This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and SectorScript ("Processor") and applies when we process personal data on your behalf. It is designed to satisfy Article 28 of the UK GDPR.
1. Scope and roles
We act as Processor for prospect, contact, call recording, transcript and CRM data you upload or generate in the Service. You are the Controller and determine the purposes of processing.
2. Subject matter and duration
Processing lasts for the term of your subscription plus the retention period set out below. Subject matter is the provision of the SectorScript platform.
3. Nature, purpose and categories
- Nature: hosting, transcription, AI analysis, storage, transmission.
- Purpose: to deliver call scoring, coaching, scripts and CRM sync.
- Data subjects: your sales reps and the business prospects they contact.
- Categories: names, business contact details, voice recordings, transcripts, meeting outcomes.
4. Processor obligations
- Process personal data only on your documented instructions.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organisational measures (Annex II).
- Assist you with data subject requests, DPIAs and breach notifications.
- Notify you without undue delay of any personal data breach.
- Delete or return personal data on termination, per your choice.
- Make available information needed to demonstrate compliance.
5. Sub-processors
You authorise us to engage sub-processors to deliver the Service. We will give notice of any intended additions and you may object on reasonable grounds. Our current sub-processors include cloud hosting, AI model providers, transcription services, email delivery and payment processing. A current list is available at privacy@sectorscriptai.com.
6. International transfers
Customer data is stored in the United Kingdom. Transfers outside the UK rely on UK International Data Transfer Agreements or Standard Contractual Clauses with the UK Addendum.
7. Retention and deletion
On termination we will delete personal data within 30 days unless you request export first. Backups are purged on rolling 90-day cycles.
8. Audit
On reasonable notice and no more than once per year, you may audit our compliance with this DPA, including by reviewing third-party certifications and reports.
Annex I, Processing details
As described in sections 2 and 3 above.
Annex II, Technical and organisational measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls and SSO/SAML on Business plans.
- Least-privilege production access with full audit logging.
- Annual penetration tests and continuous vulnerability scanning.
- Documented incident response and breach notification procedures.
- Backups encrypted and retained on rolling 90-day cycles.
- Staff training on data protection on hire and annually.