ISLTech

Legal

Data Processing Agreement

Last updated: 22 June 2026

This Data Processing Agreement ("DPA") sets out the terms on which ISLTech ("ISLTech") processes personal data on behalf of its clients. It forms part of our Terms of Service and applies whenever we handle personal data in the course of running a voice agent for you. A signed copy is provided with every paid engagement.

1. Roles

For the personal data processed through your voice agent, you (the client) are the data controller and ISLTech is the data processor. We process personal data only on your documented instructions.

2. Scope and purpose

We process personal data solely to deliver the voice agent service described in your Service Agreement — for example handling calls, taking and managing bookings, answering caller questions, and routing requests to your team. Categories of data typically include caller names, phone numbers, booking details, and call recordings and transcripts. By default, call recordings and transcripts are retained for 90 days and then deleted, unless a different retention period is agreed in your Service Agreement.

3. Sub-processors

We use a limited set of sub-processors — including voice platform vendors, language-model providers, telephony providers, and hosting infrastructure. Some of these sub-processors are located outside the European Economic Area. Each is bound by data protection terms at least as protective as this DPA. The current list for your engagement is provided in your engagement-specific addendum, and we will give you advance notice of any new sub-processor so you can object.

4. Security measures

We protect personal data with encryption in transit and at rest, role-based access controls, audit logging, and an annual review of our security measures. Personnel with access to personal data are bound by confidentiality obligations.

5. International transfers

Our core hosting is located within the European Union. Some sub-processors — including elements of our voice and AI platforms and the call recordings and transcripts they generate — process personal data outside the European Economic Area, including in the United States. Any such transfer relies on an adequacy decision or the European Commission's Standard Contractual Clauses. The processing locations for your engagement are set out in your engagement-specific addendum.

6. Data subject rights

We assist you in responding to data subject access requests and other rights requests, and will action your reasonable instructions to access, correct, or delete specific records within 30 days.

7. Breach notification

If we become aware of a personal data breach affecting your data, we will notify you without undue delay and in any event within 48 hours, together with the information you need to meet your own notification obligations.

8. Return and deletion

On termination, we will make your data available for export within 7 days and delete it within 30 days, unless we are required by law to retain it. We will confirm deletion in writing on request.

9. Audit

On reasonable notice, and no more than once a year unless required by a regulator, we will provide the information you need to demonstrate our compliance with this DPA.

10. Contact

To request a signed DPA or ask a data processing question, email privacy@isltech.ai.