This Data Processing Agreement ("DPA") forms part of the agreement for services (the "Agreement") between the customer ("Customer") and ZEN AI RESEARCH LTD, trading as GOJE AI, a company registered in [England and Wales] under company number [Company No. ________], whose registered office is at [registered address] ("GOJE AI", "we", "us"). It records the terms on which we process personal data on the Customer's behalf in connection with the services.
1. Definitions
"Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018, and all other data protection laws applicable to the processing. The terms "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Sub-processor" have the meanings given in Applicable Data Protection Law.
2. Roles of the Parties
For the personal data processed under the Agreement, the Customer is the Controller and GOJE AI is the Processor. The Customer is responsible for establishing a lawful basis for the processing (including, where required, obtaining consents and providing notices to Data Subjects — for example in relation to call recording).
3. Processing Instructions
GOJE AI shall process personal data only on the Customer's documented instructions, which comprise the Agreement, this DPA, and the Customer's use and configuration of the platform, unless required to do otherwise by law (in which case we will inform the Customer unless legally prohibited). We will inform the Customer if, in our opinion, an instruction infringes Applicable Data Protection Law.
4. Details of Processing
The subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of Data Subjects are set out in Annex 1.
5. Confidentiality
We ensure that persons authorised to process the personal data are subject to an appropriate duty of confidentiality.
6. Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the UK GDPR. A summary of these measures is set out in Annex 2 and described further on our Security page.
7. Sub-processors
The Customer provides general authorisation for GOJE AI to engage the Sub-processors listed in Annex 3. We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will give the Customer prior notice of the addition or replacement of any Sub-processor, giving the Customer the opportunity to object on reasonable data protection grounds. [FOR LEGAL REVIEW: notice period and objection process.]
8. Data Subject Rights
Taking into account the nature of the processing, we assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law. If we receive such a request directly, we will forward it to the Customer.
9. Personal Data Breach & Assistance
We notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer's personal data, and provide reasonable information to assist the Customer in meeting its own obligations. We also provide reasonable assistance with data protection impact assessments and prior consultations with the supervisory authority, taking into account the nature of the processing and the information available to us.
10. International Transfers
Where processing involves a transfer of personal data outside the United Kingdom, such transfers are made subject to an appropriate transfer mechanism as set out in Annex 4. [FOR LEGAL REVIEW: confirm the current applicable mechanism — e.g. the UK International Data Transfer Agreement / Addendum to the EU SCCs, or reliance on a relevant adequacy / data protection framework — for each non-UK Sub-processor.]
11. Audits
We make available to the Customer information reasonably necessary to demonstrate compliance with our obligations under this DPA and allow for and contribute to audits, including inspections, subject to reasonable confidentiality, security, scope, frequency and cost arrangements. [FOR LEGAL REVIEW: audit scope, notice, and cost allocation.]
12. Deletion or Return
On termination or expiry of the Agreement, we delete or return the personal data at the Customer's choice, and delete existing copies, unless we are required to retain it by law. [FOR LEGAL REVIEW: retention period for backups and any statutory retention.]
13. Liability & Governing Law
Liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. [FOR LEGAL REVIEW.] This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction.
Annex 1 — Details of Processing
- Subject matter: provision of the GOJE AI voice-agent platform.
- Duration: the term of the Agreement, plus any period required for deletion or return.
- Nature and purpose: processing personal data to operate inbound and outbound AI voice calling, lead management, scheduling, and related platform features on the Customer's behalf.
- Types of personal data: names, telephone numbers, email addresses, call recordings, call transcripts, and contact / lead records provided or generated through the Customer's use of the platform. [FOR LEGAL REVIEW / Customer to confirm.]
- Categories of Data Subjects: the Customer's authorised users (agents), and the Customer's contacts, leads, prospects and customers who are called via, or who call, the platform.
Annex 2 — Technical & Organisational Measures
Measures include encryption in transit and at rest, encryption of stored integration credentials, row-level data isolation between customers, role-based access controls, authentication with email verification, hardened HTTP security headers, and rate limiting. A fuller description is maintained on our Security page, which forms part of this Annex.
Annex 3 — Approved Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | EU (AWS eu-west-1, Ireland) |
| Vercel | Application hosting and delivery | Global edge / EU |
| Retell AI | AI voice agent processing | United States |
| Twilio | Telephony and phone numbers | United States / EU |
| Stripe | Payment processing | United States / EU |
| Cloudflare | Bot and spam protection | Global |
| Axiom | Performance analytics (consent-gated) | United States |
| Sentry | Error tracking (consent-gated) | EU (Frankfurt) |
Annex 4 — International Transfer Mechanisms
For Sub-processors located outside the United Kingdom, transfers are made under an appropriate safeguard recognised by Applicable Data Protection Law. [FOR LEGAL REVIEW: specify the mechanism relied upon for each non-UK Sub-processor and confirm it reflects current law.]
This is a template and must be reviewed by qualified legal counsel before use. Last updated 1 June 2026.
© 2026 Goje AI. All rights reserved.