Data Processing Addendum

Last updated: 11 April 2026

1. Introduction and Definitions

This Data Processing Addendum ("DPA") forms part of the Terms of Service between The Rams Agency LTD (trading as SiteVoice, "we", "us", "Processor") and the Company Account holder ("you", "Customer", "Controller"). It sets out our obligations as a data processor in relation to the Content you upload or generate through the Service.

In this DPA, the following definitions apply:

  • "Controller" — the customer Company Account that determines the purposes and means of processing Content through the Service.
  • "Processor" — The Rams Agency LTD, which processes Content on behalf of the Controller.
  • "Content" — audio recordings, AI-generated transcriptions, extracted defect items, photographs, inspection metadata, and any other data uploaded to or generated within the Service on behalf of the Controller.
  • "Personal Data" — has the meaning given in the UK GDPR.
  • "UK GDPR" — the UK General Data Protection Regulation, together with the Data Protection Act 2018.
  • "Sub-processor" — any third party engaged by the Processor to process Content on the Processor's behalf, as listed in Annex 2.

By using the Service under an active Company Account, the Controller agrees to this DPA. In the event of a conflict between the Terms of Service and this DPA, this DPA prevails with respect to the processing of Content.

2. Scope and Processor Role

The Processor processes Content only on the documented instructions of the Controller. The Controller's instructions are embodied in: (a) these Terms and this DPA; (b) the ordinary operation of the Service as documented on sitevoice.app; and (c) any additional specific instructions provided by the Controller in writing.

If the Processor believes that an instruction from the Controller infringes UK GDPR or other applicable UK data protection law, the Processor will inform the Controller without delay.

The Processor acts as a data processor in relation to Content. The Processor acts as a data controller in relation to account, authentication, billing, error log, and activity log data (as set out in the Privacy Policy). This DPA covers the processor relationship only.

3. Subject Matter, Duration, Nature, and Purpose of Processing

As required by Article 28(3) of the UK GDPR, the following table describes the processing:

Subject matterThe provision of the SiteVoice voice-powered inspection platform
DurationThe term of the Controller's Company Account subscription, plus the retention periods set out in Section 12 and the Privacy Policy
Nature of processingCollection, transcription, AI-based analysis, categorisation, storage, display, export, and deletion of Content
PurposeEnabling the Controller to conduct voice-powered site inspections, generate reports for Building Safety Act 2022 record-keeping, and manage its inspection workflows

4. Types of Personal Data and Data Subjects

As required by Article 28(3) of the UK GDPR, the following table describes the categories of data and data subjects:

Personal Data processedName, email address, job role; voice recordings and AI-generated transcriptions (which may reference individuals present on site); photographs (which may show identifiable individuals); inspection metadata including site and plot information
Categories of data subjectsThe Controller's employees and contractors who use the Service; third parties incidentally captured in voice recordings or photographs (for example, trades working on site during an inspection)
Special category dataWe do not require or invite users to upload special category personal data. If special category data is incidentally captured (for example, in a photograph or voice recording), it is processed under the same terms as other Content.

5. Processor Obligations

In accordance with Article 28(3)(a)–(h) of the UK GDPR, the Processor shall:

  • (a) process Content only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by law;
  • (b) ensure that persons authorised to process Content have committed to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • (c) take all measures required pursuant to Article 32 of the UK GDPR, as set out in Annex 1 (Section 6 of this DPA);
  • (d) engage sub-processors only in accordance with Section 7 of this DPA;
  • (e) taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Controller's obligation to respond to data subject requests;
  • (f) assist the Controller in ensuring compliance with its obligations under Articles 32–36 of the UK GDPR, taking into account the nature of processing and the information available to the Processor;
  • (g) at the choice of the Controller, delete or return all Content to the Controller after the end of the provision of the Service, and delete existing copies unless UK or EU law requires storage of the Content;
  • (h) make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA, and allow for and contribute to audits conducted by the Controller or another auditor mandated by the Controller, subject to Section 11.

6. Technical and Organisational Measures (Annex 1)

The Processor implements the following technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the UK GDPR:

6.1 Encryption

  • All data transmitted between the Service and users is encrypted using HTTPS/TLS.
  • Passwords are hashed using bcrypt with 12 salt rounds; plaintext passwords are never stored.
  • Content stored at rest is protected by encryption provided by our hosting and storage providers (Replit, Cloudflare R2, database host).

6.2 Authentication and Access Control

  • JWT access tokens are short-lived (15 minutes) and rotated on refresh; refresh tokens are stored in httpOnly, Secure cookies with a 7–30 day lifetime.
  • Accounts are locked after 5 failed login attempts, with a 15-minute lockout period.
  • All state-changing requests require a valid CSRF token with timing-safe comparison.
  • Authentication endpoints are rate-limited to prevent brute-force attacks.
  • Access to customer data by Processor personnel is limited to Internal Admin role holders and is logged.

6.3 Data Isolation

  • The Service is multi-tenant with logical data isolation — each Company Account's data is filtered by a `company_id` and cannot be accessed across tenants.
  • All data access queries enforce tenant filtering at the data access layer.

6.4 Application and Network Security

  • HTTP security headers are configured via Helmet, including a Content Security Policy.
  • Dependencies are monitored and updated regularly to address known vulnerabilities.
  • Internal administrative access is restricted to email domains ending in `@sitevoice.app` and requires an explicit Admin role.

6.5 Physical Security

Physical security of the underlying infrastructure is inherited from our hosting providers (Replit, Cloudflare, our database host, and each sub-processor listed in Annex 2), each of which maintains appropriate physical security controls at its facilities.

6.6 Operational Security

  • Error logs are reviewed for signs of security issues.
  • Activity logs are maintained for audit purposes and to support Building Safety Act 2022 record-keeping.
  • Automated retention enforcement of error logs and deleted accounts is being rolled out (see Privacy Policy §10).

7. Sub-processors (Annex 2)

The Controller authorises the Processor to engage the following sub-processors, each of which processes Content on the Processor's behalf to deliver the Service:

Sub-processorLocationPurposeData categoriesTransfer safeguard
OpenAIUnited StatesAudio transcription and defect item extractionInspection audio, transcriptionsSCCs + UK IDTA
DeepgramUnited StatesSpeech-to-text fallback for Safari/FirefoxInspection audio (streaming)SCCs + UK IDTA
StripeUnited StatesPayment processing, subscription managementName, email, billing address, card last4/brand, countrySCCs + UK IDTA
ResendUnited StatesTransactional email deliveryName, email, team invitation metadataSCCs + UK IDTA
Cloudflare R2GlobalFile storage for inspection photos and mediaInspection photos, audio filesSCCs + UK IDTA
Google FontsGlobal (Google)Font delivery via CDNIP address (incidental, at request time)SCCs + UK IDTA
ReplitUnited StatesApplication hosting (autoscale)All Content by virtue of hosting the serversSCCs + UK IDTA
Replit (PostgreSQL)United StatesPostgreSQL database hostingAll stored ContentSCCs + UK IDTA

The Processor will provide the Controller with 30 days' prior notice of any intended addition or replacement of sub-processors, giving the Controller the opportunity to object on reasonable grounds. Notice will be delivered by email to the account administrator of the Company Account, or via a dedicated sub-processor changelog page on sitevoice.app if one is established.

8. International Data Transfers

Several sub-processors listed in Annex 2 are based in the United States. The Processor relies on Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum (IDTA) published by the UK Information Commissioner's Office as the transfer safeguard for such transfers.

Where a sub-processor is certified under a recognised transfer framework, the Processor may additionally rely on such certification as a complementary safeguard. The Processor assesses each sub-processor's location and transfer safeguards before engaging them.

9. Data Subject Rights Assistance

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligation to respond to data subject requests under Chapter III of the UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).

When the Processor receives a data subject request directly, the Processor will forward it to the Controller without undue delay and will not respond to the request itself except on the Controller's documented instructions or where required by law.

The Processor will respond to reasonable assistance requests from the Controller within a time frame that allows the Controller to meet its own one-month response deadline under the UK GDPR.

10. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a personal data breach affecting Content. The 48-hour window is deliberately tighter than the 72-hour window within which the Controller must notify the ICO under Article 33 of the UK GDPR, to give the Controller sufficient time to act.

The Processor's notification will include, to the extent known at the time:

  • the nature of the breach, including categories and approximate number of data subjects and records affected;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its possible adverse effects;
  • the name and contact details of the Processor's point of contact for further information.

The Processor will cooperate with the Controller in investigating, mitigating, and remediating the breach.

11. Audit Rights

The Controller may, upon reasonable written request and no more than once per year, require the Processor to provide written evidence of its compliance with this DPA, including:

  • a description of the technical and organisational measures in place (Annex 1);
  • the current list of sub-processors (Annex 2);
  • confirmation of transfer safeguards in place for international transfers;
  • any third-party security attestations (such as SOC 2, ISO 27001) that the Processor may obtain in future.

On-site physical audits are not generally offered; the Processor prefers to respond through written evidence and attestations in order to minimise operational disruption. The Controller may request an on-site audit only where required by applicable law or by a regulator, and subject to reasonable scheduling, confidentiality, and cost-sharing arrangements.

12. Return and Deletion of Content

On termination of the Terms of Service, the Processor shall, at the Controller's choice, return or delete all Content held on the Controller's behalf. Deletion will be completed within 90 days of termination, aligned with the retention schedule in the Privacy Policy, unless UK law requires continued retention (for example, activity logs retained for Building Safety Act 2022 record-keeping).

During the 90-day wind-down period, the Controller may request export of Content in a structured, commonly used format, subject to the Processor's reasonable technical capabilities. After the 90-day period, backups containing Content are overwritten in the ordinary course.

13. Liability

The Processor's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, Section 11. Nothing in this DPA excludes or limits liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded or limited under the laws of England and Wales.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction over any disputes arising out of or in connection with this DPA. This section is aligned with Section 18 of the Terms of Service.

15. Changes to This DPA

The Processor may update this DPA from time to time to reflect changes in law, sub-processor arrangements, technical measures, or business operations. Material changes will be notified to account administrators at least 30 days in advance. Continued use of the Service after the effective date of any changes constitutes acceptance of the updated DPA.