Data Processing Agreement (DPA)
Last updated: 8th May 2025
  • This Data Processing Agreement (“Agreement”) forms part of the contract for services (“Service Agreement”) between:
      • (1) [Client Name], the “Data Controller”, and
      • (2) utomat.com, the “Data Processor”
          • Email: info@utomat.com
          • Address: 118 Tomb of the Kings Road, Paphos, Cyprus, 8015
  • together, the “Parties”.

1. Subject Matter and Duration

  • This Agreement governs the processing of personal data by utomat.com on behalf of the Data Controller in connection with the provision of AI-powered outbound calling and lead reactivation services, for the duration of the Service Agreement unless otherwise required by law.

2. Nature and Purpose of Processing

  • Managing and facilitating AI-driven phone communications, including recording, transcribing, and analyzing voice data to enhance communication services.
  • Collecting, storing, and processing contact information for the purpose of lead reactivation and reporting.
  • Integrating with third-party services (e.g., telephony, CRM, analytics) as needed to deliver the contracted services.

3. Types of Personal Data and Data Subjects

  • Categories of Data Subjects:
      • Customers and leads of the Data Controller
      • End-users contacted on behalf of the Data Controller
      • Employees or agents of the Data Controller (if relevant)
  • Categories of Personal Data:
      • Contact information (name, phone number, email address)
      • Voice recordings and transcriptions
      • Communication metadata (time, date, duration)
      • Any other data provided during phone communications

4. Obligations of the Data Processor (utomat.com)

  • utomat.com shall:
      • Process personal data only on documented instructions from the Data Controller.
      • Ensure all persons authorized to process personal data are bound by confidentiality.
      • Implement appropriate technical and organizational measures to ensure data security.
      • Assist the Data Controller in responding to data subject requests and in ensuring compliance with GDPR obligations (including security, breach notification, and impact assessments).
      • Notify the Data Controller without undue delay after becoming aware of a personal data breach.
      • At the choice of the Data Controller, delete or return all personal data after the end of the provision of services, unless retention is required by law.
      • Make available all information necessary to demonstrate compliance and allow for audits.

5. Subprocessing

  • utomat.com may engage subprocessors (e.g., telephony, AI, CRM providers) with prior general written authorization from the Data Controller.
  • A list of current subprocessors is available upon request.
  • utomat.com shall impose the same data protection obligations on subprocessors as set out in this Agreement.
  • The Data Controller will be notified of any intended changes concerning the addition or replacement of subprocessors, with at least 14 days to object.

6. International Transfers

  • If personal data is transferred outside the European Economic Area (EEA), utomat.com will ensure appropriate safeguards are in place in accordance with GDPR Chapter V (e.g., Standard Contractual Clauses).

7. Data Controller Obligations

  • The Data Controller shall:
      • Ensure that it has all necessary consents and legal bases for processing personal data and for instructing utomat.com.
      • Provide documented instructions for processing.
      • Inform utomat.com of any data subject requests or regulatory requirements.

8. Term and Termination

  • This Agreement remains in effect for the duration of the Service Agreement or as long as utomat.com processes personal data on behalf of the Data Controller.

9. Governing Law

  • This Agreement shall be governed by the laws of Cyprus.

10. Signatures

  • For the Data Controller:
      • Name: ___________________
      • Title: ____________________
      • Date: ____________________
  • For utomat.com:
      • Name: ___________________
      • Title: ____________________
      • Date: ____________________