GDPR

This Data Processing Agreement ("DPA") sets out the terms on which technologE Ltd processes personal data on behalf of its customers. It forms part of the Master Terms and Conditions and all applicable Schedules and Order Forms (together, the "Agreement"). By entering into an Agreement with technologE Ltd, the Customer accepts the terms of this DPA.

 

 

Parties

 

Processor technologE Ltd (company number 14695531), 3000 Aviator Way, Manchester Business Park, Manchester M22 5TG.

 

Customer Any business that has entered into an Agreement with technologE Ltd, as identified in the relevant Order Form (the "Controller" for the purposes of Applicable Data Protection Law).

 

 

In this DPA, "Applicable Data Protection Law" means the UK GDPR and the Data Protection Act 2018. In the event of any conflict between this DPA and the Master Terms on a matter governed by Applicable Data Protection Law, this DPA shall prevail.

 

1. Purpose, Scope and Risk Acknowledgement

1.1 This DPA applies wherever technologE processes Personal Data on behalf of the Customer in connection with the provision of the Services.

1.2 The Customer is the data controller and technologE is the data processor for the purposes of Applicable Data Protection Law.

1.3 The parties acknowledge that certain Services involve elevated data protection risk, specifically:

(a) call recording and transcription services, which may capture communications content including Personal Data that neither party anticipated at the time of recording; and

(b) managed IT support and remote access services, under which technologE's personnel may obtain privileged or administrative access to the Customer's systems, networks, devices and data repositories.

Both parties accept heightened obligations as a result.

1.4 Nothing in this DPA prevents technologE from processing Personal Data as an independent data controller for its own purposes (including billing, account management, fraud prevention, network security, and compliance with legal obligations). Such processing is governed by technologE's Privacy Notice. For the avoidance of doubt, where technologE records calls to or from its own staff for training, quality assurance or complaint resolution, technologE acts as an independent data controller and that processing is outside the scope of this DPA.

1.5 AI-Assisted Processing. technologE uses artificial intelligence tools and platforms ("AI Tools") to assist in delivering the Services. This may include using AI Tools to process Personal Data for call transcription, summarisation, IT support triage, communications drafting and service analytics. Where AI Tools process Personal Data on behalf of the Customer, the relevant provider is engaged as a sub-processor under clause 9. technologE shall ensure that:

(a) no Personal Data is inputted into any AI Tool except where that tool is listed as an authorised sub-processor in Appendix 2 and is subject to appropriate data protection safeguards;

(b) call recordings or transcripts containing Personal Data are processed through AI Tools only where the Customer has been informed and appropriate access controls are in place; and

(c) staff are prohibited from inputting Customer Personal Data into consumer-grade, personal or unapproved AI tools at any time.

1.6 Automated Decision-Making. technologE does not make solely automated decisions that produce legal or similarly significant effects in respect of data subjects on behalf of the Customer, unless expressly agreed in a Schedule or Statement of Work. AI Tools used by technologE produce outputs that are reviewed by a human operator before any decision affecting a data subject is taken.

 

2. Duration

2.1 This DPA commences on the Master Terms Effective Date and continues until all processing of Personal Data by technologE on behalf of the Customer has ceased.

 

3. Subject Matter, Nature and Purpose of Processing

3.1 technologE shall process Personal Data solely for the purpose of delivering the Services under the Agreement, including customer support, billing, account management, connectivity, cloud, SaaS, IT support, consultancy, VoIP, mobile and related managed services, as further described in Appendix 1.

3.2 Processing may involve collection, recording, storage, retrieval, transmission, alteration, erasure and destruction of Personal Data, and may include processing by AI Tools where permitted under this DPA.

3.3 technologE shall not process Personal Data accessed in the course of delivering IT support or managed services for any purpose other than the resolution of the relevant incident, request or project.

 

4. Categories of Data Subjects

The Personal Data may relate to:

– the Customer's employees, workers, agents, and contractors;

– the Customer's customers, suppliers, and business contacts (where relevant to the Services);

– authorised end-users of the Services; and

– third parties whose Personal Data appears incidentally within the Customer's systems or communications, including individuals whose calls are recorded.

 

5. Types of Personal Data

5.1 The Personal Data may include:

– names, job titles and contact details (telephone, email, address);

– authentication credentials (usernames, account IDs, passwords in hashed form);

– usage, call, connectivity and billing records;

– device and technical identifiers (IP address, IMEI, SIM number, MAC address, device ID);

– communications metadata (call logs, CDRs, session data);

– communications content, including audio recordings, transcripts, voicemails and any Personal Data captured within them;

– IT systems data encountered by technologE's personnel during managed IT support or remote access; and

– any other Personal Data uploaded or provided by the Customer in using the Services.

5.2 Special Categories. The parties acknowledge that call recordings and access to IT systems carry an elevated risk of incidental exposure to special categories of Personal Data (as defined in Article 9 UK GDPR), including health information, financial data and personal communications. technologE shall: (a) implement controls to prevent unnecessary access to or retention of such data; (b) not process it for any purpose beyond the immediate service delivery requirement; and (c) alert the Customer promptly if significant volumes are encountered. Where the Customer specifically instructs technologE to process special category data, the Customer warrants it holds a valid lawful basis under Article 9 UK GDPR. AI Tools shall not be used to process special category Personal Data without express written agreement.

5A. PECR and Communications Data

5A.1 Where the Services involve the processing of communications data (including call records, traffic data, location data or communications content), the Privacy and Electronic Communications Regulations 2003 ("PECR") and, where applicable, the Investigatory Powers Act 2016, apply in addition to UK GDPR.

5A.2 The Customer is responsible for ensuring it has a lawful basis under PECR for any monitoring, recording or interception of communications and for providing appropriate notices to users. technologE shall process communications data only in accordance with the Customer's documented instructions.

5A.3 technologE shall comply with its own obligations under PECR as an electronic communications provider, including confidentiality of communications and traffic data under regulation 5 PECR.

 

6. Processor Obligations

technologE shall:

(a) process Personal Data only on documented instructions from the Customer, including in respect of transfers outside the UK;

(b) promptly inform the Customer if an instruction would, in technologE's reasonable opinion, infringe Applicable Data Protection Law;

(c) ensure authorised personnel are subject to binding confidentiality obligations and have received appropriate training, including in the acceptable use of AI Tools and handling of call recordings and privileged IT access;

(d) implement appropriate technical and organisational security measures as set out in Appendix 3;

(e) notify the Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach, with a preliminary notification where all information is not yet available;

(f) assist the Customer, at the Customer's reasonable cost, in responding to data subject requests, including requests relating to recorded communications or data accessed during IT support;

(g) assist the Customer in complying with Articles 32-36 UK GDPR, including DPIAs and consultation with the ICO;

(h) make available all information reasonably necessary to demonstrate compliance and allow for audits under clause 14;

(i) not process Personal Data for its own purposes (other than as permitted by clause 1.4) or disclose it to any third party except as a sub-processor under clause 9 or as required by law; and

(j) where AI Tools are used: (i) apply data minimisation principles; (ii) treat AI-generated outputs involving Personal Data as Personal Data until human-reviewed; and (iii) not use AI Tools to process call recordings or IT systems data without informing the Customer in advance.

 

7. Privileged and Remote Access to Customer IT Systems

7.1 Scope of access. Where technologE's personnel obtain privileged, administrative or remote access to the Customer's IT systems in the course of managed IT support, such access shall be: (a) limited to the minimum privilege required; (b) used only for the purpose of delivering the agreed Services; and (c) conducted in accordance with the Customer's reasonable security policies where notified in advance.

7.2 Access logging. technologE shall maintain logs of privileged and remote access sessions, including the identity of the personnel, time, duration and systems accessed. Logs shall be retained for a minimum of twelve (12) months and made available to the Customer on request.

7.3 Data encountered incidentally. Where technologE's personnel encounter Personal Data incidentally, they shall: (a) not access, copy, read or retain such data beyond what is strictly necessary; (b) not disclose it to uninvolved colleagues; and (c) report to their line manager and data protection lead if they encounter significant volumes of Personal Data, special category data, or anything suggesting a pre-existing breach on the Customer's systems.

7.4 Serendipitous discovery. If technologE's personnel discover or reasonably suspect that the Customer is experiencing a Personal Data Breach or security incident (including one not caused by technologE), technologE shall notify the Customer within twenty-four (24) hours of that discovery. This obligation is in addition to technologE's own breach notification obligations under clause 6(e).

7.5 Separation of duties. technologE shall ensure that personnel with privileged access to Customer systems do not also have unsupervised access to AI Tools in a way that could cause Customer Personal Data to be inadvertently processed through those tools.

7A. Staff Vetting and Personnel Obligations

7A.1 technologE shall ensure that personnel with privileged access to Customer IT systems or call recordings have undergone appropriate pre-employment vetting, including identity verification, right to work check, and a basic DBS check or equivalent where the role involves routine access to sensitive Personal Data.

7A.2 technologE shall maintain a record of which personnel have been granted access to which Customer environments and shall promptly revoke access upon a member of staff leaving or changing role.

7A.3 All relevant personnel shall be bound by confidentiality obligations surviving termination of employment and shall receive role-specific training before being granted privileged access or access to call recordings.

7A.4 technologE shall notify the Customer if a member of personnel with access to the Customer's systems is subject to a disciplinary investigation, formal allegation or criminal proceeding that may be relevant to data security, subject to applicable employment law constraints.

 

8. Call Recording Provisions

8.1 Scope. This clause applies where technologE provides, manages or has access to call recording services on behalf of the Customer, including hosted call recording under Schedule 3.

8.2 Customer responsibility. The Customer is the data controller of all call recordings made using the Services and is responsible for: (a) ensuring all required notifications and consents are in place under Applicable Data Protection Law, PECR and the

Investigatory Powers Act 2016; (b) defining the required retention period; and (c) identifying and passing data subject rights requests to technologE.

8.3 Processor access. technologE shall access recordings only where strictly necessary for service delivery, fault resolution, quality assurance within agreed scope, or where required by law.

8.4 Retention and deletion. technologE shall retain recordings for the period specified in the Order Form or, where not specified, for no longer than ninety (90) days from the date of recording, unless the Customer provides written instructions requiring a different period. On expiry, recordings shall be securely deleted.

8.5 AI and transcription. Where AI Tools are used to transcribe or analyse recordings, technologE shall ensure: (a) the provider is an authorised sub-processor that does not use recording content for AI model training; (b) transcripts are treated as Personal Data subject to the same controls as recordings; and (c) the Customer has been informed in writing that AI transcription is in use.

8.6 Security. Recordings shall be stored with access controls restricting access to named, authorised personnel only. Access shall be logged and available to the Customer on request.

8A. Direct Contact by Data Subjects

8A.1 If a data subject contacts technologE directly about Personal Data processed under this DPA, technologE shall: (a) acknowledge receipt within three (3) Business Days; (b) forward the request to the Customer without undue delay; and (c) not respond substantively without the Customer's prior written instruction, unless required by law.

8A.2 technologE shall maintain a log of all direct data subject contacts received under this DPA and make it available to the Customer on request.

 

9. Sub-Processing

9.1 The Customer provides general authorisation for technologE to appoint sub-processors to deliver the Services, including AI Tool providers as listed in Appendix 2.

9.2 technologE shall: (a) ensure any sub-processor is bound by terms imposing data protection obligations at least equivalent to those in this DPA; (b) ensure AI Tool providers are contractually prohibited from using Customer Personal Data (including recordings) for AI model training; and (c) remain liable for the acts and omissions of each sub-processor as if its own.

9.3 A current list of authorised sub-processors is maintained by technologE and is available on request from help@technologe.co.uk or at www.technologe.co.uk. technologE will respond to requests within five (5) Business Days. The list identifies sub-processors by name, service category, country of processing and applicable transfer mechanism where data is processed outside the UK.

9.4 technologE shall give not less than thirty (30) days' direct written notice to the Customer before adding or replacing any sub-processor. Updating a website register alone is not sufficient notice for a new AI Tool provider or any sub-processor that will process call recordings or access Customer IT systems. The Customer may object in writing on reasonable data protection grounds within that period. If technologE proceeds despite a reasonable objection, the Customer may terminate the affected Service without early termination charges on fourteen (14) days' written notice.

 

10. International Transfers

10.1 technologE shall not transfer Personal Data outside the UK, nor permit it to be accessed from outside the UK, unless: (a) the transfer is to a country deemed adequate by the UK Government under section 74A of the Data Protection Act 2018; or (b) appropriate safeguards are in place, such as the UK IDTA, the UK Addendum to the EU SCCs, or another lawful mechanism.

10.2 The Customer acknowledges that certain sub-processors, including AI Tool providers and cloud infrastructure providers such as Microsoft Azure, may host or process data outside the UK, subject to the safeguards in clause 10.1. Details of transfer mechanisms are available from help@technologe.co.uk on request.

10.3 Call recordings and IT systems data shall not be transferred outside the UK without the Customer's prior written consent, save where required by law.

 

11. Legal Orders and Law Enforcement Requests

11.1 If technologE receives a court order, regulatory demand or law enforcement request requiring disclosure of the Customer's Personal Data, technologE shall: (a) notify the Customer promptly and, where legally permitted, before complying; (b) disclose only the minimum Personal Data strictly required; and (c) retain a record of the disclosure.

11.2 Where technologE is legally prohibited from notifying the Customer before disclosure, it shall notify the Customer as soon as that prohibition lifts, unless permanently prohibited from doing so.

 

12. Data Protection Impact Assessments

12.1 The parties acknowledge that the combination of call recording, AI-assisted transcription and privileged IT access described in this DPA is likely to require a DPIA under Article 35 UK GDPR.

12.2 The Customer is responsible for conducting any required DPIA. technologE shall provide reasonable assistance, including data flow information, security documentation and sub-processor details.

12.3 Where technologE identifies a material change to its processing that may give rise to a new or elevated risk, it shall notify the Customer promptly.

 

13. Return and Deletion of Personal Data

13.1 On termination or expiry of the Agreement, technologE shall, at the Customer's option and within thirty (30) days of a written request, either: (a) return all Personal Data in a commonly used machine-readable format; or (b) securely delete or destroy all Personal Data — unless Applicable Law requires retention, in which case technologE shall notify the Customer.

13.2 technologE shall confirm in writing that deletion or return has been completed, including confirmation that call recordings, transcripts and data accessed during IT support have been deleted from all storage systems and AI Tool platforms within technologE's control.

 

14. Audit Rights

14.1 The Customer may, on giving not less than fourteen (14) days' written notice, audit technologE's compliance with this DPA no more than once in any twelve (12) month period, except where a Personal Data Breach or material breach is suspected, in which case additional audits may be conducted on reasonable notice.

14.2 Audits shall be conducted during normal Business Hours in a manner that minimises disruption, subject to reasonable confidentiality requirements.

14.3 The Customer shall bear the costs of any audit, except where it identifies a material breach by technologE, in which case technologE shall bear its own reasonable costs.

14.4 Audit scope may include: IT system access logs; call recording access and retention records; AI Tool usage logs; sub-processor due diligence records; and staff data protection training records.

 

15. Liability

15.1 Each party's liability under this DPA is subject to the limitations and exclusions set out in the Agreement, save that nothing limits liability that cannot lawfully be excluded or limited under Applicable Data Protection Law.

 

16. Governing Law

16.1 This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.

 

This DPA is published at www.technologe.co.uk. By entering into an Agreement with technologE Ltd, the Customer accepts these terms. This DPA is reviewed periodically; the current version will always be available at www.technologe.co.uk. For questions, contact help@technologe.co.uk.

​​

Appendix 1 — Details of Processing

 

​

Subject matter

Provision of Services under the Agreement

​

Duration

Term of the Agreement plus any retention period required by Applicable Law

 

Nature of processing

Collection, recording, storage, retrieval, transmission, alteration, deletion and destruction of Personal Data, including

processing of communications content and IT systems data, and processing via AI Tools where permitted

 

Purpose

Mobile, connectivity, VoIP/cloud telephony, call recording, SaaS, managed IT support, cloud backup, consultancy, device supply and related managed services

 

Categories of data subjects

Employees, contractors, end-users, customers, suppliers and business contacts of the Customer, and third parties whose data appears within recordings or IT systems

 

Types of personal data

Contact details, authentication identifiers, billing and usage data, communications metadata, communications content including recordings and transcripts, IT systems data encountered during managed support

 

Special categories

Not anticipated in ordinary course — see clause 5.2 if applicable

 

AI processing

Where in use: limited to authorised sub-processors; no model training on Customer data; human review of all AI outputs; recordings processed by AI only with advance notice to Customer

 

 

Appendix 2 — Authorised Sub-Processor Categories

 

The Customer provides general authorisation for technologE to appoint sub-processors within the following categories, solely for the purpose of delivering the Services. A current named list is available at www.technologe.co.uk or on request from help@technologe.co.uk.

 

 

1. Telecommunications & Connectivity

Mobile network services, fixed connectivity, SIP trunking, IoT, number routing and related telecoms infrastructure. Standard DPA equivalence

 

2. Cloud Software & SaaS Platforms

Cloud-based services including productivity software, collaboration tools, identity and access services, licensing and platform-as-a-service.

Standard DPA equivalence

 

3. Data Backup, BCP & Cybersecurity

Data backup, replication, disaster recovery, endpoint security, security monitoring and cybersecurity tooling.

Standard DPA equivalence

 

4. Secure IT Asset Disposal

Equipment collection, secure data sanitisation, physical destruction, recycling and issuance of destruction certificates.

Standard DPA equivalence

 

5. IT Hardware & Logistics

Distribution, warehousing, configuration, asset tagging and physical delivery of Equipment.

Standard DPA equivalence

 

6. AI Tool Providers

Providers of artificial intelligence platforms used in service delivery, including large language model providers, transcription services and analytics platforms. Must contractually prohibit use of Customer Personal Data (including recordings) for AI model training.

Must confirm compliance with Applicable Data Protection Law and international transfer safeguards. Direct written notice required before adding any new provider.

​

7. Specialist Service Partners

Specialist or accredited third parties required to deliver niche technical services, implementation, configuration or support for a specific product or solution.

Standard DPA equivalence

 

 

Appendix 3 — Technical and Organisational Security Measures

 

technologE shall implement and maintain the following measures, reviewed periodically to reflect changes in technology and the risk environment:

 

– Role-based access controls, multi-factor authentication and least-privilege principles — applied with particular rigour to personnel with privileged IT system access;

– Encryption of Personal Data at rest (AES-256 or equivalent) and in transit (TLS 1.2 or above), including call recordings in storage;

– Pseudonymisation of Personal Data where appropriate and technically practicable;

– Privileged Access Management (PAM) controls, including session logging and time-limited access tokens for remote IT support sessions where technically feasible;

– Network monitoring, firewalls and intrusion detection/prevention systems;

– Regular vulnerability scanning, penetration testing and patch management;

– Business continuity planning and disaster recovery procedures;

– Physical and environmental security controls for premises processing Personal Data;

– Staff training in data protection, security awareness, incident response, privileged access obligations and acceptable AI use — with role-specific training for engineers with IT access and staff handling call recordings;

– Documented incident response procedures, including Personal Data Breach escalation within 72 hours;

– An internal AI acceptable use policy specifying: which tools are approved; that Customer Personal Data may only be processed through approved business-tier AI tools and never personal consumer accounts; and that all AI outputs involving Personal Data require human review;

– Segregation of customer data environments to prevent cross-customer data exposure; and

– Progress towards or maintenance of ISO/IEC 27001 certification or an equivalent recognised standard.

 

 

Appendix 4 — Retention Periods

 

The following retention periods apply where the Order Form or Customer's written instructions do not specify otherwise. The Customer may instruct shorter periods in writing. Longer retention than specified is not permitted without documented justification.

 

​

Call recordings

6 years from date of recording

Limitation Act 1980 — potential contract or tortious claims arising from communications

 

Call transcripts and AI-generated summaries

6 years from date of creation

Limitation Act 1980 — transcripts may constitute evidence in a claim

 

IT support session logs and access records

6 years from date of session

Limitation Act 1980 — potential claims arising from IT access or support activity

 

Billing and usage records

7 years from date of invoice

HMRC requirements (VAT Act 1994; Finance Act 1998); Companies Act 2006 accounting records

 

Customer account and contact data

7 years from Agreement termination

HMRC and Companies Act requirements; Limitation Act 1980 for contract claims

 

Incident and Personal Data Breach records

6 years from date of incident closure

Limitation Act 1980; ICO enforcement window; Article 5(2) UK GDPR accountability obligation

 

Data subject rights request records

6 years from date of request closure

Limitation Act 1980; ICO enforcement and accountability obligations under Article 5(2) UK GDPR

 

Sub-processor notification and objection records

6 years from date of notification

Limitation Act 1980; Article 28 UK GDPR accountability obligation

 

Staff access and vetting records (privileged roles)

6 years from end of employment or engagement

Limitation Act 1980 — potential employment or data protection claims

 

DBS check results

Delete once recruitment decision taken; record of satisfactory outcome and date retained for duration of employment only

ICO DBS retention guidance — certificate must not be retained beyond the decision point

 

 

Regulated sector override: Where the Customer operates in a regulated sector requiring longer retention (e.g. FCA-regulated firms under MiFID II requiring up to 7 years, or legal firms under SRA requirements), the Customer shall notify technologE in writing and the applicable regulatory period shall override the default above.

Legal holds: All periods above are subject to override by any legal hold, regulatory requirement, ongoing dispute or investigation. technologE shall notify the Customer and retain relevant data until the hold is lifted.

​

V3 (160326)