Data Processing & GDPR

1. Role of Vox Automated

When we design, configure and maintain automation systems for clients, we typically act as a “data processor” under GDPR and similar laws. The client remains the “data controller” and is responsible for ensuring there is a lawful basis to process any personal data used in the automations.

2. Types of Data Processed

Depending on the project, automations may process:

• Contact details for leads and customers (e.g. name, email, phone number).
• Business and transaction data (e.g. enquiries, bookings, call transcripts).
• Support and communication history (e.g. emails, chat logs, CRM notes).

We discourage clients from sending special category data (such as health or political data) through automations unless this is absolutely necessary and accompanied by appropriate safeguards and explicit consent where required.

3. Purpose of Processing

We process personal data solely for the purpose of delivering automation services requested by the client, including configuration, monitoring, optimisation and troubleshooting of the relevant workflows.

4. Data Processing Instructions

We only process personal data on documented instructions from the client, unless required to do so by law. Those instructions may be set out in the project proposal, services agreement, emails or ticketing systems used during the engagement.

5. Confidentiality & Security

• We take reasonable technical and organisational measures to protect data we access.
• Access to client systems is limited to team members who need it for service delivery.
• We encourage use of role-based access, strong authentication and secure credential sharing.

Further security details can be added in a separate Data Processing Agreement (DPA) if required.

6. Sub-Processors

To deliver our services, we may use sub-processors such as:

• Cloud hosting providers and automation platforms (e.g. n8n, Make, CRMs).
• AI model providers (e.g. OpenAI, Anthropic, or similar vendors as agreed with the client).
• Project management, support and communication tools.

Where these providers act as processors, we aim to ensure they offer appropriate contractual and technical protections consistent with applicable data-protection laws.

7. International Transfers

Some sub-processors may be located outside the UK or EEA. In such cases, we seek to ensure that appropriate safeguards (such as Standard Contractual Clauses or equivalent mechanisms) are in place. Clients are encouraged to review the data-transfer arrangements of any third-party tools they choose to use.

8. Data Retention

We do not keep client data longer than necessary to deliver the Services or meet our legal obligations. Access credentials, exports and logs are deleted or anonymised once no longer required. Clients may request deletion of specific materials, subject to any legal retention requirements.

9. Assistance to Controllers

Where reasonably possible, we assist clients in fulfilling their responsibilities towards data subjects, for example by helping to locate, correct or remove data processed in the automations we manage, when a valid request has been made to the client.

10. Data Breach Notification

If we become aware of a personal-data breach affecting systems under our control, we will notify the relevant client without undue delay and provide available information to support their own assessment and notifications, where required by law.

11. Relationship to Privacy Policy

This page focuses on our role as a data processor for clients. For information about how we process personal data in our own capacity as controller (e.g. website visitors, leads and direct customers), please see our Privacy Policy.

12. Contact & DPA Requests

Clients who require a formal Data Processing Agreement (DPA) or have questions about our data-processing practices can contact:

Vox Automated
Email: support@voxautomated.com