Data Processing Agreement
Version: 1.9 Date: April 2026
Parties
This Data Processing Agreement ("Agreement") is entered into between:
Processor: CALLCORE LTD Company No. 16406351 20 Wenlock Road, London, N1 7GU, England ("Processor")
Controller: The entity identified in the CallCore account registration and whose authorised representative accepted this Agreement on the date recorded in CallCore's systems ("Controller")
Together referred to as the "Parties".
By accepting this Agreement (whether by checkbox, clicking "I agree", or completing the onboarding process), the Controller's representative warrants that they have authority to bind the Controller to its terms.
Background
The Controller has engaged the Processor to provide call analytics, transcription, AI summarisation, and related services ("Services") under a separate Terms of Service agreement ("Main Agreement"). In connection with providing the Services, the Processor will process personal data on behalf of the Controller. This Agreement sets out the terms on which the Processor will do so, as required by Article 28 of the UK GDPR.
The Parties acknowledge that the Processor also operates a central administrative database (holding user accounts, terms of service acceptance records, DPA acceptance records, login history, and billing data) in respect of which the Processor acts as a data controller in its own right. That Processing is not governed by this Agreement — it is addressed separately in the Processor's Privacy Policy and internal data protection policies. This Agreement governs only the Processing carried out by the Processor as a processor on behalf of the Controller in connection with the Services.
1. Definitions
"Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and any successor legislation, as amended from time to time.
"AI-Generated Output" means any transcript, summary, or other content produced by an automated speech-to-text or artificial intelligence system in connection with the Services, including transcripts generated by 3CX or a third-party transcription service, and AI summaries generated via the Controller's Azure OpenAI resource.
"Authorised User" means any individual granted access to the Services by the Controller, including administrators with authority to manage the Controller's Workspace.
"Container" means an isolated software execution environment within the Processor's cloud infrastructure, used to run discrete processing tasks. A container's local file storage is accessible only to processes running within that container and is destroyed when the container stops, restarts, or is evicted by the platform.
"Controller" has the meaning given in Applicable Data Protection Law.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Personal Data" has the meaning given in Applicable Data Protection Law.
"Personal Data Breach" has the meaning given in Applicable Data Protection Law.
"Processing" has the meaning given in Applicable Data Protection Law, and "Process" and "Processed" shall be construed accordingly.
"Processor" has the meaning given in Applicable Data Protection Law.
"Salesforce Environment" means the Controller's Salesforce organisation, including any applications, integrations, automations, or third-party tools installed or connected to that organisation by or on behalf of the Controller.
"Sub-processor" means any third party engaged by the Processor to Process Personal Data on the Controller's behalf.
"Synced Data" means Personal Data transmitted to the Controller's Salesforce Environment via the TX-3 managed package.
"Tenant" means the Controller's isolated instance of the Services, comprising a dedicated database and associated resources provisioned by the Processor for the Controller's exclusive use.
"Tenant Container" means the dedicated, isolated service container provisioned exclusively for the Controller's Tenant, within which all processing pipeline instances for that Controller operate. No runtime state, in-memory data, processing threads, or credentials are shared between Tenant Containers belonging to different Controllers.
"UK GDPR" means the General Data Protection Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
"Workspace" means the Controller's Tenant as presented within the CallCore administration console. The terms Tenant and Workspace refer to the same isolated instance of the Services and are used interchangeably in this Agreement.
2. Appointment and Instructions
2.1 The Controller appoints the Processor to Process the Personal Data described in Schedule 1 for the purposes and duration set out therein, on the terms of this Agreement.
2.2 The Processor shall Process Personal Data only on the documented instructions of the Controller, including as set out in this Agreement and the Main Agreement, unless required to do otherwise by applicable law. In such case, the Processor shall inform the Controller of that legal requirement before Processing, unless prohibited by law.
2.3 The Controller warrants that it has a lawful basis under Applicable Data Protection Law for each category of Processing described in Schedule 1 and that its instructions to the Processor are lawful.
2.4 If the Processor believes any instruction infringes Applicable Data Protection Law, it shall promptly notify the Controller. The Processor shall not be required to act on an instruction it reasonably believes to be unlawful.
2.5 Processor-as-controller carve-out. The Parties acknowledge that the Processor maintains a central administrative database holding data in respect of which the Processor acts as a data controller in its own right, including user account details, terms of service acceptance records, DPA acceptance records, login history, and billing data. The Processor's obligations as a controller for that central database are governed by the Processor's own Privacy Policy and internal data protection policies. Nothing in this Agreement imposes obligations on the Processor as a controller, and nothing in this Agreement limits or qualifies the Processor's rights and obligations in respect of that controller Processing.
2.6 Controller identity and authority over connected systems. The Controller warrants that:
(a) the entity identified as Controller in this Agreement is the data controller — within the meaning of Applicable Data Protection Law — for all Personal Data that will be processed by the Processor in connection with the Services, including call metadata, recordings (accessed transiently), transcripts, AI summaries, and Staff Data;
(b) the Controller owns or is the authorised operator of the telephone system (including any 3CX instance) connected to the Controller's CallCore Tenant, and has authority to instruct the Processor to access and process data originating from that system;
(c) where the Controller is part of a corporate group in which multiple legal entities share a common telephone system or Microsoft Entra tenant, the Controller has ensured that it — and not another group entity — is the data controller for the specific telephone system and call data connected to its Tenant;
(d) if any of the facts in this clause 2.6 change — including where the telephone system connected to the Tenant changes ownership or where the correct Controller entity changes — the Controller shall notify the Processor in writing without undue delay.
3. Confidentiality
3.1 The Processor shall ensure that all personnel authorised to Process Personal Data are subject to an enforceable obligation of confidentiality with respect to that Personal Data, whether by contract or professional obligation.
3.2 The Processor shall not disclose Personal Data to any person other than its authorised personnel or Sub-processors engaged in accordance with clause 6.
4. Security
4.1 The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, having regard to:
- the nature of the Personal Data Processed;
- the state of the art and cost of implementation;
- the risks presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure.
4.2 The security measures maintained by the Processor as at the date of this Agreement are set out in Schedule 3. The Processor may update these measures from time to time provided that the overall level of protection is not materially reduced.
4.3 The Processor shall ensure that access to Personal Data is limited to personnel who require access to perform the Services, and that such personnel are subject to appropriate access controls.
5. Data Subject Rights
5.1 The Processor shall provide the Controller with reasonable assistance to enable the Controller to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).
5.2 The Processor shall notify the Controller without undue delay if it receives any request directly from a Data Subject in respect of Personal Data Processed under this Agreement. The Processor shall not respond to any such request without the prior written authorisation of the Controller, except to confirm to the Data Subject that it should direct their request to the Controller.
6. Sub-processing
6.1 The Controller provides general written authorisation for the Processor to engage the Sub-processors listed in Schedule 2 to assist in the delivery of the Services.
6.2 The Processor shall:
(a) impose data protection obligations on each Sub-processor equivalent to those set out in this Agreement, by written contract;
(b) remain fully liable to the Controller for the performance of each Sub-processor's obligations;
(c) before engaging any new Sub-processor, or materially changing the role of an existing Sub-processor, notify the Controller in writing with at least 14 days' prior notice. The Controller may object to such change within that period on reasonable data protection grounds by notifying the Processor in writing. If the Parties cannot resolve the objection, the Controller may terminate the Main Agreement without penalty upon written notice.
6.3 The Processor shall maintain and make available to the Controller an up-to-date list of Sub-processors upon request.
7. International Transfers
7.1 The Processor shall not transfer Personal Data outside the United Kingdom except:
(a) to a country or territory subject to a UK adequacy regulation; or
(b) under appropriate safeguards as required by Chapter V of the UK GDPR, including UK International Data Transfer Agreements ("IDTAs") or UK Addenda to standard contractual clauses where applicable; or
(c) in accordance with an exception under Article 49 of the UK GDPR.
7.2 Where the Processor instructs a Sub-processor to Process Personal Data outside the United Kingdom, the Processor shall ensure that an appropriate transfer mechanism is in place.
8. Assistance to the Controller
8.1 The Processor shall provide the Controller with reasonable assistance in:
(a) meeting the Controller's obligations under Articles 32–36 of the UK GDPR (security, breach notification, data protection impact assessments, and prior consultation);
(b) responding to Data Subject requests as set out in clause 5;
(c) ensuring compliance with the Controller's obligations relating to security, breach notification, and record-keeping.
8.2 The Processor shall maintain records of Processing activities carried out on behalf of the Controller as required by Article 30(2) of the UK GDPR and shall make those records available to the Controller or any supervisory authority upon request.
9. Personal Data Breaches
9.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours, upon becoming aware of a Personal Data Breach affecting Personal Data Processed under this Agreement.
9.2 Such notification shall include, to the extent known at the time:
(a) a description of the nature of the breach, including categories and approximate number of Data Subjects and records affected;
(b) the name and contact details of the Processor's data protection point of contact;
(c) a description of the likely consequences of the breach;
(d) a description of the measures taken or proposed to address the breach and mitigate its effects.
9.3 The Processor shall cooperate with the Controller and take such steps as are reasonably directed by the Controller to assist in the investigation, mitigation, and remediation of the breach.
10. Data Protection Impact Assessments
10.1 Where the Controller is required to carry out a Data Protection Impact Assessment ("DPIA") in connection with the Services, the Processor shall provide the Controller with reasonable assistance, including by providing relevant information about the Processing and security measures in place.
11. Audit Rights
11.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this Agreement and shall permit and contribute to audits and inspections conducted by the Controller or a third-party auditor mandated by the Controller, subject to:
(a) reasonable prior written notice of not less than 30 days;
(b) the audit being conducted during normal business hours and in a manner that minimises disruption to the Processor's operations;
(c) the auditor being subject to appropriate confidentiality obligations.
11.2 The Controller may exercise its audit rights under this clause no more than once per calendar year unless there are reasonable grounds to suspect a material breach of this Agreement.
11.3 The cost of any audit shall be borne by the Controller unless the audit reveals a material breach of this Agreement, in which case the cost shall be borne by the Processor.
12. Retention and Deletion
12.1 The Processor shall not retain Personal Data for longer than necessary for the purposes set out in Schedule 1, and in any event shall comply with the retention periods set out therein.
12.2 Tenant Personal Data processed under this Agreement is retained for the duration of the Main Agreement. Upon expiry or termination of the Main Agreement, or upon written request from the Controller, the Processor shall at the Controller's election:
(a) securely delete or destroy all Personal Data Processed under this Agreement (including copies held by Sub-processors); or
(b) return all Personal Data to the Controller in a SQL Server-compatible export file (.bacpac format), within 30 days of the request or termination date (whichever is earlier), and provide written confirmation that deletion or return has been completed. For the avoidance of doubt, the Processor has no independent obligation to retain tenant Personal Data beyond the term of the Main Agreement. Regulatory retention obligations (including any obligations under SYSC 10A) in respect of the data covered by this Agreement are the responsibility of the Controller as data controller.
12.3 The Processor may retain Personal Data beyond the period in clause 12.2 only to the extent required by applicable law, and only for the purposes and duration required by that law.
12.4 Self-serve Workspace deletion as Controller instruction. Where the Controller uses the Processor's administration console to initiate deletion of its entire tenant workspace (as described in Schedule 1, Section 6), that action constitutes the Controller's written instruction to the Processor to delete all Personal Data held in the Controller's tenant database. Upon completion of the deletion process, the Processor bears no obligation to maintain, preserve, or restore any backup copy of the Controller's tenant Personal Data on the Controller's behalf. The Controller is solely responsible for ensuring, before initiating self-serve deletion, that it has: (a) exported all Personal Data required for its own operational, legal, or regulatory purposes; and (b) complied with all applicable regulatory retention obligations (including, where applicable, SYSC 10A) in respect of records held in the tenant database. The Processor shall display a prominent irreversibility warning to the Controller's Authorised User before the deletion process completes, as described in Schedule 1, Section 6.
12.5 Right to erasure — backup copies. In the event that a Data Subject exercises their right to erasure under Article 17 of the UK GDPR in respect of Personal Data Processed under this Agreement, the Processor's obligation is to delete that Personal Data from its live systems. Consistent with the ICO's published guidance on the right to erasure and backup systems, the Processor is not obliged to restore backup infrastructure or take active steps to surgically remove a Data Subject's Personal Data from backup copies before their natural expiry. The Processor shall: (a) not actively access, use, or restore that Data Subject's Personal Data from any backup copy following receipt of a valid erasure instruction from the Controller; and (b) ensure that any backup copies containing that Data Subject's Personal Data are purged in the normal backup rotation cycle within the period set out in Schedule 1, Section 6. The Controller remains responsible for communicating any erasure obligation to the Processor in writing under clause 5.
13. Employee and Staff Data
13.1 The Parties acknowledge that in providing the Services, the Processor will Process personal data relating to the Controller's employees and staff ("Staff Data"), including names and call activity metrics, for the purposes of producing real-time visualisations and scheduled performance reports.
13.2 The Controller is the data controller for all Staff Data. The Controller warrants that:
(a) it has identified and documented a lawful basis under Article 6 of the UK GDPR for the Processing of Staff Data (which may include legitimate interests or performance of an employment contract);
(b) it has provided or will provide appropriate transparency information to affected staff, including notice of the Processing of their personal data for performance monitoring purposes, prior to enabling the relevant features of the Services.
13.3 The Processor shall Process Staff Data only as instructed by the Controller and solely for the purposes set out in Schedule 1.
14. Salesforce Sync, Post-Sync Responsibility, and Downstream Processing
14.1 Scope of Processor obligations. Where the Controller has installed the CallCore TX-3 managed package in its Salesforce organisation, the Processor's obligations under this Agreement are limited to the sync pipeline — being the transmission of Personal Data from the Processor's infrastructure to the Controller's Salesforce Environment via the TX-3 package, and the storage and processing of Personal Data within the Processor's own infrastructure as described in Schedule 1. The Processor's obligations do not extend to, and the Processor accepts no responsibility for, any Processing of Personal Data that occurs within or through the Controller's Salesforce Environment after sync, including by any third-party applications, integrations, automations, or services installed or permitted by or on behalf of the Controller.
14.2 Controller responsibility post-sync. Once Synced Data has been transmitted to and received by the Controller's Salesforce Environment, the Controller is solely responsible as data controller for all subsequent Processing of that data, including:
(a) access granted to any third-party tool, application, integration, or service operating within or connected to the Controller's Salesforce Environment;
(b) any automated or manual Processing of Synced Data carried out by or on behalf of the Controller within the Salesforce Environment;
(c) any outputs, inferences, assessments, or decisions generated from Synced Data by the Controller or any third party with access to the Controller's Salesforce Environment.
14.3 Special category data — acknowledgement and Controller obligations. The Controller acknowledges that call transcripts and AI-Generated Outputs synced to the Controller's Salesforce Environment may contain content from which special categories of personal data within the meaning of Article 9 of the UK GDPR can be inferred or identified, including but not limited to:
- health information or disability status (for example, inferences arising from communication difficulties or references to medical circumstances during a call);
- financial vulnerability or over-indebtedness (which, where processed systematically for profiling purposes, may engage Article 9 or Article 22 obligations).
The Controller warrants that:
(a) it will not use, permit, or enable the use of Synced Data for any Processing that involves or is likely to reveal special category data under Article 9 of the UK GDPR unless it has first identified and documented an appropriate condition under Article 9(2);
(b) it will conduct or procure a DPIA before enabling any use of Synced Data that is likely to result in a high risk to the rights and freedoms of Data Subjects, including any systematic profiling of, or automated inferences about, Data Subjects based on call content;
(c) it will not grant access to Synced Data to any third-party application or service without first assessing whether that application's intended use of the data complies with Applicable Data Protection Law, including in relation to special category data and automated decision-making.
14.4 Automated decision-making and profiling — all Controllers. The Controller warrants that it will not use, and will not permit any third party to use, Synced Data for automated decision-making or profiling of Data Subjects (including end-customers, prospects, or members of the public) that produces legal or similarly significant effects on those individuals, without:
(a) ensuring that the Processing complies with Article 22 of the UK GDPR, including providing Data Subjects with all rights required under that Article (right to human review, right to object, right to an explanation);
(b) conducting a DPIA where required by Article 35 of the UK GDPR;
(c) where the automated Processing involves special category data, identifying an explicit condition under both Article 9(2) and Article 22(4) of the UK GDPR before commencing such Processing.
14.5 No Processor liability for downstream use. The Processor shall have no liability to the Controller, any Data Subject, any regulatory authority, or any third party in respect of any Processing of Synced Data that occurs within or through the Controller's Salesforce Environment, including any claims arising from the use of Synced Data by third-party applications or services connected to the Controller's Salesforce Environment.
15. Accuracy of Transcription and AI-Generated Outputs
15.1 No warranty of accuracy. The Processor makes no representation and gives no warranty, express or implied, as to the accuracy, completeness, reliability, or fitness for any particular purpose of any AI-Generated Output produced or transmitted via the Services. The Controller acknowledges that:
(a) transcripts are generated by automated speech-to-text systems, which are inherently fallible and may contain errors, omissions, misheard words, or misattributions of speech;
(b) AI-generated summaries are produced by large language models, which may generate inaccurate, incomplete, or misleading content, including plausible-sounding inferences that do not accurately reflect the substance of the underlying call ("hallucinations");
(c) neither transcripts nor AI-generated summaries have been verified by the Processor for accuracy and are transmitted to the Controller as produced by the relevant automated system.
15.2 Outputs are not verbatim or certified records. AI-Generated Outputs do not constitute verbatim, legally certified, or authoritative records of any communication. The source recording, where available, is the ground truth. The Controller shall not treat, present, or rely upon transcripts or AI summaries as definitive records of what was said in any call, and shall not use them as such in any legal, regulatory, or dispute resolution context without independent verification against the source recording or other primary evidence.
15.3 Controller's accuracy obligations under Article 5(1)(d). The Controller, as data controller, is responsible under Article 5(1)(d) of the UK GDPR for ensuring that personal data it holds is accurate and, where necessary, kept up to date. The Controller warrants that:
(a) it will not rely solely on AI-Generated Outputs as accurate records of a communication where accuracy is material to a decision affecting a Data Subject, and will apply human review or other corroborating evidence before acting on such outputs in consequential decisions;
(b) it will implement processes to identify and correct inaccurate transcripts or AI summaries held in its systems — including within its Salesforce Environment — in response to rectification requests from Data Subjects under Article 16 of the UK GDPR;
(c) it will not use AI-Generated Outputs as the sole or primary basis for any decision that could adversely affect a Data Subject, including decisions relating to creditworthiness, employment, access to services, or any other matter of consequence to the individual.
15.4 Accuracy and special category data. The Controller acknowledges that errors or hallucinations in transcription or AI summarisation may produce false inferences about special categories of personal data, including health conditions, disability, or financial vulnerability. Where any Processing involves or may reveal special category data, the Controller warrants that it will apply heightened scrutiny to the accuracy of the underlying AI-Generated Output before acting on that data, and will not make adverse decisions about a Data Subject based on an unverified inference derived from an automated output.
15.5 Processor liability. The Processor shall not be liable to the Controller, any Data Subject, or any third party for any loss, damage, harm, or regulatory consequence arising from the Controller's reliance on inaccurate, incomplete, or misleading AI-Generated Outputs, except to the extent that such inaccuracy results directly from the Processor's failure to faithfully transmit data from the source system to the Controller.
16. DPA Updates and Version Control
16.1 Initial acceptance. This Agreement comes into force only upon explicit acceptance by the Controller as a deliberate act — either by handwritten or electronic signature of this Agreement, or by use of a designated acceptance mechanism provided by the Processor at or before the commencement of the Services. Continued use of the Services alone does not constitute initial acceptance of this Agreement for the purposes of this clause 16.1. The Processor shall retain a record of the version accepted by the Controller at the time of initial acceptance.
16.2 Future updates — notice. The Processor may update this Agreement from time to time to reflect changes in Applicable Data Protection Law, regulatory guidance, the Processor's processing activities, or Sub-processor arrangements. The Processor shall provide the Controller with at least 30 days' prior written notice of any material update, sent to the Controller's registered email address as held by the Processor at the time of notification. Each update notice shall identify the clauses being changed and summarise the nature of the change.
16.3 Deemed acceptance by continued use. If the Controller continues to use the Services after the effective date stated in an update notice issued under clause 16.2, the Controller shall be deemed to have accepted the updated Agreement as of that effective date. The Controller is responsible for ensuring that its registered email address held by the Processor is current and that update notices are not filtered or blocked.
16.4 Objection to updates. If the Controller objects to a proposed update, it must notify the Processor in writing before the effective date of the update. The Parties shall use reasonable endeavours to agree an alternative. If agreement cannot be reached within the notice period, the Controller may terminate the Main Agreement without penalty by providing written notice to the Processor before the effective date of the update.
16.5 Minor updates. Updates that do not materially affect the Controller's rights or obligations — such as correction of typographical errors, updated Sub-processor contact details, or clarificatory language that does not alter any substantive obligation — may be made with 14 days' prior written notice rather than 30 days. The Processor shall clearly identify such updates as minor in the notification.
16.6 Version history. The Processor shall maintain the current version of this Agreement at the following stable public URL: callcore.io/legal/dpa. Prior versions of this Agreement shall be accessible to Controllers via the CallCore administration console for the duration of their contractual relationship with the Processor, at a stable versioned URL within their tenant environment. The Processor shall ensure that each Controller can access all versions of this Agreement that were in force during their contractual relationship with the Processor, and that the version in force at any given date is identifiable from the acceptance records available to the Controller within the console.
17. Limitation of Liability
17.1 Aggregate liability cap
The total aggregate liability of either Party to the other under or in connection with this Agreement — whether arising in contract, tort (including negligence), breach of statutory duty, or otherwise — shall not exceed the total fees paid or payable by the Controller to the Processor in the twelve (12) months immediately preceding the event giving rise to the claim.
17.2 Exclusion of consequential loss
Neither Party shall be liable to the other for any indirect or consequential loss, loss of profit, loss of revenue, loss of business, loss of anticipated savings, or loss of data arising under or in connection with this Agreement, whether or not such loss was foreseeable or the Party had been advised of its possibility.
17.3 Mandatory carve-outs
Nothing in this clause 17 limits or excludes either Party's liability for:
(a) death or personal injury caused by that Party's negligence;
(b) fraud or fraudulent misrepresentation; or
(c) any other liability that cannot be excluded or limited by applicable law.
17.4 Relationship with Main Agreement
The cap in clause 17.1 operates alongside, and not instead of, any liability cap in the Main Agreement (Terms of Service). Where both caps apply to the same claim, the lower cap shall govern. For the avoidance of doubt, data protection claims arising under this Agreement are subject to the cap in this clause 17.1.
18. Governing Law and Jurisdiction
18.1 This Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the law of England and Wales.
18.2 Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement.
19. General
19.1 Entire Agreement. This Agreement, together with the Main Agreement and its Schedules, constitutes the entire agreement between the Parties relating to the Processing of Personal Data and supersedes all prior representations, agreements, and understandings.
19.2 Conflict. In the event of any conflict between this Agreement and the Main Agreement with respect to data protection matters, this Agreement shall take precedence.
19.3 Severability. If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
19.4 Variation. No variation to this Agreement shall be effective unless (a) made in writing and signed by authorised representatives of both Parties, or (b) notified and accepted (including by deemed acceptance by continued use) in accordance with clause 16 (DPA Updates and Version Control).
19.5 Counterparts. This Agreement may be executed in any number of counterparts, each of which when executed shall constitute an original, and all of which together shall constitute one and the same agreement. Electronic signatures shall be binding.
Schedule 1 — Processing Details
1. Subject Matter
The Processor provides call analytics, transcription, AI summarisation, real-time visualisations, and reporting services to the Controller via the CallCore platform and, where applicable, the CallCore TX-3 Salesforce managed package.
2. Duration
The duration of Processing corresponds to the term of the Main Agreement, subject to any retention obligations set out below.
3. Nature and Purpose of Processing
| Purpose | Nature of Processing |
|---|---|
| Call analytics and dashboards | Collection, storage, and display of call metadata |
| Real-time visualisations | Collection and display of staff call activity metrics |
| Scheduled PDF reports | Compilation and transmission of staff call metrics by email |
| In-browser playback | Ephemeral, in-memory proxying of call recording streams from the Controller's 3CX system to the Authorised User's browser. The recording is not written to disk, cached, or stored by the Processor at any point during playback. |
| Transcription | Temporary storage and transmission of call recordings to transcription service; storage of resulting transcripts |
| AI summarisation | Transmission of transcripts or recordings to Azure OpenAI (customer-controlled) for summary generation; storage of summaries |
| Salesforce sync (TX-3 only) | Transmission of call data, transcripts, and summaries into the Controller's Salesforce organisation via the TX-3 managed package. The Processor's obligations extend to this transmission only. Processing within the Controller's Salesforce Environment after sync is outside the scope of this Agreement and is the Controller's sole responsibility. |
4. Categories of Personal Data
- Telephone numbers (inbound and outbound)
- Call metadata (duration, direction, timestamps, outcome)
- Full names of the Controller's employees and staff
- Call activity metrics of the Controller's employees and staff (call counts, durations, inbound/outbound breakdown)
- Call recording audio (accessed transiently during in-browser playback and, where transcription is enabled, during transcription — see Note 1)
- Full transcripts of calls
- AI-generated summaries of call content
Note 1 — Ephemeral recording storage: Where a call recording exceeds a defined size threshold and transcription is enabled, the Processor will temporarily store a compressed copy of the recording in its own Azure Storage account (UK South) for the duration of the transcription process. The recording is deleted from Azure Storage immediately upon transcription completion; in the event of any failure in the primary deletion path, a scheduled daily cleanup job ensures no recording persists in Azure Storage for more than 2 days. Additionally, during transcription, the recording may be written to a temporary folder within the Processor's container infrastructure; such files are deleted immediately upon completion or failure of the compression process, are inaccessible outside the owning container, and are destroyed on container shutdown, restart, or eviction. These transient copies are included within the scope of this Agreement and the security measures in Schedule 3 apply to them.
Note 2 — Special category data: The Processor does not knowingly collect or target special category data as defined in Article 9 of the UK GDPR. However, call transcripts and AI-generated summaries may contain content from which special categories of personal data could be inferred (including health information, disability status, or financial vulnerability). The Controller is responsible for ensuring that any use of transcripts or summaries that involves or reveals special category data is conducted in accordance with Article 9 of the UK GDPR. See clause 14.3 of this Agreement.
Note 3 — Accuracy of AI-Generated Outputs: Transcripts and AI-generated summaries are produced by automated systems and are not warranted for accuracy. The source recording is the ground truth. See clause 15 of this Agreement.
5. Categories of Data Subjects
- Employees and staff of the Controller
- Third parties who make or receive telephone calls with the Controller's employees (including end-customers, prospects, and members of the public)
6. Retention Periods
| Data Category | Default Retention Period |
|---|---|
| Call metadata | 365 days from the date of the call |
| Staff names and call metrics | 365 days from the date of the call |
| Transcripts | 365 days from the date of the call |
| AI summaries | 365 days from the date of the call |
| Call recording audio (ephemeral) | Deleted immediately upon transcription completion |
How these periods work — default maximum. The periods above are default maximum periods. The Processor will not retain Personal Data beyond the stated period without explicit Controller instruction. These periods do not constitute a minimum guarantee — the Controller may request earlier deletion at any time (including via tenant workspace deletion), and the Processor will comply. The Processor commits not to retain data beyond the default period without a documented legal or contractual basis for doing so.
Regulatory retention obligations. The Controller, as data controller, is solely responsible for identifying and meeting any regulatory retention obligations that apply to the data covered by this Agreement (including, where applicable, SYSC 10A minimum retention requirements). The default maximum retention periods above do not constitute a guarantee that the Processor will retain data for any minimum period. The Controller must not instruct deletion of data it is obliged to retain under any applicable regulatory requirement.
FCA-regulated Controllers. Where Schedule 4 applies, the Controller, as the FCA-regulated firm, is solely responsible for ensuring that any instruction to delete data — including via self-serve tenant workspace deletion — complies with its obligations under SYSC 10A. The Processor does not independently enforce regulatory retention periods on the Controller's behalf. The default maximum retention periods above apply to FCA-regulated Controllers in the same manner as to all other Controllers.
Tenant workspace deletion. The Controller may initiate deletion of their entire tenant workspace and associated database via the CallCore administration console. Before the deletion process completes, the Processor will display a prominent warning to the Controller's Authorised User, clearly stating that: (a) deletion is permanent and irreversible — once confirmed, all data will be deleted and cannot be recovered; (b) all Personal Data in the Controller's tenant database will be permanently deleted, including call metadata, transcripts, AI summaries, and all associated records; (c) the Controller is solely responsible for ensuring it has exported all Personal Data required to meet its own legal, regulatory, and operational obligations — including SYSC 10A retention requirements, where applicable — before proceeding; and (d) the Processor will retain no backup copy on the Controller's behalf after deletion completes. Where the Controller follows the deletion process and confirms in response to that warning, that action constitutes the Controller's written instruction to delete as described in clause 12.4.
Backup grace period. Following any deletion (whether by tenant workspace deletion, automated retention expiry, or individual deletion), Personal Data may persist within the Processor's backup infrastructure for up to 30 days as part of normal backup rotation. Such data is not actively processed during this period and is purged in the normal backup cycle. This grace period applies to the Processor's obligations under clause 12.5 (right to erasure — backup copies). This grace period does not apply to data subject to an FCA investigation preservation notice, which must be preserved immediately and completely.
Schedule 2 — Approved Sub-processors
| Sub-processor | Role | Data Processed | Location |
|---|---|---|---|
| Microsoft Azure (Microsoft Corporation) | Cloud hosting, tenant database storage, ephemeral transcription storage | All categories of Personal Data listed in Schedule 1 | UK South (United Kingdom) |
| SendGrid (Twilio Inc.) | Email delivery of scheduled PDF reports | Staff names, call activity metrics | United States — EU SCCs + UK Addendum (ICO-approved); DPF UK Extension |
| Sentry (Functional Software, Inc.) | Application error tracking and performance monitoring | May receive incidental Personal Data in error payloads; Processor maintains configuration to minimise Personal Data ingestion | United States — EU SCCs + UK Addendum (ICO-approved); DPF UK Extension |
Note — Customer-controlled Azure OpenAI: Where the Controller has enabled the AI summarisation feature, the Processor coordinates the transfer of call recording data and/or transcripts to the Controller's own Azure OpenAI resource. This resource is operated and controlled by the Controller, not the Processor. The Controller is the data controller for all processing carried out by its own Azure OpenAI resource. The Processor's role is limited to initiating the API call on the Controller's instruction.
The Processor shall update this Schedule upon engaging any new Sub-processor, in accordance with clause 6.2 of this Agreement.
Schedule 3 — Technical and Organisational Security Measures
The Processor maintains the following technical and organisational measures:
Infrastructure
- All tenant data is hosted in Microsoft Azure, UK South region
- Each customer is provisioned an isolated tenant database within an Azure SQL elastic pool; no cross-tenant data access is possible at the database layer
- All data in transit is encrypted using TLS 1.2 or above
- All data at rest is encrypted using Azure-managed encryption
Tenant Isolation
- Each customer's data is processed within a dedicated, isolated service container ("Tenant Container") provisioned exclusively for that customer. No runtime state, in-memory data, or processing threads are shared between Tenant Containers.
- Each Tenant Container runs dedicated instances of the Processor's internal processing pipeline. A given customer's call data, transcripts, and AI-Generated Outputs are processed only within their own Tenant Container — no processing resources are shared between customers.
- External credentials held by the Processor on behalf of each customer — including 3CX system credentials, Azure OpenAI endpoint configuration, and Salesforce connection details — are held exclusively within that customer's Tenant Container and are not accessible to any other customer's Tenant Container.
- A security incident, processing failure, or error condition affecting one Tenant Container is architecturally contained within that container. It cannot propagate to, read data from, or expose credentials belonging to any other customer's Tenant Container.
Access Controls
- Access to call data, transcripts, AI summaries, and recordings is permission-gated at the application layer
- Granular access tiers are enforced: own calls vs. all calls; separate permissions for view, summary, transcript, and recording access
- Staff authentication to the CallCore platform is via Microsoft account (OAuth)
Ephemeral Storage
- Where call recordings are temporarily stored in Azure Storage during transcription, access is restricted to the Processor's transcription pipeline
- Recordings are deleted from Azure Storage immediately upon transcription completion. In the event of any failure in the primary deletion path, a scheduled daily cleanup job ensures no recording persists in Azure Storage for more than 2 days.
- Temporary files written to container storage during transcription are deleted immediately upon completion or failure of the compression process; any residual files are inaccessible outside the owning container and destroyed on container shutdown, restart, or eviction.
Sub-processor Security
- All Sub-processors are subject to contractual data protection obligations equivalent to those in this Agreement
- The Processor reviews Sub-processor security certifications periodically
Incident Response
- The Processor maintains an internal incident response process
- Personal Data Breaches are notified to the Controller in accordance with clause 9 of this Agreement
Schedule 4 — FCA Regulatory Schedule
This Schedule applies only where the Controller is authorised and regulated by the Financial Conduct Authority ("FCA") and is subject to the FCA's Senior Management Arrangements, Systems and Controls sourcebook ("SYSC"), in particular SYSC 10A (taping and electronic communications).
1. Purpose
This Schedule supplements the base Agreement to address matters relevant to FCA-regulated Controllers in relation to the recording, retention, and integrity of relevant communications. For the avoidance of doubt, SYSC 10A obligations — including the obligation to record and retain relevant communications — sit with the Controller as the FCA-regulated firm. This Schedule does not transfer those obligations to the Processor, and nothing in this Schedule constitutes a representation by the Processor that the Controller's use of the Services satisfies any regulatory requirement.
2. Retention of Relevant Communications
2.1 SYSC 10A — standing obligation. SYSC 10A imposes a standing, continuous obligation on FCA-regulated firms to retain relevant telephone communications for a minimum of five (5) years from the date of the communication (or seven (7) years where the FCA specifically directs). This obligation arises automatically in respect of every relevant communication and is not triggered by any FCA investigation or specific supervisory action — it applies from the moment each call occurs. This obligation sits with the Controller as the FCA-regulated firm. The Processor has no independent obligation under SYSC 10A.
2.2 Call recordings. The Parties acknowledge that the Processor does not retain call recording audio in normal operation. Call recordings are stored on the Controller's own 3CX telephone system. The Controller is solely responsible for ensuring that its 3CX system (or such other recording infrastructure as the Controller uses) meets the retention, integrity, and accessibility requirements of SYSC 10A for call recordings.
2.3 Controller's SYSC 10A retention responsibility. The Controller, as the FCA-regulated firm, is solely responsible for ensuring that its use of the Services — including any instruction to the Processor to delete data — complies with its obligations under SYSC 10A. The Processor does not independently enforce regulatory retention periods on the Controller's behalf. In particular:
(a) the default maximum retention periods in Schedule 1 apply to FCA-regulated Controllers in the same manner as to all other Controllers — they are maximums, not minimums, and do not constitute a guarantee that data will be retained for any regulatory minimum period;
(b) the Controller must ensure, before instructing any deletion of data (including via self-serve tenant workspace deletion as described in clause 12.4), that it has complied with its SYSC 10A obligations in respect of that data;
(c) the irreversibility warning displayed before tenant workspace deletion (clause 12.4 and Schedule 1, Section 6) constitutes notice to the Controller of its responsibility to meet its own regulatory obligations before proceeding. The Processor will not conduct a compliance review on the Controller's behalf before processing any deletion instruction.
2.4 FCA investigation preservation notices. Separately from the standing SYSC 10A obligation, the FCA may, in the context of an active investigation or supervisory action, issue a formal notice to the Controller requiring preservation of specific records and prohibiting their destruction. If the Controller receives such a notice covering data held by the Processor, the Controller must notify the Processor in writing without delay. Upon receipt, the Processor shall implement a specific preservation hold on the identified data. The Processor shall not delete any data subject to such a hold without the written consent of the Controller confirmed against the terms of the preservation notice, or a formal direction from the FCA or a court of competent jurisdiction.
3. Tamper-Evidence
3.1 The Processor shall, upon written request from an FCA-regulated Controller, provide information about the technical measures in place to protect the integrity of stored transcripts and call metadata held in that Controller's tenant database.
3.2 The Processor shall not modify or delete data subject to an FCA investigation preservation hold (as described in clause 2.4) without the express written consent of the Controller confirmed against the terms of the preservation notice, or a formal direction from the FCA or a court of competent jurisdiction.
4. FCA Access
4.1 In the event that the Controller is required by the FCA to produce records held by the Processor, the Processor shall provide reasonable assistance to the Controller in extracting and providing such records in a timely manner.
4.2 The Controller shall give the Processor reasonable notice of any FCA production request. In urgent cases, the Processor shall use its reasonable endeavours to respond within 2 business days.
5. AI Summaries, Automated Processing, and Special Category Data
5.1 The Parties acknowledge that AI-Generated Outputs are stored in the Controller's tenant database and may be surfaced within the Controller's Salesforce CRM via the TX-3 package.
5.2 In addition to the obligations in clauses 14.4 and 15 of the base Agreement, the Controller warrants that it will not use AI-Generated Outputs as the sole basis for decisions that produce legal or similarly significant effects on Data Subjects without human review, and that it will implement appropriate safeguards if AI summaries are used in any automated decision-making process regulated under Article 22 of the UK GDPR.
5.3 The Controller acknowledges that it is responsible for assessing whether its use of AI-Generated Outputs constitutes automated profiling under Article 22 of the UK GDPR and for implementing any required safeguards. Where the Controller's use of call transcripts or AI summaries in connection with FCA-regulated activities (including consumer credit, loan assessment, or conduct monitoring) may involve the processing of special category data — including inferences about health, disability, or financial vulnerability — the Controller warrants that it has identified an appropriate condition under Article 9(2) of the UK GDPR before enabling such processing.
5.4 The Controller acknowledges that the FCA's Consumer Duty (PS22/9) requires firms to act to deliver good outcomes for retail customers. The Controller is solely responsible for ensuring that any use of CallCore-derived data, including transcripts and AI-Generated Outputs, in connection with Consumer Duty monitoring or assessment complies with both the FCA's Consumer Duty rules and Applicable Data Protection Law.
5.5 Accuracy in regulated contexts. In addition to the obligations in clause 15 of the base Agreement, where the Controller uses AI-Generated Outputs in connection with FCA-regulated activities, the Controller warrants that it will not present or rely upon a transcript or AI summary as an accurate record of a relevant communication in any FCA regulatory return, submission, or investigation without first verifying its accuracy against the original recording or other primary evidence.
End of Agreement