Effective: 7 March 2025
1. Introduction
1.1 This Data Processing Agreement ("DPA") forms part of the agreement between Ambr Technologies Limited ("Supplier") and the customer entity identified in the applicable Order Form ("Customer"), which incorporates by reference the Supplier's Terms and Conditions (the "Agreement"). This DPA sets out the terms on which the Supplier will process Customer Personal Data on behalf of the Customer in accordance with Data Protection Legislation.
1.2 All capitalised terms not defined in this DPA shall have the meanings set forth in the Agreement. In the event of a conflict between this DPA and the Agreement, the terms of this DPA shall prevail with respect to data protection matters.
1.3 This DPA is intended to ensure compliance with Data Protection Legislation, including the UK GDPR and Data Protection Act 2018, as well as other applicable laws.
2. Definitions
2.1 "Data Protection Legislation" means all applicable data protection and privacy laws, regulations, and legally binding codes of practice in force from time to time, including the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, each as amended or replaced from time to time.
2.2 "Personal Data" or "Customer Personal Data" means any personal data (as defined under the UK GDPR) that the Supplier processes on behalf of the Customer pursuant to the Agreement.
2.3 "Controller, Processor, Data Subject, Processing, Personal Data Breach" and all related expressions shall have the meanings given to them in the UK GDPR.
2.4 "Sub-Processor" means any third party engaged by the Supplier to process Customer Personal Data on behalf of the Customer.
3. Roles and Scope of Processing
3.1 The parties acknowledge that the Customer is the Controller and the Supplier is the Processor of the Customer Personal Data processed under the Agreement.
3.2 The Supplier shall only process the Customer Personal Data on documented instructions from the Customer, including as set out in the Agreement and this DPA, unless otherwise required by applicable law (in which case the Supplier shall use reasonable efforts to notify the Customer before such processing, unless legally prohibited).
4. Purpose, Nature, and Categories of Data
4.1 Purpose: The Supplier processes the Customer Personal Data solely to provide AI-powered training services (e.g., through simulated conversations, feedback, and progress tracking) as further described in the Agreement and Order Form.
4.2 Nature and Scope of Processing: Processing includes collection, storage, analysis, retrieval, and use of Customer Personal Data to facilitate the Supplier's services and related support.
4.3 Types of Personal Data may include, without limitation:
- Identifiers: Names, email addresses, job titles, departments, usernames
- Voice Data: Voice recordings of simulated conversations
- Transcripts: Transcripts of these simulated conversations
- Performance Data: Performance metrics, feedback data, usage statistics, progress tracking information
- Other Data: IP addresses, self-reported skill levels, organizational role and reporting structure
4.4 Categories of Data Subjects may include:
- Customer's employees, managers, and administrators participating in training
- Contractors or consultants included in the management training program
4.5 The duration of processing shall be for the term set out in the Agreement plus any additional retention period required by applicable law or as necessary to establish, exercise, or defend legal claims.
5. Data Subject Rights and Assistance
5.1 The Supplier shall, taking into account the nature of the processing, implement appropriate technical and organisational measures to assist the Customer in fulfilling its obligations to respond to requests by Data Subjects to exercise their rights under Data Protection Legislation. This assistance (provided at the Customer's cost) includes:
- Promptly notifying the Customer of any Data Subject request received directly (and in any event within five (5) days).
- Not responding to any such request without the Customer's express written approval (unless required by law).
6. Security Measures and Breach Notification
6.1 The Supplier shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.
6.2 In the event the Supplier becomes aware of a Personal Data Breach affecting Customer Personal Data, it shall promptly (and in any event within twenty-four (24) hours) notify the Customer and provide all information the Customer reasonably requires to meet its obligations to report or inform Data Subjects of the breach under Data Protection Legislation.
7. Sub-Processors
7.1 The Customer generally authorises the Supplier to engage Sub-Processors to process Customer Personal Data. The Supplier shall:
- Impose on any Sub-Processor data protection obligations that are materially similar to those set out in this DPA.
- Remain liable to the Customer for the performance of Sub-Processors' obligations.
7.2 The Supplier shall inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors, giving the Customer the opportunity to object to such changes. Where the Customer objects and cannot demonstrate an actual or likely breach of Data Protection Legislation as a reason for the objection, the Customer shall indemnify the Supplier against all losses arising out of accommodating the objection.
8. International Transfers
8.1 The Supplier may transfer Customer Personal Data outside of the UK and/or the EEA as necessary, provided that all such transfers comply with Data Protection Legislation. This may include entering into the UK International Data Transfer Addendum to the EU Standard Contractual Clauses or other appropriate transfer mechanisms.
8.2 The Customer agrees to cooperate with the Supplier's efforts to implement any required data transfer mechanisms and shall sign additional documents or provide information reasonably requested by the Supplier to effect such mechanisms.
9. Return or Deletion of Data
9.1 Upon termination or expiry of the Agreement, and at the Customer's written direction, the Supplier shall delete (so far as technically possible) or return all Customer Personal Data within thirty (30) days, unless continued storage is required by applicable law. Customer Personal Data shall be considered deleted where it can no longer be used by the Supplier.
10. Liability and Indemnities
10.1 Nothing in this DPA limits any liability which cannot be excluded or limited under applicable law.
10.2 Subject to clause 10.1, the Supplier's total aggregate liability arising under or in connection with this DPA and the Data Protection Legislation, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall not exceed £2,000,000.
10.3 The Supplier shall indemnify and keep indemnified the Customer against all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to Data Subjects, demands and legal and other professional costs (calculated on a full indemnity basis) arising out of or in connection with any breach by the Supplier of its obligations under this DPA, subject always to the liability cap in clause 10.2.
11. General
11.1 This DPA shall be governed by and construed in accordance with the laws of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.
11.2 If any provision of this DPA is found to be invalid or unenforceable, the remainder of the DPA shall remain in full force and effect.
11.3 This DPA may be executed in counterparts, and its provisions are in addition to and not in substitution for any other rights relating to data protection contained in the Agreement.
Addendum 1 – Presentation Practice Module
1. Introduction
1.1 Applicability. This Addendum supplements the existing Data Processing Agreement (“DPA”) between Ambr Technologies Limited (“Supplier”) and the Customer, solely with respect to the Presentation Practice Module (the “Module”).
1.2 Conflict. In the event of a conflict between this Addendum and the DPA, this Addendum prevails with respect to the processing activities specifically related to the Module.
2. Additional Processing Details
2.1 Nature and Purpose of Processing. The Module enables Authorised Users to practice delivering presentations using AI-based transcription, Q&A, and feedback. In connection with the Module, the Supplier processes user audio data and transcripts. This includes:
Collection: Capturing voice recordings of presentation sessions.
Storage: Storing such voice recordings and transcripts on the Supplier’s systems as necessary to provide the service.
Analysis and Use: Converting audio to text, generating AI-generated presentation feedback and Q&A sessions, storing feedback, and facilitating session playback and record-keeping (if applicable.
2.2 Categories of Data Subjects. Employees, contractors, or other individuals designated by the Customer who choose to use the Module.
2.3 Lawful Basis.
The Supplier processes personal data in the Module on behalf of the Customer, consistent with the lawful basis set out in the DPA (e.g., performance of contract or legitimate interests, as determined by the Customer).
2.4 Retention and Deletion.
(a) During the Term. The Customer or Authorised Users may request deletion of voice recordings, transcripts, or related data at any time, and the Supplier shall comply in accordance with the DPA and the Terms.
(b) Post-Termination. Following termination or expiry of the Agreement, Clause 9 of the DPA and Clause 8.3 of the Terms govern data retrieval and deletion of module data.
3. Data Subject Rights and Assistance
3.1 AI Considerations. If a Data Subject requests correction or erasure of personal data contained within transcripts, the Supplier shall comply with such request in line with the DPA.
3.2 Requests Handling. The Supplier will promptly forward any data subject requests related to the Module to the Customer, or otherwise handle such requests as directed by the Customer under the DPA.
3.3 User Awareness. The Customer is responsible for ensuring that Authorised Users understand how their data is processed within the Presentation Practice Module, in accordance with the DPA and applicable laws.
4. Sub-Processors
4.1 AI/Transcription Tools. The engagement of sub-processors specifically to support transcription or AI feedback for the Module shall be subject to Section 7 of the DPA, including the notification and objection process set forth therein.
4.2 Liability. The Supplier remains liable for the acts and omissions of any sub-processor it appoints, as set forth in the DPA.
5. Security Measures
5.1 Technical and Organisational Measures. The Supplier shall maintain security measures appropriate for processing voice, transcript, and Q&A data, in line with Section 6 of the DPA. This includes:
- Encryption of data in transit and at rest (where applicable)
- Restricting internal access to Module data to authorised personnel
- Secure deletion of audio post-transcription (when applicable)
The Supplier shall regularly review and update these measures to ensure they remain appropriate to the risks associated with processing voice and transcript data.
6. General
6.1 No Other Amendments. Except as expressly stated in this Addendum, the DPA remains unchanged and in full force.
6.2 Governing Law. This Addendum is governed by the same law and jurisdiction provisions set out in the DPA.
6.3 Entire Agreement. This Addendum, together with the DPA, forms the entire agreement between the parties regarding the processing of personal data for the Module.
6.4 Relationship with Terms. This Addendum shall be read in conjunction with the Terms' Schedule 1 (Presentation Practice Module). In the event of any conflict between this Addendum and Schedule 1 regarding data protection matters, this Addendum shall prevail.
Addendum 2 – Coaching Module
1. Introduction
1.1 Applicability. This Addendum supplements the existing Data Processing Agreement (“DPA”) between Ambr Technologies Limited (“Supplier”) and the Customer, solely with respect to the Coaching Module.
1.2 Conflict. If there is a conflict between this Addendum and the DPA, this Addendum prevails for processing activities specifically related to the Coaching Module.
2. Additional Processing Details
2.1 Nature and Purpose of Processing. For the Coaching Module, the Supplier processes User audio data, transcripts, and AI-generated responses to provide interactive coaching simulations. This includes:
Collection: Capturing voice recordings of simulated coaching sessions, which may contain personal or sensitive information.
Storage: Storing such voice recordings and transcripts on the Supplier’s systems as necessary to provide the service.
Analysis and Use: Converting audio to text, generating AI-driven coaching prompts, storing feedback, and facilitating session playback and record-keeping (if applicable).
2.2 Types of Personal Data. The personal data processed in the Coaching Module may include, without limitation:
- Identifiers: Names, email addresses, or other user account details.
- Voice Data: Voice recordings of the coaching sessions.
- Transcripts: Converted text from user audio, which may include references to career goals, workplace challenges, or other personal reflections.
- Usage Data and Metadata: Interaction timestamps, frequency of sessions, and performance metrics.
2.3 Potential Special Category Data. The Supplier does not require Authorised Users to provide special category data (health information, ethnicity, etc.) and the Customer shall ensure that sharing such data is not part of the acceptable use. However, Users may voluntarily disclose such information. The Supplier processes any such data solely on behalf of the Customer and under the instructions set out in the DPA.
2.4 Deletion of Detected Sensitive Data. The Supplier does not accept or intend to store or otherwise process special category data in the Coaching Module. If any scanning or detection mechanism identifies such data in session content, the Supplier may delete or anonymise the relevant data and shall have no liability for any resulting loss of session records. The Customer acknowledges that it remains solely responsible for compliance with applicable laws regarding the collection and disclosure of any special category data by its Authorised Users.
2.5 Retention and Deletion.
(a) During the Term. The Customer or Authorised Users may request deletion of voice recordings, transcripts, or related data at any time, and the Supplier shall comply in accordance with the DPA and the Terms.
(b) Post-Termination. Following termination or expiry of the Agreement, Clause 9 of the DPA and Clause 8.3 of the Terms govern data retrieval and deletion of Coaching Module data.
3. Data Subject Rights and Assistance
3.1 AI Considerations. If a Data Subject requests correction or erasure of personal data contained within transcripts (or other Coaching Module records), the Supplier shall comply with such request in line with the DPA.
3.2 Requests Handling. The Supplier will promptly forward any data subject requests related to the Coaching Module to the Customer, or otherwise handle such requests as directed by the Customer under the DPA.
3.3 User Awareness. The Customer is responsible for ensuring that Authorised Users understand how their personal data (including any sensitive information) is processed within the Coaching Module, in accordance with the DPA and applicable laws.
4. Sub-Processors
4.1 Transcription / AI Tools. The use or addition of sub-processors for voice transcription or AI analysis in the Coaching Module is subject to Section 7 of the DPA, including the notification and objection process.
4.2 Liability. The Supplier remains liable for the acts and omissions of any sub-processor it appoints, as set forth in the DPA.
5. Security Measures
5.1 Technical and Organisational Measures. The Supplier shall apply appropriate security measures (e.g., encryption of data at rest and in transit, limited internal access, and secure deletion) to protect personal data processed in the Coaching Module, in line with Section 6 of the DPA.
6. General
6.1 No Other Amendments. Except as expressly stated here, the DPA remains unchanged. This Addendum is incorporated into the DPA by reference.
6.2 Governing Law. This Addendum follows the same governing law and jurisdiction as set out in the DPA.
6.3 Entire Agreement. This Addendum, together with the DPA, forms the entire agreement regarding personal data processing for the Coaching Module.
6.4 Relationship to Terms Schedule 2 (Coaching Module). This Addendum should be read alongside Schedule 2 of the Terms (Coaching Module). In the event of any conflict on data protection matters, this Addendum shall prevail.