Data Processing Agreement (DPA)
Version 2.0 - Effective 2026-07-08 - Change log
Template document: review by a qualified data-protection lawyer or DPO before commercial reliance. Not legal advice.
This Data Processing Agreement ("DPA") is entered into between the client identified in the applicable order or agreement (the "Controller") and Amaigo (the "Processor") and governs the processing of personal data by Amaigo in providing the Whistle service. It is drafted to satisfy Article 28 of the EU GDPR and the UK GDPR.
1. Roles and scope
1.1 The Controller determines the purposes and means of processing the personal data of its website visitors and prospective clients. Amaigo acts as processor and processes that personal data only as described in this DPA and the Controller's documented instructions.
1.2 Automatic incorporation. This DPA forms part of the agreement between the parties and applies automatically, without signature, from the moment Amaigo processes personal data on the Controller's behalf. A signable, client-specific copy is available on request via the onboarding pack (see /legal/onboarding-sop).
1.3 References to "GDPR" mean the EU GDPR and the UK GDPR as applicable to the processing concerned. Where the UK GDPR applies, references to EU institutions, laws, and mechanisms are read with the corresponding UK equivalents.
2. Details of processing (Article 28(3) chapeau)
| Item | Description |
|---|---|
| Subject matter | AI-assisted client intake, qualification, and appointment booking via the Whistle chat widget deployed on the Controller's website |
| Duration | The term of the agreement, plus the deletion or return period in clause 9 |
| Nature and purpose | Receiving visitor enquiries; qualifying them against the Controller's configured criteria; capturing contact details through structured fields; booking appointments; sending lead alerts and booking confirmations to the Controller |
| Types of personal data | Name, email address, phone number, enquiry category, enquiry summary, booking details, consent records; free-text chat content, which may include special-category data volunteered during intake, such as health details or criminal allegations |
| Categories of data subjects | The Controller's website visitors and prospective clients |
3. Documented instructions, including transfers (Article 28(3)(a))
3.1 Amaigo processes personal data only on the Controller's documented instructions, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or EU member state law, or UK law, to which Amaigo is subject. In that case Amaigo will inform the Controller of the legal requirement before processing, unless that law prohibits it on important grounds of public interest.
3.2 The Controller's documented instructions consist of: this DPA, the agreement, the Controller's service configuration (including the configured retention period, transcript setting, and qualification criteria), and any further written instructions consistent with the agreement.
3.3 Amaigo will inform the Controller without undue delay if, in its opinion, an instruction infringes the EU GDPR or the UK GDPR or other applicable data-protection law.
4. Confidentiality (Article 28(3)(b))
Amaigo ensures that every person it authorises to process the Controller's personal data (including employees and contractors) is bound by a contractual or statutory duty of confidentiality, and processes the data only as needed to provide the service.
5. Security (Article 28(3)(c))
Amaigo implements and maintains the technical and organisational measures described in Annex B, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as required by Article 32 of the EU GDPR and the UK GDPR. Amaigo may update Annex B from time to time provided the updates do not materially reduce the overall level of protection. The current security overview is published at /security.
6. Sub-processing (Article 28(3)(d))
6.1 General written authorisation. The Controller grants Amaigo general written authorisation to engage the sub-processors listed on the public list at /sub-processors, which forms Annex C of this DPA.
6.2 Advance notice. Amaigo will give the Controller at least 30 days advance notice by email of any intended addition or replacement of a sub-processor, per the notification policy at /legal/subprocessor-changes.
6.3 Objection. The Controller may object in writing within the notice period on reasonable data-protection grounds. The parties will work in good faith to resolve the objection, which may include Amaigo not deploying the new sub-processor for the Controller's data where feasible. If no resolution is reached before the change takes effect, the Controller may terminate the affected service and Amaigo will refund any prepaid fees for the period after termination on a pro-rata basis. This is the Controller's remedy for an unresolved objection.
6.4 Flow-down. Amaigo imposes on each sub-processor, by way of contract, data-protection obligations equivalent to those in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
6.5 Liability. Amaigo remains fully liable to the Controller for the performance of each sub-processor's obligations.
6.6 Chain transparency. Consistent with EDPB Opinion 22/2024, Amaigo maintains and makes available to the Controller the information needed to identify the entire sub-processing chain (names, establishment addresses, and contact points), keeps the list at /sub-processors current, and will supply chain details on request.
7. Data-subject rights assistance (Article 28(3)(e))
7.1 Taking into account the nature of the processing, Amaigo assists the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to data-subject requests under Chapter III of the EU GDPR and the UK GDPR (access, rectification, erasure, restriction, portability, objection). Amaigo actions the Controller's assistance requests (such as export or erasure of a data subject's records) within 5 business days.
7.2 If a data subject contacts Amaigo directly about personal data processed for the Controller, Amaigo will not respond substantively (except to direct the data subject to the Controller) and will forward the request to the Controller without undue delay. The operational procedure is at /legal/dsar.
8. Assistance with Articles 32 to 36 (Article 28(3)(f))
8.1 Amaigo assists the Controller in ensuring compliance with Articles 32 to 36 of the EU GDPR and the UK GDPR (security, breach notification, data-protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to Amaigo. Supporting materials are published at /legal/dpia and /legal/breach.
8.2 Personal data breach. Amaigo will notify the Controller of a personal data breach affecting the Controller's personal data without undue delay, and in any event within 48 hours of becoming aware of it. Where full details are not yet available, Amaigo will notify in phases, providing initial notice first and updates as the investigation progresses. Notifications will include, so far as known, the information described in Article 33(3): the nature of the breach, the categories and approximate numbers of data subjects and records concerned, a contact point, the likely consequences, and the measures taken or proposed. This is intended to enable the Controller to meet its own 72-hour notification obligation to its supervisory authority.
9. Deletion or return of data (Article 28(3)(g))
9.1 During the term. Personal data is retained per the Controller's configured retention period (default 365 days from capture, configurable per client) and is purged automatically when that period expires. Raw chat transcripts are not stored by default; the Controller may enable transcript storage in its configuration, in which case transcripts are subject to the same retention period. See /legal/retention.
9.2 At termination. On termination or expiry of the agreement, Amaigo will, at the Controller's choice, delete or return all personal data processed for the Controller within 30 days, and delete existing copies, providing written confirmation of deletion, unless EU, EU member state, or UK law requires continued storage. Any legally retained data remains protected by this DPA and is deleted once the legal requirement lapses.
10. Information and audit (Article 28(3)(h))
10.1 Amaigo makes available to the Controller all information necessary to demonstrate compliance with Article 28 and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
10.2 Reports first. Amaigo will first satisfy audit requests by providing available security documentation, third-party assessment reports where held (SOC-style reports or equivalent attestations, once obtained; none are currently certified, see /compliance), the completed security questionnaire at /legal/security-questionnaire, and written answers to reasonable follow-up questions.
10.3 Audits. Where the documentation is insufficient to demonstrate compliance, the Controller may conduct one audit in any 12-month period, on at least 30 days written notice, during normal business hours, at the Controller's cost, in a manner that does not unreasonably disrupt Amaigo's operations. Audits must not give access to other controllers' data or to information whose disclosure would breach Amaigo's obligations to third parties; Amaigo will provide equivalent evidence in redacted or aggregated form where needed. A shorter notice period applies where a supervisory authority requires it or following a personal data breach affecting the Controller's data.
11. International transfers
11.1 EU hosting by default. The Whistle application, database, lead data, and booking data are hosted in the EU. Contact and identity data captured through structured fields is stored in the EU and is not sent to the AI sub-processor by design.
11.2 The AI sub-processor. Redacted free-text chat content is processed by Anthropic in the United States. For this transfer:
- (a) Primary mechanism: the EU-US Data Privacy Framework and its UK Extension, for as long as Anthropic's certification and the relevant adequacy decisions remain valid;
- (b) Automatic fallback: the EU Standard Contractual Clauses (Module 3, processor to processor) and the UK International Data Transfer Addendum, as incorporated in Amaigo's data-processing terms with Anthropic, apply automatically, without further action by either party, if the adequacy basis in (a) is invalidated or the certification lapses;
- (c) a transfer risk assessment is maintained and reviewed per /legal/tra.
11.3 Any other transfer of the Controller's personal data outside the EU or UK requires a valid transfer mechanism under Chapter V of the EU GDPR or the UK GDPR and will be reflected on the sub-processor list before it occurs.
12. Precedence
In the event of conflict: this DPA prevails over the agreement in respect of data-protection matters; where Standard Contractual Clauses apply to a transfer, the SCCs prevail over this DPA to the extent of any conflict.
13. Governing law
This DPA is governed by the law governing the agreement. [Lawyer review required: confirm the governing-law and jurisdiction clause, including its interaction with SCC Clauses 17 and 18 and the UK Addendum, before commercial use.]
Annex A: Processing details
Structured in the style of Annex I to the EU Standard Contractual Clauses; also serves as the description of processing for Annex D.
A.1 List of parties
- Data exporter: the Controller (the client law firm or business deploying Whistle), acting as controller. Contact: as stated in the agreement or order.
- Data importer: Amaigo, acting as processor. Contact: [email protected].
A.2 Description of processing
- Categories of data subjects: the Controller's website visitors and prospective clients.
- Categories of personal data: name, email address, phone number, enquiry category, enquiry summary, booking details (date, time, meeting type), consent records (timestamp and policy version), free-text chat content.
- Special-category data: not requested, but may be volunteered by data subjects during intake, such as health details or criminal allegations. Handled with the safeguards in Annex B (structured non-AI capture of identity data, automated redaction of free text before AI processing, no raw transcripts stored by default, bounded retention).
- Sensitive-data restrictions applied: data minimisation by design; the widget instructs users not to share sensitive details; the retention period is configurable and shorter periods are recommended for sensitive intake.
- Frequency of the transfer or processing: continuous, as visitors use the widget.
- Nature of the processing: collection, storage, structuring, analysis for qualification, transmission to the Controller, erasure.
- Purpose: AI-assisted client intake, qualification, and appointment booking on the Controller's behalf.
- Retention period: the Controller's configured retention period, default 365 days, with automated purge; deletion or return within 30 days of termination per clause 9.
- Sub-processing: per Annex C; the AI sub-processor receives redacted free text only, under no-training terms with short bounded retention.
A.3 Competent supervisory authority
Determined per SCC Clause 13 by reference to the data exporter's establishment or representative. [Complete per client in the signable copy.]
Annex B: Technical and organisational measures
Measures implemented and maintained by Amaigo. Full detail at security-questionnaire grain is available at /legal/security-questionnaire.
- Encryption in transit: all traffic between the widget, the chat server, and sub-processors uses TLS.
- Encryption at rest: the production PostgreSQL database is a managed service with encryption at rest.
- Tenant isolation: per-tenant isolation enforced in the application layer; every data access is scoped by client identifier.
- Structured capture of identity data: contact details (name, email, phone) are captured through structured, non-AI form fields and stored in the EU; they are not sent to the AI sub-processor by design.
- Automated PII redaction: free-text user messages pass through automated best-effort redaction before any AI processing, replacing email addresses, phone numbers, and long digit runs (9 or more digits, such as card-like or reference numbers) with redaction placeholders. This is defence in depth, not a guarantee, since a free-text box can contain anything.
- AI sub-processor safeguards: the AI sub-processor is bound by commercial terms prohibiting training on customer content, with short bounded retention.
- No raw transcripts by default: chat transcripts are not stored unless the Controller enables transcript storage in its configuration.
- Audit logging: an append-only audit log records system events without personal data.
- Rate limiting and bot mitigation: applied at the network edge and the application layer.
- Secrets management: API keys and credentials are held server-side only, never in the widget or browser; continuous integration includes automated secret scanning.
- Least privilege: the application connects to the database with a least-privilege database user; administrative access is restricted.
- Backups: managed database backups through the hosting provider, retained in the EU.
- Retention enforcement: an automated job purges personal data when the configured retention period expires.
- Administrative endpoints: protected by token authentication and not exposed to the public widget.
Amaigo may update these measures provided updates do not materially reduce the overall level of protection.
Annex C: Approved sub-processors
The approved sub-processors, their locations, functions, the personal data involved, and transfer mechanisms are published at /sub-processors and are incorporated into this DPA by reference. Changes are governed by clause 6 and the 30-day notice regime described at /legal/subprocessor-changes.
Annex D: UK Addendum
Where the UK GDPR applies to a transfer, the parties adopt the ICO's International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022), which is incorporated by reference and completed as follows:
- Table 1 (Parties): the parties and contact details set out in Annex A, section A.1.
- Table 2 (Selected SCCs, Modules and Clauses): the EU SCCs as executed under clause 11.2(b), Module 3 (processor to processor), including the module selections, optional-clause choices, and appendix information referenced in this DPA.
- Table 3 (Appendix Information): Annex A (list of parties and description of processing), Annex B (technical and organisational measures), and Annex C (approved sub-processors).
- Table 4 (Ending the Addendum when the Approved Addendum changes): neither party may end the Addendum as set out in Section 19 of the Addendum.
The ICO has signalled updates to its transfer tools during 2026; Amaigo will adopt the updated Addendum on republication and reflect the change via /legal/changelog.
This document is a GDPR-aligned template and must be reviewed by a qualified data-protection lawyer or DPO before commercial reliance. It is not legal advice.