NEUTROPY — DATA PROCESSING AGREEMENT (DPA)

Last updated: 05 January 2026

SCOPE

This DPA applies where Neutropy processes personal data on behalf of a business customer as part of the Services.

Parties
(1) The customer identified in the order/subscription (“Customer”, “Controller”); and
(2) Neutropy, operating from Ireland (“Neutropy”, “Processor”).
Contact (for this DPA)

1) DEFINITIONS

“Customer Data” means personal data processed by Neutropy on behalf of Customer in providing the Services.

Terms “personal data”, “processing”, “controller”, “processor”, “data subject”, “personal data breach” have the meanings in GDPR.

2) SUBJECT MATTER, DURATION, NATURE, PURPOSE

Subject matter: provision of AI receptionist / conversational automation services, including call handling, transcription, routing, messaging, booking actions, and analytics.

Duration: the term of the Services plus deletion/return period described in Section 10.

Nature of processing: recording, transcription, storage, structuring, retrieval, use, disclosure (to Customer and authorised sub-processors), deletion.

Purpose: to provide and support the Services as instructed by Customer.

3) ROLES

Customer is the Controller of Customer Data.

Neutropy is the Processor of Customer Data.

4) PROCESSOR OBLIGATIONS

4.1 Instructions

Neutropy processes Customer Data only on documented instructions from Customer (including those inherent in Customer’s configuration and use of the Services), unless required by law.

4.2 Confidentiality

Neutropy ensures persons authorised to process Customer Data are bound by confidentiality.

4.3 Security

Neutropy implements appropriate technical and organisational measures (TOMs) described in Annex 2.

4.4 Sub-processing

Customer authorises Neutropy to engage sub-processors listed in Annex 3 and on the published Sub-Processors List.

Neutropy will impose data protection obligations on sub-processors that are no less protective than this DPA.

4.5 Assistance

Neutropy will assist Customer (taking account of the nature of processing) with:

  • data subject requests;
  • breach response obligations;
  • DPIAs/consultations where applicable;
  • information reasonably required to demonstrate compliance.

4.6 Breach notification

Neutropy will notify Customer without undue delay after becoming aware of a personal data breach involving Customer Data, and provide information reasonably required for Customer’s notifications.

4.7 International transfers

Where Customer Data is transferred outside the EEA/UK, Neutropy will ensure appropriate safeguards (such as Standard Contractual Clauses) are in place.

4.8 No sale

Neutropy will not sell Customer Data.

4.9 Training and improvement (Customer choice locked to 7A)

Neutropy will NOT use Customer Data to train models or systems for the benefit of other customers.

Neutropy may use Customer Data only to:

  • (a) provide the Services to Customer; and
  • (b) maintain and improve the Services for Customer’s instance (e.g., fixing issues, improving flows), while minimising personal data and using aggregated metrics where possible.

5) CONTROLLER OBLIGATIONS

Customer warrants that it:

  • provides appropriate notices to callers/end-users (including any call recording/AI notice where required);
  • has a lawful basis for processing (including special category data where applicable);
  • will only instruct Neutropy to process Customer Data in compliance with GDPR and applicable ePrivacy rules;
  • will not provide unlawful instructions.

6) DATA SUBJECT REQUESTS

If Neutropy receives a request directly from a data subject relating to Customer Data, Neutropy will (unless legally prohibited) promptly notify Customer and not respond except on Customer’s instructions.

7) AUDITS

On reasonable prior notice, Customer may audit Neutropy’s compliance with this DPA no more than once per 12 months, subject to confidentiality and minimal disruption. Neutropy may satisfy audits by providing independent security materials where available.

8) DELETION / RETURN

Upon termination, Customer may request return or deletion of Customer Data. Neutropy will delete or return Customer Data unless retention is required by law.

9) LIABILITY

Liability allocation follows the main agreement, unless prohibited by law.

10) RETENTION DEFAULTS (PROCESSOR DATA)

Default retention (unless Customer configures otherwise):

  • call audio/transcripts: 90 days
  • call metadata (timestamps, routing/outcomes): 12 months
  • backups (where applicable): 30 days

11) ANNEX 1 — CATEGORIES OF DATA, DATA SUBJECTS, PROCESSING

Data subjects

  • Customer’s callers and end-users
  • Customer’s staff and authorised users of the platform
  • Customer’s leads/contacts stored in CRM/booking systems

Categories of personal data

  • identity/contact: name, phone number, email (where captured)
  • call content: audio and transcript
  • metadata: timestamps, call duration, routing, outcome, telephony identifiers
  • booking details: requested date/time, notes, preferences
  • configuration data: scripts/prompts/business rules and integration tokens (where applicable)

Special categories (possible)

health or other sensitive information spoken during calls (depending on Customer’s industry)

Processing operations

recording, transcription, summarisation, routing, messaging, booking actions, analytics, storage, deletion.

12) ANNEX 2 — TECHNICAL AND ORGANISATIONAL MEASURES (TOMS)

Measures include:

  • encryption in transit (TLS)
  • access controls and least-privilege access
  • multi-factor authentication for administrative access
  • logging/monitoring and incident handling processes
  • vendor due diligence and contractual safeguards
  • controlled retention and deletion practices

13) ANNEX 3 — APPROVED SUB-PROCESSORS

The approved sub-processors are those listed in Neutropy’s published Sub-Processors List (as updated):

  • Twilio
  • Stripe
  • Google Analytics
  • Meta (Facebook/Instagram)
  • OpenAI
  • Anthropic (Claude)
  • Google (Gemini)

Contact: luke@neutropy.ai