Data Processing Agreement

Pursuant to Art. 28 GDPR. Last updated: 22 June 2026

This Data Processing Agreement ("DPA") applies where HomeServiceReply, operated by Justin Karahan (the "Processor"), processes personal data on behalf of a business customer (the "Controller") when providing the Service. It forms part of the Terms of Service.

1. Roles

The Controller determines the purposes and means of processing the personal data of its callers and leads. The Processor processes that data only to provide the Service. Each party complies with the GDPR for its role.

2. Subject matter, nature, and purpose

The Processor processes personal data to detect missed calls, send automated text replies, qualify enquiries, propose and record appointments, and present results to the Controller. Processing lasts for the term of the Service and the wind-down period below.

3. Categories of data subjects and personal data

Data subjects: People who call the Controller's business (callers, prospective and existing customers)
Personal data: Phone number, name where provided, the content of messages exchanged, enquiry and service details, appointment date, time and address, and related metadata such as timestamps

4. Processing on instructions

The Processor processes personal data only on the documented instructions of the Controller, including the configuration the Controller sets in the Service, unless required otherwise by law. The Processor will inform the Controller if an instruction appears to infringe data protection law.

5. Confidentiality

The Processor ensures that persons authorised to process the personal data are bound by confidentiality.

6. Security

The Processor implements appropriate technical and organisational measures to protect the personal data, as summarised in Annex A.

7. Sub-processors

The Controller authorises the Processor to engage the sub-processors listed in Annex B. The Processor imposes data-protection obligations on each sub-processor equivalent to those in this DPA and remains responsible for their performance. The Processor will give advance notice of intended changes and the Controller may object on reasonable data-protection grounds.

8. Assistance to the Controller

Taking into account the nature of processing, the Processor assists the Controller with appropriate measures to respond to requests from data subjects (access, rectification, erasure, restriction, portability, objection), and to meet the Controller's obligations regarding security, breach notification, and data protection impact assessments.

9. Personal data breaches

The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, with the information the Controller needs to meet its own notification duties.

10. Audits

The Processor makes available the information necessary to demonstrate compliance with Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates, on reasonable notice and subject to confidentiality.

11. International transfers

Where personal data is transferred outside the EU/EEA (for example to sub-processors in the USA), the Processor ensures an appropriate transfer mechanism such as the EU Standard Contractual Clauses applies.

12. Deletion or return

On termination of the Service, the Processor deletes or returns the personal data at the Controller's choice, and deletes existing copies, unless storage is required by law.

13. Precedence

In case of conflict between this DPA and the Terms of Service regarding data protection, this DPA prevails.

Annex A - Technical and organisational measures

  • Encryption of data in transit (TLS) and encryption of data at rest where supported by the infrastructure.
  • Access control: least-privilege access, individual authentication, and access only for staff who need it.
  • Hosting with reputable providers; preference for EU data residency where available.
  • Separation of customer data and ability to delete a customer's data on request.
  • Logging and monitoring to detect and respond to misuse and incidents.
  • Regular review of these measures as the Service evolves.

[Refine these measures to match your actual production setup before signing with customers.]

Annex B - Sub-processors

Sub-processor | Purpose | Location
GitHub, Inc. | Website hosting | USA
[Twilio or your telephony/SMS/WhatsApp provider] | Phone number, call handling, message delivery | [USA / EU]
[Anthropic, or your AI provider / local model] | Generating the conversation replies | [USA / self-hosted]
[Stripe, when billing is live] | Payment processing | USA / EU