Schedule 1: Data Processing Addendum (UK GDPR)
1. Definitions
1.1 In this Schedule:
1.1 1.UK GDPR Terms: "Controller", "Processor", "Personal Data", "Processing", "Personal Data Breach", "Data Subject", and "Supervisory Authority" have the meanings given in the UK GDPR.
1.1 2.Services: "Services" has the meaning set out in the Terms.
1.1 3.Sub-processor: "Sub-processor" means any third party engaged by Voxd to process Personal Data on behalf of the Client.
2. Roles of the Parties
2.1 For the purposes of the UK GDPR, the Client is the Controller of Personal Data processed in connection with the Services and Voxd is the Processor, unless otherwise agreed in writing.
2.2 Voxd shall process Personal Data only on documented instructions from the Client, including as set out in the Terms and this Schedule, unless required to do otherwise by applicable law.
2.3 The Client acknowledges that Voxd does not control the content of AI model outputs and processes Personal Data solely to provide the Services as configured and instructed by the Client.
3. Details of the Processing
3.1 Provision of chatbot configuration, integration and related services.
3.2 For the duration of the Services and any applicable retention period agreed in writing or required by law.
3.3 Processing Personal Data as necessary to configure, operate and support chatbot interactions and integrations as instructed by the Client.
3.4 May include the Client’s customers, prospective customers, employees, contractors and other end users who interact with the chatbot.
3.5 May include names, contact details, message content, identifiers and any other Personal Data submitted by or on behalf of the Client through use of the Services.
4. Processor Obligations
4.1 Voxd shall:
4.1 1.Process on Instructions: process Personal Data only in accordance with the Client’s documented instructions;
4.1 2.Confidentiality: ensure persons authorised to process Personal Data are subject to confidentiality obligations;
4.1 3.Security: implement appropriate technical and organisational measures to protect Personal Data;
4.1 4.Personnel Reliability: take reasonable steps to ensure the reliability of personnel with access to Personal Data.
4.2 Voxd does not determine the purposes of processing and relies on the Client to ensure its instructions comply with applicable data protection laws.
5. Sub-processing
5.1 The Client authorises Voxd to engage Sub-processors for provision of the Services. Sub-processors may include hosting, infrastructure, AI, messaging providers and delivery or technical service partners engaged to support the Services.
5.2 Voxd shall ensure Sub-processors are subject to data protection obligations substantially similar to those in this Schedule.
5.3 A current list of Sub-processors may be provided via the client portal or upon reasonable request.
5.4 Voxd may add or replace Sub-processors from time to time and will provide prior notice of material changes where reasonably practicable. The Client may object on reasonable data protection grounds within 14 days, and the parties will discuss a resolution in good faith.
6. International Transfers
6.1 Personal Data may be transferred or processed outside the UK in connection with the Services.
6.2 Voxd shall ensure appropriate safeguards such as the UK International Data Transfer Agreement or other approved mechanisms are in place.
7. Security Measures
7.1 Voxd shall implement technical and organisational measures designed to provide security appropriate to risk.
7.2 The Client acknowledges that no system is completely secure.
8. Personal Data Breaches
8.1 Voxd shall notify the Client without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on the Client’s behalf.
8.2 Voxd shall provide reasonable assistance to enable the Client to comply with UK GDPR breach notification obligations.
9. Assistance
9.1 Taking into account the nature of processing, Voxd shall provide reasonable assistance with data subject requests, regulatory inquiries, data protection impact assessments (DPIAs), and consultations with the UK Information Commissioner’s Office where required.
9.2 Voxd may charge reasonable fees for assistance requiring material effort or outside the scope of the Services.
10. Retention and Deletion
10.1 On termination, Voxd shall delete or return Personal Data at the Client’s option, subject to applicable law.
10.2 Voxd may retain Personal Data where required by law or for legitimate purposes such as backups or dispute resolution, and such data will remain protected and deleted in accordance with Voxd’s standard retention policies.
11. Audits
11.1 The Client may audit Voxd’s compliance once per 12 months on reasonable notice.
11.2 Audits must be reasonable in scope, during business hours, subject to confidentiality, and limited to information necessary to demonstrate compliance.
11.3 Voxd may satisfy audit requests by providing certifications or third-party audit reports where available.
11.4 The Client bears its own audit costs and shall reimburse Voxd for reasonable time spent supporting any audit.
12. Liability
12.1 Liability arising under this Schedule is subject to the limitations and exclusions set out in the Terms.
© 2026 Voxd AI Ltd. All rights reserved.
Voxd AI Ltd is a company registered in England and Wales (Company No. 16911937).
Registered Office: Wharf Cottage, Daneway, Sapperton, Gloucestershire, GL7 6LN
Voxd AI Ltd is a company registered in England and Wales (Company No. 16911937).
Registered Office: Wharf Cottage, Daneway, Sapperton, Gloucestershire, GL7 6LN