Data Processing Agreement
Dilr.Ai Ltd
Last Updated: 30 December 2025
GDPR Article 28 Compliant
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: You, the customer using the Dilr platform ("Controller")
- Data Processor: Dilr.Ai Ltd, a company registered in England and Wales (Company No. 16842656), with its registered office at 92 East Croft House, 86 Northolt Road, Harrow, HA2 0ES, England ("Processor")
2. Subject Matter and Duration
This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of voice AI services through the Dilr platform.
The duration of this DPA corresponds to the duration of the Service Agreement between the parties. Upon termination, the Processor shall delete or return all personal data as specified in Section 10.
3. Nature and Purpose of Processing
The Processor processes personal data for the following purposes:
- Provision of voice AI calling services
- Speech-to-text transcription of voice calls
- Text-to-speech voice synthesis
- AI-powered conversation management
- Call recording and storage (when enabled by Controller)
- Analytics and reporting
- Billing and account management
4. Categories of Personal Data
The personal data processed includes:
- Contact Information: Names, phone numbers, email addresses
- Voice Data: Call recordings, voice patterns
- Communication Content: Transcripts, call summaries
- Technical Data: IP addresses, device information
- Usage Data: Call metadata, platform interactions
- Any additional data uploaded by the Controller
5. Categories of Data Subjects
Data subjects may include:
- Controller's customers and contacts
- Controller's employees and agents
- Recipients of calls made through the platform
- Any individuals whose data is uploaded to the platform
6. Processor Obligations
The Processor shall:
- 6.1 Process personal data only on documented instructions from the Controller, unless required by applicable law
- 6.2 Ensure that persons authorized to process personal data have committed to confidentiality
- 6.3 Implement appropriate technical and organizational security measures
- 6.4 Engage sub-processors only with prior written consent of the Controller
- 6.5 Assist the Controller in responding to data subject requests
- 6.6 Assist the Controller in ensuring compliance with GDPR Articles 32-36
- 6.7 Delete or return all personal data upon termination
- 6.8 Make available information necessary to demonstrate compliance
7. Security Measures
The Processor implements the following security measures:
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Control: Role-based access, multi-factor authentication
- Logging: Comprehensive audit logging of all data access
- Infrastructure: Secure cloud infrastructure on Google Cloud Platform
- Data Isolation: Logical separation of customer data
- Backup: Regular encrypted backups with defined retention
- Incident Response: 72-hour breach notification procedure
8. Sub-processors
The Controller provides general authorization for the Processor to engage sub-processors, subject to the following conditions:
- The Processor shall inform the Controller of any intended changes
- Sub-processors shall be bound by equivalent data protection obligations
- The Processor remains fully liable for sub-processor compliance
Current Sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Google Cloud Platform | Cloud infrastructure and data storage | EU / US (with SCCs) | Standard Contractual Clauses |
| Twilio | Voice call infrastructure and phone numbers | US (with SCCs) | Standard Contractual Clauses, DPA |
| OpenAI | AI language model processing | US (with SCCs) | Standard Contractual Clauses, DPA |
| Deepgram | Speech-to-text transcription | US (with SCCs) | Standard Contractual Clauses |
| ElevenLabs | Text-to-speech voice synthesis | EU | GDPR compliant |
| Stripe | Payment processing and billing | US (with SCCs) | Standard Contractual Clauses, PCI-DSS |
| Resend | Transactional email delivery | US (with SCCs) | Standard Contractual Clauses |
9. International Data Transfers
Where personal data is transferred outside the European Economic Area:
- Transfers to countries with adequacy decisions are permitted
- For other transfers, Standard Contractual Clauses (SCCs) apply
- The Processor has implemented supplementary measures where required
- Transfer Impact Assessments are conducted for high-risk transfers
10. Data Deletion and Return
Upon termination of the Service Agreement or upon request:
- The Controller may request return of personal data in a machine-readable format
- The Processor shall delete all personal data within 30 days
- Backup copies shall be deleted within 90 days
- Certain data may be retained for legal compliance (anonymized)
11. Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject requests including:
- Access: Providing copies of personal data (Article 15)
- Rectification: Correcting inaccurate data (Article 16)
- Erasure: Deleting data upon request (Article 17)
- Restriction: Limiting processing (Article 18)
- Portability: Data export in machine-readable format (Article 20)
- Objection: Ceasing processing upon objection (Article 21)
12. Personal Data Breach Notification
In the event of a personal data breach:
- The Processor shall notify the Controller without undue delay (within 24 hours)
- Notification shall include nature of breach, categories of data affected, approximate number of data subjects, and remediation measures
- The Processor shall assist in notification to supervisory authority (within 72 hours)
- The Processor shall assist in communication to data subjects if required
13. Audits and Inspections
The Processor shall:
- Make available all information necessary to demonstrate compliance
- Allow for and contribute to audits conducted by the Controller
- Immediately inform the Controller if an instruction infringes GDPR
- Provide security documentation and compliance reports upon request
14. Liability
Each party shall be liable for damages caused by processing that does not comply with GDPR or this DPA. The parties agree to indemnify each other for any regulatory fines or damages awarded to data subjects arising from the other party's breach of this DPA.
15. Governing Law
This DPA shall be governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales, without prejudice to the rights of data subjects to lodge complaints with supervisory authorities.
Contact Information
For questions about this DPA or data protection matters:
Data Protection Contact:
Dilr.Ai Ltd
92 East Croft House, 86 Northolt Road
Harrow, HA2 0ES, England
Email: privacy@dilr.ai
This DPA is incorporated into and forms part of the Terms of Service and is supplemented by our Privacy Policy.