Records of Processing Activities (ROPA) Template
Version 2.0 - Effective 2026-07-08 - Change log
Template document: review by a qualified data-protection lawyer or DPO before commercial reliance. Not legal advice.
Article 30 of the EU GDPR and UK GDPR requires both controllers and processors to maintain records of processing activities. Amaigo maintains two records: one as processor for client firms using Whistle (Art. 30(2)), and one as controller for amaigo.com (Art. 30(1)). Both are reproduced below in a format acceptable to the ICO and EU supervisory authorities.
Record 1: Amaigo as processor for client firms (Art. 30(2))
| Art. 30(2) field | Entry |
|---|---|
| Processor and contact details | Amaigo, [email protected] |
| Controller(s) on whose behalf processing occurs | Each client firm; the controller's name and contact are held per engagement in the client configuration and executed DPA |
| Controller's representative / DPO | As recorded per engagement in the executed DPA |
| Categories of processing carried out for each controller | AI-assisted intake qualification of website enquiries; lead capture (name, contact details, enquiry category, outcome, de-identified summary); appointment booking; lead notifications to the controller |
| Transfers to third countries | Personal data stored in the EU; AI sub-processor in the US under the EU-US Data Privacy Framework plus UK Extension, with SCCs Module 3 plus UK Addendum as fallback (see /legal/tra and /sub-processors) |
| Technical and organisational measures (Art. 32(1)) | As described in the DPA Annex B and the Security Overview |
Record 2: Amaigo as controller for amaigo.com (Art. 30(1))
| Art. 30(1) field | Entry |
|---|---|
| Controller and contact details | Amaigo, [email protected] |
| Purposes of processing | Responding to enquiries and demo requests; marketing communications with consent |
| Categories of data subjects | amaigo.com site visitors and business prospects |
| Categories of personal data | Contact details (name, email, phone, firm); enquiry summaries |
| Categories of recipients | Sub-processors listed at /sub-processors (hosting, email delivery, AI processing where the site widget is used) |
| Transfers to third countries | As per the sub-processor list; DPF plus UK Extension primary, SCCs fallback |
| Retention | Per the Retention Policy |
| Technical and organisational measures (Art. 32(1)) | As described in the Security Overview |
Maintaining the record
- Each record is reviewed when a processing activity, sub-processor or transfer mechanism changes, and at least annually.
- Sub-processor changes flow through the change-notification procedure, which triggers a ROPA review at the same time.
- The record must be made available to a supervisory authority on request (Art. 30(4)); keeping it current is part of the accountability principle (Art. 5(2)).
Dual-jurisdiction note
The EU GDPR and UK GDPR both impose the record-keeping duty in materially identical terms; a single well-kept record satisfies both. The ICO's ROPA format and the formats published by EU supervisory authorities are each acceptable; the tables above carry the mandatory fields for either.
Guidance for client firms
As the controller for your Whistle deployment, your firm needs its own ROPA entry covering the widget. Record 1 above doubles as your template: copy it into your ROPA from the controller's side (your firm as controller, Amaigo as processor, purposes of intake and booking, data subjects "website visitors and prospective clients", retention per your configured retentionDays). Your onboarding pack and the Client Onboarding Compliance SOP list the deployment-specific values to fill in.
This document is a GDPR-aligned template and must be reviewed by a qualified data-protection lawyer or DPO before commercial reliance. It is not legal advice.