SideKickCo - Data Processing Agreement (DPA)

Effective Date: 5th June 2026

This Data Processing Agreement ("DPA") forms part of the SideKickCo Business-to-Business Terms of Service (the "Agreement") between Launch Mode Ltd, trading as SideKickCo ("Processor", "we", "us", or "our") and the business utilizing the SideKickCo service ("Controller", "Customer", or "you").

1. Definitions and Interpretation

"Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations 2003 (PECR), and any changes made under the Data (Use and Access) Act 2025.

"Personal Data", "Data Subject", "Controller", "Processor", and "Processing" shall have the meanings given to them in the UK GDPR.

"Special Category Data" means personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic/biometric data, health data, or data concerning sex life or sexual orientation.

2. Roles and Scope of Processing

2.1. Relationship of the Parties: For the purposes of the Data Protection Legislation, you are the Controller and we are the Processor of the Personal Data provided by individuals calling your business ("Caller Data").

2.2. Compliance: Both parties will comply with all applicable requirements of the Data Protection Legislation. You warrant that you have all necessary rights, lawful bases, and transparent notices in place to allow us to process Caller Data on your behalf.

3. Obligations of the Processor

When processing Caller Data on your behalf, we shall:

3.1. Instructions: Process Caller Data only on your documented written instructions (which include the configuration of the SideKickCo service), unless required by UK law to act otherwise.

3.2. Confidentiality: Ensure that personnel authorized to process Caller Data have committed themselves to confidentiality.

3.3. Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, protecting against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

3.4. Data Subject Rights: Promptly notify you if we receive a request from a Data Subject (e.g., a Subject Access Request or erasure request) and provide reasonable assistance to help you respond, at your cost. We will not respond directly to the request unless authorized by you.

3.5. Breach Notification: Notify you without undue delay upon becoming aware of a Personal Data Breach affecting your Caller Data, providing sufficient information to allow you to meet any reporting obligations to the Information Commission or Data Subjects.

3.6. Deletion or Return: At your written choice, delete or return all Caller Data to you after the end of the provision of services, unless UK law requires storage of the Personal Data.

4. Use of Sub-processors

4.1. General Authorization: You grant us general written authorization to engage third-party Sub-processors to deliver the SideKickCo service. The current list of approved Sub-processors is set out in Annex 2.

4.2. Notification of Changes: We shall notify you (via email or platform notification) of any intended changes concerning the addition or replacement of Sub-processors at least 30 days beforehand, giving you the opportunity to object. If you reasonably object and we cannot accommodate the objection, you may terminate the Agreement.

4.3. Flow-down Obligations: We shall enter into written agreements with our Sub-processors imposing data protection obligations no less protective than those in this DPA.

5. International Data Transfers

5.1. You acknowledge that our Sub-processors (such as OpenAI and Vapi) may process Caller Data outside of the UK (e.g., in the United States).

5.2. We shall ensure that any transfer of Caller Data outside the UK is done in compliance with Data Protection Legislation, utilizing appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or recognizing a valid adequacy decision (e.g., the UK-US Data Bridge).

6. Special Category Data Disclaimer

6.1. Service Intent: SideKickCo is a lead-qualification and booking tool. It is not designed, intended, or secured for the active collection or processing of Special Category Data.

6.2. Incidental Collection: You acknowledge that because SideKickCo utilizes open-ended conversational AI, callers may voluntarily and incidentally disclose health data or vulnerabilities (e.g., medical conditions affecting an emergency call-out). We process this data purely incidentally as part of the audio transcription and AI analysis. You agree not to deliberately configure the AI prompts to solicit Special Category Data.

Annex 1: Details of Processing

Subject Matter & Nature: The interception of telephone calls, voice-to-text transcription, AI-driven conversational analysis for lead qualification, booking management, and SMS notification routing.

Duration: The duration of your subscription to the SideKickCo service.

Categories of Data Subjects: Individuals (customers or potential customers) placing telephone calls to your business number.

Types of Personal Data: Names, telephone numbers, physical addresses, job requirements, voice audio recordings, and text transcripts of conversations.

Annex 2: Authorized Sub-processors

As of the Effective Date, the following Sub-processors are authorized:

Sub-processor | Function / Purpose | Location of Processing
Twilio | Telephony infrastructure, call routing, SMS notification | USA / UK / EEA
Vapi | Voice AI orchestration and telephony bridging | USA
OpenAI (ChatGPT) | Conversational logic, lead qualification reasoning | USA
ElevenLabs | Text-to-speech (TTS) voice generation | USA / EEA
Supabase | Database hosting and data storage | [EU (Frankfurt) or UK]
Hetzner | Cloud infrastructure and server hosting for workflow execution | EU (Germany / Finland)
n8n | Workflow automation and data routing | EU (via Hetzner)
Resend | Transactional email communications | USA
Google | Cloud infrastructure, database mirror, and lead logging via Google Sheets | UK / EEA (or USA, depending on your Workspace data location settings)

(Note: Stripe is utilized as a Processor for your billing data as a Customer, but is not considered a Sub-processor for Caller Data).