Data Processing Agreement.
How we process personal data on your behalf as processor — obligations, sub-processors, safeguards, and transfers. UK GDPR and EU GDPR aligned.
§ 01Scope.
This Data Processing Agreement (“DPA”) forms part of the agreement between Dilr.ai Ltd (company no. 16842656, registered in England and Wales) and the Customer under the Terms of Service or a signed Order (together, the “Principal Agreement”). It applies whenever Dilr processes personal data on behalf of Customer in the course of delivering the Services.
This DPA reflects the parties' obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and — where Customer is established in the EEA or processes personal data subject to EU GDPR — Regulation (EU) 2016/679 (EU GDPR).
Where the Principal Agreement and this DPA conflict on matters of data protection, this DPA prevails.
§ 02Roles.
For the processing described in Annex A:
- Customer is the controller.
- Dilr is the processor.
- Dilr may engage sub-processors under the conditions of Section 5.
Where Customer acts as a processor for its own customers, Dilr acts as sub-processor; this DPA applies on equivalent terms, and Customer warrants it has authority to engage Dilr on its controller's behalf.
§ 03Processing.
The subject matter, duration, nature, purpose, categories of personal data, and categories of data subjects are set out in Annex A. Any change to these particulars must be agreed in writing (including by signed Order).
§ 04Instructions.
Dilr will process personal data only on documented instructions from Customer, including with regard to international transfers, except where required to do so by Union or Member State law to which Dilr is subject. In such a case, Dilr will inform Customer of that legal requirement before processing, unless the law prohibits that notice.
The Principal Agreement (including this DPA, any Order, and Customer's use of the configuration options in the Services) constitutes Customer's documented instructions. Further instructions outside that scope must be agreed in writing and may be subject to additional fees if they cause material work.
Dilr will immediately inform Customer if, in its opinion, an instruction infringes applicable data protection law.
§ 05Sub-processors.
Customer grants Dilr general written authorisation to engage sub-processors, subject to the conditions below.
Dilr will:
- Maintain a current list of sub-processors (Annex C).
- Impose on each sub-processor data protection obligations no less protective than those in this DPA by written contract.
- Remain fully liable to Customer for the performance of its sub-processors.
- Give Customer at least 30 days' prior notice of any intended addition or replacement of a sub-processor (by email and via the updated Annex C on this page).
Customer may object in writing to a new sub-processor on reasonable data protection grounds within the notice period. If the parties cannot agree a solution, Customer may terminate the affected portion of the Services without penalty.
§ 06International transfers.
Where Dilr transfers personal data outside the UK or EEA, Dilr will ensure an adequate level of protection through one of the following mechanisms:
- A UK or EU adequacy decision covering the destination country.
- The UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses.
- The EU Standard Contractual Clauses (2021/914) in the appropriate module, with UK Mandatory Clauses.
Dilr conducts and documents transfer impact assessments for each destination and maintains supplementary technical and organisational measures — encryption, access controls, data minimisation — layered on top of contractual protections.
For EU-based Customers who require processing to remain within the EEA, Dilr can configure Services to be delivered from EU-region infrastructure. This must be specified in the Order.
§ 07Security.
Dilr implements appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk, as set out in Annex B. These include measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore availability and access in a timely manner after an incident; and a process for regularly testing and evaluating the effectiveness of the measures.
Dilr personnel who process personal data are bound by written confidentiality obligations and trained on data protection.
§ 08Data subject rights.
Taking into account the nature of the processing, Dilr will assist Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects exercising their rights under UK GDPR / EU GDPR (access, rectification, erasure, restriction, portability, objection).
If a data subject contacts Dilr directly, Dilr will promptly notify Customer and will not respond to the request itself (except to acknowledge receipt and redirect) unless instructed by Customer.
§ 09Personal data breach.
Dilr will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Customer's personal data. The notification will include, to the extent available:
- The nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The likely consequences.
- The measures taken or proposed to address the breach and mitigate adverse effects.
- The name and contact of Dilr's data protection contact.
Dilr will cooperate with and provide reasonable assistance to Customer in fulfilling Customer's obligations to notify supervisory authorities and affected data subjects under Articles 33 and 34 of UK/EU GDPR.
§ 10Audit.
Dilr will make available to Customer all information necessary to demonstrate compliance with this DPA. On reasonable prior written notice (at least 30 days, except in case of an ongoing incident), and no more than once per 12-month period (or as required by a supervisory authority):
- Dilr will respond to a reasonable security questionnaire.
- Dilr will provide the most recent copy of its penetration test summary and, where available, third-party attestation reports (e.g. SOC 2, ISO 27001) under NDA.
- At Customer's reasonable request and cost, Customer (or an independent auditor it mandates, subject to reasonable confidentiality and conflict-of-interest undertakings) may conduct an on-site audit, scoped to avoid disruption to Dilr's operations and respecting other customers' confidentiality.
§ 11Return or deletion.
On termination of the Services, and subject to the retention terms in the Principal Agreement, Dilr will (at Customer's choice):
- Return all personal data to Customer in a machine-readable format, and delete existing copies; or
- Delete all personal data.
Deletion is completed within 30 days of the end of the export period, except to the extent that Union or Member State law requires further storage — in which case Dilr will continue to ensure confidentiality and process the data only to the extent and for the duration required.
Encrypted backups continue on their normal rotation cycle (35 days) and are then overwritten in the ordinary course.
Details of processing.
| Subject matter | Processing of personal data as necessary to deliver the Services under the Principal Agreement (Dilr Voice, Seek Brilliance, Studio Precision, and/or Consulting Services). |
| Duration | For the term of the Principal Agreement plus any post-termination period required for export, deletion, or legal retention. |
| Nature & purpose | To operate, host, secure, and support the Services; to deliver Consulting Deliverables; to provide customer support. |
| Categories of data subjects | Customer's personnel and authorised users; Customer's end users and callers (Dilr Voice); Customer's learners (Seek Brilliance); Customer's content subjects (Studio Precision). |
| Categories of personal data | Identification data (name, email, role); authentication data; usage data; communication content (voice audio, transcripts, text); learning records; content generated or processed via the Services. Special category data only where specifically contracted. |
| Special categories | Not processed by default. Where contracted, additional safeguards under Article 9 UK/EU GDPR apply. |
| Frequency | Continuous for Products; project-based for Consulting. |
| Retention | As set out in the Privacy Policy and per-tenant configuration. |
Technical & organisational measures.
Access control
- Single sign-on with enforced MFA for all Dilr personnel accessing customer environments.
- Role-based access control; least-privilege defaults; just-in-time elevation for sensitive operations.
- Quarterly access reviews; immediate revocation on role change or departure.
Encryption
- TLS 1.2+ for data in transit. Certificate pinning where applicable.
- AES-256 for data at rest (object storage, databases, backups).
- Customer-managed keys available on request for Enterprise tiers.
Tenancy & isolation
- Logical multi-tenancy with row-level and container-level isolation.
- No cross-tenant queries permitted at the application layer.
- Dedicated-infrastructure tier available for regulated customers.
Monitoring & logging
- Centralised audit logging with 13-month retention.
- 24x7 automated alerting on anomalous access and integrity events.
- Regular log review and correlation.
Vulnerability management
- Continuous dependency scanning (SCA) and static analysis on CI.
- Annual penetration test by a CREST-accredited third party.
- Patch SLA: critical 48h, high 7 days, medium 30 days.
Business continuity
- Multi-AZ deployment for production workloads.
- Backups encrypted and tested; RTO 4h, RPO 1h for Tier 1 Services.
- Documented incident response plan, rehearsed annually.
Organisational
- Background checks for staff handling customer data.
- Written confidentiality agreements with all personnel.
- Annual security and data protection training.
- Documented onboarding / offboarding procedures.
- No offshore data access for EU/UK customer data unless explicitly agreed.
Approved sub-processors.
Current as of the effective date above. Changes notified 30 days in advance by email and via this page.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Hosting, compute, storage | UK · EU · US |
| Google Cloud Platform | Hosting, storage (select workloads) | UK · EU |
| OpenAI, Inc. | Foundation model API (zero-retention) | US |
| Anthropic PBC | Foundation model API | US · EU |
| Twilio Inc. | Telephony for Dilr Voice | UK · EU · US |
| LiveKit, Inc. | Real-time voice infrastructure | EU · US |
| Datadog, Inc. | Observability, logging, APM | EU |
| Sentry (Functional Software, Inc.) | Error tracking | EU |
| Stripe, Inc. | Billing & payments | UK · EU · US |
| Google Workspace | Email, docs, internal collaboration | EU · US |
| Plausible Insights OÜ | Privacy-respecting analytics (marketing site) | EU |
Foundation model providers are engaged under API-grade zero-training / zero-retention terms where available. Customer data is not used to train general-availability models.
Questions about this DPA or to request a signed, countersigned version: privacy@dilr.ai. For enterprise customers, we're happy to negotiate reasonable customisations in the Order.