Data Processing Addendum - Jodie
Last Updated: 08 May 2026
This Data Processing Addendum (the “DPA”) forms part of the Terms of Service (the “Terms”) between JODIE AI LIMITED (“Jodie,” “we,” “our,” or “us”) and the subscriber identified in the relevant Subscription (the “Subscriber,” “you,” or “your”) (each a “Party” and together the “Parties”). This DPA applies only where and to the extent Jodie Processes Personal Data on the Subscriber’s behalf in the course of providing the Services. In the event of any conflict between this DPA and the Terms strictly in relation to the Processing of Personal Data, this DPA prevails; in all other respects the Terms prevail.
By subscribing to or continuing to use the Services, the Subscriber accepts this DPA. We are not required to sign a separate or bespoke DPA. If a Subscriber requires a counter-signed copy of this DPA in its current form, contact data-protection-officer [at] heyjodie.com; any departure from this DPA requires our written agreement and may be subject to additional fees.
1. Definitions
Capitalised terms not defined in this DPA have the meaning given in the Terms or the applicable Data Protection Laws.
- “Data Protection Laws” means all applicable laws and regulations relating to the Processing of Personal Data, including the UK GDPR and the Data Protection Act 2018, the EU GDPR (Regulation (EU) 2016/679), the California Consumer Privacy Act as amended (CCPA/CPRA), the Australian Privacy Act 1988 (Cth), the Personal Information Protection and Electronic Documents Act (PIPEDA, Canada), Quebec’s Law 25, and the New Zealand Privacy Act 2020.
- “Personal Data”, “Controller”, “Processor”, “Data Subject”, “Process / Processing” and “Sub-processor” have the meanings given in the UK GDPR or, where another Data Protection Law applies, the equivalent terms in that law.
- “Subscriber Personal Data” means Personal Data Processed by Jodie on the Subscriber’s behalf in connection with the Services, including caller audio, transcripts, AI-generated summaries, messages, bookings and related metadata.
- “Services” has the meaning given in the Terms.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- “UK Transfer Mechanism” means the UK International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner’s Office, or the UK Addendum to the EU SCCs, as applicable.
2. Roles and Scope
- The Subscriber is the Controller and Jodie is the Processor of Subscriber Personal Data. The Subscriber may also be a Processor for an upstream Controller; if so, the Subscriber appoints Jodie as a Sub-processor on the same terms and warrants that it has the authority to do so.
- The Subscriber is solely responsible for complying with its obligations as Controller (or, where applicable, Processor for an upstream Controller) under Data Protection Laws, including: establishing the lawful basis for the Processing; providing all required notices to and obtaining all required consents from Data Subjects (including for AI handling, call recording, transcription and cross-border transfer); responding to Data Subject requests; carrying out any required impact assessments; and notifying supervisory authorities and Data Subjects of Personal Data Breaches where required by Data Protection Laws. Jodie’s role under this DPA is limited to the Processor obligations expressly set out in this DPA.
- Each Party will comply with the obligations that apply to it under Data Protection Laws.
- The subject matter, duration, nature and purpose of the Processing, the categories of Data Subjects and the categories of Personal Data are set out in Annex A.
3. Processing Instructions
- Jodie will Process Subscriber Personal Data only on the Subscriber’s documented instructions consistent with the standard functionality of the Services, including those given through the configuration of the Services, the Terms, this DPA and the Privacy Policy. The Subscriber’s use of the Services in their standard configuration is treated as the Subscriber’s standing instruction. Jodie may also Process Subscriber Personal Data where required to do so by applicable law (and will, where lawful, inform the Subscriber of that legal requirement).
- The Subscriber warrants that its instructions and configuration of the Services comply with Data Protection Laws. Jodie is not required to verify the lawfulness of any instruction. If, in Jodie’s reasonable opinion, an instruction infringes Data Protection Laws, Jodie may (without liability) decline or suspend acting on it and notify the Subscriber.
- Jodie has no liability for any loss or claim arising from acting on the Subscriber’s instructions or from the Subscriber’s configuration (or misconfiguration) of the Services.
4. Confidentiality
Jodie will ensure that personnel authorised to Process Subscriber Personal Data are bound by appropriate confidentiality obligations and have received training relevant to their role. The form of those obligations and training is at Jodie’s discretion.
5. Security
- Jodie will implement and maintain appropriate technical and organisational measures to protect Subscriber Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risks to Data Subjects. A summary of the current measures is set out in Annex B.
- The Subscriber is responsible for using the security features made available by the Services (including authentication, access controls and configuration options) and for the security of any Subscriber-controlled environments, accounts and credentials. Jodie is not liable for any incident arising from the Subscriber’s failure to do so or from the Subscriber’s configuration of the Services.
- No security measure is fault-free. Jodie does not warrant that the measures will prevent all Personal Data Breaches or other incidents. Jodie’s liability for any failure of the measures is subject to section 13.
6. Sub-processors
- The Subscriber gives Jodie general written authorisation to engage Sub-processors (including affiliates of Jodie) to Process Subscriber Personal Data, subject to this section.
- Jodie maintains a list of Sub-processors that Process Subscriber Personal Data. Because the list contains commercially sensitive information about Jodie’s supply chain, Jodie makes the list available to Subscribers on request under a non-disclosure agreement. To request a copy, contact data-protection-officer [at] heyjodie.com.
- Jodie will use reasonable efforts to give the Subscriber prior notice before adding or replacing a Sub-processor that Processes Subscriber Personal Data, by such means and within such period as Jodie considers reasonably practicable in the circumstances. The Subscriber may object on reasonable, documented data-protection grounds within fifteen (15) days of being notified. If the Subscriber objects, the Parties will discuss the issue in good faith for up to thirty (30) days. If no resolution is reached, the Subscriber’s sole and exclusive remedy is to terminate the affected Services on written notice with effect from the date the change takes effect, with no refund or further liability to either Party. Failure by Jodie to give notice in time, by itself, will not give rise to any liability beyond the limitations and exclusions in section 13 and the Terms.
- Jodie will impose data-protection terms on each Sub-processor that are substantially similar to those in this DPA in so far as relevant to the services that Sub-processor provides to Jodie. Jodie’s liability to the Subscriber for the acts and omissions of its Sub-processors is limited to what Jodie’s liability would have been had Jodie performed the relevant act or omission itself, and is in any event subject to section 13 and the Terms.
7. International Transfers
- The Subscriber acknowledges that Jodie Processes Subscriber Personal Data in Ireland and the United States as described in the Privacy Policy and that doing so involves international transfers of Personal Data. The Subscriber consents to those transfers and to any onward transfers necessary for Jodie to provide the Services. Jodie may add, change or remove processing locations from time to time at its sole discretion, and is not required to give individual notice of any such change beyond the Sub-processor change process in section 6.
- Where Data Protection Laws require a transfer mechanism for a transfer of Subscriber Personal Data from the UK or the EEA to a country that is not the subject of an adequacy decision, the Parties rely on the following safeguards (incorporated by reference into this DPA, as applicable to the transfer and the recipient):
  - the EU Standard Contractual Clauses (Module 2: Controller-to-Processor, or Module 3: Processor-to-Processor), with the Subscriber as data exporter and Jodie or the relevant Sub-processor as data importer;
  - the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs for transfers from the UK; and
  - where the recipient is independently certified, the EU-US Data Privacy Framework and its UK Extension.
- The Parties agree to populate the Annexes or Appendices of the SCCs and UK Transfer Mechanism using the information in Annex A, Annex B, the Sub-processor list, and the contact details of the Parties’ representatives. Optional clauses (including the docking clause) are deemed to apply unless excluded in writing. Where the SCCs or UK Transfer Mechanism offer optional drafting choices, Jodie may select the option more favourable to it (or to the data importer) provided the choice is permitted by the instrument.
- Where another Data Protection Law (including PIPEDA, the Australian Privacy Act, Quebec Law 25 or the NZ Privacy Act 2020) imposes additional cross-border requirements, Jodie will, at the Subscriber’s reasonable request and cost, provide such cooperation as Jodie considers reasonably appropriate to support the Subscriber’s compliance.
8. Data Subject Requests
- Taking into account the nature of the Processing and the information available to Jodie, Jodie will provide the Subscriber with reasonable assistance, primarily through the self-service tools and documentation made available in the Services, to enable the Subscriber to respond to requests from Data Subjects exercising their rights under Data Protection Laws. Assistance that materially exceeds the standard self-service tools is provided on a time-and-materials basis at Jodie’s then-current professional services rates.
- If Jodie receives a request directly from a Data Subject relating to Subscriber Personal Data, Jodie will (unless prohibited by law) refer the Data Subject to the Subscriber and, where reasonably practicable, notify the Subscriber. Primary responsibility for responding to Data Subject requests rests with the Subscriber.
9. Personal Data Breach
- Jodie will notify the Subscriber without undue delay after becoming aware of a confirmed Personal Data Breach affecting Subscriber Personal Data. The notification will include, to the extent then known and lawful to disclose, the information required by Article 33(3) of the UK GDPR; further information may be provided in stages as the investigation progresses.
- Jodie will take such steps as it reasonably considers appropriate to investigate, mitigate and remediate the Personal Data Breach. Jodie will, at the Subscriber’s reasonable request and cost, provide such further cooperation with the Subscriber’s investigation and notification obligations as Jodie considers reasonably appropriate.
- Notification of a Personal Data Breach is not, by itself, an admission of fault or liability by Jodie. Jodie’s liability for any Personal Data Breach is subject to section 13 and the Terms.
10. Data Protection Impact Assessments and Prior Consultation
Where required by Data Protection Laws, Jodie will, taking into account the nature of the Processing and the information available to Jodie, provide the Subscriber with reasonable assistance in carrying out data protection impact assessments and prior consultations with supervisory authorities, primarily by way of the documentation made available with the Services. Assistance that materially exceeds that documentation is provided on a time-and-materials basis at Jodie’s then-current professional services rates.
11. Audits
- Jodie will make available to the Subscriber the information reasonably necessary to demonstrate compliance with this DPA, primarily through the Services’ documentation, security overview, and (where available) third-party audit reports, certifications or summaries. The Subscriber agrees that those materials are sufficient to discharge Jodie’s obligations under Article 28(3)(h) of the UK GDPR (and equivalent provisions of other Data Protection Laws) in the ordinary course.
- Where the Subscriber reasonably believes that the information made available under paragraph 1 is insufficient, the Subscriber may request an audit on the following terms: (a) no more than once in any twelve-month period, except where a supervisory authority requires otherwise or following a confirmed Personal Data Breach materially affecting the Subscriber’s data; (b) at least sixty (60) days’ written notice; (c) entirely at the Subscriber’s cost (including Jodie’s reasonable internal costs at Jodie’s then-current rates); (d) conducted during normal business hours, by a qualified independent auditor that is not a competitor of Jodie and that has signed a non-disclosure agreement acceptable to Jodie; (e) limited in scope to information reasonably necessary to verify Jodie’s compliance with this DPA; (f) without requiring access to the Personal Data of other customers, to source code, or to other information that would compromise Jodie’s security or confidentiality obligations to third parties; and (g) subject to the Subscriber’s prompt sharing of the audit report with Jodie and any reasonable remediation timetable agreed by the Parties. The Subscriber will indemnify Jodie against any loss or claim caused by the Subscriber’s or its auditor’s misuse of information obtained from an audit.
12. Return and Deletion
- On termination of the Services, the Subscriber may, within thirty (30) days of the effective date of termination, request the return or deletion of Subscriber Personal Data using the export functionality provided in the Services. After that period, Jodie may delete Subscriber Personal Data without further notice and the Subscriber waives any further right to return or copy.
- Jodie will delete or anonymise Subscriber Personal Data within a reasonable time after termination, except to the extent retention is required by applicable law, by an order of a competent authority, or for the establishment, exercise or defence of legal claims.
- Subscriber Personal Data held in routine backups will be overwritten in the ordinary course of Jodie’s backup cycle. During that period the data remains subject to this DPA but Jodie is not required to actively delete it from backups.
13. Liability
- The liability of each Party under or in connection with this DPA, the SCCs and any UK Transfer Mechanism (whether in contract, tort including negligence, breach of statutory duty, under the SCCs, the UK Transfer Mechanism, Data Protection Laws or otherwise) is subject to the limitations, exclusions and aggregate cap on liability set out in section 14 of the Terms.
- All claims by the Subscriber under or in connection with this DPA, the SCCs, any UK Transfer Mechanism and Data Protection Laws (including claims for fines, compensation under Article 82 of the UK GDPR or equivalent, and indemnity claims) count towards a single aggregate cap under section 14 of the Terms.
- To the maximum extent permitted by law, neither Party is liable to the other under or in connection with this DPA for any loss of profits, revenue, business, goodwill, anticipated savings or opportunity, loss or corruption of data, or for any indirect, special, incidental, consequential, exemplary or punitive damages.
- Nothing in this DPA limits or excludes any liability that cannot be limited or excluded as a matter of applicable law (including, where applicable, liability for fraud or for death or personal injury caused by negligence).
14. Subscriber Indemnity
The Subscriber will indemnify, defend and hold harmless Jodie and its affiliates, officers, employees and agents against any loss, claim, fine, penalty, regulatory action, cost or expense (including reasonable legal fees) arising out of or in connection with: (a) the Subscriber’s instructions to Jodie or the Subscriber’s configuration of the Services; (b) the Subscriber’s failure to obtain any consent or to give any notice required under Data Protection Laws or applicable call-recording, wiretap, AI-disclosure or telemarketing laws; (c) any breach by the Subscriber of this DPA, Data Protection Laws or the Terms; (d) any data the Subscriber or its callers submit to the Services that the Subscriber was not entitled to submit; or (e) any claim by an upstream Controller, regulator or Data Subject relating to (a) to (d).
15. No Third Party Rights
A person who is not a Party to this DPA has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this DPA. This section does not limit the rights of Data Subjects under the SCCs, the UK Transfer Mechanism or Data Protection Laws to the extent those rights cannot be excluded.
16. Order of Precedence
In the event of a conflict between (a) the SCCs or UK Transfer Mechanism, (b) this DPA, and (c) the Terms, the order of precedence in respect of the subject matter of the conflict is: (a) first, then (b), then (c). Each Party agrees to interpret the documents so as to give effect to the limitations, exclusions and aggregate cap on liability in section 14 of the Terms wherever permitted by law.
17. Governing Law
This DPA is governed by the laws of England and Wales and is subject to the jurisdiction provisions of the Terms, except that the SCCs and the UK Transfer Mechanism are governed by the laws specified within those instruments. Where a mandatory rule of Data Protection Laws requires a different governing law for a specific obligation, that mandatory rule applies only to that obligation.
Annex A - Description of Processing
- Subject matter: provision of the Services as described in the Terms.
- Duration: for the term of the Subscriber’s Subscription, plus any post-termination period referred to in section 12.
- Nature and purpose: receiving inbound calls on the Subscriber’s behalf, generating audio, transcripts, AI-generated summaries, messages, bookings and related metadata, storing them, making them available to the Subscriber, and providing related platform and support functions.
- Categories of Personal Data: caller name and contact details (where provided by the caller), call audio and transcripts, AI-generated summaries, messages, bookings, telephone numbers, call metadata (time, duration, routing), and account, billing and support data of the Subscriber’s authorised users.
- Categories of Data Subjects: the Subscriber’s callers, the Subscriber’s authorised users, and any other natural persons whose Personal Data is shared with the Services through call content.
- Special category data: not intentionally collected. Any special category data that callers volunteer in a call is incidental and is governed by the same protections as other call content.
- Frequency of transfers: continuous, on a per-call basis.
Annex B - Technical and Organisational Measures
The following is a summary of the measures Jodie maintains. Specific implementation details may evolve; Jodie will not materially reduce the level of protection during the term.
- Encryption: TLS in transit; encryption at rest for Subscriber Personal Data.
- Access control: role-based access, least-privilege defaults, multi-factor authentication for administrative access, and logging of administrative actions.
- Network security: segmented production environment, firewalled boundaries, and protection against common web vulnerabilities.
- Application security: secure software development practices, code review, dependency monitoring, and a vulnerability management process.
- Personnel: confidentiality obligations and data-protection training for personnel with access to Subscriber Personal Data.
- Sub-processors: due diligence before engagement, contractual data-protection terms, and ongoing oversight.
- Backups and continuity: regular backups, periodic restore testing, and documented recovery procedures.
- Incident response: documented incident-response process, on-call coverage and breach-notification procedures consistent with section 9.
- Auditability: production logs and audit trails sufficient to support investigations and compliance reporting.
Contact
For questions about this DPA, sub-processor lists, or to request a counter-signed copy, contact:
- Data Protection Officer: data-protection-officer [at] heyjodie.com
- General Email: team [at] heyjodie.com
- Address: 45 Albemarle Street, Mayfair, London, W1S 4JL