Legal
Data Processing Agreement
Last updated: 22 June 2026
This Data Processing Agreement ("DPA") sets out the terms on which ISLTech ("ISLTech") processes personal data on behalf of its clients. It forms part of our Terms of Service and applies whenever we handle personal data in the course of running a voice agent for you. A signed copy is provided with every paid engagement.
1. Roles
For the personal data processed through your voice agent, you (the client) are the data controller and ISLTech is the data processor. We process personal data only on your documented instructions.
2. Scope and purpose
We process personal data solely to deliver the voice agent service described in your Service Agreement — for example handling calls, taking and managing bookings, answering caller questions, and routing requests to your team. Categories of data typically include caller names, phone numbers, booking details, and call recordings and transcripts. By default, call recordings and transcripts are retained for 90 days and then deleted, unless a different retention period is agreed in your Service Agreement.
3. Sub-processors
We use a limited set of sub-processors — including voice platform vendors, language-model providers, telephony providers, and hosting infrastructure. Some of these sub-processors are located outside the European Economic Area. Each is bound by data protection terms at least as protective as this DPA. The current list for your engagement is provided in your engagement-specific addendum, and we will give you advance notice of any new sub-processor so you can object.
4. Security measures
We protect personal data with encryption in transit and at rest, role-based access controls, audit logging, and an annual review of our security measures. Personnel with access to personal data are bound by confidentiality obligations.
5. International transfers
Our core hosting is located within the European Union. Some sub-processors — including elements of our voice and AI platforms and the call recordings and transcripts they generate — process personal data outside the European Economic Area, including in the United States. Any such transfer relies on an adequacy decision or the European Commission's Standard Contractual Clauses. The processing locations for your engagement are set out in your engagement-specific addendum.
6. Data subject rights
We assist you in responding to data subject access requests and other rights requests, and will action your reasonable instructions to access, correct, or delete specific records within 30 days.
7. Breach notification
If we become aware of a personal data breach affecting your data, we will notify you without undue delay and in any event within 48 hours, together with the information you need to meet your own notification obligations.
8. Return and deletion
On termination, we will make your data available for export within 7 days and delete it within 30 days, unless we are required by law to retain it. We will confirm deletion in writing on request.
9. Audit
On reasonable notice, and no more than once a year unless required by a regulator, we will provide the information you need to demonstrate our compliance with this DPA.
10. Contact
To request a signed DPA or ask a data processing question, email privacy@isltech.ai.