Data Processing Addendum
Last Updated: October 10, 2025
This Data Processing Addendum (“DPA”) forms part of the Eloquent AI Services Agreement (the “Agreement”) between Eloquent AI, Inc. (“Eloquent AI,” “we,” “us,” or “our”) and the customer identified in the Agreement (“Customer”). This DPA governs the processing of personal data by Eloquent AI on behalf of the Customer and ensures compliance with applicable data protection laws.
Precedence. In the event of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail only to the extent necessary to comply with Applicable Data Protection Laws; otherwise, the Agreement shall govern.
1. Definitions
1.1. Applicable Data Protection Laws: Refers to all laws and regulations applicable to the processing of personal data under this DPA, including but not limited to the General Data Protection Regulation (GDPR), UK Data Protection Act 2018, Swiss Federal Data Protection Act, California Consumer Privacy Act (CCPA), and any amendments or successors to these laws.
1.2. Controller: The entity that determines the purposes and means of processing personal data.
1.3. Processor: The entity that processes personal data on behalf of the Controller.
1.4. Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
1.5. Subprocessor: Any third-party service provider engaged by Eloquent AI to process Personal Data on behalf of the Customer.
1.6. Standard Contractual Clauses (SCCs): Clauses adopted by the European Commission or other applicable authorities for ensuring adequate safeguards in international data transfers.
1.7. Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.8. EEA: The European Economic Area, including the European Union, Iceland, Liechtenstein, and Norway.
2. Roles and Responsibilities
2.1. Customer as Controller: The Customer acts as the Controller and ensures compliance with all applicable data protection laws, including obtaining necessary consents and providing notices to data subjects.
2.2. Eloquent AI as Processor: Eloquent AI acts as the Processor and will process Personal Data only on the Customer’s documented instructions unless required by law.
2.3. Compliance Cooperation. Each party will cooperate in good faith as reasonably necessary to meet its respective legal obligations under Applicable Data Protection Laws.
2.4 Dual Role. For account management, billing, and analytics data, Eloquent AI acts as an independent Controller.
3. Scope of Processing
3.1. Subject Matter: The processing of Personal Data is required to deliver the services specified in the Agreement.
3.2. Duration: Personal Data will be processed for the term of the Agreement unless otherwise required by law.
3.3. Nature and Purpose: Eloquent AI processes Personal Data for the purposes of delivering, maintaining, and improving its services, as well as ensuring legal compliance.
3.4. Categories of Data Subjects: Data subjects include the Customer’s employees, contractors, and end-users who interact with Eloquent AI’s services.
3.5. Categories of Personal Data: Include contact information, account credentials, communication records, and other data provided by the Customer.
4. Subprocessing
4.1. Authorized Subprocessors: A list of authorized Subprocessors, including their services and geographic processing locations, is maintained and made available at https://eloquentai.co/legal/subprocessors. Eloquent AI ensures that all Subprocessors comply with data protection obligations consistent with GDPR, UK DPA 2018, and CCPA/CPRA, and only engage in data transfers with adequate safeguards in place, such as Standard Contractual Clauses (SCCs).
4.2. Notification of Changes: Eloquent AI will notify the Customer of any additions or replacements to the Subprocessor list. The Customer may object to such changes within ten (10) business days. If the Customer does not object within the ten (10) business-day notice period, the change shall be deemed accepted.
4.3. Subprocessor Obligations: Eloquent AI ensures all Subprocessors are contractually bound by data protection obligations no less stringent than those in this DPA. Customer’s sole remedy for any breach by a Subprocessor shall be against Eloquent AI only to the extent arising from Eloquent AI’s proven negligence or wilful misconduct.
5. Security Measures
5.1. Technical and Organizational Measures: Eloquent AI implements measures aligned with industry standards, including:
- Data encryption (AES-256 at rest, TLS 1.2 or higher in transit).
- Role-based access control and multi-factor authentication.
- Regular penetration testing and vulnerability assessments.
These measures are designed to provide a level of security appropriate to the risk and shall not be interpreted as a guarantee of absolute security or uninterrupted service.
5.2. Data Breach Notification: Eloquent AI will notify the Customer within 48 hours of confirmation of any Personal Data Breach and provide sufficient details for regulatory reporting and mitigation.
Such notification shall not constitute an admission of fault or liability and will be limited to information reasonably available at the time of notice.
6. Data Subject Rights
6.1. Assistance: Eloquent AI will assist the Customer in responding to data subject requests, including access, rectification, deletion, or portability of Personal Data, where feasible.
6.2. Redirection of Requests: If Eloquent AI receives a data subject request directly, it will promptly notify the Customer unless prohibited by law.
6.3. Personally identifiable information (PII), whether collected from data subjects within the United Kingdom, the European Economic Area, or the United States, will be deleted or de-identified once it no longer serves a lawful business purpose. Verified deletion requests will be honoured in accordance with data protection laws such as GDPR (UK and EU) and CCPA/CPRA (US), unless Eloquent AI has a continuing legal or regulatory obligation to retain such data. Specific retention timelines are outlined in Eloquent AI’s Data Management Policy.
7. International and Cross-Border Data Transfers
7.1. Transfers of Personal Data outside the EEA or UK shall rely on the EU Standard Contractual Clauses (2021/914, Modules Two and Three) and, where applicable, the UK International Data Transfer Addendum.
7.2. Eloquent AI implements supplementary technical and organisational safeguards consistent with EDPB Recommendations 01/2020.
7.3. For data processed or stored within the United States, Eloquent AI complies with applicable U.S. state privacy laws, including the CCPA/CPRA, and acts as a Service Provider as defined therein.
7.4. The Customer acknowledges and consents to such transfers as necessary for the provision of the Services.
8. Retention and Deletion
8.1. Upon termination of the Agreement, the Customer may request the return or deletion of all Personal Data. Eloquent AI will comply with such requests unless retention is required by applicable laws or contractual obligations, including but not limited to the UK Data Protection Act 2018, General Data Protection Regulation (GDPR), or the California Consumer Privacy Act (CCPA) and its amendments (e.g., CPRA).
8.2. Eloquent AI’s data retention periods are defined in its internal Data Management Policy and the Data Retention Matrix (Appendix B). For example, customer data stored in SaaS platforms is retained for up to sixty (60) days post-termination, while support-related records (e.g. tickets, call recordings) may be retained indefinitely where necessary to meet compliance, operational, or audit requirements under applicable UK or US law.
9. Audits and Compliance
9.1. Third-Party Audits: Eloquent AI undergoes regular third-party audits and will provide audit reports upon request.
9.2. Customer Audits: The Customer may conduct one audit per calendar year upon thirty (30) days’ prior written notice, subject to a mutually agreed scope and reasonable cost allocation. Nothing in this Section requires Eloquent AI to disclose proprietary information, trade secrets, or data relating to other customers.
10. Amendments
Eloquent AI may update this DPA to reflect changes in Applicable Data Protection Laws or subprocessor arrangements by providing thirty (30) days’ prior written notice. Continued use of the Services following such notice constitutes acceptance of the updated DPA.
11. CCPA / CPRA Service-Provider Commitments
For California data subjects, the parties acknowledge that Eloquent AI acts as a Service Provider under the CCPA/CPRA. Eloquent AI shall not sell, share, or retain Personal Data for any purpose other than performing the Services or as otherwise permitted by law.
12. General Provisions
12.1. Governing Law: This DPA is governed by the laws specified in the Agreement.
12.2. Costs: Additional compliance activities beyond Eloquent AI’s obligations under this DPA may incur reasonable costs, to be agreed upon in writing.
Annex 1: Details of Processing
- Purpose: To deliver and improve Eloquent AI’s services.
- Duration: For the term of the Agreement or as required by law.
- Categories of Data Subjects: Employees, contractors, and end-users.
- Categories of Personal Data: Contact details, account information, communication records.
Annex 2: Security Measures
Eloquent AI’s security measures include:
- Access Controls: Role-based and least-privilege access.
- Encryption: AES-256 for data at rest and TLS 1.2 or higher for data in transit.
- Incident Management: 24/7 monitoring and a formal incident response program.
- Annual SOC 2 Type II and ISO 27001 audits and penetration testing form part of Eloquent AI’s ongoing compliance programme.
- These controls are reviewed at least annually and updated as necessary to maintain effectiveness.