Data Protection Addendum
Governing the processing of personal data by Tactful Ltd as data processor
Last updated: January 5, 2024
1. Key Parties and Roles
Data Processor: Tactful Ltd, The Venture Centre, Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, United Kingdom, CB25 9PB (Company No: 10279888).
Data Controller: The Customer, as identified in the relevant Order Form.
This Data Protection Addendum ("DPA") forms part of the agreement between the parties and governs the processing of personal data by Tactful Ltd on behalf of the Customer in connection with the Product(s) specified in the Order Form. It is effective from January 5, 2024.
2. Scope of Data Processing
The following categories of personal data may be processed under this DPA, depending on the Product(s) in use:
| Service | Personal Data Processed |
|---|---|
| Greeting Bot | Name |
| Ordering Bot | Name, address, email address, phone number, order details |
| FAQ & Search Services | No personal data processed |
3. Customer Obligations
The Customer, as Data Controller, must:
- Comply with all applicable Data Protection Legislation in respect of the personal data processed under this DPA;
- Ensure that all instructions given to Tactful Ltd regarding the processing of personal data are lawful; and
- Ensure that the personal data is accurate and that its transfer to Tactful Ltd for processing is permitted under applicable law.
4. Data Security Measures
Tactful Ltd implements appropriate technical and organisational measures to protect personal data, including:
- Role-based access controls limiting access to authorised personnel only;
- Background checks on employees with access to personal data;
- Encryption of personal data in transit and at rest;
- Annual security training for all relevant staff;
- Regular vulnerability assessments and penetration testing; and
- Multi-layered security controls across infrastructure and applications.
5. Data Breach Notification
In the event of a personal data breach, Tactful Ltd will:
- Notify the Customer within 48 hours of becoming aware of the breach; and
- Provide information in accordance with Article 33(3) of the UK GDPR, including the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
6. Sub-processors
A current list of sub-processors is maintained at tactful.ai/sub-processors.
Tactful Ltd will provide 30 business days' notice prior to engaging any new sub-processor or making material changes to existing sub-processors. Customers have the right to object to new sub-processors during this notice period.
Tactful Ltd remains responsible for ensuring that all sub-processors provide equivalent data protection guarantees and comply with obligations equivalent to those set out in this DPA.
7. International Data Transfers
Where personal data is transferred outside the UK or the European Economic Area, Tactful Ltd will ensure appropriate safeguards are in place, including:
- UK International Data Transfer Agreements (IDTA);
- EU Commission Standard Contractual Clauses; and/or
- Such other supplementary measures as are required to ensure an equivalent level of protection.
8. Data Subject Rights
Tactful Ltd will assist the Customer in fulfilling its obligations to respond to data subject rights requests under applicable Data Protection Legislation, including requests to access, correct, erase, restrict, or transfer personal data.
9. Return and Deletion of Data
Upon termination or expiry of the agreement, or upon request from the Customer, Tactful Ltd will, at the Customer's election:
- Return all personal data to the Customer in a structured, commonly used, and machine-readable format; or
- Securely delete or destroy all personal data processed on behalf of the Customer,
and certify in writing that it has done so, unless applicable law requires continued storage of the personal data.
10. Liability Limits
Tactful Ltd's total liability under this DPA in respect of direct damages is capped at €500,000.
Indirect and consequential damages are excluded to the fullest extent permitted by applicable law.
11. Audit Rights
The Customer (or its appointed auditor) may, upon reasonable prior written notice and no more than once per calendar year, audit Tactful Ltd's compliance with this DPA. Tactful Ltd will cooperate with such audits and provide access to all information reasonably necessary to demonstrate compliance.
12. Governing Law
This DPA is governed by the laws of the United Kingdom. The courts of the United Kingdom shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.
Tactful Ltd trading as Tactful AI. Registered in England — Company No: 10279888. The Venture Centre, Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, United Kingdom, CB25 9PB.