Handlet Data Processing Addendum
This Data Processing Addendum ("DPA") applies where HANDLET LIMITED ("Handlet", "we", "us") processes personal data on behalf of a business customer through the Handlet service.
This DPA forms part of the Terms of Service. It is intended to meet the UK GDPR Article 28 contract requirements for controller-to-processor processing.
If this DPA conflicts with the Terms on the protection or processing of customer personal data, this DPA takes priority. Defined terms have the meanings given in UK data protection law unless the context requires otherwise.
1. Roles
For account, billing, security, support, and platform administration data, Handlet is usually a controller.
For customer communication data that a business customer brings into Handlet, the business customer is usually the controller and Handlet is the processor. This may include message content, customer contact details, connected-channel metadata, job or quote details, review content, call transcripts, call recordings, call summaries, call outcomes, and call metadata.
The business customer is responsible for ensuring that it has a lawful basis for processing its customers' personal data and for providing any required privacy notices, AI voice-assistant notices, call-recording notices, marketing notices, and opt-out mechanisms.
2. Processing Details
| Item | Details |
|---|---|
| Subject matter | Providing the Handlet platform and related support, security, automation, AI-assistance, messaging, and call-agent features. |
| Duration | The term of the customer's Handlet account plus any retention period described in the Terms, Privacy Policy, retention tables, or required by law. |
| Nature of processing | Collection, ingestion, storage, hosting, retrieval, display, organisation, classification, summarisation, drafting, sending or preparing communications, transcription, recording storage, analysis, deletion, and support access where required. |
| Purpose | To provide Handlet features requested or configured by the customer, create account-specific intelligence for that customer, keep the service secure and reliable, support the customer, and meet legal or compliance obligations. |
| Data subjects | Customer's customers, leads, contacts, callers, staff, contractors, account users, and other people who communicate with the customer's business. |
| Personal data categories | Names, contact details, message content, attachments, message metadata, job or quote information, review content, call audio, call transcripts, call metadata, call outcomes, technical identifiers, audit data, and support records. |
| Special category or criminal offence data | Not intentionally requested by Handlet. If it appears in connected communications, Handlet processes it only as needed to provide the service and under the customer's instructions. |
3. Customer Instructions
Handlet will process customer communication data only on documented instructions from the customer. Those instructions include:
- this DPA;
- the Terms of Service;
- the customer's use of product settings and connected integrations;
- support requests submitted by the customer; and
- any written instructions agreed between Handlet and the customer.
Handlet will tell the customer if, in our opinion, an instruction infringes applicable data protection law, unless the law prevents us from doing so.
Handlet may create operational statistics and account-bounded derived outputs where needed to provide the service under the customer's instructions.
Handlet will not use identifiable customer communication data for its own cross-customer model improvement, external benchmarking, partner insight products, or another independently determined purpose unless the customer has explicitly authorised that separate processing. Where Handlet independently determines the purpose and means of processing personal data, Handlet acts as controller for that processing and will identify an applicable lawful basis and provide the transparency required by data protection law.
Creating anonymised information from customer personal data for a separate Handlet purpose is itself processing. Handlet will therefore not use processor data to create cross-customer benchmarks, external examples, partner products, or cross-customer model improvements unless that source processing is covered by the customer's separate, explicit instruction or authorisation. Once information has lawfully been rendered irreversibly anonymous, it is no longer personal data. Pseudonymised data remains personal data and is not treated as anonymous.
4. Confidentiality
Handlet will ensure that people authorised to process personal data are subject to appropriate confidentiality obligations.
5. Security
Handlet will use appropriate technical and organisational measures designed to protect personal data, taking into account the nature of the data, the risks of processing, the state of the art, implementation costs, and the service context.
These measures may include access controls, tenant-scoped permissions, encryption in transit, secure hosting, operational logging, audit records, role-based access, monitoring, and incident-response procedures.
6. Subprocessors
The customer gives Handlet general authorisation to use subprocessors needed to provide and support the service.
Handlet maintains a current list of active subprocessors at Handlet Subprocessors. Under the customer's general written authorisation, Handlet will give customers at least 30 days' prior written notice before an intended addition or replacement of a subprocessor that will process customer communication data, unless an urgent security, legal, or service-continuity issue makes that period impracticable. In an urgent case, Handlet will give notice as soon as reasonably possible.
During the notice period, the customer may object on reasonable data-protection grounds by contacting privacy@handlet.ai. Handlet will work in good faith to address the objection, including by considering a commercially reasonable configuration change or alternative. If the parties cannot resolve the objection, the customer may terminate the affected service before the new subprocessor begins processing that customer's data.
Handlet will impose data-protection obligations on each subprocessor that provide materially equivalent protection for the relevant processing. Handlet remains responsible to the customer for the performance of its subprocessors' processor obligations.
7. Assistance
Taking into account the nature of the processing and information available to Handlet, we will provide reasonable assistance with:
- data subject access, correction, deletion, objection, restriction, portability, and related requests;
- security obligations under UK GDPR Article 32;
- personal data breach obligations under UK GDPR Articles 33 and 34;
- data protection impact assessments under UK GDPR Article 35; and
- prior consultation with a supervisory authority under UK GDPR Article 36, where applicable.
The customer remains responsible for deciding how to respond to requests from its own customers unless Handlet is independently required by law to respond.
8. Personal Data Breaches
Handlet will notify the customer without undue delay after becoming aware of a personal data breach affecting customer communication data processed by Handlet as processor.
The notice will include information reasonably available to Handlet to help the customer meet its own breach-assessment and notification obligations.
Where reasonably available, the notice will describe the nature of the breach, affected data and data subjects, likely consequences, containment or remediation measures, and a contact for follow-up. Information may be supplied in phases where it is not all available at the same time.
9. Deletion and Return
At the customer's choice, Handlet will delete or return customer communication data after the end of the relevant services and delete existing copies, unless UK law requires Handlet to retain specified data. The customer should communicate its choice before termination or within 30 days afterwards. If no choice is received, Handlet may delete the data in accordance with its documented retention process.
Deletion from backups may follow documented technical backup cycles. Until overwritten or deleted, backup copies will remain protected, isolated from ordinary use, and processed only where needed for restoration, security, or compliance with law. Handlet may retain limited records that it processes as controller where required for tax, security, complaint handling, legal claims, or regulatory accountability. Primary-store deletion or redaction of customer communication data is immediate in Handlet's database; copies may remain recoverable from infrastructure backups (including Supabase point-in-time recovery and daily backups) until those backup windows expire, as recorded in Handlet's operational retention schedule.
The current retention criteria for processor data are set out in the Privacy Policy and How we process personal data. Where call-agent recording is enabled, call recording audio is retained for 90 days by default unless the workspace configures another valid period, keeps a specific recording, or disables recording. Call transcript text, summaries, outcomes, and related call metadata are retained for 24 months (730 days) by default unless the workspace configures another valid period or keeps a specific transcript; after that period Handlet automatically redacts transcript text and related call insights from primary storage. Recording audio and transcript text follow separate retention windows. Voice and telephony subprocessors (including Vapi) may retain provider-side recordings or transcripts under their own retention unless manually erased through Handlet's documented erasure paths.
10. Audits and Compliance Information
Handlet will make all information reasonably necessary to demonstrate compliance with UK GDPR Article 28 available to the customer. This may include summaries of security measures, subprocessor information, relevant audit records, policies, or written responses to reasonable security and privacy questions.
Handlet will allow for and contribute to audits, including inspections, conducted by the customer or an independent auditor mandated by the customer. Audits must be reasonable, proportionate, subject to appropriate confidentiality and security controls, and designed to avoid unnecessary disruption or access to another customer's data. Unless a personal data breach or substantiated compliance concern justifies otherwise, the parties will ordinarily use current third-party reports and written evidence before requiring an on-site inspection.
11. International Transfers
Where processing involves international transfers, Handlet will use appropriate transfer safeguards such as adequacy decisions, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, Standard Contractual Clauses where appropriate, or another lawful transfer mechanism.
Handlet will conduct or obtain an appropriate transfer-risk assessment where required and will implement supplementary measures where reasonably necessary. The customer authorises transfers required to provide enabled features subject to these safeguards and the current subprocessor register. Handlet does not promise that all processing will remain in the UK unless a signed order form expressly provides otherwise.
12. Intelligence and Benchmarking Outputs
Handlet does not sell raw customer communication data, raw messages, raw call recordings or transcripts, customer contact details, CRM records, identifiable business profiles, identifiable end-customer profiles, account-level behavioural profiles, or pseudonymised datasets presented as anonymous data.
Where Handlet produces aggregated, anonymised, transformed, or synthetic intelligence products, those outputs are governed by the Intelligence & Benchmarking Policy. Customers remain responsible for ensuring their own customer notices accurately describe how communications may be handled through Handlet.
13. Customer Responsibilities
The customer is responsible for:
- having a lawful basis for processing personal data it brings into Handlet;
- giving required privacy notices to its customers, callers, staff, and contacts;
- complying with electronic marketing, AI voice-assistant disclosure, call-recording, telecoms, and sector-specific rules that apply to its business;
- giving any required notice that communications may be analysed for account-specific intelligence, service improvement, and privacy-protected benchmarking;
- ensuring connected channels and Auto-Send settings are configured lawfully;
- keeping account access limited to authorised users; and
- avoiding unnecessary special category or criminal offence data.
14. Contact
Privacy and DPA questions should be sent to privacy@handlet.ai.
Schedule 1: Processing Instructions
The processing details in section 2, the customer's enabled product settings and integrations, support requests, and written instructions accepted by Handlet form the documented processing instructions. Processing is continuous or as initiated by the customer during the service term. The frequency depends on feature use and connected-channel activity.
Schedule 2: Technical and Organisational Measures
Handlet's measures include, as appropriate to the service and risk:
- logical tenant isolation using account-scoped database controls and row-level security;
- role-based access, least-privilege administration, and protected support access;
- encryption in transit using HTTPS/TLS and provider-managed encryption at rest;
- authentication controls, secure credential storage, and multi-factor authentication for privileged administration where configured;
- audit logging and restricted access to compliance and security records;
- data minimisation, including PII redaction before specified external AI or workflow processing;
- secure development review, dependency maintenance, testing, and controlled deployment;
- monitoring, incident response, backup, restoration, and continuity measures provided by Handlet and its infrastructure providers;
- retention and deletion controls, including workspace deletion workflows and configurable call-recording retention; and
- confidentiality obligations for authorised personnel and equivalent contractual protections for subprocessors.
These measures may evolve to address changes in risk, technology, and the service, provided the overall level of protection is not materially reduced.
Schedule 3: Liability and General Terms
Liability arising under this DPA is subject to the liability provisions in the Terms unless mandatory data protection law requires otherwise. Nothing in this DPA limits a data subject's rights or a supervisory authority's powers.