
  • AI/ML service providers

Processor obligations:

  • Maintain updated sub-processor list
  • Ensure equivalent data protection obligations
  • Notify Controller of changes

6. Security Measures

Processor implements appropriate technical and organizational measures, including:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Role-based access control (RBAC)
  • Audit logs and monitoring
  • Secure data isolation per tenant

7. Data Subject Rights

Processor shall assist Controller in responding to requests such as:

  • Access
  • Rectification
  • Erasure (Right to be Forgotten)
  • Data portability
  • Restriction of processing

Processor will:

  • Notify Controller of requests
  • Not respond directly unless authorized

8. Personal Data Breach

In case of a breach:

  • Processor will notify Controller without undue delay
  • Notification will occur within 48 hours where feasible
  • Processor will provide:
  • Nature of breach
  • Affected data categories
  • Mitigation steps

9. Data Retention & Deletion

Upon termination:

  • Data will be deleted or returned at Controller’s request
  • Copies will be securely erased unless required by law

10. International Data Transfers

Where data is transferred outside the EEA/UK:

  • Standard Contractual Clauses (SCCs) will apply
  • Adequate safeguards will be ensured

11. AI & Data Processing Restrictions

Strict Data Protection Policy:

  • Customer data is NOT used to train AI models
  • No data is used for public or shared model training
  • Processing is limited to:
  • Transcription
  • Analysis
  • Feature delivery

All processing occurs in secure environments.

12. Confidentiality

Processor ensures:

  • All personnel are bound by confidentiality obligations
  • Access to data is limited to authorized personnel

13. Audit Rights

Controller may:

  • Request information regarding compliance
  • Conduct audits (subject to reasonable notice)

Processor may:

  • Provide third-party certifications instead of direct audits

14. Liability

Liability is governed by the main Agreement.

Processor is not responsible for:

  • Data unlawfully collected by Controller
  • Non-compliance with consent or telemarketing laws

15. Governing Law

This DPA shall be governed by:

[Insert Jurisdiction – Recommended: Delaware, USA or Ireland for GDPR-heavy clients]

16. Contact

For data protection inquiries:

📧 Email: [Insert Email]

ANNEX I – DETAILS OF PROCESSING

Nature of Processing

  • Collection
  • Storage
  • Analysis
  • Transmission

Purpose

  • Communication services
  • Campaign execution
  • AI analytics

ANNEX II – SECURITY MEASURES

  • Encryption (TLS 1.3, AES-256)
  • Access control policies
  • Logging and monitoring
  • Incident response procedures
  • Regular security audits