Data Processing Addendum 

Last Updated: February, 2026

This Data Processing Addendum (“DPA”) forms part of the Eloquent AI Services Agreement (the “Agreement”) between Eloquent AI, Inc. (“Eloquent AI,” “we,” “us,” or “our”) and the customer identified in the Agreement (“Customer”). This DPA governs the processing of personal data by Eloquent AI on behalf of the Customer and ensures compliance with applicable data protection laws.

Precedence. In the event of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail only to the extent necessary to comply with Applicable Data Protection Laws; otherwise, the Agreement shall govern.

1. Definitions

1.1. Applicable Data Protection Laws: Refers to all laws and regulations applicable to the processing of personal data under this DPA, including but not limited to the General Data Protection Regulation (GDPR), UK Data Protection Act 2018, Swiss Federal Data Protection Act, California Consumer Privacy Act (CCPA), and any amendments or successors to these laws.

1.2. Controller: The entity that determines the purposes and means of processing personal data.

1.3. Processor: The entity that processes personal data on behalf of the Controller.

1.4. Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.

1.5. Subprocessor: Any third-party service provider engaged by Eloquent AI to process Personal Data on behalf of the Customer.

1.6. Standard Contractual Clauses (SCCs): Clauses adopted by the European Commission or other applicable authorities for ensuring adequate safeguards in international data transfers.

1.7. Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.8. EEA: The European Economic Area, including the European Union, Iceland, Liechtenstein, and Norway.

2. Roles and Responsibilities

2.1. Customer as Controller: The Customer acts as the Controller and ensures compliance with all applicable data protection laws, including obtaining necessary consents and providing notices to data subjects.

2.2. Eloquent AI as Processor: Eloquent AI acts as the Processor and will process Personal Data only on the Customer’s documented instructions unless required by law.

2.3. Compliance Cooperation. Each party will cooperate in good faith as reasonably necessary to meet its respective legal obligations under Applicable Data Protection Laws.

2.4 Dual Role. For account management, billing, and analytics data, Eloquent AI acts as an independent Controller.

3. Scope of Processing

3.1. Subject Matter: The processing of Personal Data is required to deliver the services specified in the Agreement.

3.2. Duration: Personal Data will be processed for the term of the Agreement unless otherwise required by law.

3.3. Nature and Purpose: Eloquent AI processes Personal Data for the purposes of delivering, maintaining, and improving its services, as well as ensuring legal compliance.

3.4. Categories of Data Subjects: Data subjects include the Customer’s employees, contractors, and end-users who interact with Eloquent AI’s services.

3.5. Categories of Personal Data: Include contact information, account credentials, communication records, and other data provided by the Customer.

4. Subprocessing

4.1. Authorized Subprocessors: A list of authorized Subprocessors, including their services and geographic processing locations, is maintained and made available at https://eloquentai.co/legal/subprocessors. Eloquent AI ensures that all Subprocessors comply with data protection obligations consistent with GDPR, UK DPA 2018, and CCPA/CPRA, and only engage in data transfers with adequate safeguards in place, such as Standard Contractual Clauses (SCCs).

4.2. Notification of Changes: Eloquent AI will notify the Customer of any additions or replacements to the Subprocessor list. The Customer may object to such changes within ten (10) business days. If the Customer does not object within the ten (10) business-day notice period, the change shall be deemed accepted.

4.3. Subprocessor Obligations: Eloquent AI ensures all Subprocessors are contractually bound by data protection obligations no less stringent than those in this DPA. Customer’s sole remedy for any breach by a Subprocessor shall be against Eloquent AI only to the extent arising from Eloquent AI’s proven negligence or wilful misconduct.

5. Security Measures

5.1. Technical and Organizational Measures: Eloquent AI implements measures aligned with industry standards, including:

• Data encryption (AES-256 at rest, TLS 1.2 or higher in transit).
• Role-based access control and multi-factor authentication.
• Regular penetration testing and vulnerability assessments.

These measures are designed to provide a level of security appropriate to the risk and shall not be interpreted as a guarantee of absolute security or uninterrupted service.

5.2. Data Breach Notification: Eloquent AI will notify the Customer within 24 - 48 hours of becoming aware of a Personal Data Breach and provide sufficient details for regulatory reporting and mitigation.

Such notification shall not constitute an admission of fault or liability and will be limited to information reasonably available at the time of notice.

6. Data Subject Rights

6.1. Assistance: Eloquent AI will assist the Customer in responding to data subject requests, including access, rectification, deletion, or portability of Personal Data, where feasible.

6.2. Redirection of Requests: If Eloquent AI receives a data subject request directly, it will promptly notify the Customer unless prohibited by law.

6.3. Personally identifiable information (PII), whether collected from data subjects within the United Kingdom, the European Economic Area, or the United States, will be deleted or de-identified once it no longer serves a lawful business purpose. Verified deletion requests will be honoured in accordance with data protection laws such as GDPR (UK and EU) and CCPA/CPRA (US), unless Eloquent AI has a continuing legal or regulatory obligation to retain such data. Specific retention timelines are outlined in Eloquent AI’s Data Management Policy.

6.4 DPIA Assistance. Eloquent AI shall provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments (DPIAs) and, where required, prior consultation with supervisory authorities under Article 36 GDPR.

7. International and Cross-Border Data Transfers

7.1. Transfers of Personal Data outside the EEA or UK shall rely on the EU Standard Contractual Clauses (2021/914, Modules Two and Three) and, where applicable, the UK International Data Transfer Addendum.

7.2. Eloquent AI implements supplementary technical and organisational safeguards consistent with EDPB Recommendations 01/2020.

7.3. For data processed or stored within the United States, Eloquent AI complies with applicable U.S. state privacy laws, including the CCPA/CPRA, and acts as a Service Provider as defined therein.

7.4. Where required under Applicable Data Protection Laws, the parties shall execute the relevant Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum, which shall form part of this DPA.

7.5 Transfer Impact Assessment. Eloquent AI shall assess and document the impact of applicable third-country laws on the effectiveness of the transfer safeguards relied upon under this Section 7 and implement supplementary technical and organisational measures where necessary to ensure an essentially equivalent level of protection.

8. Retention and Deletion

8.1. Upon termination of the Agreement, the Customer may request the return or deletion of all Personal Data. Eloquent AI will comply with such requests unless retention is required by applicable laws or contractual obligations, including but not limited to the UK Data Protection Act 2018, General Data Protection Regulation (GDPR), or the California Consumer Privacy Act (CCPA) and its amendments (e.g., CPRA).

8.2. Eloquent AI’s data retention periods are defined in the Data Retention Matrix (Appendix B) to the Data Management Policy. Personal Data shall be retained only for the defined periods specified therein and deleted or anonymised thereafter. Longer retention shall apply only where required by applicable law, regulatory obligation, or documented legal hold relating to dispute resolution or enforcement of legal rights.

8.3. In the event of any inconsistency between this DPA and Eloquent AI’s internal policies, including the Data Management Policy or Data Retention Matrix, the provisions of this DPA shall prevail to the extent of such inconsistency.

9. Audits and Compliance

9.1. Third-Party Audits: Eloquent AI undergoes regular third-party audits and will provide audit reports upon request.

9.2. Customer Audits: The Customer may conduct one audit per calendar year upon thirty (30) days’ prior written notice, subject to a mutually agreed scope and reasonable cost allocation. Nothing in this Section requires Eloquent AI to disclose proprietary information, trade secrets, or data relating to other customers. 

10. Amendments
Eloquent AI may update this DPA to reflect changes in Applicable Data Protection Laws or subprocessor arrangements upon thirty (30) days’ prior written notice to the Customer. Any such updates shall not materially reduce the Customer’s rights under this DPA without the Customer’s prior written agreement.

11. CCPA / CPRA Service-Provider Commitments
For California data subjects, the parties acknowledge that Eloquent AI acts as a Service Provider under the CCPA/CPRA. Eloquent AI shall not sell, share, or retain Personal Data for any purpose other than performing the Services or as otherwise permitted by law.

12. General Provisions

12.1. Governing Law: This DPA is governed by the laws specified in the Agreement.

12.2. Costs: Additional compliance activities beyond Eloquent AI’s obligations under this DPA may incur reasonable costs, to be agreed upon in writing.

Annex 1: Details of Processing

• Purpose: To deliver and improve Eloquent AI’s services.
• Duration: For the term of the Agreement or as required by law.
• Categories of Data Subjects: Employees, contractors, and end-users.
• Categories of Personal Data: Contact details, account information, communication records.

Annex 2: Security Measures

Eloquent AI’s security measures include:

1. Access Controls: Role-based and least-privilege access.
2. Encryption: AES-256 for data at rest and TLS 1.2 or higher for data in transit.
3. Incident Management: 24/7 monitoring and a formal incident response program.
4. Annual SOC 2 Type II and ISO 27001 audits and penetration testing form part of Eloquent AI’s ongoing compliance programme.
5. These controls are reviewed at least annually and updated as necessary to maintain effectiveness.

‍