Data Processing Agreement

Last updated: February 2026

1. Introduction

This Data Processing Agreement ("DPA") supplements the TradeHalo Terms of Service and governs the processing of personal data where TradeHalo Ltd acts as a data processor on behalf of the customer (the data controller).

This DPA is governed by the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. Both parties commit to comply with all applicable data protection laws and regulations.

2. Definitions

For the purposes of this DPA:

Controller means the tradesperson or business using TradeHalo who determines the purposes and means of processing personal data.
Processor means TradeHalo Ltd, which processes personal data on behalf of the Controller.
Data Subject means the Controller's customers whose calls are handled by TradeHalo and whose personal data is processed.
Personal Data means any information relating to Data Subjects, including but not limited to: customer names, phone numbers, addresses, call recordings, appointment details, and any other information provided during calls or interactions.
Sub-processor means any third party engaged by TradeHalo to process personal data on behalf of the Controller.

3. Scope of Processing

TradeHalo processes personal data solely to provide the TradeHalo service to the Controller. This includes:

Answering phone calls from the Controller's customers
Creating and managing appointment bookings
Sending SMS notifications to customers
Syncing appointments with the Controller's calendars
Generating call summaries and transcripts
Storing call recordings and related metadata

TradeHalo will not process personal data for any purpose other than as instructed by the Controller through the use of the TradeHalo service.

4. Obligations of the Processor

TradeHalo undertakes to:

Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organisation, unless required to do so by UK law.
Ensure that persons authorised to process personal data are bound by confidentiality obligations.
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Section 7 of this DPA.
Assist the Controller in responding to requests from Data Subjects exercising their rights under data protection law.
Assist the Controller in ensuring compliance with obligations regarding security, breach notifications, and data protection impact assessments.
Delete or return all personal data to the Controller on termination of services, subject to legal retention requirements.
Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 10.

5. Sub-processors

The Controller provides general authorisation for TradeHalo to engage sub-processors to assist in providing the service. TradeHalo's current sub-processors are:

Twilio Inc (USA) — Phone call handling and SMS messaging
Stripe Inc (USA) — Payment processing
Google LLC (USA) — Calendar synchronisation and Maps API services
Anthropic PBC (USA) — AI conversation processing and call understanding
Twilio SendGrid (USA) — Transactional email delivery
Functional Software Inc / Sentry (USA) — Error monitoring and application performance

TradeHalo will notify the Controller of any intended changes concerning the addition or replacement of sub-processors. The Controller may object to such changes within 14 days of notification on reasonable grounds relating to data protection.

All sub-processors are bound by written agreements that impose data protection obligations equivalent to those in this DPA, including appropriate technical and organisational security measures.

6. International Transfers

Personal data may be transferred to sub-processors located in the United States of America and other countries outside the United Kingdom.

All international transfers of personal data are protected by appropriate safeguards, including:

UK International Data Transfer Agreement (IDTA)
Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
UK adequacy decisions where applicable

Supplementary measures to protect data during international transfers include encryption in transit (TLS 1.2 or higher) and encryption at rest for all personal data stored by sub-processors.

7. Security Measures

TradeHalo implements appropriate technical and organisational measures to protect personal data, including:

Encryption: TLS 1.2 or higher for data in transit; AES-256 encryption for data at rest
Tenant Data Isolation: Separate database instances per tenant to prevent cross-contamination of data
Access Controls: Multi-factor authentication and role-based access controls for administrative access
Backups: Regular automated backups with encryption and secure storage
Monitoring: Continuous incident monitoring and alerting via Sentry error tracking
Security Updates: Regular application of security patches and updates to infrastructure

These measures are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

8. Data Breach Notification

In the event of a personal data breach, TradeHalo will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

The notification will include, to the extent known:

The nature of the personal data breach, including the categories and approximate number of Data Subjects and personal data records affected
The likely consequences of the breach
The measures taken or proposed to be taken to address the breach and mitigate its potential adverse effects
The name and contact details of TradeHalo's data protection contact point

TradeHalo will cooperate with the Controller and provide reasonable assistance in investigating and mitigating the breach.

9. Data Subject Rights

TradeHalo will assist the Controller in responding to requests from Data Subjects exercising their rights under data protection law, including:

Right of access to their personal data
Right to rectification of inaccurate personal data
Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to data portability
Right to object to processing

TradeHalo will not respond directly to Data Subject requests unless instructed to do so by the Controller. All Data Subject requests received by TradeHalo will be forwarded to the Controller promptly.

The Controller is responsible for verifying the identity of Data Subjects making requests and determining the appropriate response under applicable law.

10. Audit Rights

The Controller may request information from TradeHalo to demonstrate compliance with the obligations in this DPA.

The Controller may conduct audits, including inspections, at the Controller's own expense and with reasonable advance notice (at least 30 days). Such audits must not unreasonably interfere with TradeHalo's business operations.

TradeHalo may provide SOC 2 Type II reports, ISO 27001 certifications, or equivalent third-party audit reports in lieu of an on-site audit, where such reports adequately address the Controller's audit requirements.

11. Term and Termination

This DPA is effective for the duration of the TradeHalo service agreement between the parties.

Upon termination of the service agreement, TradeHalo will delete all personal data within 30 days, unless:

The Controller requests return of the data in a commonly used format
UK law requires TradeHalo to retain certain data (such as for tax or accounting purposes)
The data has been anonymised and can no longer identify Data Subjects

TradeHalo will provide written confirmation of data deletion upon request.

12. Contact

For all data protection enquiries, including questions about this DPA, sub-processor changes, or data subject requests, please contact:

TradeHalo Ltd
Email: hello@tradehalo.co.uk

We aim to respond to all data protection enquiries within 48 hours during business days.