Legal

Data Processing Agreement

Last updated:

This Data Processing Agreement is between Summone Limited, trading as Summone Consulting, registered in Scotland, ICO Registration ZC123116, referred to as the Processor, and the client organisation entering into a consulting engagement, referred to as the Controller.

1. Purpose

This agreement governs the processing of personal data by Summone Consulting on behalf of the client in connection with the delivery of AI consulting services.

2. Scope of Processing

  • Subject matter: AI consulting, workflow automation, voice AI development, and related services as set out in the engagement agreement.
  • Duration: The term of the consulting engagement plus any retention period required by law.
  • Nature: Development assistance, strategic analysis, workflow automation, and advisory services.
  • Type of personal data: As provided by the client. May include contact data, employee data, or customer data depending on the engagement.
  • Categories of data subjects: As determined by the client.

3. Processor Obligations

Summone Consulting will:

  • Process personal data only on documented instructions from the client.
  • Ensure that persons authorised to process data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  • Not engage sub-processors without prior written consent from the client.
  • Assist the client in responding to data subject rights requests.
  • Delete or return all personal data at the end of the engagement as instructed.
  • Provide all information necessary to demonstrate compliance with this agreement.

4. Sub-Processors

Where AI tools or third party services are used that may process personal data, Summone Consulting will notify the client in advance and obtain written approval. Current sub-processors used in consulting engagements are listed in our AI Data Handling Policy. The client may object to the use of any sub-processor within 14 days of notification.

5. International Transfers

Some AI tools used by Summone Consulting are operated by US-based providers. Where personal data is transferred outside the UK, such transfers are made under appropriate safeguards including Standard Contractual Clauses or adequacy decisions as applicable.

6. Security Incidents

Summone Consulting will notify the client without undue delay and within 72 hours of becoming aware of any personal data breach affecting client data.

7. Client Obligations

The client warrants that it has a lawful basis for sharing personal data with Summone Consulting and that it has provided appropriate notices to data subjects. The client is responsible for decisions made regarding AI tool usage where those decisions are made against the documented advice of Summone Consulting.

8. Liability

Each party's liability under this agreement is subject to the limitations set out in the main consulting engagement agreement. Summone Consulting maintains professional indemnity insurance covering its consulting activities.

9. Governing Law

This agreement is governed by the laws of Scotland and subject to the jurisdiction of the Scottish courts.

10. Signatures

For Summone Limited

Steven Summone, Director

Date:

For the Client

Name:

Title:

Organisation:

Date:

To request a signed copy of this agreement for your procurement process, contact steven@summone.co.uk.