# DATA PROCESSING AGREEMENT (DPA)

**Last Updated:** June 27, 2026

This Data Processing Agreement ("DPA") supplements the Logiq AI Terms of Service ("Agreement") entered into by and between **TopTips App Ltd.**, a company incorporated under the laws of England and Wales ("Logiq AI") and the legal entity or sole proprietor utilizing the Services ("Customer" or "Merchant"). This DPA governs the processing of personal data in connection with the cloud-based Voice and Chat services provided by Logiq AI.

---

### 1. Roles and Scope of Processing

**1.1 Controller-Processor Relationship.** The parties acknowledge and agree that for the purposes of the UK General Data Protection Regulation ("UK GDPR") and the EU General Data Protection Regulation ("EU GDPR"):

*   The **Customer** acts exclusively as the **Data Controller** (determines the purposes and means of processing).

*   **Logiq AI** acts strictly as the **Data Processor** (processes personal data solely on behalf of, and in accordance with the documented instructions of, the Data Controller).

**1.2 Categories of Data Subjects and Data Types.** The processing comprises the following data belonging to the Customer’s retail end-users (shoppers/callers):

*   **Data Subjects:** End-users contacting the merchant's e-commerce store via phone, interactive voice response channels, or text-based web-chat.

*   **Types of Personal Data:** Telephone numbers, IP addresses, browser metadata, chat/voice interaction histories, cart identifiers, Shopify order details, voice recordings (audio files), and automated text transcripts of spoken interactions.

---

### 2. Technical Execution: The Safe-by-Default Compliance Logic

To ensure absolute alignment with Article 25 GDPR (Data Protection by Design and by Default), the Services technically segregate data processing into two distinct operational modes based on user interaction:

**2.1 Transaction-Only Mode (Modus A - Volatile Processing):**

*   **Default State:** By default, all incoming telephone calls and interactions are processed transiently in the system's volatile random-access memory (RAM) solely to enable real-time natural language understanding and text-to-speech feedback.

*   **No Retention:** Unless the affirmative opt-in trigger under Section 2.2 is fired, no permanent voice recordings (audio logs), full transcripts, or persistent data files are written to disk or stored within the Logiq AI infrastructure. All transactional session data is immediately flushed and overwritten upon call termination.

**2.2 Persistent Audio/Transcript Storage (Modus B - Opt-In Processing):**

*   **The Opt-In Constraint:** Persistent logging, permanent call transcription, and audio file recording are technically locked and deactivated by default.

*   **Activation Trigger:** Logiq AI will only switch to persistent processing mode if the end-user provides a clear, affirmative action via dual-tone multi-frequency (DTMF) signaling by pressing the hash key `[#]` during the mandatory interactive voice response (IVR) greeting phase, or clicks the explicit consent module in the web interface.

*   **Instructional Mandate:** The Customer explicitly instructs Logiq AI to permanently delete any interaction data that fails to receive this positive opt-in within the system's volatile session buffer.

---

### 3. Authorized Sub-processors

**3.1 Engagement of Sub-processors.** The Customer grants Logiq AI a general written authorization to engage third-party infrastructure and software providers to fulfill its contractual duties under the Agreement ("Sub-processors").

**3.2 Approved List of Core Sub-processors.** The Customer explicitly approves the appointment of the following core Sub-processors at the time of executing this DPA:

| Sub-processor | Corporate Entity & Location | Processing Activity |

| :--- | :--- | :--- |

| **Retell AI** | Retell AI Inc. (USA) | Voice AI stream orchestration and real-time processing |

| **Replit** | Replit, Inc. (USA) | Cloud hosting and backend application environment |

| **OpenAI** | OpenAI LLC (USA) | Large Language Models (LLM) for intent processing |

| **Twilio** | Twilio Ireland Ltd. (IE) / Twilio Inc. (USA) | Telecommunications infrastructure and SIP Trunking |

| **n8n** | n8n GmbH (Germany) | Automated workflow engineering and data pipelines |

| **ElevenLabs** | ElevenLabs Inc. (USA) | Synthetic speech synthesis and text-to-speech audio generation |

| **Stripe** | Stripe Payments Europe Ltd. (EU) | Payment |

| **Mailjet** | Mailjet SaaS Ltd (UK) | Email Services |

**3.3 Mechanism for Changes and Objections.** Logiq AI shall notify the Customer of any intended appointments or replacements of Sub-processors at least fourteen (14) days in advance via dashboard notifications or email.

*   **Right to Object:** The Customer has the right to object to such changes on reasonable, documented data protection grounds within fourteen (14) days of receiving the notice.

*   **Resolution:** If the Customer objects, Logiq AI will attempt to find a commercially reasonable alternative. If no alternative can be found, either party may terminate the Agreement for convenience without penalty by providing written notice.

---

### 4. International Data Transfers

**4.1 Legal Safeguards for US Transfers.** The Customer acknowledges that several approved Sub-processors are located in the United States (a "Third Country" under GDPR rules). To guarantee a legally adequate level of data protection, Logiq AI ensures that all transfers to US-based Sub-processors are strictly covered by at least one of the following legal safeguards:

1.  **Adequacy Decisions:** The Sub-processor is actively certified under the EU-U.S. Data Privacy Framework (DPF) and the UK Extension to the EU-U.S. DPF.

2.  **Standard Contractual Clauses (SCCs):** Where an adequacy decision is unavailable or insufficient, the transfer is governed by the standard contractual clauses approved by the European Commission (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum (IDTA).

---

### 5. Technical and Organizational Measures (TOMs)

**5.1 Security Implementation.** Logiq AI shall implement and maintain appropriate technical and organizational measures designed to protect Customer data and personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

**5.2 Standard TOMs Framework.** These measures include, but are not limited to:

*   **Encryption in Transit:** All data streams between the Customer's Shopify store, Logiq AI, and the approved Sub-processors are encrypted utilizing industry-standard Transport Layer Security (TLS 1.2 or higher).

*   **Access Control:** Access to database infrastructures and backend servers is strictly restricted to authorized engineering personnel based on the principle of least privilege, utilized exclusively to maintain and support the platform.

*   **Volatile In-Memory Segregation:** Implementation of the hard-coded technical logic outlined in Section 2.1 of this DPA to prevent unauthorized persistent storage of voice files.

---

### 6. Data Subject Rights and Assistance Obligations

**6.1 Data Subject Requests (DSRs).** If a Customer’s retail end-user contacts Logiq AI directly to exercise their rights under applicable privacy laws (e.g., access, rectification, or erasure of their chat history), Logiq AI will promptly forward such requests to the Customer via email. Logiq AI shall not respond directly to the end-user without the Customer's prior documented instructions.

**6.2 Breach Notification.** Logiq AI shall notify the Customer without undue delay (and in no event later than forty-eight (48) hours) after becoming aware of a confirmed personal data breach affecting the Customer's processed data. Logiq AI will provide reasonable assistance and documentation to enable the Customer to fulfill their legal notification obligations towards supervisory authorities or affected data subjects.

---

### 7. Audit Rights

**7.1 Documentation Audits.** The Customer has the right to verify Logiq AI’s compliance with this DPA. The Customer agrees that this audit right shall be satisfied initially by Logiq AI providing up-to-date documentation, security summaries, or self-assessments regarding its system architecture and the compliance declarations of its approved Sub-processors.

**7.2 Physical Inspection Limitations.** On-site physical inspections of Logiq AI’s corporate offices or backend server locations are strictly excluded, as Logiq AI operates entirely on cloud-based, virtualized infrastructures provided by its Sub-processors.

---

### 8. Term and Deletion of Data

**8.1 Data Deletion upon Termination.** Upon uninstallation of the Logiq AI application or termination of the SaaS Terms of Service, Logiq AI shall automatically initiate the secure deletion of all merchant-specific persistent logs, chat histories, and voice recordings stored within its active production databases.

**8.2 Erasure Timeline.** The deletion process will be finalized within a standard window of **thirty (30) days** following termination, except where retention is strictly required by applicable United Kingdom, European Union, or member state laws.