Data Processing Agreement

Last updated: 1 January 2026

1. Scope and Purpose

This Data Processing Agreement (“DPA”) forms part of the agreement between you (the “Controller”) and Omnis Holdings Limited trading as Call Milly (the “Processor”) for the provision of AI-powered candidate outreach services.

This DPA sets out the terms on which the Processor will process personal data on behalf of the Controller in accordance with the UK GDPR and the Data Protection Act 2018.

2. Data Processing Details

  • Subject matter: AI-powered voice, SMS, and WhatsApp candidate outreach
  • Duration: For the term of the service agreement plus retention period
  • Categories of data subjects: Candidates and temporary workers in the Controller's database
  • Types of personal data: Name, phone number, email address, availability, employment history, call recordings, message content

3. Processor Obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure that persons authorised to process the data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures.
  • Not engage sub-processors without prior written authorisation from the Controller (a current list is maintained on our Sub-processors page).
  • Assist the Controller in responding to data subject requests.
  • Assist the Controller in ensuring compliance with GDPR obligations, including data protection impact assessments.
  • Delete or return all personal data upon termination of the service, at the Controller's choice.
  • Make available all information necessary to demonstrate compliance and allow for audits.

4. Security Measures

The Processor implements the following measures:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Access controls with role-based permissions and multi-factor authentication.
  • Regular security assessments and penetration testing.
  • Incident response procedures with notification within 72 hours of becoming aware of a breach.
  • All data processed and stored on UK-based infrastructure.

5. International Transfers

All personal data is processed within the United Kingdom. The Processor will not transfer personal data outside the UK without the prior written consent of the Controller and appropriate safeguards in place (such as UK Standard Contractual Clauses).

6. Data Breach Notification

The Processor will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

7. Contact

For a signed copy of this DPA or to discuss data processing arrangements, contact us at hello@callmilly.com.