Convexa AI
ContactBook a call
Voice AgentsDesigned and deployed for youVoice StudioHow we design your agentsCall LibraryRecordings, transcripts, QALive InspectorReal-time monitoringPost-Call AnalyticsOutcomes, sentiment, driversKnowledge BaseGround answers in your docsBatch CallingOutbound campaigns at scale
HealthcareHIPAA-ready patient flowsFinancial ServicesLoans, cards, collectionsReal EstateInbound leads, showingsLogisticsDispatch, tracking, ETAInsuranceFNOL, renewals, quotesHospitalityBookings, concierge, recovery
Lead QualificationScore & route at first touchAppointment SchedulingBook, reschedule, remindCustomer SupportL1 resolution, 24/7Debt CollectionCompliant recovery at scaleSurvey & ResearchVoice CSAT, NPS, panelsOrder ManagementStatus, changes, returns
Call TransferWarm, cold, agentic hand-offMultilingual40+ languages, mid-call switchFunction CallingTool use over your APIsVoicemail DetectionDrop or leave a messageInterruption HandlingNatural barge-in & recoverySentiment AnalysisTone & emotion in every turn
PricingAbout usContact
Book a call
Home/Data Processing Addendum
Legal

Data processing addendum

Last updated 31 May 2026 · forms part of the agreement between Convexa and the customer

On this page

This Data Processing Addendum ("DPA") forms part of the agreement between Convexa AI Ltd ("Convexa", "processor") and the customer ("controller") for the provision of the Convexa managed AI voice-agent service("the service"). It sets out how Convexa processes personal data on the customer's behalf, in line with UK GDPR and the Data Protection Act 2018. Where it conflicts with the rest of the agreement on data protection matters, this DPA prevails.

1. Scope & roles

For personal data processed in delivering the service, the customer is the controller and Convexa is the processor. Convexa processes personal data only to provide, support, secure, and improve the service for the customer, and only as described here or otherwise instructed in writing.

2. Processing instructions

Convexa processes personal data on the customer's documented instructions, including the configuration agreed during implementation. Convexa will tell the customer if, in its opinion, an instruction breaches applicable data-protection law. Convexa does not use customer call content — audio, transcripts, or knowledge sources — to train its own or third-party models.

3. Details of processing

Subject matterProvision of the managed AI voice-agent service.
DurationFor the term of the agreement, plus the retention period configured for the customer.
Nature & purposeHandling inbound and outbound calls — booking, qualification, support, routing, and human handoff where needed.
Categories of dataCaller contact details, call audio and transcripts, call metadata and outcomes, and any data the customer's configuration brings into a call.
Data subjectsThe customer's callers, customers, prospects, and other individuals who interact with the service.

4. Security measures

Convexa maintains technical and organisational measures appropriate to the risk, including encryption in transit and at rest, role-based access control, automated redaction of personal and sensitive identifiers from transcripts, tamper-evident audit logging, and tested incident response. These are described in more detail in our trust centre.

5. Sub-processors

The customer authorises Convexa to engage sub-processors to help deliver the service. A current list is maintained in the trust centre. Convexa imposes data-protection terms on each sub-processor no less protective than this DPA, and remains responsible for their performance. We give at least 30 days' notice before adding or replacing a sub-processor, during which the customer may object on reasonable data-protection grounds.

6. Data subject rights

Taking into account the nature of the processing, Convexa assists the customer with appropriate measures to respond to requests from individuals exercising their rights — access, correction, deletion, restriction, portability, and objection. Where a request reaches Convexa directly, we forward it to the customer rather than responding on the customer's behalf.

7. Breach notification

Convexa notifies the customer without undue delay, and within 72 hours of confirming a personal-data breach affecting the customer's data (24 hours for health- and finance-scoped engagements). Notice includes the information the customer reasonably needs to meet its own obligations to regulators and individuals.

8. International transfers

Where personal data is transferred outside the UK or EEA, Convexa relies on an appropriate safeguard — the UK International Data Transfer Addendum or Standard Contractual Clauses, with supplementary measures where needed. Customers can choose a regional deployment (UK, EU, US, and others) during implementation; we keep call data in the chosen region, including for processing.

9. Return & deletion

On termination, or on the customer's written request, Convexa returns or deletes personal data in line with the configured retention period, unless retention is required by law. Deletion covers recordings, transcripts, and derived records, subject to standard backup cycles.

10. Audits

Convexa makes available the information reasonably necessary to demonstrate compliance with this DPA, including our latest third-party audit reports under NDA. Where a customer reasonably requires further audit, the parties agree timing and scope in advance to avoid disruption to the service or to other customers.

To request a signed copy of this DPA for your engagement, contact privacy@convexaai.com.

Built to scale,
human by design.

See the full set of security and compliance artefacts in the trust centre.

Security & compliance