← Back to home

Data Processing Agreement

Last updated: 8 April 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the service agreement between Deskless Ltd (“Processor”) and you (“Controller”) pursuant to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This DPA applies to all personal data processed by Deskless on your behalf in the course of providing our AI agent services.

2. Definitions

  • Controller: You, the client, who determines the purposes and means of processing personal data
  • Processor: Deskless Ltd, who processes personal data on behalf of the Controller
  • Data subjects: Your customers, leads, suppliers, and other individuals whose data is processed through our services
  • Personal data: Any information relating to an identified or identifiable natural person

3. Scope of processing

Deskless processes personal data on your behalf for the following purposes:

  • Receiving and responding to WhatsApp messages from your customers
  • Qualifying leads and routing enquiries
  • Scheduling appointments and managing calendar entries
  • Sending invoice reminders and payment follow-ups
  • Managing supplier communications

Categories of data processed:

  • Names and contact details (phone numbers, email addresses)
  • Message content (WhatsApp conversations)
  • Appointment and scheduling data
  • Invoice and payment information
  • Location data (postcodes, service areas)

4. Processor obligations

Deskless shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorised to process the data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Not engage sub-processors without prior written consent of the Controller
  • Assist the Controller in responding to data subject requests
  • Delete or return all personal data upon termination of services
  • Make available all information necessary to demonstrate compliance

5. Security measures

We implement the following technical and organisational measures:

  • Encryption at rest: AES-256 full-disk encryption on all servers
  • Encryption in transit: TLS 1.3 for all data transfers
  • Access controls: Role-based access, multi-factor authentication for all staff
  • Infrastructure: EU-hosted servers (Hetzner, Germany), ISO 27001 certified data centres
  • Monitoring: 24/7 automated monitoring with alerting within 60 seconds
  • Backups: Encrypted daily backups with 30-day retention
  • Incident response: Documented incident response procedure with 72-hour breach notification

6. Sub-processors

We use the following sub-processors:

ProviderPurposeLocation
AnthropicAI model processing (Claude)US (EU data processing)
HetznerServer infrastructureGermany, EU
VercelWebsite hostingGlobal CDN (EU primary)
WhatsApp (Meta)Messaging platformEU/US

We will notify you of any changes to sub-processors at least 14 days in advance.

7. Data transfers

Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.

8. Data breach notification

In the event of a personal data breach, Deskless shall:

  • Notify the Controller without undue delay and in any event within 72 hours
  • Provide full details of the breach, including categories and approximate number of data subjects affected
  • Describe the likely consequences and measures taken or proposed to mitigate
  • Cooperate fully with the Controller and the ICO in investigating the breach

9. Data retention and deletion

  • WhatsApp message data: retained for 90 days, then securely deleted
  • CRM and business data: retained for the duration of the service agreement
  • Upon termination: all data exported to Controller and securely deleted within 90 days
  • Backup data: purged within 30 days of primary deletion

10. Audit rights

The Controller has the right to audit Deskless's compliance with this DPA. We will provide reasonable access to relevant documentation, systems, and personnel. Audits shall be conducted with reasonable notice and during business hours.

11. Governing law

This DPA is governed by the laws of England and Wales and is subject to the jurisdiction of the courts of England and Wales.

12. Contact

For questions about this DPA or to request a signed copy, contact us at [email protected].