.png)
This Data Processing Agreement (“Agreement”) forms part of the Terms of Service or other written agreement (“Principal Agreement”) between:
The Client (“Controller”), and
CallPad Ltd. (“Processor”).
1. Subject Matter
1.1. The Controller engages the Processor to process personal data on its behalf in connection with the Principal Agreement.
1.2. The Processor shall process personal data only for the purposes of providing the CallPad services (call handling, messaging, booking integration, customer support).
2. Roles and Responsibilities
2.1. The Controller determines the purposes and means of processing.
2.2. The Processor acts only on documented instructions from the Controller, unless required by law.
3. Categories of Data
Data subjects: Controller’s clients, prospects, and staff.
Data types: Names, contact details, booking details, communication logs, and any personal information voluntarily shared in messages/calls.
4. Processor Obligations
The Processor shall:
a) Process personal data only on documented instructions from the Controller.
b) Ensure persons authorised to process the data are bound by confidentiality.
c) Implement appropriate technical and organisational security measures.
d) Assist the Controller in responding to data subject requests.
e) Assist with compliance under Articles 32–36 GDPR (security, breach notifications, DPIA, etc.).
f) At the choice of the Controller, delete or return all personal data after the end of services, unless retention is required by law.
g) Make available all information necessary to demonstrate compliance and allow for audits.
5. Sub-Processors
5.1. The Controller authorises the use of sub-processors listed at [link to CallPad’s subprocessors page].
5.2. The Processor must impose GDPR-equivalent obligations on sub-processors.
5.3. The Processor shall inform the Controller of any intended changes regarding sub-processors, giving the Controller the opportunity to object.
6. International TransfersAny transfer of personal data outside the UK/EU will only occur under appropriate safeguards (e.g., adequacy decision, Standard Contractual Clauses).
7. SecurityThe Processor shall implement measures including, but not limited to: Data encryption in transit and at rest
Access controls and authenticationLogging and monitoringRegular security testing
8. Data BreachIn the event of a personal data breach, the Processor shall notify the Controller without undue delay and provide sufficient information to support compliance with notification obligations.
9. LiabilityLiability is governed by the Principal Agreement. This Agreement does not expand or reduce either party’s liability beyond that.
10. Term and TerminationThis Agreement remains in force as long as the Processor processes personal data for the Controller under the Principal Agreement.
