Data Processing Agreement

Last updated: 9 July 2026

1. Parties

This DPA forms part of the Terms of Service between Ringby UK ("Processor") and the Customer ("Controller"). Both parties agree to comply with their respective obligations under UK GDPR, the Data Protection Act 2018, and other applicable data protection laws.

2. Scope & Duration

This DPA applies to the processing of personal data by Ringby on behalf of the Customer when providing the Service. It remains in effect for the duration of the Customer's subscription and for a reasonable period afterward to allow for data retrieval or deletion.

3. Categories of Data Processed

  • End User Personal Data. Names, phone numbers, email addresses, and any other personal information disclosed during AI phone calls or web chat conversations.
  • Call Recordings and Transcripts. Audio recordings and AI-generated transcripts of phone calls handled by the AI agent.
  • Chat Messages. Text content of web chat interactions including any personal data voluntarily provided.
  • Appointment Data. Scheduled appointments, service requests, and related communications.

4. Data Subjects

The personal data processed concerns the Customer's end users, customers, and prospective customers. Typically individuals contacting the Customer for home service enquiries, appointments, or support.

5. Processor Obligations

Ringby will:

  • Process personal data only on documented instructions from the Customer, unless required to do otherwise by applicable law.
  • Ensure that persons authorised to process the data are subject to a duty of confidentiality.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 8).
  • Not engage any sub-processor without prior notice and the option for the Customer to object.
  • Assist the Customer in fulfilling their obligations regarding data subject rights, data breach notifications, and data protection impact assessments.
  • Delete or return all personal data at the end of the Service, at the Customer's choice.
  • Make available all information necessary to demonstrate compliance with this DPA.

6. Controller Obligations

The Customer will:

  • Ensure that the processing of personal data, and the instructions given to Ringby, comply with applicable data protection laws.
  • Obtain all necessary consents from End Users for the recording of calls and processing of their personal data through the Service.
  • Provide clear privacy notices to End Users explaining how their data is collected and processed through Ringby.
  • Maintain a record of processing activities under its own responsibility.

7. Sub-processors

The Customer authorises Ringby to engage the following sub-processors:

  • Clerk. Authentication and user identity management (USA). SCCs in place.
  • Neon. Postgres database hosting (USA/EU). SCCs in place.
  • Vercel Inc.. Hosting and infrastructure (USA/EU). SCCs in place.
  • Stripe Inc.. Payment processing (USA). SCCs in place.
  • Twilio Inc.. Telephony and call routing services (USA). SCCs in place.
  • ElevenLabs. Text to speech processing for AI voice (USA). SCCs in place (applicable only when AI phone agent feature is active).

Ringby will notify the Customer at least 14 days before adding or replacing any sub-processor, giving the Customer an opportunity to object.

8. Technical & Organisational Security Measures

  • Encryption at rest. All data stored in Neon is encrypted using AES-256.
  • Encryption in transit. All API traffic is TLS 1.3 encrypted.
  • Access controls. Strict role-based access to production systems. Multi-factor authentication required for all infrastructure access.
  • Incident response. 24/7 security monitoring with documented incident response procedures.
  • Regular audits. Annual security assessments and penetration testing.
  • Data minimisation. We collect and retain only the data necessary to provide the Service.
  • Staff training. All employees receive data protection and security awareness training.

9. Data Breach Notification

Ringby will notify the Customer without undue delay upon becoming aware of a personal data breach affecting the Customer's data. We will provide reasonable information to assist the Customer in meeting their own breach notification obligations under Article 33 of UK GDPR.

10. Data Subject Rights

Ringby will assist the Customer in responding to data subject requests (access, rectification, erasure, portability, restriction, objection). Where an End User contacts Ringby directly with a request, we will forward it to the Customer promptly.

11. International Transfers

Where personal data is transferred outside the UK or EEA to sub-processors, we have implemented Standard Contractual Clauses (SCCs) and, where necessary, supplementary measures and Transfer Impact Assessments to ensure an equivalent level of protection.

12. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13. Contact

Data Protection enquiries: dpo@ringby.co.uk