Data Processing Agreement — A1 Voice (A1 Ergotech Limited)

Last updated: 2026-05-11


Parties

This Data Processing Agreement ("DPA") is entered into between:

(1) A1 Ergotech Limited, a company registered in England and Wales (the "Processor"):

Company number (Companies House): 10369880
VAT registration: GB 465689729
ICO data-controller registration: ZC141264
Registered office: On record with Companies House under company number 10369880.
Trading name for the product: A1 Voice
Contact for this DPA: privacy@a1ergo.tech

(2) The customer practice identified in the order form, Master Services Agreement, or Terms of Service to which this DPA is attached (the "Controller").

The Processor and the Controller are each a "Party" and together the "Parties". This DPA forms part of, and is governed by, the agreement between the Parties for the supply of the A1 Voice service (the "Principal Agreement"). In the event of a conflict between this DPA and the Principal Agreement, this DPA prevails on matters of data protection.


1. Definitions

1.1 In this DPA, the following terms have the meanings given to them:

1.2 References to articles in this DPA are to articles of the UK GDPR unless otherwise stated.

2. Subject matter, duration, nature, and purpose of processing

2.1 The subject matter, duration, nature, and purpose of the Processor's processing of Customer Personal Data, together with the type of Personal Data and the categories of Data Subject, are as set out in Schedule 1 (Details of Processing).

2.2 The Processor processes Customer Personal Data solely for the purposes set out in Schedule 1 and as documented in the Principal Agreement, this DPA, or further written instructions from the Controller (including reasonable instructions issued through the dashboard, support channels, or the Controller's authorised personnel).

3. Type of personal data and categories of data subjects

3.1 The categories of Personal Data and Data Subjects whose Personal Data is processed under this DPA are set out in Schedule 1, paragraphs 5 and 6.

3.2 The Parties acknowledge that some Customer Personal Data is Special Category Data within the meaning of UK GDPR Article 9 (in particular, health-related details that a patient may disclose in the course of a call). The lawful basis for the Controller's processing of such data is its provision of healthcare under UK GDPR Article 9(2)(h), executed under the Data Protection Act 2018 Schedule 1 Part 1 paragraph 2, or such other Article 9 basis as the Controller determines and notifies to the Processor.

4. Obligations of the Processor

4.1 Processing only on documented instructions

4.1.1 The Processor shall process Customer Personal Data only on documented instructions from the Controller, including with regard to international transfers, unless required to do otherwise by UK or EU Member State law to which the Processor is subject. In that case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.

4.1.2 The Principal Agreement, this DPA, the standard configuration of the Services, and instructions issued by the Controller through the dashboard or other channels agreed between the Parties together constitute the Controller's documented instructions.

4.1.3 The Processor shall promptly inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.

4.2 Confidentiality

4.2.1 The Processor shall ensure that all personnel (employees, contractors, and authorised sub-processor personnel) authorised to process Customer Personal Data are bound by appropriate confidentiality obligations, whether by contract, statute, or professional duty, that survive the termination of their engagement.

4.2.2 The Processor shall ensure that access to Customer Personal Data is limited to personnel who need access in order to perform their duties under the Principal Agreement.

4.3 Security measures

4.3.1 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks to Data Subjects.

4.3.2 The measures in place as at the date of this DPA are set out in Schedule 2 (Technical and Organisational Security Measures). The Processor may update these measures from time to time provided that the level of protection is not materially reduced.

4.4 Sub-processors

4.4.1 The Controller grants the Processor general written authorisation under UK GDPR Article 28(2) to engage Sub-processors for the processing of Customer Personal Data, subject to this clause 4.4.

4.4.2 The Sub-processors authorised at the date of this DPA are listed in Schedule 3.

4.4.3 The Processor shall:

(a) impose on each Sub-processor, by way of a written contract, data-protection obligations that are no less protective than those set out in this DPA;

(b) remain fully liable to the Controller for the performance of each Sub-processor's obligations;

(c) carry out reasonable due diligence on each Sub-processor before engagement and on a periodic basis thereafter.

4.4.4 The Processor shall give the Controller at least 30 days' prior written notice of any intended addition or replacement of a Sub-processor that will process Customer Personal Data. Notice is given by (i) updating the versioned Sub-processor list at https://voice.a1ergo.tech/sub-processors, AND (ii) sending an email to the Controller's nominated technical / data-protection contact on the Order Form. The Controller may object on reasonable data-protection grounds within that 30-day period. If the Controller objects and the Parties cannot agree on a resolution within a further 30 days, the Controller may terminate the affected Services on reasonable notice, and the Controller shall not be charged for those Services after the effective termination date.

4.5 Assistance with data-subject rights

4.5.1 Taking into account the nature of the processing, the Processor shall provide the Controller with reasonable assistance, by appropriate technical and organisational measures, to enable the Controller to fulfil its obligation to respond to requests from Data Subjects exercising their rights under UK GDPR Chapter III (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).

4.5.2 If the Processor receives a request directly from a Data Subject, it shall not respond to the request itself (except to acknowledge receipt and direct the Data Subject to the Controller) and shall forward the request to the Controller without undue delay, and in any event within 5 working days of receipt.

4.5.3 The Processor shall provide the assistance referred to in clause 4.5.1 within 10 working days of the Controller's request, or sooner if reasonably required to enable the Controller to meet its statutory deadline.

4.6 Personal Data Breach notification

4.6.1 The Processor shall notify the Controller of a Personal Data Breach affecting Customer Personal Data without undue delay, and in any event within 72 hours of becoming aware of the breach.

4.6.2 The notification shall, to the extent the information is then available, describe:

(a) the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and records concerned;

(b) the likely consequences of the breach;

(c) the measures taken or proposed to address the breach and to mitigate its possible adverse effects;

(d) the name and contact details of a point of contact for further information.

4.6.3 Where the information is not all available within 72 hours, the Processor shall provide it in phases without further undue delay.

4.6.4 The Processor shall reasonably assist the Controller in meeting the Controller's own breach-notification obligations to the Supervisory Authority and to affected Data Subjects under UK GDPR Articles 33 and 34.

4.7 Data Protection Impact Assessments and prior consultation

4.7.1 The Processor shall provide the Controller with reasonable assistance, taking into account the nature of the processing and the information available to the Processor, in carrying out:

(a) Data Protection Impact Assessments under UK GDPR Article 35; and

(b) prior consultation with the Supervisory Authority under UK GDPR Article 36, where applicable.

4.8 Return or deletion of Customer Personal Data

4.8.1 At the choice of the Controller, the Processor shall either return all Customer Personal Data to the Controller or delete it (and existing copies) on termination or expiry of the Services, unless retention is required by UK or EU Member State law.

4.8.2 The Controller shall communicate its choice in writing within 30 days of termination. If no instruction is received within that period, the Processor shall delete the Customer Personal Data, except for any copies held in routine, encrypted backups, which shall be deleted in line with the standard backup-rotation cycle (currently up to 90 days).

4.8.3 The Processor shall certify in writing that deletion has been carried out on the Controller's request.

4.9 Audit rights

4.9.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the UK GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4.9.2 The right of audit may be exercised:

(a) at most once per calendar year, on at least 30 days' prior written notice; and

(b) at any time on reasonable notice following a confirmed Personal Data Breach affecting the Controller's data, or where the Supervisory Authority requires it.

4.9.3 Audits shall be conducted during normal business hours, in a manner that does not unreasonably disrupt the Processor's operations, and subject to reasonable confidentiality undertakings. The Controller shall bear its own and the Processor's reasonable costs of any audit, except where the audit reveals material non-compliance by the Processor with this DPA, in which case the Processor shall bear those costs.

4.9.4 The Processor may satisfy its obligations under this clause 4.9 by providing recent third-party audit reports, certifications (e.g. ISO 27001, SOC 2), or written responses to a reasonable security questionnaire, where these are sufficient to demonstrate compliance.

5. International transfers

5.1 The Processor shall store and process the call-handling layer of Customer Personal Data (audio recordings, transcripts, dashboard, database, account records) in the United Kingdom or the European Economic Area (currently AWS region eu-west-2 London for primary infrastructure).

5.2 The AI-inference layer (LLM calls made by the Processor or its Sub-processors to support call handling) is region-pinned to the UK (London, europe-west2) via the Vertex AI EU regional endpoint of the Processor's LLM inference provider, on both the production and staging environments. (europe-west2 is Google Cloud's London region — a UK locality, included within the provider's "Vertex AI EU" product offering.) Speech-to-text transcripts and any prompt context derived from them remain within the UK during inference; no audio is sent to LLM providers. Where, exceptionally, a transfer of Customer Personal Data outside the UK / EEA is required (for example, if the region-pinned endpoint is unavailable and the Processor fails over to a non-UK / non-EEA endpoint to maintain service), the Processor relies on the safeguards in clause 5.3. The Processor maintains a Transfer Impact Assessment evidencing the supplementary safeguards behind those mechanisms (shared with Controllers on request).

5.3 The Processor shall not transfer, or permit any Sub-processor to transfer, Customer Personal Data outside the UK and EEA without:

(a) ensuring that the transfer is to a country, territory, or sector benefiting from a UK adequacy regulation or a European Commission adequacy decision; or

(b) implementing appropriate safeguards under UK GDPR Article 46, including the UK IDTA, the UK Addendum to the EU SCCs, or the EU SCCs, together with any supplementary measures required following a transfer-impact assessment.

5.4 The Sub-processors authorised under this DPA, and the regions in which they process Customer Personal Data, are set out in Schedule 3. Any new Sub-processor that would process Customer Personal Data outside the UK / EEA is subject to clause 4.4.4 (notice and objection) and to clause 5.3 (transfer safeguards). UK / EEA residency for AI inference is the default posture under this DPA (the AI-inference layer is currently pinned specifically to the UK — London europe-west2 — per clause 5.2). For a Controller that requires a tighter posture — for example refusal of the fail-over described in clause 5.2, or a requirement that the AI-inference layer never move out of the UK even on fail-over — the Processor can configure the tenant accordingly; contact privacy@a1ergo.tech.

6. Liability

6.1 Each Party acknowledges that, under UK GDPR Article 82, a Data Subject who has suffered material or non-material damage as a result of an infringement of UK GDPR has a direct statutory right of compensation against the Controller and/or the Processor. Statutory liability of either Party to a Data Subject under Article 82 cannot be limited or excluded by contract, and nothing in this DPA or the Principal Agreement purports to do so.

6.2 As between the Parties, the contractual liability of each Party arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Principal Agreement, save that nothing in this DPA or the Principal Agreement excludes or limits liability that cannot lawfully be excluded or limited (including liability under UK GDPR Article 82, fraud, or death or personal injury caused by negligence).

6.3 Where one Party has paid compensation to a Data Subject under UK GDPR Article 82(4) in respect of damage for which the other Party is wholly or partly responsible, that Party shall be entitled to claim back from the other Party that part of the compensation corresponding to the other Party's share of responsibility, in accordance with UK GDPR Article 82(5).

7. Term

7.1 This DPA comes into effect on the date of the Principal Agreement (or, if signed separately, the date of last signature) and continues for so long as the Processor processes Customer Personal Data on behalf of the Controller.

7.2 Clauses that by their nature should survive termination — including clauses 4.2 (confidentiality), 4.6 (breach notification, in respect of breaches occurring before termination), 4.8 (return or deletion), 4.9 (audit, in respect of the period before termination), 5 (international transfers), and 6 (liability) — survive termination of this DPA and the Principal Agreement.

8. General

8.1 Governing law and jurisdiction. This DPA is governed by the laws of England and Wales. The Parties submit to the exclusive jurisdiction of the courts of England and Wales, save that the Controller may bring proceedings in the courts of its place of establishment where required by law.

8.2 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions continue in full force and effect.

8.3 Notices. Notices under this DPA shall be given in writing to the contacts identified in the Principal Agreement, with a copy of any data-protection notice to privacy@a1ergo.tech.

8.4 Variation. The Parties may amend this DPA in writing, signed by authorised representatives of both Parties.

8.5 Entire agreement. This DPA, together with the Principal Agreement, constitutes the entire agreement between the Parties in respect of the processing of Customer Personal Data.

8.6 Order of precedence. In the event of a conflict between (a) this DPA, (b) the Principal Agreement, and (c) the Schedules to this DPA, the order of precedence (highest first) is: (i) the body of this DPA; (ii) the Schedules; (iii) the Principal Agreement; in each case only on matters of data protection.


Schedule 1 — Details of Processing

Item | Detail
1. Subject matter | Provision of the A1 Voice AI receptionist service to the Controller, including handling of inbound and outbound calls on behalf of the Controller.
2. Duration | The term of the Principal Agreement, plus any retention period set under clause 4.8 of this DPA.
3. Nature of processing | Receiving inbound calls; speech-to-text transcription; AI-driven intent recognition and dialogue; appointment booking and rescheduling; call routing and triage; recording and storage of audio and transcripts (where the Controller has enabled recording); generation of dashboard metrics; and ancillary technical processing necessary to operate the Services (logging, monitoring, backup).
4. Purpose of processing | Operating the Controller's reception function — answering patient calls, capturing intent, booking appointments into the Controller's practice-management system, escalating clinically urgent calls, and providing the Controller with management information about call volumes and outcomes.
5. Type of Personal Data | (a) Caller identifiers: name, contact phone number, email address (where shared), date of birth (where shared for identity verification). (b) Call audio recordings (where recording is enabled by the Controller). (c) Call transcripts (speech-to-text output). (d) Special-category health data (UK GDPR Article 9): symptoms, treatment context, dental/medical history, medication, and any other health-related information that the caller voluntarily discloses in the course of the call. (e) Appointment metadata (date, time, treatment type, clinician). (f) Free-text notes captured by the Services in the course of handling the call.
6. Categories of Data Subject | (a) Patients of the Controller (including prospective patients calling for the first time). (b) Family members, guardians, carers, or other third parties calling on behalf of a patient. (c) Other individuals who call the Controller's practice line for any reason (e.g. suppliers, professional contacts) — incidental processing only.
7. Frequency of processing | Continuous, on a per-call basis, throughout the term of the Principal Agreement.
8. Retention | Audio and transcripts retained for the period set by the Controller in the dashboard or order form (default: 30 days for audio, 90 days for transcripts, subject to the Controller's instruction). On termination, clause 4.8 applies.

Schedule 2 — Technical and Organisational Security Measures

The Processor implements the following measures, mirroring § 8 of the A1 Voice Privacy Policy:

  1. Encryption in transit. TLS 1.2 or higher for all connections carrying Customer Personal Data, including telephony media (where the upstream carrier supports it), API traffic, and dashboard sessions.
  2. Encryption at rest. AES-256 encryption for stored audio recordings, transcripts, and database contents containing Customer Personal Data, using managed-key services (AWS KMS) with key rotation enabled.
  3. Data residency. The call-handling infrastructure (WebRTC, audio storage, transcripts, dashboard, database) runs in AWS region eu-west-2 (London) — patient call audio and transcripts are stored in the UK. The AI-inference layer (LLM calls to Google Gemini) is region-pinned to Google's London region (europe-west2) via the Vertex AI EU regional endpoint on both staging and production — so AI-inference also stays in the UK. Where, exceptionally, a transfer outside the UK / EEA is required (e.g. fail-over from the region-pinned endpoint to a non-UK / non-EEA endpoint), the safeguards in clause 5 apply (UK IDTA / SCCs as appropriate). No audio is sent to LLM providers — only speech-to-text transcripts and prompt context derived from them.
  4. Access control. Role-based access control with the principle of least privilege. Production access is restricted to named personnel with documented need. Multi-factor authentication is required for all privileged accounts.
  5. Audit logging. All access to Customer Personal Data — by personnel, by application code, and by Sub-processors — is logged. Logs are retained for at least 12 months and reviewed on a periodic and on-incident basis.
  6. Network security. Production environments are segregated from development and corporate networks. Inbound access is restricted to authorised IP ranges and authenticated endpoints.
  7. Secure development. Source code is held in version control with required code review on changes touching Customer Personal Data. Secrets are stored in a managed secret store, never in code.
  8. Backup and recovery. Encrypted backups are taken on a regular schedule. Backup-rotation cycles are aligned with the retention defaults in Schedule 1.
  9. Vulnerability management. Operating-system and dependency patches are applied on a regular cadence. Critical security updates are prioritised and applied promptly.
  10. Incident response. A documented incident-response procedure including triage, containment, and breach-notification within 72 hours of awareness, in line with clause 4.6.
  11. Personnel measures. All personnel with access to Customer Personal Data are bound by written confidentiality undertakings and receive role-appropriate data-protection training.
  12. Sub-processor management. Written contracts with all Sub-processors imposing data-protection obligations no less protective than this DPA, plus periodic review of each Sub-processor's security posture.
  13. No model training without consent. Customer call audio and transcripts are not used to train the Processor's or any third party's machine-learning models without the Controller's explicit, written, practice-level consent.
  14. No payment-card storage. The Processor does not store credit-card numbers; payment processing is handled by Stripe under PCI DSS scope.

Schedule 3 — List of Approved Sub-processors

The Sub-processors listed below are authorised at the date of this DPA. Each one processes Customer Personal Data on behalf of the Processor under a written contract imposing data-protection obligations no less protective than this DPA. Updates are made under clause 4.4.

Sub-processor | Purpose | Region of processing
Amazon Web Services (AWS) | Hosting, compute, storage, networking — including the call-handling pipeline (WebRTC, audio storage, transcripts, dashboard, database) | UK (eu-west-2, London) — all infrastructure pinned to AWS's London region
Google (Gemini API via Vertex AI) | Large-language-model inference for call handling | UK (europe-west2, London) — region-pinned via the Vertex AI EU regional endpoint (europe-west2-aiplatform.googleapis.com); auth via service-account ADC. europe-west2 is Google Cloud's London region — a UK locality, included in Vertex AI's "EU" product offering. Live on both staging and production since 2026-05-11 (PR #30 + PR #36). Where a fail-over outside the UK / EEA is exceptionally required, UK IDTA / SCCs apply.
OpenRouter (where configured) | Alternative LLM routing for some agent roles | Not currently configured in the production profile; this row is retained for transparency in case it is re-enabled. If re-enabled, OpenRouter would route to the underlying provider it judges best (no region pin); UK IDTA / SCCs would apply, and the Processor would re-notify Controllers per clause 4.4.4.

Notes:


Schedule 4 — Other third-party services (transparency only — not Sub-processors under this DPA)

The services listed below are used by the Processor in connection with its business but do not process Customer Personal Data as defined in Schedule 1. They are independent data controllers of any data they collect from the Processor or from individuals interacting with the Processor's marketing pages, or they process operational metadata that does not include Customer Personal Data. They are listed here for transparency so the Controller has a full view of the third-party landscape.

Service | What it does | Whose data they process | Their role
Cal.com (EU instance, cal.eu) | Hosts the Processor's demo-booking widget on voice.a1ergo.tech/dental and similar public marketing pages | Name, email, and any details a visitor fills into the booking form on those marketing pages — not patient data, not call audio, not transcripts | Independent data controller under their own Privacy Policy. Cal.com EU's privacy notice and terms apply to the booking data; the Processor receives only the resulting calendar event sent to its internal calendar.
Stripe (Stripe Payments Europe Ltd, Ireland) | Customer billing payments for the Processor's own commercial relationship with the Controller | The Controller's own billing contact and card / direct-debit information — not patient data | Independent data controller for the billing data Stripe collects under its own Privacy Policy and PCI DSS scope.
Caddy / Let's Encrypt | TLS certificate provisioning for the Processor's web properties | No Customer Personal Data; certificate-issuance metadata only | Operational infrastructure.
GitHub (Microsoft) | Source code, CI / CD | No Customer Personal Data; source-code and CI metadata only | Operational infrastructure (US, with appropriate transfer safeguards under GitHub's terms).

Notes:


Signatures

Signed for and on behalf of A1 Ergotech Limited (Processor):

Name _______
Title _______
Date _______
Signature _______

Signed for and on behalf of the Controller:

Name _______
Title _______
Practice / Company _______
Date _______
Signature _______