Data Processing Agreement.

Effective from 18 May 2026

Effective from: 18 May 2026

Processor: Ovysion Technologies Ltd, registered in England & Wales under company number [COMPANY NUMBER], registered office [REGISTERED ADDRESS] ("Ovysion" or "Processor").

Controller: the customer named in the corresponding Order Form ("Customer" or "Controller").

This DPA forms part of the contract between Customer and Ovysion for the Delia service ("Service Agreement"). In case of conflict between this DPA and the Service Agreement on data-protection matters, this DPA governs. A signed Order Form or an executed Service Agreement constitutes Customer's signature on this DPA without separate execution being required, provided Customer is satisfied with these terms. Customers who require a separately executed copy can request one from legal@ovysion.com.


1. Scope and roles

This DPA governs the Processing of Personal Data by Ovysion on behalf of Customer as part of the Delia service.

  • Customer is the Controller: Customer determines the purposes and means of the Processing.
  • Ovysion is the Processor: Ovysion Processes Personal Data only on documented instructions from Customer, as described in this DPA, the Service Agreement, and the Order Form.

This DPA applies to UK GDPR and EU GDPR Processing. Where local data protection law of a Customer's country imposes additional requirements, the parties will negotiate a country-specific addendum in good faith.

2. Definitions

Terms defined in the UK GDPR or EU GDPR (e.g. "Personal Data", "Processing", "Data Subject", "Supervisory Authority", "Personal Data Breach") have the meanings given in those Regulations. The following additional definitions apply:

  • "Applicable Data Protection Law" — UK GDPR, EU GDPR, the UK Data Protection Act 2018, the ePrivacy Directive as implemented in each Member State (PECR in the UK), and any other data protection or privacy law applicable to a party's Processing.
  • "Customer Personal Data" — Personal Data submitted to or processed through the Delia service by Customer or by End Users interacting with Customer's deployment of Delia.
  • "End User" — an individual who interacts with Customer's deployment of Delia (e.g. a website visitor speaking to Delia on Customer's site).
  • "Sub-processor" — any third party engaged by Ovysion to Process Customer Personal Data on Ovysion's behalf.
  • "Standard Contractual Clauses" / "SCCs" — the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "UK IDTA" — the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018.

3. Details of Processing (UK GDPR Art. 28(3) / EU GDPR Art. 28(3))

| Element | Description |
|---|---|
| Subject matter | Provision of the Delia voice AI concierge service to Customer. |
| Duration | The term of the Service Agreement plus the post-termination data return / deletion period (Section 11). |
| Nature and purpose | Hosting and operating a voice AI assistant that interacts with End Users on Customer's behalf, including audio capture, speech-to-text transcription, LLM-based response generation, text-to-speech voice synthesis, conversation logging, lead and intent capture, and (where configured) calendar booking. |
| Type of Personal Data | (a) Audio recordings of End User voice conversations; (b) transcripts of those conversations; (c) End User-provided contact details (name, phone, email, business context); (d) derived metadata (intent classification, sentiment, lead score, booking status); (e) technical data (IP address, browser, device); (f) names and contact details of Customer's Authorized Users. |
| Categories of Data Subjects | (a) End Users interacting with Customer's Delia deployment; (b) Customer's Authorized Users and other personnel administering the deployment. |
| Special category data | None expected. If Customer's sector or deployment results in incidental special category data (e.g. health mentions on an aesthetic clinic widget), Customer is responsible for the additional Article 9 lawful basis. A separate addendum is required for any deployment that systematically processes special category data. |

4. Customer obligations

Customer warrants and undertakes that:

  1. It has all necessary legal bases under Applicable Data Protection Law to Process Customer Personal Data and to instruct Ovysion to Process it.
  2. Its instructions to Ovysion comply with Applicable Data Protection Law.
  3. Where required, it has provided End Users with all transparency information required by UK GDPR Articles 13 and 14, including informing them they are interacting with an AI and that audio is recorded.
  4. It will not use Delia in a way that requires Ovysion to Process special category data, criminal offence data, or data of children under 16, unless an additional written agreement specifically permitting this is in place.
  5. It will maintain the knowledge base and persona configuration accurately and lawfully.

5. Ovysion obligations as Processor

Ovysion will:

5.1 Process only on Customer's instructions

Ovysion will Process Customer Personal Data only on documented instructions from Customer. The Service Agreement, Order Form, this DPA, and use of the configuration tools in the Customer dashboard constitute such instructions. If Ovysion considers an instruction to violate Applicable Data Protection Law, Ovysion will inform Customer.

5.2 Confidentiality of personnel

Ovysion will ensure that personnel authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations (contractual, professional, or statutory).

5.3 Security measures (Art. 32)

Ovysion will implement and maintain the technical and organisational measures described in Annex II to ensure a level of security appropriate to the risk.

5.4 Sub-processors

Ovysion engages Sub-processors as set out in Annex III. Customer hereby gives general written authorisation under UK GDPR Article 28(2) / EU GDPR Article 28(2) for the engagement of the Sub-processors listed in Annex III, and for the engagement of new Sub-processors, subject to the following process:

(a) Ovysion will give Customer at least 30 days' notice of any addition or replacement of a Sub-processor by updating Annex III at /dpa/annex-iii or by direct notification to a Customer-nominated email.

(b) Customer may object within 14 days of notice on reasonable, data-protection-related grounds.

(c) If Customer objects, the parties will discuss in good faith. If no resolution is reached within 30 days, Customer may terminate the affected Service Agreement on 30 days' notice without further liability for fees that would have been payable after termination.

(d) Ovysion remains fully liable to Customer for the acts and omissions of its Sub-processors.

5.5 Cooperation with Data Subject rights

Ovysion will assist Customer in responding to requests from Data Subjects exercising their rights under Chapter III of UK GDPR / EU GDPR (access, rectification, erasure, restriction, portability, objection). Ovysion will:

  • Promptly forward to Customer any Data Subject request received directly by Ovysion.
  • Provide functionality in the Delia dashboard for Customer to export, correct, and delete End User Personal Data without unnecessary delay.
  • On Customer's reasonable request, assist with responses Customer cannot complete using the dashboard, at no additional charge for reasonable requests.

5.6 Cooperation with Customer's compliance obligations

Ovysion will assist Customer with:

  • Data Protection Impact Assessments (DPIAs) where Customer is required to conduct them.
  • Prior consultation with Supervisory Authorities under Article 36 where required.
  • Demonstration of compliance with Article 32 (security).

5.7 Personal Data Breaches

Ovysion will notify Customer of a confirmed Personal Data Breach affecting Customer Personal Data without undue delay, and in any event within 48 hours of becoming aware. The notification will include, to the extent then known:

  • The nature of the breach, including the categories and approximate number of Data Subjects and records affected.
  • The likely consequences.
  • The measures taken or proposed to address it and to mitigate possible adverse effects.

Ovysion will cooperate with Customer to enable Customer to meet its own notification obligations under Articles 33 and 34. Notification is not an admission of fault or liability.

5.8 Audits

Customer (or an independent auditor retained by Customer and reasonably acceptable to Ovysion) may audit Ovysion's compliance with this DPA once per calendar year, on at least 30 days' written notice, during business hours, and subject to confidentiality undertakings appropriate to a third-party auditor. Audits should normally be satisfied by:

(a) Ovysion's most recent independent security assessment or SOC 2 / ISO 27001 report (when available), or

(b) Ovysion's written responses to a reasonable security questionnaire.

On-site audits are reserved for cases where (a) and (b) are insufficient to resolve a documented compliance concern. The audit must not disturb the security or operation of services to other Ovysion customers; the auditor must comply with Ovysion's reasonable security protocols on-site. Each party bears its own costs unless the audit reveals a material breach of this DPA, in which case Ovysion bears the auditor's reasonable costs.

Supervisory Authorities exercising statutory audit powers may audit Ovysion in accordance with their statutory mandate, not subject to the limitations above.

5.9 Return or deletion at end of services

On termination of the Service Agreement, and subject to Customer's instructions:

  • Ovysion will, within 14 days of Customer's request, make Customer Personal Data available for export in a portable format (JSON or CSV).
  • Within 30 days of termination (or sooner on Customer's instruction), Ovysion will delete Customer Personal Data from production systems.
  • Backups containing Customer Personal Data are deleted within a further 30 days, except where Applicable Data Protection Law requires longer retention (in which case Ovysion will inform Customer and continue to protect the data).

6. International transfers

Where Ovysion transfers Customer Personal Data outside the UK or EEA to a country that is not the subject of an adequacy decision applicable to Customer's transfer, Ovysion will use:

  • The EU SCCs (Module 2: Controller to Processor, or Module 3: Processor to Sub-processor as applicable) for transfers subject to EU GDPR; and
  • The UK IDTA issued by the ICO, appended to the SCCs as required, for transfers subject to UK GDPR.

Both parties agree that, by executing the Service Agreement and this DPA, they enter into the SCCs and IDTA as if they had been signed by both parties, with:

  • The selected modules as appropriate;
  • Optional clauses selected as set out in Annex IV;
  • The Annexes of the SCCs populated by reference to this DPA and its Annexes.

Where any third country implements a new adequacy framework (such as the EU-US Data Privacy Framework), Ovysion will rely on its sub-processors' certification under such framework where appropriate, in addition to the SCCs as a fallback.

7. Liability

Liability for breaches of this DPA is governed by the limitation of liability provisions in the Service Agreement, save that:

  • The liability cap does not apply to a party's obligation to indemnify the other against fines imposed by a Supervisory Authority directly arising from that party's breach of Applicable Data Protection Law, where the breach is attributable solely to that party.
  • Nothing in this DPA limits or excludes either party's liability under Article 82 UK GDPR / EU GDPR to a Data Subject for compensation. As between the parties, each party is liable in proportion to its responsibility for the damage caused.

8. Conflict and order of precedence

In the event of conflict between this DPA and other parts of the Service Agreement on data-protection matters, this DPA prevails. In the event of conflict between this DPA and the SCCs / UK IDTA, the SCCs / UK IDTA prevail.

9. General

  • Duration: this DPA remains in force for as long as Ovysion Processes Customer Personal Data.
  • Modifications: changes required by Applicable Data Protection Law or by Supervisory Authority decisions may be incorporated by Ovysion on 30 days' notice; other modifications require both parties' agreement.
  • Notices: as set out in the Service Agreement.
  • Governing law: as set out in the Service Agreement, save that the SCCs are governed by the law of the EU Member State chosen in Clause 17, and the UK IDTA by the laws of England and Wales.

Annex I — List of parties

Data Exporter (Controller): Customer as identified in the Order Form. Data Importer (Processor): Ovysion Technologies Ltd, [REGISTERED ADDRESS], company number [COMPANY NUMBER], represented by [SIGNATORY NAME, ROLE].

Activities relevant to the data transferred: as described in Section 3.

Annex II — Technical and organisational measures

Ovysion implements at least the following measures, in proportion to the risk:

A. Confidentiality

  1. Access control to systems: multi-factor authentication required for all administrative access; SSO with conditional access policies for staff.
  2. Access control to data: role-based access; least-privilege principle; access reviews quarterly.
  3. Pseudonymisation: End User identifiers are pseudonymised in analytics and aggregated reporting.
  4. Encryption:
     • In transit: TLS 1.2+ between all components, including to Sub-processors.
     • At rest: AES-256 encryption for stored audio recordings, transcripts, and database fields containing Personal Data.

B. Integrity

  1. Input validation: validation and sanitisation of all data submitted via the dashboard and API.
  2. Logging: tamper-evident audit logs of administrative actions, retained for at least 12 months.
  3. Code review: peer review required before changes are merged to production branches.
  4. Vulnerability management: dependency scanning; production patches applied within 7 days of public CVE disclosure for high/critical severity.

C. Availability and resilience

  1. Backups: encrypted backups taken daily; restore drills conducted at least annually.
  2. High availability: production services are deployed with redundancy.
  3. Business continuity: documented procedures for the loss of any single Sub-processor of comparable function.

D. Process for regular testing

  1. Penetration testing: at least annual, by an independent third party, with findings remediated according to risk.
  2. Internal review: quarterly review of this Annex against actual practice.

E. Personnel

  1. Confidentiality undertakings: all personnel sign confidentiality undertakings on joining.
  2. Training: data-protection training on joining and annually thereafter; additional training for personnel with elevated access.

F. Sub-processor management

  1. Due diligence: each Sub-processor is vetted for technical and organisational measures equivalent to those above.
  2. Contracts: each Sub-processor is bound by written contract containing data-protection terms substantively equivalent to those in this DPA.

G. AI-specific measures

  1. No training on Customer Data: Ovysion does not use Customer Personal Data to train its own models. Sub-processors are contracted (where they offer the option) to confirm that Customer Personal Data is not used to train their foundation models.
  2. Prompt injection defences: system-level controls against attempts to extract Ovysion's or Customer's instructions via Delia conversations.
  3. AI disclosure: the Delia widget includes an AI disclosure modal that End Users must accept before a call begins.

Annex III — List of Sub-processors

This list is current as of 18 May 2026. Updates are published at /dpa/annex-iii at least 30 days before they take effect (see Section 5.4).

| Sub-processor | Function | Location | Transfer basis |
|---|---|---|---|
| Vapi Inc. | Real-time voice orchestration | United States (EU routing available) | UK IDTA + EU SCCs |
| OpenAI Ireland Ltd / OpenAI LLC | LLM inference for response generation | EU and US | EU-based primary; UK IDTA + EU SCCs for US; OpenAI zero-retention API tier |
| Anthropic PBC | LLM inference (alternative provider) | United States | UK IDTA + EU SCCs |
| ElevenLabs Inc. | Text-to-speech voice synthesis | United States | UK IDTA + EU SCCs |
| Deepgram Inc. | Speech-to-text transcription | United States | UK IDTA + EU SCCs |
| Hostinger International Ltd | Application hosting and Postgres database | Lithuania (EU) | EU-based, no transfer mechanism required |
| Stripe Payments Europe Ltd | Subscription billing | Ireland (EU) primary; US fallback | EU-based primary; SCCs for US fallback |
| Google Workspace (Google Ireland Ltd) | Internal email and document collaboration containing Customer point-of-contact emails | EU and US | EU-based primary; SCCs and UK IDTA for US infrastructure |

Sub-processors are reviewed quarterly. Notifications of changes go to the Customer-nominated email registered in the dashboard at /admin/dpa-notifications, or, in the absence of a registered email, to the billing email on file.

Annex IV — SCCs and UK IDTA options

For the purposes of the EU SCCs (Commission Implementing Decision (EU) 2021/914):

  • Modules: Module 2 (Controller-to-Processor) for direct transfers between Customer and Ovysion; Module 3 (Processor-to-Sub-processor) for onward transfers from Ovysion to its US-based Sub-processors.
  • Clause 7 (docking): applicable.
  • Clause 9(a) (sub-processor authorisation): Option 2 — general written authorisation with 30 days' notice as set out in Section 5.4 of this DPA.
  • Clause 11 (independent dispute resolution): not selected (parties retain ordinary court jurisdiction).
  • Clause 17 (governing law): the law of the EU Member State of the Customer (where applicable); failing that, the law of Ireland.
  • Clause 18 (forum): the courts of the EU Member State of the Customer; failing that, the courts of Ireland.
  • Annex I (parties): as set out in Annex I of this DPA.
  • Annex II (technical and organisational measures): as set out in Annex II of this DPA.
  • Annex III (sub-processors): as set out in Annex III of this DPA.

For the UK IDTA: the Mandatory Clauses apply; the Tables are populated by reference to this DPA and its Annexes. The IDTA governing law is England and Wales.

Document last updated 18 May 2026.