info@zavvion.com
0044 203 576 1 675
Get In Touch
Home/Legal/Data Processing Addendum

Data Processing Addendum

Processor terms for client contracts involving personal data.

1. Status and use

This Data Processing Addendum is a contract schedule for B2B clients. It should apply only where incorporated into a signed proposal, order form, master services agreement or statement of work.

It is designed for situations where the Client is the controller and Zavvion is the processor for Client Personal Data. Some processing by Zavvion, such as account management and billing contacts, will be as an independent controller.

Data Protection Officer (DPO): Cham Arachchi, via info@zavvion.com.

ICO registration: We are registered with the Information Commissioner’s Office (ICO) as a data protection fee payer.

2. Roles

ClientController for its customers, callers, leads, attendees, staff, prospects and end users.
ZavvionProcessor when processing Client Personal Data only to provide the Services and follow documented Client instructions.
Sub-processorsThird-party providers approved under this Addendum and listed or referenced in the Sub-processors page or contract schedule.

3. Processing instructions

Zavvion will process Client Personal Data only on the Client’s documented instructions, including instructions in the contract, proposal, statement of work, workflow documentation, support tickets and agreed configuration settings.

If Zavvion believes an instruction is unlawful or creates material risk, Zavvion may pause the affected processing and ask for clarification.

4. Processing details

Subject matterConfiguration, implementation, operation, support and optimisation of AI automation, CRM, lead response, voice AI, booking, follow-up, communications, payment, invoicing and ticketing workflows.
DurationFor the contract term plus any agreed migration, support, backup or deletion period.
Nature and purposeCollecting, routing, storing, transmitting, analysing, transcribing, automating, reporting and supporting business workflow data as agreed.
Data subjectsClient customers, leads, prospects, callers, website visitors, attendees, staff, contractors, suppliers and business contacts.
Personal data categoriesNames, contact details, company details, messages, call metadata, recordings, transcripts, booking details, CRM notes, preferences, support tickets, payment status and similar operational data.
Special category dataNot permitted unless expressly agreed in writing with additional safeguards. This is especially important for clinics, healthcare, legal, finance, insurance and children-facing services.

5. Confidentiality and staff access

Zavvion will ensure that people authorised to process Client Personal Data are subject to appropriate confidentiality obligations and access controls.

Access should be limited to people who need it to provide, support or secure the Services.

6. Security measures

Zavvion will maintain appropriate technical and organisational measures, taking account of the nature, scope, context and risk of the processing.

  • role-based access and least-privilege permissions;
  • password management and multi-factor authentication where available;
  • encrypted connections where supported;
  • secure configuration of third-party tools;
  • segregation of client workspaces where practical;
  • backup, logging and audit controls where available;
  • incident response and breach escalation process;
  • supplier due diligence for material sub-processors; and
  • staff confidentiality and data protection training appropriate to role.

7. Sub-processors

The Client gives general written authorisation for Zavvion to use sub-processors needed to deliver the Services, subject to Zavvion maintaining a sub-processor list and giving notice of material changes where agreed.

Zavvion must ensure sub-processors are subject to data protection obligations appropriate to the processing they perform.

See Sub-processors for the public list. The applicable contract should state how much notice is required before adding or replacing a sub-processor.

8. International transfers

Zavvion will not make restricted transfers of Client Personal Data unless a lawful transfer mechanism is in place where required, such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU standard contractual clauses, or another lawful safeguard or exception.

Client-specific transfer risk assessments may be required for certain tools and sectors.

9. Assistance with rights, DPIAs and breaches

Zavvion will provide reasonable assistance to the Client, taking account of the nature of the processing, for data subject requests, security obligations, data protection impact assessments and regulator consultations where required.

Zavvion will notify the Client without undue delay after becoming aware of a personal data breach affecting Client Personal Data. The contract should specify the practical notification channel and details required.

10. Return and deletion

At the end of the Services, Zavvion will delete or return Client Personal Data, at the Client’s choice, unless retention is required by law or technically retained in backups for a limited period.

The applicable contract should specify export format, offboarding fees, backup deletion timing and any retention needed for disputes, audit or legal record keeping.

11. Audit and information rights

Zavvion will provide information reasonably necessary to demonstrate compliance with this Addendum. Any audit should be reasonable, proportionate, confidential, limited to relevant processing and scheduled to avoid unnecessary disruption.

12. Liability and order of documents

Liability should be handled in the main contract. Unless a lawyer-reviewed contract says otherwise, the general service liability cap is intended to be the revenue actually received by Zavvion from that particular customer during the three months immediately before the event giving rise to the claim.

This Addendum should not increase or reduce liability unless expressly stated. If there is a conflict between this Addendum and the main contract on data protection matters, the Addendum should take priority for those matters unless lawyer-reviewed wording says otherwise.

Last updated: 18 May 2026.

Book a Strategy Call