Data Processing Agreement
Effective Date: 22 March 2026 Last Updated: 28 May 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between CTrend Ltd ("Processor"), a company registered in England and Wales (Company Number: 17200901, Registered Address: 61 Bridge Street, Kington, Herefordshire, HR5 3DJ), and the Tenant organisation ("Controller") using the CTrend platform ("Service").
This DPA sets out the terms under which the Processor processes personal data on behalf of the Controller in connection with the Service, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Definitions
- "Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any applicable secondary legislation.
- "Personal Data" has the meaning given in the UK GDPR.
- "Processing" has the meaning given in the UK GDPR.
- "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.
- "Sub-Processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
3. Scope of Processing
3.1. Subject Matter
The Processor processes Personal Data to provide the Service, including: - Message routing and delivery across connected channels - AI-powered automated responses and conversation management - Contact management and conversation history - Automatic message translation - Voice-to-text transcription - Knowledge base indexing and retrieval (RAG) - Contact memory extraction (AI-derived factual context) - Campaign and broadcast message delivery - Webhook event delivery to Controller-configured endpoints - Analytics and usage reporting
3.2. Categories of Data Subjects
- End users who communicate through connected messaging channels (Telegram, WhatsApp, Instagram, Messenger, Viber, Email, Webchat)
- Contacts stored within the Service
- Account holders, team members, and operators
- Visitors who interact via the Webchat Widget or Mobile App
3.3. Types of Personal Data
- Names, phone numbers, email addresses, usernames, and display names
- Message content, conversation history, and translations
- Voice messages and audio transcriptions
- AI-extracted contact facts (preferences, topics, context)
- Knowledge base documents uploaded by the Controller
- Usage data, interaction metadata, and login information
- Device identifiers and push notification tokens (mobile app)
- Payment information (processed by Paddle, not stored by Processor)
3.4. Duration of Processing
Processing continues for the duration of the Controller's use of the Service. Upon account deletion, Personal Data is permanently deleted immediately. The Controller is advised to export data before initiating deletion.
4. Obligations of the Processor
The Processor shall:
4.1. Process Personal Data only on documented instructions from the Controller, unless required by applicable law. If required by law, the Processor shall inform the Controller of the legal requirement before processing, unless prohibited.
4.2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Art. 32 UK GDPR), including: - Encryption of data at rest: all message content, secrets, API keys, and credentials encrypted with Fernet symmetric encryption. Each tenant is provisioned with a unique encryption key (per-tenant key isolation) — compromise of one tenant's data does not expose other tenants' data - TLS 1.2+ encryption for all data in transit - Secure password hashing (bcrypt with salt) - Role-based access controls (owner, admin, operator, viewer) - Multi-factor authentication for administrative access - Network isolation of database and AI services - SSRF protection for HTTP skill execution - Prompt injection detection and sanitisation - Regular security assessments and vulnerability reviews - Documented incident response procedures
4.4. Not engage another sub-processor without prior general or specific written authorisation of the Controller. The current list of approved sub-processors is available at Sub-Processor List. General authorisation is granted by accepting these terms.
4.5. Assist the Controller in responding to requests from Data Subjects to exercise their rights under Data Protection Laws, including: - Right of access (Art. 15) — data export in JSON format - Right to rectification (Art. 16) - Right to erasure (Art. 17) — per-contact and per-conversation deletion - Right to restriction (Art. 18) - Right to data portability (Art. 20) — structured machine-readable export - Right to object (Art. 21)
4.6. Assist the Controller in ensuring compliance with obligations relating to: - Security of processing (Art. 32) - Breach notification (Art. 33, 34) — see §7 below - Data protection impact assessments (Art. 35) - Prior consultation with supervisory authorities (Art. 36)
4.7. At the Controller's choice, delete or return all Personal Data after the end of the provision of the Service. Deletion is performed immediately upon account closure. The Controller may export data before deletion via the Data Export feature. Backups containing deleted data are overwritten within 30 days. Applicable law may require continued storage of certain records (e.g., payment records for 7 years).
4.8. Make available to the Controller all information necessary to demonstrate compliance with these obligations, and allow for and contribute to audits.
5. Sub-Processors
5.1. The Controller provides general authorisation for the Processor to engage sub-processors listed at Sub-Processor List.
5.2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors by updating the Sub-Processor List at Sub-Processor List and revising the "Last Updated" date. Material changes may additionally be communicated via in-app notification or email.
5.3. If the Controller objects to a new sub-processor, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the Service within 30 days of the change taking effect.
5.4. Where the Processor engages a sub-processor, the Processor shall impose on the sub-processor the same data protection obligations as set out in this DPA by way of a contract.
6. International Transfers
6.1. The Processor shall not transfer Personal Data outside the United Kingdom without appropriate safeguards in place.
6.2. Where transfers are necessary for the provision of the Service (e.g., to AI providers in the United States), the Processor shall ensure that one of the following mechanisms is in place: - UK International Data Transfer Agreement (IDTA) - UK Addendum to the EU Standard Contractual Clauses - Adequacy decision by the Secretary of State
6.3. The specific transfer mechanism for each sub-processor is documented in the Sub-Processor List.
7. Personal Data Breach Notification
7.1. The Processor shall notify the Controller without undue delay, and in any case within 48 hours, after becoming aware of a Personal Data Breach.
7.2. The notification shall include: - A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned - The name and contact details of the Processor's privacy contact - A description of the likely consequences of the breach - A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
7.3. Where it is not possible to provide all information at the same time, the Processor shall provide initial notification followed by further information as it becomes available.
7.4. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
8. Data Retention and Deletion
Upon termination of the Service or upon Controller's request:
| Data Type | Deletion Timeline |
|---|---|
| Messages and conversations | Immediately upon account deletion |
| Contact data and memory | Immediately upon account deletion or per-contact erasure request |
| Knowledge base documents and embeddings | Immediately upon account deletion |
| Account data | Immediately upon account deletion |
| AI processing logs | Automatically purged after 90 days |
| Skill execution logs | Automatically purged after 90 days |
| Webhook event logs | Automatically purged after 30 days |
| Expired tokens (password reset, email verification) | Automatically purged hourly |
| Payment records | 7 years (legal requirement) |
| Backups containing deleted data | Overwritten within 30 days |
9. Audit Rights
9.1. The Processor shall make available to the Controller information necessary to demonstrate compliance with this DPA.
9.2. The Controller may conduct audits, including inspections, with at least 30 days' written notice and during business hours, no more than once per year unless a breach has occurred.
9.3. The Processor may charge reasonable costs for audits that go beyond standard compliance documentation.
10. Records of Processing Activities
The Processor maintains records of processing activities carried out on behalf of the Controller (Art. 30(2) UK GDPR), including: - Categories of processing carried out - International transfers and safeguards - Description of technical and organisational security measures - Sub-processor details
These records are available upon request.
11. Term and Termination
11.1. This DPA remains in effect for as long as the Processor processes Personal Data on behalf of the Controller.
11.2. Upon termination, the Processor shall delete all Personal Data in accordance with §8 above, unless applicable law requires retention.
11.3. The obligations in this DPA survive termination to the extent required for the Processor to complete deletion and comply with legal obligations.
12. Liability
The Processor's liability under this DPA is subject to the limitations set out in the Terms of Service §13.
13. Contact
For DPA-related inquiries:
CTrend Ltd Company Number: 17200901 61 Bridge Street, Kington, Herefordshire, HR5 3DJ
- Email: privacy@ctrend.co.uk