Handlet Data Processing Addendum
This Data Processing Addendum ("DPA") applies where HANDLET LIMITED ("Handlet", "we", "us") processes personal data on behalf of a business customer through the Handlet service.
This DPA forms part of the Terms of Service. It is intended to meet the UK GDPR Article 28 contract requirements for controller-to-processor processing.
1. Roles
For account, billing, security, support, and platform administration data, Handlet is usually a controller.
For customer communication data that a business customer brings into Handlet, the business customer is usually the controller and Handlet is the processor. This may include message content, customer contact details, connected-channel metadata, job or quote details, review content, call transcripts, call recordings, call summaries, call outcomes, and call metadata.
The business customer is responsible for ensuring that it has a lawful basis for processing its customers' personal data and for providing any required privacy notices, AI voice-assistant notices, call-recording notices, marketing notices, and opt-out mechanisms.
2. Processing Details
| Item | Details |
|---|---|
| Subject matter | Providing the Handlet platform and related support, security, automation, AI-assistance, messaging, and call-agent features. |
| Duration | The term of the customer's Handlet account plus any retention period described in the Terms, Privacy Policy, retention tables, or required by law. |
| Nature of processing | Collection, ingestion, storage, hosting, retrieval, display, organisation, classification, summarisation, drafting, sending or preparing communications, transcription, recording storage, analysis, deletion, and support access where required. |
| Purpose | To provide Handlet features requested or configured by the customer, create account-specific intelligence, keep the service secure and reliable, support the customer, improve the service, and meet legal or compliance obligations. |
| Data subjects | Customer's customers, leads, contacts, callers, staff, contractors, account users, and other people who communicate with the customer's business. |
| Personal data categories | Names, contact details, message content, attachments, message metadata, job or quote information, review content, call audio, call transcripts, call metadata, call outcomes, technical identifiers, audit data, and support records. |
| Special category or criminal offence data | Not intentionally requested by Handlet. If it appears in connected communications, Handlet processes it only as needed to provide the service and under the customer's instructions. |
3. Customer Instructions
Handlet will process customer communication data only on documented instructions from the customer. Those instructions include:
- this DPA;
- the Terms of Service;
- the customer's use of product settings and connected integrations;
- support requests submitted by the customer; and
- any written instructions agreed between Handlet and the customer.
Handlet will tell the customer if, in our opinion, an instruction infringes applicable data protection law, unless the law prevents us from doing so.
Handlet may create aggregated, anonymised, transformed, or synthetic outputs from processing activities where permitted by the Terms, this DPA, the Intelligence & Benchmarking Policy, and applicable law. Such outputs must not be designed to identify individual users, customers, businesses, accounts, messages, or calls.
4. Confidentiality
Handlet will ensure that people authorised to process personal data are subject to appropriate confidentiality obligations.
5. Security
Handlet will use appropriate technical and organisational measures designed to protect personal data, taking into account the nature of the data, the risks of processing, the state of the art, implementation costs, and the service context.
These measures may include access controls, tenant-scoped permissions, encryption in transit, secure hosting, operational logging, audit records, role-based access, monitoring, and incident-response procedures.
6. Subprocessors
The customer gives Handlet general authorisation to use subprocessors needed to provide and support the service.
Handlet maintains a current list of subprocessors at Handlet Subprocessors. Handlet will update that page when major subprocessors are added or removed. Subprocessors are required to process personal data under appropriate contractual and data protection safeguards.
If a customer has a reasonable data-protection objection to a new major subprocessor, the customer should contact privacy@handlet.ai. Handlet will review the objection in good faith.
7. Assistance
Taking into account the nature of the processing and information available to Handlet, we will provide reasonable assistance with:
- data subject access, correction, deletion, objection, restriction, portability, and related requests;
- security obligations under UK GDPR Article 32;
- personal data breach obligations under UK GDPR Articles 33 and 34;
- data protection impact assessments under UK GDPR Article 35; and
- prior consultation with a supervisory authority under UK GDPR Article 36, where applicable.
The customer remains responsible for deciding how to respond to requests from its own customers unless Handlet is independently required by law to respond.
8. Personal Data Breaches
Handlet will notify the customer without undue delay after becoming aware of a personal data breach affecting customer communication data processed by Handlet as processor.
The notice will include information reasonably available to Handlet to help the customer meet its own breach-assessment and notification obligations.
9. Deletion and Return
At the end of the service, Handlet will delete or return customer communication data where reasonably possible, unless continued retention is required or permitted by law, security, dispute handling, backup lifecycle, or legitimate compliance purposes.
Deletion may be subject to technical backup and audit-log retention cycles. Where data is retained in backups, it will remain protected and will not be actively used except for recovery, security, or legal purposes.
The current retention criteria for processor data are set out in the Privacy Policy and "How we process personal data". Call recordings default to 30 days unless the workspace configures another valid period or disables recording.
10. Audits and Compliance Information
Handlet will make reasonable information available to demonstrate compliance with this DPA. This may include summaries of security measures, subprocessor information, audit logs, policies, or written responses to reasonable security and privacy questions.
Any audit or information request must be reasonable, proportionate, and designed to avoid unnecessary disruption or risk to other customers.
11. International Transfers
Where processing involves international transfers, Handlet will use appropriate transfer safeguards such as adequacy decisions, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, Standard Contractual Clauses where appropriate, or another lawful transfer mechanism.
12. Intelligence and Benchmarking Outputs
Handlet does not sell raw customer communication data, raw messages, raw call recordings or transcripts, customer contact details, CRM records, identifiable business profiles, identifiable end-customer profiles, account-level behavioural profiles, or pseudonymised datasets presented as anonymous data.
Where Handlet produces aggregated, anonymised, transformed, or synthetic intelligence products, those outputs are governed by the Intelligence & Benchmarking Policy. Customers remain responsible for ensuring their own customer notices accurately describe how communications may be handled through Handlet.
13. Customer Responsibilities
The customer is responsible for:
- having a lawful basis for processing personal data it brings into Handlet;
- giving required privacy notices to its customers, callers, staff, and contacts;
- complying with electronic marketing, AI voice-assistant disclosure, call-recording, telecoms, and sector-specific rules that apply to its business;
- giving any required notice that communications may be analysed for account-specific intelligence, service improvement, and privacy-protected benchmarking;
- ensuring connected channels and Auto-Send settings are configured lawfully;
- keeping account access limited to authorised users; and
- avoiding unnecessary special category or criminal offence data.
14. Contact
Privacy and DPA questions should be sent to privacy@handlet.ai.