Data Processing Addendum

Last updated: February 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Generative Solutions UK ("Processor", "we", "us") and you ("Controller", "Customer") for the provision of our services.

1. Definitions

"Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the UK GDPR (the Data Protection Act 2018 and UK General Data Protection Regulation).

2. Scope and Roles

You are the Controller of any Personal Data submitted to our services by you or your end users. We are the Processor, processing Personal Data on your behalf to provide the contracted services (GenAxiom, CrystalClear, and/or Gen-Receptionist).

3. Data Processing Details

  • Subject matter: Provision of AI-powered business software services
  • Duration: The term of your subscription agreement
  • Nature and purpose: Hosting, processing, and delivering AI-powered applications; customer support; billing
  • Types of Personal Data: Name, email address, company name, phone number, usage data, support communications
  • Categories of Data Subjects: Customer employees and end users of provisioned services

4. Processor Obligations

We shall:

  • Process Personal Data only on your documented instructions
  • Ensure persons authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Not engage sub-processors without prior written authorisation (see our Sub-processor List)
  • Assist you in responding to Data Subject requests (access, rectification, erasure, portability)
  • Notify you without undue delay of any Personal Data breach
  • Delete or return all Personal Data upon termination of the agreement, subject to legal retention requirements
  • Make available information necessary to demonstrate compliance and allow for audits

5. International Transfers

Where Personal Data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO, or reliance on the UK-US Data Bridge where applicable. See our Sub-processor List for details of international transfers.

6. Security Measures

We implement the following technical and organisational measures:

  • Encryption in transit (TLS 1.2+) and at rest for sensitive data
  • Access controls with role-based permissions
  • Password hashing (bcrypt)
  • Rate limiting and intrusion detection
  • Regular security assessments
  • Audit logging of access to personal data
  • Incident response procedures

7. Data Breach Notification

In the event of a Personal Data breach, we will notify you without undue delay and no later than 48 hours after becoming aware of the breach, providing sufficient information for you to meet your own notification obligations to the ICO and affected Data Subjects.

8. Termination

Upon termination of services, we will delete your Personal Data within 30 days, except where retention is required by law (e.g. financial records retained for 6 years under UK tax law).

9. Contact

For DPA-related enquiries, contact our Data Protection team at privacy@generativesolutions.uk.