Data Protection Addendum
Governing the processing of personal data by Tactful Ltd as data processor
Last updated: July 3, 2026
Version effective: 3 July 2026 (see Section 13 — Version and Applicability)
1. Key Parties and Roles
Data Processor: Tactful Ltd, The Venture Centre, Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, United Kingdom, CB25 9PB (Company No: 10279888).
Data Controller: The Customer, as identified in the relevant Order Form.
This Data Protection Addendum ("DPA") forms part of the agreement between the parties and governs the processing of personal data by Tactful Ltd on behalf of the Customer in connection with the Product(s) specified in the Order Form.
2. Scope of Data Processing
The following categories of personal data may be processed under this DPA, depending on the Product(s) in use:
| Service | Personal Data Processed |
|---|---|
| Unified Inbox & Ticketing | Name, contact identifiers (email address, phone number, social/messaging handles), message and conversation content, ticket content and attachments, and customer-provided identifiers (e.g. account, order or trip references) |
| AI Agents & Automation | Conversation content and the personal data contained within it, as submitted by or on behalf of the Customer's end users |
The Customer determines the categories of data subjects (e.g. its customers, end users, drivers, riders, agents and staff) and the personal data submitted to the Product(s).
3. Customer Obligations
The Customer, as Data Controller, must:
- Comply with all applicable Data Protection Legislation in respect of the personal data processed under this DPA;
- Ensure that all instructions given to Tactful Ltd regarding the processing of personal data are lawful; and
- Ensure that the personal data is accurate and that its transfer to Tactful Ltd for processing is permitted under applicable law.
4. Data Security Measures
Tactful Ltd implements appropriate technical and organisational measures to protect personal data, including:
- Role-based access controls limiting access to authorised personnel only;
- Background checks on employees with access to personal data;
- Encryption of personal data in transit and at rest;
- Annual security training for all relevant staff;
- Regular vulnerability assessments and penetration testing; and
- Multi-layered security controls across infrastructure and applications.
5. Data Breach Notification
In the event of a personal data breach, Tactful Ltd will:
- Notify the Customer within 48 hours of becoming aware of the breach;
- Provide information in accordance with Article 33(3) of the UK GDPR, including the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
6. Sub-processors
A current list of sub-processors is maintained at tactful.ai/sub-processors.
Tactful Ltd will provide 30 business days' notice prior to engaging any new sub-processor or making material changes to existing sub-processors. Customers have the right to object to new sub-processors during this notice period.
Tactful Ltd remains responsible for ensuring that all sub-processors provide equivalent data protection guarantees and comply with obligations equivalent to those set out in this DPA.
7. International Data Transfers
Where personal data is transferred outside the UK or the European Economic Area, Tactful Ltd will ensure appropriate safeguards are in place, including:
- UK International Data Transfer Agreements (IDTA);
- EU Commission Standard Contractual Clauses; and/or
- Such other supplementary measures as are required to ensure an equivalent level of protection.
8. Data Subject Rights
Tactful Ltd will assist the Customer in fulfilling its obligations to respond to data subject rights requests under applicable Data Protection Legislation, including requests to access, correct, erase, restrict, or transfer personal data.
9. Return and Deletion of Data
Upon termination or expiry of the agreement, or upon request from the Customer, Tactful Ltd will, at the Customer's election:
- Return all personal data to the Customer in a structured, commonly used, and machine-readable format; or
- Securely delete or destroy all personal data processed on behalf of the Customer,
and certify in writing that it has done so, unless applicable law requires continued storage of the personal data.
10. Liability Limits
10.1 Liability arising under or in connection with this DPA is subject to, and counts towards, the limitations and exclusions of liability set out in clause 15 of the EULA. Nothing in this DPA creates a separate or additional pool of liability.
10.2 Without prejudice to clause 10.1, Tactful Ltd's total aggregate liability arising out of or in connection with this DPA in respect of direct damages shall in no event exceed EUR 500,000 (the "DPA Ceiling"). For clarity: where the cap under clause 15.4 of the EULA (total Fees paid in the relevant Contract Year) is lower than the DPA Ceiling, that lower amount applies; the DPA Ceiling operates solely as the maximum amount recoverable in any event.
10.3 Indirect and consequential damages are excluded to the fullest extent permitted by applicable law.
10.4 Nothing in this DPA excludes or limits either party's liability which cannot be excluded or limited under applicable law, including liability for fraud or fraudulent misrepresentation, or for death or personal injury caused by negligence.
11. Audit Rights
The Customer (or its appointed auditor) may, upon reasonable prior written notice and no more than once per calendar year, audit Tactful Ltd's compliance with this DPA. Tactful Ltd will cooperate with such audits and provide access to all information reasonably necessary to demonstrate compliance.
12. Governing Law
This DPA, and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims), is governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA.
13. Version and Applicability
This version of the DPA is effective from 3 July 2026 and applies to:
- (a) Order Forms executed on or after 3 July 2026; and
- (b) Renewal Periods commencing on or after 3 July 2026.
Order Forms executed before 3 July 2026 remain governed, for the remainder of their then-current Term or Renewal Period, by the version of this DPA dated 5 January 2024, which remains available at tactful.ai/dpa/2024-01-05.
Version History
| Version | Effective | Changes |
|---|---|---|
| 3 July 2026 (this version) | 3 July 2026 | Clause 10 (Liability Limits) restated to clarify the interaction with clause 15 of the EULA — the EUR 500,000 figure operates as an overall ceiling, with liability otherwise subject to the EULA cap — and to state the statutory non-excludable liabilities. Clause 12 (Governing Law) restated as the laws of England and Wales with the exclusive jurisdiction of the courts of England and Wales. Section 2 (Scope of Data Processing) updated to describe the current Product(s). New Section 13 (Version and Applicability). |
| 5 January 2024 | 5 January 2024 | Prior version — applies to Order Forms executed before 3 July 2026 (see Section 13). |
Tactful Ltd trading as Tactful AI. Registered in England — Company No: 10279888. The Venture Centre, Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, United Kingdom, CB25 9PB.