(1) The Customer — you, the entity identified at acceptance (the company name, your full name, your role, and the email address you sign in with on the Mocean setup page form the binding identification of the Controller for this DPA) ("Controller").
(2) Caelus Global Ltd — company no. 17201074, registered office 124-128 City Road, London, England, EC1V 2NX, operating the Mocean AI voice-agent service ("Processor").
Effective date: the date you click Accept on the Mocean setup page.
This Data Processing Agreement ("DPA") governs the processing of personal data by the Processor on behalf of the Controller in connection with the Mocean service, and forms part of the agreement between the parties for the supply of that service ("Principal Agreement"). It is entered into to satisfy Article 28 of the UK GDPR and the Data Protection Act 2018.
1.1 The Controller determines the purposes and means of processing the personal data. The Processor processes that personal data only on the Controller's documented instructions, as set out in this DPA and the Principal Agreement.
1.2 Each party will comply with its respective obligations under UK Data Protection Law (the UK GDPR, the Data Protection Act 2018, and any successor or related legislation).
1.3 The Controller is responsible for ensuring it has a lawful basis to collect and share the personal data with the Processor, for maintaining its own registration with the Information Commissioner's Office (ICO) where required, and for providing appropriate privacy information to data subjects.
2.1 Subject matter: processing of personal data of the Controller's prospective and existing customers who contact the Controller by telephone (and, where enabled, web form), handled by the Mocean AI voice agent.
2.2 Duration: for the term of the Principal Agreement and until deletion or return of personal data under clause 9.
2.3 Nature and purpose: receiving and handling inbound enquiries, qualifying the enquiry, capturing enquiry details, booking appointments, and passing the resulting record into the Controller's own CRM. Processing includes voice telephony, speech-to-text transcription, AI-assisted conversation, structured data extraction, transient storage, and onward transfer to the Controller's CRM.
3.1 Data subjects: the Controller's prospective and existing customers (members of the public who contact the Controller).
3.2 Types of personal data:
3.3 No special category data is intentionally collected. The Controller will not instruct the Processor to use the service to collect special category data (Article 9 UK GDPR). If a caller volunteers such data it is processed only incidentally as part of the call record.
The Processor will:
4.1 process personal data only on the Controller's documented instructions, including regarding international transfers, unless required to do otherwise by law (in which case it will inform the Controller unless legally prohibited);
4.2 ensure persons authorised to process the personal data are bound by confidentiality;
4.3 implement appropriate technical and organisational security measures (Schedule 2);
4.4 not engage a sub-processor without the Controller's general written authorisation; the authorised sub-processors are listed in Schedule 1, and the Processor will give the Controller prior notice of any intended addition or replacement, allowing the Controller to object on reasonable data-protection grounds;
4.5 impose on each sub-processor data-protection obligations equivalent to those in this DPA;
4.6 taking into account the nature of processing, assist the Controller by appropriate measures in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection);
4.7 assist the Controller in ensuring compliance with security, breach notification, data protection impact assessment and prior consultation obligations (Articles 32–36 UK GDPR);
4.8 notify the Controller without undue delay, and in any event within 48 hours, of becoming aware of a personal data breach, with sufficient information to enable the Controller to meet its own notification obligations;
4.9 make available to the Controller information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates (on reasonable notice and subject to confidentiality);
4.10 inform the Controller if, in its opinion, an instruction infringes UK Data Protection Law.
5.1 Some authorised sub-processors (Schedule 1) process personal data outside the UK, including in the United States. Where personal data is transferred outside the UK, the transfer is made under an appropriate safeguard, being the UK International Data Transfer Agreement, the EU Standard Contractual Clauses together with the UK Addendum, or a UK adequacy regulation, as applicable to the relevant sub-processor.
6.1 The Processor maintains the technical and organisational measures in Schedule 2, appropriate to the risk presented by the processing and the nature of the data.
7.1 The Controller provides general authorisation for the sub-processors listed in Schedule 1, which are integral to delivering the service. Clause 4.4 governs changes.
8.1 If the Processor receives a request from a data subject, it will not respond directly (unless legally required) and will promptly forward the request to the Controller and assist as set out in clause 4.6. The Controller's CRM remains the Controller-controlled system of record for ongoing rights management.
9.1 On termination of the Principal Agreement, or on the Controller's written request, the Processor will, at the Controller's choice, delete or return all personal data and delete existing copies, unless storage is required by law.
9.2 Retention: call recordings and transcripts held by the Processor are retained for 90 days and then deleted, save for the structured enquiry record passed to the Controller's CRM, which thereafter sits within the Controller's own controlled environment.
10.1 Liability under this DPA is subject to the limitations and exclusions of liability in the Principal Agreement.
10.2 This DPA is governed by the laws of England and Wales. In the event of conflict between this DPA and the Principal Agreement on data protection matters, this DPA prevails.
Caelus Global Ltd accepts this DPA by publishing it and processing personal data under it. The Controller accepts this DPA by clicking the Accept button on the Mocean setup page (which simultaneously accepts the Master Services Agreement of which this DPA forms part). The full name, role, and company legal name the Controller provides at acceptance, together with the email address used to sign in, the IP address, user-agent, and timestamp recorded at the moment of acceptance, constitute the Controller's signature for the purposes of this DPA.
| Sub-processor | Purpose | Processing location | Transfer safeguard |
|---|---|---|---|
| Twilio Inc. | Inbound telephony / call routing | US (with global infra) | SCCs + UK Addendum |
| ElevenLabs Inc. | Voice AI engine: speech-to-text, conversational AI, text-to-speech | US | SCCs + UK Addendum |
| Anthropic (engaged via ElevenLabs) | Large language model powering the agent's responses | US | SCCs + UK Addendum (via ElevenLabs) |
| Vercel Inc. | Application hosting / serverless processing of the post-call webhook | US/global edge | SCCs + UK Addendum |
| Supabase | Transient database for call records pending CRM sync | EU/UK or US per project configuration | SCCs + UK Addendum where applicable |
| The Controller's chosen CRM (e.g. GoHighLevel / HighLevel Inc., Pipedrive, HubSpot, Salesforce, Zoho, monday.com, etc. — as identified during setup) | The Controller's own CRM — destination system of record | EU/UK or US per the Controller's CRM region | Controller-selected; the Controller's own processor relationship with their chosen CRM |
| Resend | Transactional email (lead/booking notifications to the Controller) | US | SCCs + UK Addendum |
The Processor does not sell personal data and does not use call content to train third-party AI models beyond what is necessary to deliver the service.