Legal
Data Processing Agreement
Last updated: 3 July 2026
1. Purpose and scope
This Data Processing Agreement ("DPA") forms part of the agreement between Answered and each business customer ("Customer") that uses the service. It applies whenever Answered processes personal data on the Customer's behalf — in particular, personal data relating to the Customer's own callers, collected through phone calls handled by the Customer's AI agent (call recordings, transcripts, caller phone numbers, and any booking or message details a caller shares).
For this data, the Customer is the data controller and Answered is the data processor, each within the meaning of UK GDPR. For Answered's own account and billing relationship with the Customer, Answered acts as an independent controller — that is covered by our Privacy Policy, not this DPA.
2. Customer's instructions
Answered will process caller personal data only to provide the service — answering calls, extracting bookings and messages, generating call summaries, and surfacing knowledge gaps — which together constitute the Customer's documented instructions.Answered will not use caller personal data for any other purpose, including training general-purpose AI models, without the Customer's written consent.
3. Subprocessors
The Customer authorises Answered to engage the following subprocessors, each bound by contractual terms providing an equivalent standard of data protection:
| Subprocessor | Purpose | Data involved |
|---|---|---|
| Retell AI | Voice/telephony platform — places and receives calls | Call audio, recordings, live transcripts |
| Anthropic (Claude) | Generates and refines the agent's conversational knowledge | Business facts; call transcripts for gap detection |
| Supabase | Primary database, row-level-security enforced per business | All business, agent, call, booking, and message records |
| Twilio | SMS delivery and phone number provisioning | Caller phone number, booking/message content sent by text |
| Resend | Transactional email delivery | Owner email, notification content |
| Stripe | Subscription billing and in-call payment links, where enabled | Payment details, processed directly by Stripe |
We will notify Customers of any new subprocessor with a reasonable opportunity to object before it begins processing Customer data, unless the change is required for urgent security or operational reasons.
4. Security measures
Answered implements the following technical and organisational measures:
- Encryption in transit — all traffic between callers, the Answered platform, subprocessors, and the Customer's dashboard is encrypted with TLS.
- Encryption at rest — data stored in our Supabase database and object storage is encrypted at rest by the underlying infrastructure provider.
- Row-level security (RLS) — every table that holds Customer or caller data (
businesses,agents,knowledge_facts,calls,bookings,messages,knowledge_gaps,payment_requests, andusage_ledger) has row-level security enabled in Postgres, scoping access by business. The Answeredbackend uses a service role for operational access; dashboard-level policies are tightened further as customer authentication is rolled out. - Least-privilege access — internal access to production data is limited to personnel who need it to operate or support the service.
- Isolation by business — every record is scoped to a
business_id, so one Customer's data is never mixed with another's.
5. Data retention and deletion
Call recordings and transcripts are retained for 90 days by default, configurable per Customer on request. When a Customer closes their account or requests deletion, we perform a cascade delete of every record tied to that business's business_id — agents, knowledge facts, calls, bookings, messages, knowledge gaps, payment requests, and usage records — and call the Retell data deletion API to remove any call audio, recordings, or transcripts held on Retell's infrastructure. On request, we will confirm in writing once deletion is complete.
6. Assistance with data subject requests
Where a caller exercises a data-protection right (access, deletion, correction) directly with Answered rather than the Customer, we will promptly forward the request to the relevant Customer, and provide reasonable technical assistance to help the Customer respond, given our role as processor.
7. Breach notification
If Answered becomes aware of a personal data breach affecting Customer or caller data, we will notify the affected Customer without undue delay, and in any event within 72 hours of becoming aware, with the information reasonably available to us at that time, including the nature of the breach, the data and individuals likely affected, and the steps we are taking in response. We will cooperate with the Customer's own obligations to notify the ICO and affected individuals where required.
8. International transfers
Where a subprocessor listed in section 3 processes data outside the UK, the transfer is governed by the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or an equivalent adequacy mechanism.
9. Audit and compliance
On reasonable written request, and no more than once per year, Answered will provide the Customer with information reasonably necessary to demonstrate compliance with this DPA, including a summary of relevant security measures and subprocessor agreements.
10. Precedence and contact
This DPA supplements, and does not replace, our Terms of Service and Privacy Policy. Where this DPA conflicts with those documents on the processing of caller personal data, this DPA controls. Questions about this DPA can be sent to privacy@answered.co.uk. (Placeholder address — update once the production domain is finalised.)