Schedule 1: Data Processing Addendum (UK GDPR)
1. Definitions
1.1 In this Schedule:
1.1 1.UK GDPR Terms: "Controller", "Processor", "Personal Data", "Processing", "Personal Data Breach", "Data Subject", and "Supervisory Authority" have the meanings given in the UK GDPR.
1.1 2.Services: "Services" has the meaning set out in the Terms.
1.1 3.Sub-processor: "Sub-processor" means any third party engaged by Voxd to process Personal Data on behalf of the Client.
2. Roles of the Parties
2.1 The parties acknowledge that, for the purposes of the UK GDPR: the Client is the Controller of Personal Data processed in connection with the Services; and Voxd is the Processor, except where otherwise agreed in writing.
2.2 Voxd shall process Personal Data only on documented instructions from the Client, including as set out in these Terms and this Schedule, unless required to do otherwise by applicable law.
3. Details of the Processing
3.1 Provision of AI-powered chatbot configuration, integration, and related services.
3.2 For the duration of the Services and any applicable retention period set out in these Terms or agreed in writing.
3.3 Processing Personal Data as necessary to configure, operate, and support chatbot interactions and integrations as instructed by the Client.
3.4 May include the Client's customers, prospective customers, employees, contractors, and other end users who interact with the chatbot.
3.5 May include names, contact details, message content, identifiers, and any other Personal Data submitted by or on behalf of the Client through use of the Services.
4. Processor Obligations
4.1 Voxd shall:
4.1 1.Process on Instructions: process Personal Data only in accordance with the Client's documented instructions;
4.1 2.Confidentiality: ensure that persons authorised to process Personal Data are subject to confidentiality obligations;
4.1 3.Security Measures: implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage;
4.1 4.Personnel Reliability: take reasonable steps to ensure the reliability of personnel with access to Personal Data.
4.2 Voxd does not determine the purposes or means of processing and does not independently validate the lawfulness of the Client's instructions.
5. Sub-processing
5.1 The Client authorises Voxd to engage Sub-processors for the provision of the Services, including hosting providers, infrastructure providers, and AI or messaging platform providers.
5.2 Voxd shall ensure that any Sub-processor is subject to data protection obligations substantially similar to those set out in this Schedule.
5.3 A list of current Sub-processors may be made available by Voxd via the client portal or upon reasonable request.
5.4 Voxd may add or replace Sub-processors from time to time. Where reasonably practicable, Voxd shall provide notice of material changes. Continued use of the Services constitutes acceptance of such changes.
6. International Transfers
6.1 The Client acknowledges that Personal Data may be transferred to, stored, or processed outside the UK in connection with the Services, including by Sub-processors.
6.2 Voxd shall ensure that any such transfers are subject to appropriate safeguards in accordance with the UK GDPR, such as the UK International Data Transfer Agreement (IDTA) or other approved transfer mechanisms.
7. Security Measures
7.1 Voxd shall implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, taking into account the nature of the processing and the Services.
7.2 Such measures may include, where appropriate, access controls, encryption in transit, logical separation of environments, and incident response procedures.
7.3 The Client acknowledges that no system is completely secure and that Voxd does not guarantee absolute security.
8. Personal Data Breaches
8.1 Voxd shall notify the Client without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Client.
8.2 Voxd shall provide reasonable assistance to enable the Client to comply with its notification obligations under the UK GDPR.
9. Assistance to the Client
9.1 Voxd shall provide reasonable assistance to the Client, taking into account the nature of the processing, in responding to: Data Subject rights requests; and regulatory inquiries or investigations relating to the processing.
9.2 Voxd may charge reasonable fees for assistance that requires material effort or is outside the scope of the Services.
10. Data Retention and Deletion
10.1 Upon termination or expiry of the Services, Voxd shall, at the Client's option and subject to applicable law, delete or return Personal Data processed on behalf of the Client.
10.2 Voxd may retain Personal Data where required by law or for legitimate business purposes such as backups, audit logs, or dispute resolution, provided that such data remains subject to appropriate safeguards.
11. Audits
11.1 The Client may, on reasonable written notice and no more than once in any twelve (12) month period, audit Voxd's compliance with this Schedule.
11.2 Audits shall be: limited to information reasonably necessary to demonstrate compliance; conducted during normal business hours; and subject to confidentiality obligations.
11.3 Voxd may satisfy audit requests by providing relevant certifications, summaries, or third-party audit reports where available.
12. Liability
12.1 Each party's liability arising out of or in connection with this Schedule shall be subject to the limitations and exclusions of liability set out in the Terms.
© 2026 Voxd AI Ltd. All rights reserved.
Voxd AI Ltd is a company registered in England and Wales (Company No. 16911937).
Registered Office: Wharf Cottage, Daneway, Sapperton, Gloucestershire, GL7 6LN
Voxd AI Ltd is a company registered in England and Wales (Company No. 16911937).
Registered Office: Wharf Cottage, Daneway, Sapperton, Gloucestershire, GL7 6LN