Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between [Company Name] ("Risala", the "Processor") and the customer using the Risala platform (the "Controller"). It applies whenever Risala processes personal data on the Controller's behalf — primarily call recordings, transcripts, and AI-generated analysis. Acceptance of the Terms at sign-up constitutes acceptance of this DPA.

1. Definitions

Terms used here have the meaning given to them in the UK GDPR and EU GDPR (Regulation 2016/679), and where applicable the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).

2. Roles & scope

The Controller is the customer that opens a Risala workspace and uploads or captures call content. Risala is the Processor and only handles personal data on the Controller's documented instructions, which are the Terms, this DPA, and the configuration of the workspace.

Subject matter: provision of AI-powered call analysis. Duration: term of the Controller's subscription. Nature: hosting, transcription, AI analysis, dashboards, retention, deletion. Categories of data subjects: Controller's employees, the Controller's customers and prospects (call participants). Categories of personal data: name, voice recording, transcript content, role, metadata (call time, duration, participants).

3. Controller obligations

The Controller warrants that it:

  • Has a lawful basis to record calls and process the resulting personal data, and has obtained any consent required under local law (UK: notification under RIPA 2000 and UK GDPR; UAE: explicit consent under the PDPL; other jurisdictions: the applicable rules).
  • Provides accurate sub-processor and processing notices to data subjects in its own privacy policy.
  • Configures retention periods, access controls, and member roles appropriately for its sector.
  • Will not upload special-category data (health, biometric identification, criminal-convictions data) without first notifying Risala.

4. Risala's obligations

  • Process personal data only on the Controller's documented instructions.
  • Ensure persons authorised to process personal data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (Section 8).
  • Assist the Controller in responding to data-subject requests.
  • Assist the Controller with data-protection impact assessments and prior consultations where required.
  • Notify the Controller without undue delay, and within 72 hours, of any personal-data breach affecting the Controller's data.
  • Make available all information necessary to demonstrate compliance and allow audits as set out in Section 9.

5. Sub-processors

The Controller gives general authorisation to engage the sub-processors listed in our Privacy Policy. Risala will give the Controller at least 14 days' notice of any addition or replacement, during which the Controller may object on reasonable data-protection grounds. Each sub-processor is bound by data-protection terms equivalent to those in this DPA.

6. AI processing — model training

Customer content sent to Deepgram, OpenAI, and Anthropic is configured so that it is not used to train the providers' underlying models. Content is retained only as long as needed to return a result, then deleted by the provider.

7. International transfers

Where personal data is transferred outside the UK / EEA, Risala relies on the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum. The Controller authorises these transfers by accepting this DPA.

8. Security measures

Risala implements at minimum:

  • TLS 1.2+ encryption in transit.
  • Encryption at rest for recordings, transcripts, and database content.
  • Workspace-scoped access controls with cross-tenant guards on every privileged action.
  • Audit logging for administrative actions.
  • Multi-factor authentication available on every account.
  • Least-privilege internal access, reviewed quarterly.
  • Regular vulnerability scanning and dependency patching.
  • Documented incident-response procedures.

9. Audits

Risala will, on reasonable written notice and at the Controller's cost, provide the information needed to demonstrate compliance with this DPA — including responses to security questionnaires and copies of independent assessments where available. On-site audits are by mutual agreement and limited to what is strictly necessary.

10. Data-subject requests

Most data-subject rights (access, rectification, erasure, restriction, portability) can be exercised by the Controller directly inside the Risala application — workspace administrators can export, delete, or correct content. Where additional assistance is needed, Risala will respond within 14 calendar days.

11. Personal-data breaches

On becoming aware of a personal-data breach affecting Controller content, Risala will notify the Controller's designated administrator without undue delay and within 72 hours, providing the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.

12. Return and deletion

On termination of the subscription Risala will, at the Controller's choice, return or delete all Controller personal data within 30 days, unless retention is required by law (for example, billing records held for tax purposes). Backups containing residual copies are encrypted and rotated out within 90 days.

13. Liability

The liability provisions of the Terms & Conditions apply to this DPA. Nothing in this DPA limits any liability that cannot be limited under applicable law.

14. Order of precedence

In case of conflict between this DPA and the Terms & Conditions, this DPA prevails on data-protection matters. In case of conflict with the SCCs, the SCCs prevail.

15. Contact

Data-protection point of contact: privacy@risala.tech.