Data Processing Agreement
Version 1.0 · Last updated: May 2026 · Elevyn Systems Ltd
What this document is: When you use SalesJet to process personal data from your own customers (leads), Elevyn Systems Ltd acts as your data processor. This agreement sets out the terms of that processing relationship as required by Article 28 of the UK GDPR. By accepting this agreement at signup, you confirm your acceptance of these terms.
1. Definitions
- "Controller" — you, the SalesJet client who has signed up for the service and whose customers' personal data is processed through the platform.
- "Processor" — Elevyn Systems Ltd, operator of the SalesJet platform.
- "Data Subjects" — your customers and leads whose personal data is processed through SalesJet.
- "Personal Data" — any information relating to an identified or identifiable natural person, including names, phone numbers, email addresses, and message content.
- "UK GDPR" — the UK General Data Protection Regulation as it forms part of domestic law in the United Kingdom.
- "Services" — the SalesJet AI-powered lead management and communication platform.
2. Subject Matter and Duration
This agreement governs the processing of personal data by Elevyn Systems Ltd on behalf of the Controller in connection with the provision of SalesJet Services.
This agreement is effective from the date of account creation and remains in force for the duration of the Controller's use of SalesJet. Upon termination, data is deleted in accordance with Section 9 below.
3. Nature and Purpose of Processing
The Processor will process personal data on behalf of the Controller for the following purposes:
- Receiving, storing, and routing inbound messages from the Controller's leads across WhatsApp, SMS, Instagram, Facebook, email, and web forms
- Generating AI-powered responses to those messages using the Anthropic Claude API
- Storing conversation history and lead records in the Controller's dashboard
- Sending outbound messages (replies, booking links, payment requests) on behalf of the Controller
- Transcribing voicemail recordings associated with the Controller's leads
- Providing analytics and reporting on lead pipeline data
The Processor will process personal data only on documented instructions from the Controller. Use of the SalesJet platform constitutes documented instructions.
4. Categories of Personal Data and Data Subjects
| Category | Examples |
|---|
| Contact data | Name, phone number, email address |
| Communication data | Message content, conversation history, channel used |
| Booking data | Appointment date, time, Calendly event ID |
| Payment data | Payment status, amount (full card data handled by Stripe, not SalesJet) |
| Technical data | Timestamps, message identifiers |
| Voice data | Call recordings and transcriptions (where applicable) |
Data subjects are the Controller's leads, prospects, and customers who contact the Controller through channels connected to SalesJet.
5. Processor Obligations
Elevyn Systems Ltd undertakes to:
- Process personal data only on the Controller's documented instructions, and not for any other purpose
- Ensure all personnel who access personal data are bound by appropriate confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures as described in Section 6
- Assist the Controller in responding to data subject requests (access, erasure, portability, rectification) at no additional charge
- Notify the Controller within 48 hours of becoming aware of a personal data breach affecting the Controller's data subjects
- Delete or return all personal data upon termination of services (see Section 9)
- Make available all information necessary to demonstrate compliance with this agreement
- Not transfer personal data to any country outside the UK or EEA unless appropriate safeguards are in place (see Section 7)
6. Security Measures
The Processor implements the following technical and organisational measures:
- All data transmitted over HTTPS (TLS 1.2+)
- Passwords hashed using bcrypt (cost factor 12)
- Authentication via JWT tokens with 7-day expiry
- Access controls ensuring each Controller can only access their own data (ClientID scoping)
- API keys and credentials stored as encrypted environment variables
- Automatic deletion of lead data after 3 months of inactivity
- Persistent suppression list to honour opt-outs across data deletion cycles
7. Sub-processors
The Controller authorises the use of the following sub-processors. All sub-processors are bound by data processing terms at least as protective as this agreement:
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|
| Airtable | Database — stores leads and conversations | USA | UK IDTA |
| Anthropic (Claude) | AI message processing | USA | UK IDTA |
| Twilio | WhatsApp, SMS and voice delivery | USA | UK IDTA |
| Manychat | Instagram and Facebook message delivery | USA | UK IDTA |
| SendGrid (Twilio) | Email delivery | USA | UK IDTA |
| Stripe | Payment processing | USA/EU | UK IDTA / Adequacy |
| Calendly | Appointment booking | USA | UK IDTA |
| Railway | Server hosting | USA | UK IDTA |
UK IDTA = UK International Data Transfer Agreement (the post-Brexit equivalent of EU Standard Contractual Clauses). The Processor will notify the Controller of any changes to this sub-processor list with 14 days' notice, giving the Controller opportunity to object.
8. Controller Obligations
The Controller undertakes to:
- Ensure it has a valid lawful basis under UK GDPR for processing each data subject's personal data through SalesJet
- Provide appropriate privacy notices to data subjects at or before the point of data collection (e.g. on web forms, in messaging profiles, or via a privacy policy on the Controller's website)
- Honour data subject requests received directly (the Processor will assist, but the Controller is responsible for the overall response)
- Only connect channels and services for which it has the necessary rights and permissions
- Not instruct the Processor to process personal data in a way that would violate applicable law
9. Data Retention and Deletion
- Auto-deletion: Lead and conversation data is automatically deleted after 3 months of inactivity
- On request: The Controller can delete individual leads at any time via the dashboard (Right to Erasure)
- On termination: Upon account termination, all Controller data will be deleted within 30 days
- Suppression list: Opt-out records (phone numbers and emails that have requested no contact) are retained indefinitely to prevent accidental re-contact, but without any other personal data attached
- Payment records: Payment records are retained for 7 years as required by HMRC
10. Data Subject Requests
When a data subject (one of the Controller's leads) submits a data request (access, erasure, portability, rectification), the following process applies:
- Data subjects can submit requests at salesjet.co.uk/data-request.html
- The Processor will notify the Controller within 5 working days
- The Processor will assist in locating the relevant data
- The Controller is responsible for the formal response to the data subject within 30 days
11. Liability
Each party shall be responsible for its own compliance with UK GDPR. The Processor shall not be liable for any failure of the Controller to comply with its obligations as a data controller, including failure to establish a lawful basis for processing or to provide adequate privacy notices to data subjects.
12. Governing Law
This agreement is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.