This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Unavoidable Marketing Ltd ("Processor") and you, the Customer ("Controller"). It governs how we handle personal data on your behalf in accordance with UK GDPR Article 28.
1. Definitions
- Controller: You, the CRM account holder, who determines the purposes and means of processing personal data
- Processor: Unavoidable Marketing Ltd, who processes personal data on your behalf
- Personal Data: Any information relating to identified or identifiable individuals stored in the CRM
- Processing: Any operation performed on personal data including storage, retrieval, use and deletion
- UK GDPR: The UK General Data Protection Regulation as retained in UK law
2. Subject Matter and Nature of Processing
We process the following categories of personal data on your behalf:
- Contact data: Names, phone numbers, email addresses, business details of your customers and prospects
- Communication data: SMS messages, call logs, email correspondence stored in the CRM
- Clinical data (where applicable): Treatment notes, health records, appointment history for clinical practices
- Financial data: Quote and invoice records
- Location data: Addresses, GPS coordinates from field jobs
Processing is carried out for the purpose of providing the CRM service as described in your subscription plan.
3. Your Obligations as Controller
As the Data Controller, you are responsible for:
- Ensuring you have a lawful basis (consent, legitimate interest, contract) for processing each individual's data
- Providing accurate privacy notices to your customers explaining how their data is used
- Responding to data subject requests from your customers within the required timeframes
- Complying with UK PECR when sending SMS or email marketing
- Not importing data obtained unlawfully or without appropriate consent
- Ensuring any staff who access the CRM are trained in data protection
4. Our Obligations as Processor
We commit to:
- Process personal data only on your documented instructions
- Ensure all staff with access to your data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (detailed below)
- Not engage sub-processors without your prior consent (see section 6)
- Assist you in responding to data subject rights requests within 72 hours of receiving them
- Notify you without undue delay (within 72 hours) of any personal data breach
- Delete or return all personal data on termination of the agreement
- Make available all information necessary to demonstrate compliance with this DPA
5. Technical and Organisational Security Measures
- Encryption at rest: Database encryption, encrypted API key storage, bcrypt password hashing.
- Encryption in transit: TLS 1.2+ enforced for all connections. HSTS with 1-year duration.
- Data isolation: Strict company-level data separation. No account can access another's data.
- Access controls: Role-based access (owner/admin/user), 2FA, session timeouts, brute force protection.
- Backups: Daily encrypted backups retained for 90 days. Disaster recovery plan in place.
- Audit logging: All significant data operations are logged with timestamps and user identifiers.
6. Sub-processors
We use the following authorised sub-processors. By using the Service, you consent to their use:
- Amazon Web Services (AWS) - Server infrastructure (UK/EU data centres)
- Stripe Inc. - Payment processing (PCI-DSS Level 1 certified)
- Twilio Inc. - SMS and voice communications
- Bland.ai - AI voice call processing
- Anthropic / OpenRouter - AI content generation (data not used for model training)
We will notify you of any intended changes to sub-processors with at least 30 days' notice, giving you the opportunity to object.
7. Data Transfers
Your data is primarily processed and stored in the UK and EEA. Where data is transferred to processors outside the UK (e.g. US-based services), we ensure adequate safeguards are in place via Standard Contractual Clauses (SCCs) or UK adequacy decisions.
8. Data Retention and Deletion
We retain your data for the duration of your subscription plus 30 days. On request, we will permanently delete your data within 72 hours. Backup copies are purged within 90 days.
You can export all your data at any time via Settings → Data & GDPR within the CRM.
9. Data Breach Notification
In the event of a personal data breach affecting your data, we will notify you within 72 hours of becoming aware, providing:
- Nature of the breach and categories of data affected
- Approximate number of individuals affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
10. Contact