> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getsmartalex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Data processing & the DPA

> How SmartAlex processes customer personal data as a processor: controller and processor roles, purposes, the no model training commitment, security, international transfer safeguards, breach notification, sub-processors and data subject requests. The signed DPA is the authoritative instrument.

When you use SmartAlex to place, receive, record, transcribe and analyse calls, you remain the controller of the personal data in those interactions, and SmartAlex processes that data on your behalf as your processor. Our Data Processing Addendum (DPA) records the commitments that govern that processing. This page summarises it so you can evaluate it quickly. It is a summary, not the contract.

<Info>
  The full DPA at [getsmartalex.com/legal/data-processing-addendum-dpa](https://getsmartalex.com/legal/data-processing-addendum-dpa) is the authoritative version and prevails over anything on this page. It is version 1.1, effective 1 June 2026, and is incorporated into the SmartAlex Terms of Service.
</Info>

## Scope and applicable law

The DPA applies wherever SmartAlex processes personal data on your behalf. It is built to satisfy Article 28 of the GDPR and the equivalent requirements of the other laws it covers, including:

* the Personal Data Protection Act 2012 of Singapore (PDPA)
* the EU General Data Protection Regulation and the UK GDPR
* the Swiss Federal Act on Data Protection (FADP)
* the Protection of Personal Information Act 2013 of South Africa (POPIA)

Where you are yourself a processor acting for a third-party controller, SmartAlex acts as a sub-processor and the same obligations apply on that basis.

## Controller and processor roles

The DPA draws a clear line between the data SmartAlex handles on your instructions and the limited data it handles for its own operational purposes.

| SmartAlex as your processor (governed by the DPA)        | SmartAlex as an independent controller (governed by the [Privacy Policy](https://getsmartalex.com/legal/smartalex-privacy-policy)) |
| -------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| Call audio, recordings and transcripts                   | Account administration and authentication                                                                                          |
| Derived analyses, summaries, qualifications and outcomes | Billing and payment                                                                                                                |
| Contacts, contact lists and messages                     | Security and fraud prevention                                                                                                      |
| Campaign, configuration and knowledge-base content       | Service operation and support                                                                                                      |
| Call and message metadata                                | Product analytics on aggregated or de-identified data                                                                              |

The two roles stay separate: SmartAlex does not repurpose data it holds as your processor for its own controller purposes, and it does not treat your instructions as the basis for that controller processing.

<Note>
  As your processor, SmartAlex will not sell or share your personal data, will not retain, use or disclose it for any purpose other than performing the Services, and will not combine it with data from another source, except on your documented instructions or where required by law.
</Note>

## Purposes of processing

SmartAlex processes personal data on your behalf only to operate the Services as you configure them. That includes:

* placing and receiving calls over the public telephone network, and carrying real-time call media
* recording, transcribing and analysing call audio, and synthesising agent speech
* managing contacts and contact lists, and running outbound calling and messaging campaigns
* generating call outcomes, summaries, qualifications and analytics, and storing and retrieving the above

Your complete instructions are the Agreement, the DPA, and the configuration and feature choices you make in the product. SmartAlex will not process outside those instructions unless the law requires it.

## The model-training wall

<Note>
  The speech and language AI providers that transcribe, synthesise and analyse your calls do not use the customer data passed through the Services to train their models. Where such a provider retains data at all, it does so only for the limited period recorded in the sub-processor list, after which it is deleted at that provider's layer.
</Note>

This commitment is stated in the DPA itself and is reinforced in its sub-processor annex. It applies to the categories of provider that carry, transcribe, synthesise and interpret call content.

## Security measures

SmartAlex maintains appropriate technical and organisational measures, calibrated to the state of the art, the nature of the processing and the risk to individuals. The measures are set out in full in Annex 2 of the DPA.

<AccordionGroup>
  <Accordion title="Encryption">
    Personal data is encrypted in transit using current TLS, and at rest in databases, object storage and backups using strong, industry-standard algorithms. Call media is carried over encrypted channels.
  </Accordion>

  <Accordion title="Access control and least privilege">
    Access is restricted to authorised personnel on a need-to-know basis, using role-based access controls, unique credentials, least privilege, and multi-factor authentication for administrative access. Rights are reviewed periodically and revoked promptly on role change or departure.
  </Accordion>

  <Accordion title="Tenant isolation">
    The platform is multi-tenant and enforces logical separation of each customer's data, including row-level controls that scope every data access to the authorised tenant.
  </Accordion>

  <Accordion title="Network, logging and monitoring">
    Production systems sit behind network controls, firewalls and segmentation, and are not directly exposed except through controlled interfaces. Access to and changes affecting personal data are logged, logs are protected against tampering, and systems are monitored for security events and anomalies.
  </Accordion>

  <Accordion title="Resilience, backups and secure development">
    Data is backed up to support timely restoration after an incident, and restoration is tested periodically. Changes follow a secure development lifecycle with code review, dependency and vulnerability management, and separation of duties between development and production.
  </Accordion>

  <Accordion title="Minimisation, personnel and sub-processor assurance">
    Data is minimised to what the Services require, and pseudonymised or de-identified where practicable for testing and analytics. Personnel are bound by confidentiality and trained for their role. Sub-processors are assessed before engagement and bound to equivalent obligations by written contract.
  </Accordion>
</AccordionGroup>

On certifications, the DPA is precise: our infrastructure sub-processors maintain SOC 2 or ISO/IEC 27001 attestations, and SmartAlex is working towards SOC 2 readiness for its own operations. SmartAlex does not represent that it currently holds its own SOC 2 or ISO/IEC 27001 certification.

<Card title="Security overview" href="/security">
  Read how the platform is secured, end to end.
</Card>

## International data transfers

SmartAlex and its sub-processors may process personal data in countries other than the one in which it was collected. Where a transfer is a restricted transfer, an appropriate safeguard is put in place so the data receives protection essentially equivalent to that in the country of export, supported by encryption in transit and at rest and strict access controls.

| Jurisdiction of export | Safeguard relied on                                                                                            |
| ---------------------- | -------------------------------------------------------------------------------------------------------------- |
| EU and EEA             | EU Standard Contractual Clauses, Module Two (controller to processor) or Module Three (processor to processor) |
| United Kingdom         | The UK International Data Transfer Addendum, appended to the EU SCCs                                           |
| Switzerland            | The EU SCCs with FADP adaptations                                                                              |
| Singapore              | The Transfer Limitation Obligation under section 26 of the PDPA                                                |
| South Africa           | Section 72 of POPIA                                                                                            |

Where the destination benefits from an adequacy decision, or where a provider is certified under a recognised transfer framework, that mechanism may be relied on instead for as long as it remains valid. If a mechanism is invalidated, the parties work in good faith to put an alternative in place without undue delay. A copy of the relevant safeguards, with commercially sensitive terms redacted, is available on request from [privacy@getsmartalex.com](mailto:privacy@getsmartalex.com).

## Personal data breach notification

<Steps>
  <Step title="Notify within 72 hours">
    SmartAlex notifies you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting personal data it processes on your behalf.
  </Step>

  <Step title="Describe what is known">
    The notice describes the nature of the breach, the categories and approximate number of data subjects and records concerned where known, the likely consequences, and the measures taken or proposed to address it and mitigate its effects.
  </Step>

  <Step title="Follow up and cooperate">
    Further detail follows in phases as the investigation progresses. SmartAlex documents the facts and cooperates so you can meet your own notification obligations to authorities and data subjects.
  </Step>
</Steps>

This is the single breach-notification standard in the DPA. A notification is not an acknowledgement of fault or liability.

## Sub-processors and your objection right

You give SmartAlex general written authorisation to engage sub-processors, each bound by written contract to data-protection obligations equivalent in substance to those in the DPA. SmartAlex remains fully responsible to you for each sub-processor's performance.

* The current sub-processors, the processing each performs, the categories of data each handles and the safeguards that apply are published and kept current.
* SmartAlex updates that list and emails your designated contact at least 30 days before a new or replacement sub-processor begins processing personal data.
* You may object on reasonable data-protection grounds within 30 days. The parties work in good faith to resolve the objection. If it cannot be resolved, you may terminate the part of the Services that cannot be provided without the sub-processor in question, as your sole and exclusive remedy.

<Card title="Sub-processor list" href="/trust/subprocessors">
  See the current sub-processors by category and the safeguards applied to each.
</Card>

## Data subject requests

Taking into account the nature of the processing, SmartAlex assists you in responding to requests from individuals to exercise their rights of access, rectification, erasure, restriction, portability and objection, and rights relating to solely automated decisions. If an individual contacts SmartAlex directly, SmartAlex notifies you without undue delay, directs the individual to you, and does not respond itself except on your instructions or where the law requires it.

The DPA also confirms that SmartAlex does not make decisions based solely on automated processing that produce legal or similarly significant effects on individuals. You remain responsible for how you use the outputs of the Services in your own workflows.

<Card title="Compliance and data subject requests" href="/trust/compliance">
  How rights requests are handled and where to direct them.
</Card>

## Retention and deletion

SmartAlex retains personal data processed on your behalf only for as long as needed to provide the Services. On expiry or termination, and at your election made before or within 30 days after termination, it deletes or returns that data and deletes existing copies within 90 days, except where the law requires continued retention. Data held in routine encrypted backups is removed as those backups are overwritten on a rolling cycle that does not exceed 180 days.

## Signing the DPA

The DPA is incorporated into the SmartAlex Terms of Service and takes effect when you accept the Agreement, so its protections apply to every customer without separate paperwork. A signable copy is available for enterprise customers that require an executed instrument for their procurement or compliance records.

<Info>
  The signed DPA at [getsmartalex.com/legal/data-processing-addendum-dpa](https://getsmartalex.com/legal/data-processing-addendum-dpa) is the authoritative instrument for these commitments. To execute a copy or request the transfer safeguards, contact [privacy@getsmartalex.com](mailto:privacy@getsmartalex.com).
</Info>
