1. Definitions
In this DPA the following terms have the meanings set out below. All other capitalised terms have the meanings given in the Terms of Service.
- Controller: The Customer — the natural or legal person who determines the purposes and means of processing Talent Data.
- Processor: jaluru — processing Talent Data on behalf of the Controller in accordance with this DPA.
- Sub-processor: Any third party engaged by the Processor to carry out processing activities on behalf of the Controller in connection with the Services.
- Data Subject: Any identified or identifiable natural person to whom Talent Data or Platform user data relates.
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- UK GDPR: The UK General Data Protection Regulation (the EU GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, as amended) and the UK Data Protection Act 2018.
- Standard Contractual Clauses / UK IDTA: The International Data Transfer Agreement approved by the UK Information Commissioner's Office, or equivalent transfer mechanism approved under UK GDPR, used to safeguard transfers of personal data to third countries.
2. Scope and Instructions
2.1 The Processor will process Talent Data only on the documented instructions of the Controller. The Controller's instructions are: (a) these Terms of Service and this DPA; (b) the Customer's configuration of the Platform (including survey setup, Talent records, and retention settings); and (c) any additional written instructions provided by the Customer from time to time.
2.2 If the Processor is required by applicable law to process Talent Data other than in accordance with the Controller's instructions, the Processor will inform the Controller of that requirement before processing (unless the law prohibits such notification on grounds of public interest).
2.3 The Processor will promptly inform the Controller if, in the Processor's reasonable opinion, an instruction infringes UK GDPR or other applicable data protection law. In such a case, the Processor may suspend processing pending clarification.
3. Details of Processing
The following table sets out the details of processing required by Article 28(3) UK GDPR.
| Element | Detail |
|---|---|
| Subject matter | HR voice AI services: inbound absence tracking calls, outbound survey calls, call transcription, AI analysis, reporting, and talent management |
| Nature of processing | Collection, recording, storage, transmission, transcription, AI-assisted analysis and scoring, aggregation, generation of reports, and deletion of personal data |
| Purpose | To provide the Services to the Controller as described in the Terms of Service; to generate AI summaries, PDF reports, and analytics on behalf of the Controller |
| Duration | For the term of the Agreement, plus the 30-day export period following termination, plus up to 30 days for secure deletion (subject to any legal retention obligations) |
| Data subjects | Talent: employees, workers, and contractors of the Customer whose data is processed through the Platform |
| Categories of personal data | Names; mobile telephone numbers; employment details (Store, role, tenure); voice recordings of AI-conducted calls; call transcripts; AI-generated conversation summaries and scores; survey responses and performance data; absence records (type, dates, duration, reasons); PDF reports including SSP reports; preferred call language |
| Special categories of data (Article 9 UK GDPR) | Health data: sickness absence records and self-reported health information provided voluntarily by Talent during absence tracking calls. The Controller is responsible for establishing and documenting the lawful basis for processing special category data (e.g. Schedule 1 DPA 2018, employment and occupational medicine purposes). |
4. Confidentiality of Processing
4.1 The Processor will ensure that all personnel who have access to Talent Data are subject to binding confidentiality obligations (whether contractual or statutory) and are trained on their data protection responsibilities.
4.2 Access to Talent Data is granted on a strict need-to-know basis. The Processor will revoke access promptly when it is no longer required.
5. Security Measures
5.1 The Processor will implement and maintain appropriate technical and organisational security measures in accordance with Article 32 UK GDPR, taking into account the nature of the processing and the risks to Data Subjects. Current measures include:
- Encryption of personal data in transit using TLS 1.2 or higher
- Encryption of personal data at rest using AES-256 (AWS-managed keys)
- Role-based access controls; multi-factor authentication enforced for all Platform users
- Identity and access management via a managed cloud authentication service (AWS Cognito)
- HMAC-SHA256 signature verification for all inbound webhook data (transcripts and call status updates)
- Logically segregated AWS environments for development and production (separate AWS accounts)
- Regular review of access permissions; access removed upon personnel departure
- Periodic penetration testing; findings remediated on a risk-prioritised basis
- Documented incident response procedure
5.2 The Processor reserves the right to update security measures over time, provided the level of protection is not materially reduced.
6. Sub-processors
6.1 Authorisation. The Controller provides general written authorisation for the Processor to engage the Sub-processors listed in section 6.3. The Processor will ensure each Sub-processor is bound by data processing obligations equivalent to those in this DPA.
6.2 New Sub-processors. The Processor will give the Controller at least 30 days' written notice before engaging any new Sub-processor that will process Talent Data. The Controller may object in writing within 14 days of that notice. If the Processor cannot accommodate the objection without materially altering the Services, the Controller may terminate the Agreement on written notice.
6.3 Approved Sub-processors.
| Sub-processor | Country | Service provided | Data processed |
|---|---|---|---|
| Amazon Web Services (AWS) | United Kingdom (eu-west-2, London) | Cloud infrastructure: compute (Lambda), database (DynamoDB), object storage (S3), queuing (SQS), authentication (Cognito), content delivery (CloudFront) | All Talent Data and Platform user data |
| ElevenLabs Inc. | United States | AI voice conversation engine; call transcript generation | Voice recordings, call transcripts, AI conversation outputs |
| Twilio Inc. | United States | Telephony infrastructure: inbound and outbound voice calls | Talent phone numbers, call metadata, call audio |
| Amazon Web Services — AWS Bedrock | United States (us-east-1) | AI analysis and scoring of call transcripts (Claude Haiku large language model) | Call transcripts |
6.4 The Processor remains responsible to the Controller for the performance of Sub-processor obligations under this DPA.
7. Data Subject Rights
7.1 The Processor will, upon becoming aware that a Data Subject has submitted a request to exercise a right under UK GDPR (such as a right of access, erasure, restriction, rectification, or portability) directly to the Processor, promptly notify the Controller.
7.2 The Processor will provide reasonable technical and organisational assistance to enable the Controller to fulfil its obligations to respond to Data Subject requests, including by providing access to, or deletion of, specific Talent records on the Controller's written instruction.
7.3 The Controller is responsible for responding to Data Subjects within the timescales required by UK GDPR (generally one calendar month from receipt of the request).
8. Assistance with Controller's Obligations
Taking into account the nature of the processing and the information available to it, the Processor will provide reasonable assistance to the Controller in complying with its obligations under UK GDPR in relation to:
- Security (Article 32) — by maintaining the measures described in section 5 and providing relevant security information on request;
- Breach notification (Articles 33–34) — by notifying the Controller promptly as described in section 9;
- Data Protection Impact Assessments (Article 35) — by providing reasonably requested information about the Platform's processing activities where the Controller identifies a high-risk processing activity requiring a DPIA; and
- Prior consultation (Article 36) — by providing information to support any consultation with the ICO where required.
9. Personal Data Breach Notification
9.1 Upon becoming aware of a confirmed Personal Data Breach affecting Talent Data, the Processor will notify the Controller without undue delay and, where feasible, no later than 72 hours after becoming aware.
9.2 The notification will include, to the extent then known:
- a description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected;
- the name and contact details of the Processor's data protection contact;
- a description of the likely consequences of the breach; and
- a description of the measures taken or proposed to address the breach, including to mitigate its possible adverse effects.
9.3 Where all required information is not available at the time of initial notification, the Processor will provide it in phases as soon as reasonably practicable.
9.4 The Processor will not make any public statement or communication regarding a breach involving Talent Data without the Controller's prior written consent, except as required by applicable law.
9.5 Notification under this section does not constitute an acknowledgement of fault or liability by the Processor.
10. Retention and Deletion
10.1 The Processor will retain Talent Data for the periods set out below and will securely delete it thereafter:
| Data type | Default retention period | Customer-configurable? |
|---|---|---|
| Voice recordings | 90 days from the date of the call | Yes — the Customer may reduce the retention window in Platform settings. Recordings are automatically and permanently deleted after the configured period. |
| Call transcripts and AI summaries | Duration of the account | No (deleted on account closure) |
| PDF reports (including SSP reports) | Duration of the account | No |
| Absence and survey records | Duration of the account | No |
| Talent profile records | Duration of the account | Individual records may be deleted by the Customer at any time via the Platform |
10.2 Deletion on termination. Following termination of the Agreement, the Customer will have a 30-day export period to download Customer Data via the Platform's export function. After that period, the Processor will securely delete all remaining Talent Data within 30 days.
10.3 Certification. On written request, the Processor will provide written confirmation that deletion has been completed.
10.4 Exceptions. The Processor may retain Talent Data beyond the periods above only to the extent required by applicable law (for example, financial records required for tax purposes). In such cases the Processor will retain only the minimum data necessary and will continue to protect it in accordance with this DPA.
11. Audit Rights
11.1 Upon reasonable written notice of at least 30 days, the Processor will make available to the Controller (or its authorised auditors) the information reasonably necessary to demonstrate compliance with this DPA. Audits may be conducted no more than once per 12-month period, unless required by a supervisory authority.
11.2 The Processor may satisfy audit obligations by providing relevant third-party audit reports, penetration test summaries, security certifications, or equivalent documentation in lieu of granting on-site access, at its reasonable discretion.
11.3 The Controller shall bear its own costs of exercising audit rights. The Processor may charge reasonable costs to the Controller for significant time spent facilitating an audit.
12. International Data Transfers
12.1 Talent Data is stored primarily on AWS infrastructure in the United Kingdom (eu-west-2, London). No Talent Data is transferred outside the UK for primary storage.
12.2 Certain Sub-processors are located in the United States and require transfers of Talent Data outside the UK for the specific processing functions described in section 6.3. The Processor ensures that all such transfers are made under appropriate safeguards as required by UK GDPR, specifically:
- International Data Transfer Agreements (UK IDTAs) or equivalent Standard Contractual Clauses approved by the UK Information Commissioner's Office; or
- Any other legally permitted transfer mechanism applicable under UK GDPR.
12.3 The Controller, by entering into this DPA, authorises the transfers to the Sub-processors listed in section 6.3 subject to the safeguards described in section 12.2. The Controller may request further information about the specific transfer mechanisms in place by contacting privacy@jaluru.com.
13. Governing Law
13.1 This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.
13.2 This clause takes precedence over clause 17.8 of the Terms of Service solely in respect of matters relating to data protection and this DPA.
14. General
14.1 Order of precedence. In the event of a conflict between this DPA and the Terms of Service on matters relating to the processing of personal data, this DPA will prevail.
14.2 Entire agreement on data processing. This DPA constitutes the complete agreement between the parties in respect of jaluru's processing of Talent Data and supersedes all prior agreements, representations, or understandings on that subject.
14.3 Amendments. jaluru may update this DPA by giving the Customer at least 30 days' written notice where changes are necessary to reflect changes in applicable data protection law or the Sub-processor list. Continued use of the Platform after the effective date of the changes constitutes acceptance.
14.4 Contact. Data protection enquiries relating to this DPA should be directed to privacy@jaluru.com.