Legal

Data Processing Agreement

The UK GDPR Article 28 terms on which we process personal data on behalf of subscribing garages.

Effective date: 26 April 2026

1. Parties and scope

This Data Processing Agreement (the "DPA") forms part of the agreement between MOT Logs Ltd ("Processor", "we") and the garage subscriber ("Controller", "you") that uses the Agent voice AI receptionist service (the "Service"). It applies whenever we process personal data on your behalf in connection with the Service.

Where this DPA conflicts with the Terms and Conditions, this DPA prevails on data protection matters.

2. Definitions

"UK GDPR" means the UK General Data Protection Regulation as defined in the Data Protection Act 2018. "Personal data", "processing", "data subject", "controller", and "processor" have the meanings given in the UK GDPR. "Sub-processor" means any third party engaged by us to process personal data on your behalf.

3. Roles

For personal data processed under the Service, you are the controller and we are the processor. We will only process personal data on your documented instructions, which include the configuration choices you make in your Agent account, your written instructions through the support channel, and the operations needed to deliver the Service set out in Annex 1.

If we believe an instruction infringes UK GDPR or other data protection law, we will tell you without undue delay.

4. Subject matter, duration, nature, and purpose of processing

See Annex 1 for full details. In summary:

  • Subject matter: handling incoming telephone calls to your garage and related messaging.
  • Duration: for the term of your subscription and any retention period set out in section 11.
  • Nature and purpose: answering calls with an AI voice receptionist; transcribing calls; taking and confirming bookings; sending booking-related messages; integrating with your Garage Management System and the DVSA MOT history service.
  • Categories of data subjects: people who call your garage's phone line, primarily existing and prospective customers.
  • Categories of personal data: as set out in Annex 1.

5. Confidentiality

We will ensure that anyone authorised to process personal data under this DPA is subject to a duty of confidence and only processes personal data on our instructions, which reflect yours.

6. Security

We will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures include:

  • encryption of personal data in transit (TLS) and at rest;
  • role-based access controls and least-privilege administration;
  • audit logging of access to call recordings and transcripts;
  • regular vulnerability scanning and patching;
  • secure software development practices;
  • resilience and backup of processing systems; and
  • regular review and testing of these measures.

7. Sub-processors

You give us general written authorisation to engage sub-processors. The current list is in Annex 2. We will:

  • impose data protection terms on each sub-processor that are no less protective than those in this DPA;
  • remain liable to you for the acts and omissions of our sub-processors as if they were our own; and
  • give you reasonable prior notice (by email or in-product notice) of any intended addition or replacement of a sub-processor, so that you have an opportunity to object on reasonable data protection grounds. If you object, we will work with you in good faith to find a workable solution; if none can be found, you may terminate the affected part of the Service.

8. Assistance with data subject rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, in fulfilling your obligation to respond to requests from data subjects exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, and objection). Where a data subject contacts us directly, we will refer them to you, except where the request is to delete a specific call recording held by us, which we will action and notify you of.

9. Assistance with the Controller's other obligations

Taking into account the nature of processing and the information available to us, we will assist you in complying with your obligations under Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessments, and prior consultation with the ICO).

10. Personal data breaches

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting personal data processed under this DPA. Our notification will describe (so far as known) the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures we have taken or propose to take.

11. Return or deletion on termination

On termination of the Service, you may export your booking and customer data through the Agent admin area for 30 days. After that, we will delete or return all personal data processed on your behalf, except where we are required to keep a copy by law or for the limited audit and dispute-resolution purposes set out in our Privacy Policy.

12. Audits and information

We will make available to you all information reasonably necessary to demonstrate compliance with our obligations under Article 28 UK GDPR. We will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, on reasonable prior written notice, no more than once per year (unless required by a regulator or following a personal data breach), during business hours, and subject to reasonable confidentiality undertakings.

13. International transfers

We process personal data under this DPA only in the United Kingdom and the European Economic Area, and we do not transfer personal data outside that area. If we propose to introduce a sub-processor outside the UK and EEA, we will give you prior notice under section 7 and will only proceed under an appropriate transfer mechanism (such as the UK Extension to the EU–US Data Privacy Framework, the International Data Transfer Agreement, or the EU Standard Contractual Clauses with the UK addendum).

14. Liability and governing law

The liability provisions and governing law set out in the Terms and Conditions apply to this DPA. This DPA is governed by the laws of England and Wales and the courts of England and Wales have exclusive jurisdiction.

Annex 1 — Processing details

  • Subject matter: Voice AI reception, booking, and messaging for the Controller's MOT garage.
  • Duration: The term of the subscription, plus the retention periods in our Privacy Policy.
  • Nature and purpose: Answering incoming telephone calls; speech-to-text transcription; LLM-based conversation; booking creation and amendment; sending SMS confirmations and reminders; lookup against the DVSA MOT history service; integration with the Controller's Garage Management System.
  • Types of personal data: Caller telephone number (CLI); name; vehicle registration mark (VRM) and vehicle details; booking history; full call audio recordings; AI-generated transcripts; call metadata (time, duration, outcome); where a calendar integration is enabled: OAuth refresh tokens or app-specific passwords (stored encrypted), connected account email address, calendar event IDs, start/end times, event summaries, locations, free/busy status, all-day flags, ETags, sub-calendar membership, and attendee email addresses.
  • Categories of data subjects: Existing and prospective customers of the Controller's garage who call its Agent-powered phone line; the Controller's own staff or account holders whose calendar is connected to Agent.
  • Special category data: None expected. Callers are asked not to volunteer special category data; any such data they nonetheless provide is processed only to the extent necessary to take the booking.

Annex 2 — Sub-processors

The following sub-processors are engaged by us in the provision of the Service. All processing takes place in the United Kingdom or the European Economic Area.

  • UK telephony carrier (Twilio) — call origination and termination on the UK PSTN. Location: United Kingdom.
  • EU cloud and hosting infrastructure (Hetzner Online GmbH) — compute, storage, and networking for the Service, including the Agent application, database, and self-hosted calendar-sync infrastructure. Location: EEA (Germany).
  • Speech recognition and Large Language Model inference (Groq) — transcription of speech and generation of the AI's responses. Location: United Kingdom and EEA.
  • Voice synthesis (ElevenLabs) — converting the AI's responses to speech. Location: United Kingdom and EEA.
  • SMS gateway (Twilio) — sending booking confirmations and reminders. Location: United Kingdom.
  • Payment processing (Stripe) — handling subscription payments from garage subscribers. Location: United Kingdom and EEA. Stripe does not process call, calendar, or booking data relating to callers.
  • DVSA MOT history service — lookup of vehicle MOT status and test history. Location: United Kingdom.

Note on calendar-sync infrastructure: The Nango calendar-sync component runs on our own Hetzner host (listed above) and is operated entirely by MOT Logs Ltd. It is not a third-party sub-processor; it is part of our infrastructure. OAuth refresh tokens for Google Calendar and Microsoft 365 integrations are held within this self-hosted environment. iCloud and CalDAV credentials are encrypted and stored in Agent's own database using ASP.NET Core IDataProtectionProvider and do not pass through Nango.

An up-to-date list of sub-processors, including the legal entity name of each, is available on request from info@motlogs.com.

Contact

MOT Logs Ltd
27 Old Gloucester Street, London, WC1N 3AX, United Kingdom
Email: info@motlogs.com