Legal

Data Processing Agreement

Last updated: 3 July 2026

1. Purpose and scope

This Data Processing Agreement ("DPA") forms part of the agreement between Answered and each business customer ("Customer") that uses the service. It applies whenever Answered processes personal data on the Customer's behalf — in particular, personal data relating to the Customer's own callers, collected through phone calls handled by the Customer's AI agent (call recordings, transcripts, caller phone numbers, and any booking or message details a caller shares).

For this data, the Customer is the data controller and Answered is the data processor, each within the meaning of UK GDPR. For Answered's own account and billing relationship with the Customer, Answered acts as an independent controller — that is covered by our Privacy Policy, not this DPA.

2. Customer's instructions

Answered will process caller personal data only to provide the service — answering calls, extracting bookings and messages, generating call summaries, and surfacing knowledge gaps — which together constitute the Customer's documented instructions.Answered will not use caller personal data for any other purpose, including training general-purpose AI models, without the Customer's written consent.

3. Subprocessors

The Customer authorises Answered to engage the following subprocessors, each bound by contractual terms providing an equivalent standard of data protection:

SubprocessorPurposeData involved
Retell AIVoice/telephony platform — places and receives callsCall audio, recordings, live transcripts
Anthropic (Claude)Generates and refines the agent's conversational knowledgeBusiness facts; call transcripts for gap detection
SupabasePrimary database, row-level-security enforced per businessAll business, agent, call, booking, and message records
TwilioSMS delivery and phone number provisioningCaller phone number, booking/message content sent by text
ResendTransactional email deliveryOwner email, notification content
StripeSubscription billing and in-call payment links, where enabledPayment details, processed directly by Stripe

We will notify Customers of any new subprocessor with a reasonable opportunity to object before it begins processing Customer data, unless the change is required for urgent security or operational reasons.

4. Security measures

Answered implements the following technical and organisational measures:

  • Encryption in transit — all traffic between callers, the Answered platform, subprocessors, and the Customer's dashboard is encrypted with TLS.
  • Encryption at rest — data stored in our Supabase database and object storage is encrypted at rest by the underlying infrastructure provider.
  • Row-level security (RLS) — every table that holds Customer or caller data (businesses, agents, knowledge_facts, calls, bookings, messages, knowledge_gaps, payment_requests, and usage_ledger) has row-level security enabled in Postgres, scoping access by business. The Answeredbackend uses a service role for operational access; dashboard-level policies are tightened further as customer authentication is rolled out.
  • Least-privilege access — internal access to production data is limited to personnel who need it to operate or support the service.
  • Isolation by business — every record is scoped to a business_id, so one Customer's data is never mixed with another's.

5. Data retention and deletion

Call recordings and transcripts are retained for 90 days by default, configurable per Customer on request. When a Customer closes their account or requests deletion, we perform a cascade delete of every record tied to that business's business_id — agents, knowledge facts, calls, bookings, messages, knowledge gaps, payment requests, and usage records — and call the Retell data deletion API to remove any call audio, recordings, or transcripts held on Retell's infrastructure. On request, we will confirm in writing once deletion is complete.

6. Assistance with data subject requests

Where a caller exercises a data-protection right (access, deletion, correction) directly with Answered rather than the Customer, we will promptly forward the request to the relevant Customer, and provide reasonable technical assistance to help the Customer respond, given our role as processor.

7. Breach notification

If Answered becomes aware of a personal data breach affecting Customer or caller data, we will notify the affected Customer without undue delay, and in any event within 72 hours of becoming aware, with the information reasonably available to us at that time, including the nature of the breach, the data and individuals likely affected, and the steps we are taking in response. We will cooperate with the Customer's own obligations to notify the ICO and affected individuals where required.

8. International transfers

Where a subprocessor listed in section 3 processes data outside the UK, the transfer is governed by the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or an equivalent adequacy mechanism.

9. Audit and compliance

On reasonable written request, and no more than once per year, Answered will provide the Customer with information reasonably necessary to demonstrate compliance with this DPA, including a summary of relevant security measures and subprocessor agreements.

10. Precedence and contact

This DPA supplements, and does not replace, our Terms of Service and Privacy Policy. Where this DPA conflicts with those documents on the processing of caller personal data, this DPA controls. Questions about this DPA can be sent to privacy@answered.co.uk. (Placeholder address — update once the production domain is finalised.)