eniq.ai
FeaturesUse CasesIntegrationsPricing
Sign InStart Free Trial

Data Processing Addendum

Legal terms and privacy information for eniq.ai customers, account users, and communication participants.

Effective Date: June 5, 2026

This Data Processing Addendum ("DPA") is entered into between:

  • Netpeak LTD, a company registered in England and Wales (company number 08991979), with its registered office at 41 Devonshire Street, Ground Floor, London, United Kingdom, W1G 7AJ ("eniq.ai", "Processor"); and
  • the customer identified in the Terms of Service, Subscription, or order form that incorporates this DPA (the "Customer", "Controller").

Each a "Party" and together the "Parties".

This DPA supplements the Terms of Service available at https://eniq.ai/terms-of-service (the "Agreement"). In the event of a conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA prevails. In the event of a conflict between this DPA and the 2021 EU Standard Contractual Clauses (where incorporated by reference in Section 7), the Standard Contractual Clauses prevail.

By signing the Agreement, clicking "I agree" to this DPA, connecting a Service integration, or continuing to use the Service after the Effective Date, the Customer agrees to be bound by this DPA.

1. Definitions

Capitalized terms used but not defined here have the meaning given in the Agreement or in the applicable Data Protection Laws.

  • "Applicable Data Protection Laws" means all laws and regulations applicable to the Parties' Processing of Personal Data under this DPA, including:
  • Regulation (EU) 2016/679 (the "GDPR");
  • the GDPR as retained in UK law by the European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, the "UK GDPR");
  • the Swiss Federal Act on Data Protection ("FADP");
  • the Ukrainian Law On Personal Data Protection ("Ukrainian DPL");
  • the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA");
  • the Brazilian General Data Protection Law ("LGPD");
  • and any successor, amending, or equivalent laws and regulations.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-processor", and "Supervisory Authority" have the meanings given in the GDPR (or equivalent meanings under other Applicable Data Protection Laws).
  • "Business", "Service Provider", "Sale", and "Share" have the meanings given in the CCPA/CPRA, as applicable.
  • "Customer Personal Data" means Personal Data contained within Customer Data that eniq.ai Processes on behalf of the Customer under the Agreement.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "UK Addendum" means the UK International Data Transfer Addendum (Version B1.0) issued by the UK Information Commissioner.
  • "Services" means the services provided under the Agreement.
  • "TOMs" means the technical and organizational measures described in Annex II.

2. Subject Matter, Roles, and Scope

2.1 Roles

With respect to Customer Personal Data:

  • the Customer is the Controller (or, where the Customer itself acts as a processor for a third-party controller, a Processor); and
  • eniq.ai is a Processor (and, under the CCPA/CPRA, a Service Provider).

Where Customer is a Processor acting for a third-party controller, Customer represents that it has full authority under its agreement with that controller to enter into this DPA and instruct eniq.ai as described here, and Customer will be responsible for all obligations of the controller under Applicable Data Protection Laws.

2.2 Subject Matter

The subject matter of the Processing is the performance of the Services.

2.3 Duration

This DPA is in effect for as long as eniq.ai Processes Customer Personal Data under the Agreement and for any further period required by law.

2.4 Nature and Purpose

The nature and purpose of Processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex I.

2.5 Customer's Instructions

The Customer instructs eniq.ai to Process Customer Personal Data: (a) as necessary to provide, maintain, secure, support, and invoice for the Services in accordance with the Agreement and the Documentation; (b) as further instructed in writing by the Customer through the Service's configuration, APIs, or a support ticket, to the extent consistent with the Agreement; (c) as necessary to comply with a legal obligation binding on eniq.ai.

eniq.ai will notify the Customer without undue delay if, in its opinion, an instruction infringes Applicable Data Protection Laws, and may suspend performance of the instruction until the Customer modifies or confirms it.

2.6 Compliance by the Customer

The Customer is solely responsible for: (a) determining the lawfulness of the Processing, including identifying an appropriate legal basis under Article 6 GDPR and, where applicable, an exception under Article 9 GDPR; (b) obtaining any consents or providing any notices to Data Subjects required by Applicable Data Protection Laws (including recording-, wiretap-, and messaging-platform consents as described in Section 4 of the Terms of Service); (c) the accuracy, quality, and legality of Customer Personal Data and of the means by which the Customer acquired it; (d) securing and lawfully using any third-party credentials or tokens the Customer provides to the Service.

2.7 No Sale; Limited Business Purpose (CCPA/CPRA)

eniq.ai is a Service Provider under the CCPA/CPRA. eniq.ai will not (a) Sell or Share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA/CPRA; (c) retain, use, or disclose Customer Personal Data outside the direct business relationship between the Parties; or (d) combine Customer Personal Data with personal data it receives from or on behalf of another person, except as permitted by the CCPA/CPRA. eniq.ai certifies that it understands and will comply with these restrictions.

3. Confidentiality

eniq.ai will ensure that persons authorized to Process Customer Personal Data are bound by confidentiality obligations (contractual or statutory), are trained on data protection, and are granted access on a need-to-know basis.

4. Security of Processing

eniq.ai will implement and maintain the technical and organizational measures described in Annex II to protect Customer Personal Data against a Personal Data Breach. eniq.ai may update the TOMs from time to time provided the overall level of protection is not materially reduced.

5. Personal Data Breaches

eniq.ai will notify the Customer without undue delay and in any event within 72 hours after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known at the time, the information described in Article 33(3) GDPR, and eniq.ai will provide updates as more information becomes available. eniq.ai will cooperate with the Customer in good faith and provide reasonable assistance to enable the Customer to meet its own breach-notification obligations.

eniq.ai's notification of, or response to, a Personal Data Breach is not an acknowledgement by eniq.ai of any fault or liability.

6. Sub-processing

6.1 General Authorization

The Customer grants eniq.ai a general authorization to engage Sub-processors to Process Customer Personal Data. A current list of Sub-processors is maintained at https://eniq.ai/subprocessors (the "Sub-processor List") and is incorporated into this DPA.

6.2 Sub-processor Obligations

Each Sub-processor is engaged under a written agreement that imposes data-protection obligations substantially similar to those in this DPA. eniq.ai remains responsible for the acts and omissions of its Sub-processors to the same extent as for its own.

6.3 Notice of Changes

eniq.ai will update the Sub-processor List before engaging a new Sub-processor that will Process Customer Personal Data and will notify the Customer (by email to the billing contact or via an in-product notice) of any such addition. The Customer may subscribe to change notifications by writing to [email protected].

6.4 Objection

Within 30 days of notification, the Customer may object in writing to a new Sub-processor on reasonable data-protection grounds. The Parties will work together in good faith to resolve the objection. If eniq.ai cannot reasonably accommodate the objection, the Customer may, as its sole and exclusive remedy, terminate the portion of the Services affected by the new Sub-processor on 30 days' notice, with a pro-rated refund of prepaid fees for the terminated portion.

7. International Data Transfers

7.1 Transfer Mechanism

Where Processing of Customer Personal Data involves a transfer from the EEA, the United Kingdom, Switzerland, Ukraine, or another jurisdiction with transfer restrictions to a country that is not the subject of an adequacy decision:

(a) EEA transfers. The Parties agree that the 2021 EU Standard Contractual Clauses are hereby incorporated by reference and apply as follows:

  • Module Two (Controller → Processor) where the Customer is a Controller;
  • Module Three (Processor → Processor) where the Customer is a Processor acting for a third-party controller.

(b) UK transfers. The UK Addendum is incorporated by reference. The applicable SCC module is selected per (a); Tables 1–3 of the UK Addendum are completed by reference to the Parties and to this DPA; Table 4 provides that neither Party may end the Addendum as set out in Section 19 of the Addendum.

(c) Swiss transfers. The FADP-adapted version of the SCCs applies, with references to the GDPR replaced or supplemented by the FADP and references to EU Member State law replaced by Swiss law, and with the Swiss Federal Data Protection and Information Commissioner recognized as a competent supervisory authority for Swiss Personal Data.

(d) Ukrainian transfers. The Parties will rely on an applicable safeguard available under the Ukrainian DPL (including consent, contractual safeguards equivalent to the SCCs, or adequacy under subsequent regulation), as described in Annex III.

7.2 Completion of SCCs

The SCCs are completed as follows:

  • Clause 7 (Docking clause): the optional docking clause applies.
  • Clause 9 (Sub-processors): Option 2 (general written authorization) applies, with the notice period in Section 6.3.
  • Clause 11 (Redress): the optional independent-dispute-resolution provision does not apply.
  • Clause 17 (Governing law): the SCCs are governed by the law of Ireland (or, if the law of Ireland does not permit third-party beneficiary rights, by the law of an EU Member State that does).
  • Clause 18 (Forum and jurisdiction): disputes arising from the SCCs will be resolved by the courts of Ireland.
  • Annex I.A (List of Parties), Annex I.B (Description of Transfer), Annex I.C (Competent Supervisory Authority), and Annex II (TOMs) are populated by Annex I and Annex II of this DPA.

7.3 Supplementary Measures

The TOMs in Annex II constitute, together with any further measures agreed by the Parties in writing, the supplementary measures required under the SCCs to ensure an essentially equivalent level of protection for transferred Personal Data.

8. Assistance with Data Subject Rights

Taking into account the nature of the Processing, eniq.ai will assist the Customer by appropriate technical and organizational measures, insofar as possible, to fulfill the Customer's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws.

In particular, the Service provides the Customer with in-product tools to access, export, correct, restrict, and delete Customer Personal Data. If the Customer requires further assistance, eniq.ai will provide reasonable support; where the requested assistance is disproportionate or falls outside eniq.ai's standard Service, eniq.ai may charge a reasonable fee.

Where a Data Subject contacts eniq.ai directly, eniq.ai will, without undue delay, forward the request to the Customer and will not respond substantively except as legally required or as instructed by the Customer.

9. Data-Protection Impact Assessments and Prior Consultation

Taking into account the nature of the Processing and the information available to it, eniq.ai will provide reasonable assistance to the Customer with any data-protection impact assessment or prior consultation with a Supervisory Authority that the Customer is required to carry out under Articles 35 and 36 GDPR (or equivalent provisions).

10. Return or Deletion

Upon the earlier of termination of the Agreement or the Customer's written request:

(a) Export. For 30 days after termination, eniq.ai will make Customer Personal Data available for export through the Service's standard export functions.

(b) Deletion. Within 60 days after termination or receipt of the Customer's request (whichever is earlier), eniq.ai will delete or anonymize all Customer Personal Data in production systems. Backups containing Customer Personal Data will be purged on a rolling schedule not exceeding 35 days from the deletion date, after which the data becomes irretrievable.

(c) Retention required by law. eniq.ai may retain Customer Personal Data to the extent, and for as long as, required by applicable law, provided that eniq.ai continues to protect the data in accordance with this DPA.

(d) Certification. Upon written request, eniq.ai will certify in writing that it has complied with this Section.

11. Audits and Inspections

11.1 Information

eniq.ai will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including:

  • this DPA and any updates;
  • the Sub-processor List;
  • a summary of the TOMs in Annex II;
  • the most recent independent security assessment, certification, or penetration-test summary (where available, under a non-disclosure obligation).

11.2 Audit Right

Subject to Sections 11.3 and 11.4, and not more than once per calendar year (except where required by a Supervisory Authority or following a confirmed Personal Data Breach), the Customer may audit eniq.ai's compliance with this DPA.

11.3 Audit Procedure

The Customer will give eniq.ai at least 30 days' prior written notice, will conduct the audit during eniq.ai's normal business hours, will not disrupt eniq.ai's operations, will ensure that any auditor (including the Customer's own personnel) is bound by written obligations of confidentiality, and will share any audit findings with eniq.ai. Each Party bears its own costs; the Customer will reimburse eniq.ai's reasonable costs if the audit materially exceeds this scope.

11.4 Alternatives

eniq.ai may satisfy an audit request by providing (a) the information described in Section 11.1, (b) responses to a mutually agreed security questionnaire, or (c) a summary of an independent third-party audit report, if, in the Customer's reasonable view, such materials adequately demonstrate compliance.

12. Liability

Each Party's liability arising under or in connection with this DPA is subject to the aggregate liability cap and other limitations set out in the Agreement. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Laws.

13. General

13.1 Order of Precedence

If there is a conflict or inconsistency between documents, the following order applies (highest to lowest): (i) the SCCs and UK Addendum (where applicable); (ii) this DPA; (iii) the Agreement; (iv) the Sub-processor List and other policies referenced above.

13.2 Changes to the DPA

eniq.ai may update this DPA from time to time, provided that updates do not materially diminish the protections afforded to Customer Personal Data. Material changes will be notified at least 30 days in advance and published at https://eniq.ai/data-processing-agreement. The Customer's continued use of the Services after the effective date of an update constitutes acceptance.

13.3 Governing Law of this DPA (outside SCCs)

Except where the SCCs or UK Addendum prescribe a different governing law, this DPA is governed by the law specified in the Agreement (see Section 17 of the Terms of Service).

13.4 Severability

If any provision of this DPA is held unenforceable, the remaining provisions remain in effect.

13.5 Signature / Acceptance

This DPA may be signed in counterparts or accepted electronically (including by click-through). Where a customer requires a countersigned copy, send a request to [email protected].

Annex I — Description of the Processing

A. List of Parties

  • Data Exporter: The Customer identified in the Agreement.
  • Role: Controller (or Processor, as applicable).
  • Contact point for data protection: as identified in the Customer's account.
  • Activities relevant to the transfer: use of the Service as described in the Agreement.
  • Signature/date: per acceptance of the DPA.
  • Data Importer: Netpeak LTD
  • Address: 41 Devonshire Street, Ground Floor, London, United Kingdom, W1G 7AJ
  • Contact point for data protection: [email protected]
  • Role: Processor (Sub-processor where Customer is a Processor).
  • Activities relevant to the transfer: provision of the eniq.ai conversation-intelligence Service — recording, ingestion, transcription, AI analysis, storage, integrations.

B. Description of Transfer

Categories of Data Subjects. The Customer determines the categories, which may include:

  • the Customer's employees, contractors, and agents (Authorized Users);
  • the Customer's customers, prospects, and leads;
  • other individuals whose communications are recorded, ingested, or analyzed by the Service (including call participants, meeting attendees, and chat/message correspondents).

Categories of Personal Data. Determined by the Customer, which may include:

  • identification and contact data (name, email, phone, chat handles, profile image);
  • employment/role data (job title, team, access role);
  • communication content — voice recordings, video, transcripts, chat/message text, email bodies;
  • communication metadata (timestamps, duration, direction, channel, participant identifiers);
  • CRM fields synced by the Customer (deal data, notes, scores);
  • AI-generated analyses (summaries, scores, sentiment, tags) derived from the above;
  • technical data (IP, device, browser, usage logs) for Authorized Users;
  • billing data of the Customer's authorized purchasers.

Sensitive Data. The Customer must not submit special categories of Personal Data (Article 9 GDPR) or Personal Data relating to criminal convictions (Article 10 GDPR) unless it has a lawful basis and has informed eniq.ai. If such data is nonetheless present in recordings or transcripts, the TOMs in Annex II apply.

Frequency of transfer. Continuous, for the duration of the Subscription.

Nature of Processing. Hosting, transmission, storage, transcription, analysis, indexing, sub-processor transmission, deletion, export.

Purpose(s) of the transfer and further Processing. Provision of the Service under the Agreement.

Retention period. As set out in the Privacy Policy and in-product retention settings; in any event, deleted within 60 days after termination (subject to legal retention).

Sub-processor transfers. Subject, nature, duration, and purpose as described above, and as set out in the Sub-processor List.

C. Competent Supervisory Authority

Where Module Two or Three of the SCCs applies:

  • if the data exporter is established in an EEA Member State: the Supervisory Authority of that Member State;
  • if the data exporter is not established in the EEA but falls within the territorial scope of GDPR Article 3(2) and has appointed an EU representative: the Supervisory Authority of the Member State in which the representative is established;
  • otherwise: the Irish Data Protection Commission (as fallback competent authority).

For UK transfers: the UK Information Commissioner's Office (ICO). For Swiss transfers: the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Annex II — Technical and Organizational Measures

eniq.ai implements and maintains the following measures, which may be updated from time to time provided the overall level of protection is not materially reduced.

1. Organizational Measures

  • Written information-security policies reviewed at least annually.
  • Designated personnel responsible for security and data protection.
  • Role-based access with least-privilege principles; access reviews at least quarterly.
  • Mandatory onboarding and recurring security-awareness training for personnel.
  • Confidentiality obligations in all personnel and contractor agreements.
  • Background checks (where permitted by law) for personnel with privileged access.
  • Documented incident-response plan and on-call rotation.
  • Change-management process with code review and audit logging.

2. Access Control

  • Unique user accounts; no shared credentials.
  • Multi-factor authentication (TOTP/WebAuthn) required for administrative access.
  • Centralized identity management and single sign-on for internal systems.
  • Automated de-provisioning on role change or departure.
  • Privileged-access sessions logged.

3. Authentication of End Users

  • Customer credentials hashed with a modern password-hashing algorithm (e.g., Argon2 or bcrypt) and never stored or transmitted in clear text.
  • Optional two-factor authentication (TOTP) offered to Authorized Users.
  • OAuth tokens and third-party API keys stored encrypted at rest.
  • Session tokens signed and time-boxed; configurable session timeouts.

4. Encryption

  • In transit: TLS 1.2+ with modern cipher suites for all external traffic and for internal traffic that traverses untrusted networks.
  • At rest: provider-managed encryption of object storage and databases; application-level encryption of sensitive secrets (OAuth tokens, API keys, integration credentials).

5. Network Security

  • Perimeter protection via cloud provider VPCs, firewall rules, and TLS-terminating edge services.
  • DDoS mitigation at the edge.
  • Hardened base images; dependency and vulnerability scanning in CI/CD.
  • Segregation between production and non-production environments; no production data in development or test systems.

6. Logical Separation of Customer Data

  • Multi-tenant architecture with logical isolation at the application layer; tenant identifier enforced at every Service boundary.
  • Strict access-control checks before every read/write of Customer Data.
  • Rate limits and abuse-prevention controls.

7. Availability and Resilience

  • Automated backups of production databases, retained up to 35 days, stored in encrypted form in a separate region where applicable.
  • Monitoring of system health and key metrics; alerting on anomalies.
  • Documented disaster-recovery procedures; recovery objectives reviewed at least annually.

8. Logging and Monitoring

  • Application, access, and audit logs retained in a centralized system for at least 90 days (and up to 18 months for security-relevant events).
  • Centralized error and performance monitoring (Sentry).
  • Alerts on authentication anomalies, privilege escalations, and suspicious patterns.

9. Secure Development

  • Peer code review for all production changes.
  • Static analysis and dependency-vulnerability scanning in CI/CD.
  • Security-sensitive changes gated on additional review.
  • Documented process for handling externally reported vulnerabilities.

10. Vendor and Sub-processor Management

  • Due diligence prior to onboarding any Sub-processor with access to Personal Data.
  • Data-processing terms (including, where applicable, SCCs) executed with each Sub-processor.
  • Periodic review of Sub-processor security posture.

11. Physical Security

  • Physical security of hosting facilities is provided by the underlying cloud providers (Google Cloud Platform and others). Relevant certifications (e.g., ISO 27001, SOC 2) are published by those providers.

12. Deletion

  • Customer-triggered deletion functions in the Service.
  • Scheduled purging of terminated accounts per Section 10 of the DPA.
  • Backups purged on rolling schedule (up to 35 days) after primary deletion.

13. AI-Specific Measures

  • Third-party AI providers engaged under zero-retention / no-training terms where available.
  • Customer Data is not used to train or fine-tune models operated by eniq.ai or by Sub-processors, except with the Customer's explicit opt-in.
  • Prompt and output logging limited to what is necessary for debugging, abuse prevention, and service reliability, retained per the Privacy Policy.

14. Assistance to the Customer

  • In-product tools to support Data-Subject rights (export, correction, deletion).
  • Documented Personal Data Breach notification process (Section 5 of the DPA).

Annex III — Jurisdiction-Specific Provisions

A. United Kingdom

The UK Addendum (Version B1.0) is incorporated by reference and supplements the SCCs for UK transfers. Tables 1–3 are completed by reference to the Parties and Annexes of this DPA; Table 4 provides that neither Party may end the Addendum as set out in Section 19 of the Addendum.

B. Switzerland

For Swiss transfers, references in the SCCs to the GDPR are understood as references to the FADP (and to the GDPR where the FADP offers a lower level of protection); references to EU Member State law are understood as references to Swiss law; the competent Supervisory Authority is the FDPIC; and the SCCs also protect legal persons to the extent required under the FADP.

C. Ukraine

For Personal Data subject to the Ukrainian DPL, the Parties will rely on a transfer basis available under that law, including the Data Subject's consent, contractual safeguards providing protections equivalent to those of the SCCs, or an applicable adequacy decision once adopted. The Customer remains responsible for any specific notification or registration obligations that may apply under Ukrainian law.

D. California (CCPA/CPRA)

eniq.ai acts as a Service Provider (and, where relevant, Contractor) as defined in the CCPA/CPRA. eniq.ai makes the certifications and accepts the restrictions set out in Section 2.7. For the avoidance of doubt, Customer Personal Data received from the Customer is used only to perform the Business Purposes specified in the Agreement and is not Sold, Shared, or combined with Personal Data from other sources except as expressly permitted by the CCPA/CPRA.

E. Brazil (LGPD)

Where the LGPD applies, the Parties will comply with its requirements. For the purposes of this DPA, "Controller" and "Processor" correspond to *controlador* and *operador* under the LGPD. The Brazilian National Data Protection Authority (ANPD) is the competent supervisory authority for LGPD matters.

By entering into the Agreement or continuing to use the Services after the Effective Date, the Parties are deemed to have signed this DPA, including its Annexes.

Netpeak LTD Name: _____________________________ Title: _____________________________ Date: _____________________________

Customer Company: __________________________ Name: _____________________________ Title: _____________________________ Date: _____________________________

eniq.ai

AI-powered conversation intelligence platform for all customer interactions.

Product
FeaturesPricingIntegrations
Company

© 2025 eniq.ai. All rights reserved.

Sign InStart Free Trial