The full DPA at getsmartalex.com/legal/data-processing-addendum-dpa is the authoritative version and prevails over anything on this page. It is version 1.1, effective 1 June 2026, and is incorporated into the SmartAlex Terms of Service.
Scope and applicable law
The DPA applies wherever SmartAlex processes personal data on your behalf. It is built to satisfy Article 28 of the GDPR and the equivalent requirements of the other laws it covers, including:- the Personal Data Protection Act 2012 of Singapore (PDPA)
- the EU General Data Protection Regulation and the UK GDPR
- the Swiss Federal Act on Data Protection (FADP)
- the Protection of Personal Information Act 2013 of South Africa (POPIA)
Controller and processor roles
The DPA draws a clear line between the data SmartAlex handles on your instructions and the limited data it handles for its own operational purposes.
The two roles stay separate: SmartAlex does not repurpose data it holds as your processor for its own controller purposes, and it does not treat your instructions as the basis for that controller processing.
As your processor, SmartAlex will not sell or share your personal data, will not retain, use or disclose it for any purpose other than performing the Services, and will not combine it with data from another source, except on your documented instructions or where required by law.
Purposes of processing
SmartAlex processes personal data on your behalf only to operate the Services as you configure them. That includes:- placing and receiving calls over the public telephone network, and carrying real-time call media
- recording, transcribing and analysing call audio, and synthesising agent speech
- managing contacts and contact lists, and running outbound calling and messaging campaigns
- generating call outcomes, summaries, qualifications and analytics, and storing and retrieving the above
The model-training wall
The speech and language AI providers that transcribe, synthesise and analyse your calls do not use the customer data passed through the Services to train their models. Where such a provider retains data at all, it does so only for the limited period recorded in the sub-processor list, after which it is deleted at that provider’s layer.
Security measures
SmartAlex maintains appropriate technical and organisational measures, calibrated to the state of the art, the nature of the processing and the risk to individuals. The measures are set out in full in Annex 2 of the DPA.Encryption
Encryption
Personal data is encrypted in transit using current TLS, and at rest in databases, object storage and backups using strong, industry-standard algorithms. Call media is carried over encrypted channels.
Access control and least privilege
Access control and least privilege
Access is restricted to authorised personnel on a need-to-know basis, using role-based access controls, unique credentials, least privilege, and multi-factor authentication for administrative access. Rights are reviewed periodically and revoked promptly on role change or departure.
Tenant isolation
Tenant isolation
The platform is multi-tenant and enforces logical separation of each customer’s data, including row-level controls that scope every data access to the authorised tenant.
Network, logging and monitoring
Network, logging and monitoring
Production systems sit behind network controls, firewalls and segmentation, and are not directly exposed except through controlled interfaces. Access to and changes affecting personal data are logged, logs are protected against tampering, and systems are monitored for security events and anomalies.
Resilience, backups and secure development
Resilience, backups and secure development
Data is backed up to support timely restoration after an incident, and restoration is tested periodically. Changes follow a secure development lifecycle with code review, dependency and vulnerability management, and separation of duties between development and production.
Minimisation, personnel and sub-processor assurance
Minimisation, personnel and sub-processor assurance
Data is minimised to what the Services require, and pseudonymised or de-identified where practicable for testing and analytics. Personnel are bound by confidentiality and trained for their role. Sub-processors are assessed before engagement and bound to equivalent obligations by written contract.
Security overview
Read how the platform is secured, end to end.
International data transfers
SmartAlex and its sub-processors may process personal data in countries other than the one in which it was collected. Where a transfer is a restricted transfer, an appropriate safeguard is put in place so the data receives protection essentially equivalent to that in the country of export, supported by encryption in transit and at rest and strict access controls.
Where the destination benefits from an adequacy decision, or where a provider is certified under a recognised transfer framework, that mechanism may be relied on instead for as long as it remains valid. If a mechanism is invalidated, the parties work in good faith to put an alternative in place without undue delay. A copy of the relevant safeguards, with commercially sensitive terms redacted, is available on request from privacy@getsmartalex.com.
Personal data breach notification
1
Notify within 72 hours
SmartAlex notifies you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting personal data it processes on your behalf.
2
Describe what is known
The notice describes the nature of the breach, the categories and approximate number of data subjects and records concerned where known, the likely consequences, and the measures taken or proposed to address it and mitigate its effects.
3
Follow up and cooperate
Further detail follows in phases as the investigation progresses. SmartAlex documents the facts and cooperates so you can meet your own notification obligations to authorities and data subjects.
Sub-processors and your objection right
You give SmartAlex general written authorisation to engage sub-processors, each bound by written contract to data-protection obligations equivalent in substance to those in the DPA. SmartAlex remains fully responsible to you for each sub-processor’s performance.- The current sub-processors, the processing each performs, the categories of data each handles and the safeguards that apply are published and kept current.
- SmartAlex updates that list and emails your designated contact at least 30 days before a new or replacement sub-processor begins processing personal data.
- You may object on reasonable data-protection grounds within 30 days. The parties work in good faith to resolve the objection. If it cannot be resolved, you may terminate the part of the Services that cannot be provided without the sub-processor in question, as your sole and exclusive remedy.
Sub-processor list
See the current sub-processors by category and the safeguards applied to each.
Data subject requests
Taking into account the nature of the processing, SmartAlex assists you in responding to requests from individuals to exercise their rights of access, rectification, erasure, restriction, portability and objection, and rights relating to solely automated decisions. If an individual contacts SmartAlex directly, SmartAlex notifies you without undue delay, directs the individual to you, and does not respond itself except on your instructions or where the law requires it. The DPA also confirms that SmartAlex does not make decisions based solely on automated processing that produce legal or similarly significant effects on individuals. You remain responsible for how you use the outputs of the Services in your own workflows.Compliance and data subject requests
How rights requests are handled and where to direct them.
Retention and deletion
SmartAlex retains personal data processed on your behalf only for as long as needed to provide the Services. On expiry or termination, and at your election made before or within 30 days after termination, it deletes or returns that data and deletes existing copies within 90 days, except where the law requires continued retention. Data held in routine encrypted backups is removed as those backups are overwritten on a rolling cycle that does not exceed 180 days.Signing the DPA
The DPA is incorporated into the SmartAlex Terms of Service and takes effect when you accept the Agreement, so its protections apply to every customer without separate paperwork. A signable copy is available for enterprise customers that require an executed instrument for their procurement or compliance records.The signed DPA at getsmartalex.com/legal/data-processing-addendum-dpa is the authoritative instrument for these commitments. To execute a copy or request the transfer safeguards, contact privacy@getsmartalex.com.

