Data processing

Under the General Data Protection Regulation, controllers are required to have in place a contract with each of their processors. That contract must contain certain things to be valid.

Where, for the purposes of data protection law, you are the controller of personal data, and we process those personal data on your behalf as a processor, the data processing agreement below applies to that processing.

The type of personal data for which we are your processor, and the categories of data subjects, will depend on the services in question. They are likely to include any personal data you transmit or receive via the service or store on the service, including all call recordings and voicemail. You are responsible for these.

We are not your processor in respect of any personal data which we process for our own purposes, such as for billing, customer support, or network operation and security. Where we are the controller, you can find our privacy notice here.

Data processing agreement

References in these terms to a Regulation are to regulation 2016/679/EC. References to an Article are to an Article of the Regulation. Capitalised terms in this data processing agreement have the meaning defined by the Regulation.

If, in the course of providing the services, you are a Controller and we are your Processor in respect of any Personal Data, and the Regulation or other applicable data protection law requires you or us to have these terms in place, and provided that you remain a subscriber of the services in question and are up to date with all payments due to us, we will:

• Process the Personal Data in accordance with all applicable law;
• Process the Personal Data only on your documented instructions as evidenced by your configuration of the services, including with regard to transfers of Personal Data to a third country or an international organisation;
• Unless prohibited by law, notify you if we are required by any law of the European Union or the law of one of the Member States of the European Union to act other than in accordance with your instructions or if, in our opinion, any of your instructions infringes the Regulation or other Union or Member State data protection provisions;
• Have your general authorisation to obtain other Processors and shall respect the conditions referred to in paragraphs 2 and 4 of Article 28 for any such engagement. Subject to the limitations of liability set out here, we shall be liable for the acts and omissions of our Sub-processors, and we shall ensure that the Sub-processor contract (as it relates to the Processing of Personal Data) is on terms which are substantially the same as, and in any case no less onerous than, these terms;
• Treat the Personal Data as confidential information;
• Take all measures required pursuant to Article 32;
• Taking into account the nature of the Processing, assist you, at your cost, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the Regulation;
• Provide, at your cost, reasonable assistance on written request by you in ensuring compliance with your obligations pursuant to Articles 32 to 36, taking into account the nature of Processing and the information available to us;
• At your choice and cost, delete or return all the Personal Data to you after the end of the provision of the Services relating to the Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data. Where the services automatically delete data, your choice is for us to delete the data, including any Personal Data;
• At your cost and following written agreement as to the details, make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28, and allow for and contribute to audits, including inspections, conducted by your or another auditor mandated by you; and
• Notify you without undue delay if we become aware of a Personal Data Breach for which we are responsible.

You are responsible for ensuring that your configuration of the services, your use of our services, and any services that you provide (whether to yourself or others), comply with your obligations under data protection law and any other applicable laws. You indemnify us for any breach of this term.