Legal
Data Processing Agreement
This DPA forms part of the agreement between AM:PM Media Ltd (“we”, “Processor”) and any client (“Customer”, “Controller”) using the :Impact platform. It applies to personal data processed under UK GDPR Article 28.
1. Definitions
Personal Data means data relating to an identified or identifiable natural person processed by us on the Customer's behalf via :Impact (lead names, phone numbers, email addresses, conversation content, ad performance, billing).
Processing, Controller, Processor and Data Subject have the meanings given in the UK GDPR.
Subprocessor means any third party engaged by us to process Personal Data on the Customer's behalf. Subprocessors are listed in section 8 below.
2. Scope and roles
The Customer is the Controller; AM:PM Media Ltd is the Processor. We process Personal Data only on the Customer's documented instructions (the configuration of their :Impact account, automations, integrations).
The Customer remains responsible for the lawful basis under which Personal Data is collected from Data Subjects (form opt-ins, ad-source consent, marketing consent for Build Task 7 broadcasts).
3. Categories of personal data processed
- Lead identifiers: name, email, phone, company, address.
- Lead behaviour: form responses, ad-source UTM, AI-derived score and notes.
- Conversation content: SMS / WhatsApp / email message bodies, call recordings + transcripts.
- Calendar bookings: appointment time, location, status.
- Billing: invoice IDs, payment status (no card data — Stripe holds that).
- Customer (the org owner) account: name, email, role, login activity.
4. Purpose and duration of processing
We process Personal Data only for: lead capture, AI qualification, customer notifications (alerts, follow-ups), unified-inbox messaging, calendar coordination, billing, analytics, and compliance with the Customer's configured automations.
Processing continues for the duration of the Customer's :Impact subscription and ends within 30 days of termination, after which all Personal Data is permanently deleted (subject to legal retention obligations, e.g. financial records).
5. Security measures
We apply organisational and technical measures including:
- Encryption in transit (TLS 1.2+) and at rest (Supabase AES-256).
- Row-level security policies isolating each org's data within Postgres.
- Per-user authentication via Supabase Auth, with multi-factor authentication available.
- Access logging via Sentry with PII-scrubbing before events leave the application.
- Background-job rate limiting + per-org cost caps to prevent runaway processing.
- Quarterly review of access permissions for AM:PM Media staff.
6. Data subject rights
We will assist the Customer in responding to Data Subject Access Requests, deletion requests, rectification, and objections within the UK GDPR statutory timeframes. Customers can export or delete a lead's data via the :Impact dashboard at any time.
7. Breach notification
We will notify the Customer without undue delay (and in any event within 72 hours) of any confirmed personal data breach affecting their data, with all information reasonably necessary for the Customer's ICO notification.
8. Subprocessors
We engage the following subprocessors to deliver :Impact. The Customer authorises this list as of the effective date of the agreement. We will give 30 days' notice before adding a new subprocessor, during which the Customer may object.
| Subprocessor | Purpose | Region / country |
|---|---|---|
| Supabase Inc. | Database (Postgres), authentication, file storage, realtime | EU (Frankfurt); Germany |
| Vercel Inc. | Application hosting, serverless functions, edge network | Global; USA |
| Anthropic, PBC | AI lead scoring, AI conversation replies, AI summaries | Global; USA |
| OpenAI, L.L.C. | Voice transcription (Whisper) on call recordings | Global; USA |
| Twilio Inc. | SMS, WhatsApp, voice calls, recordings | Global; USA |
| Resend, Inc. | Transactional + marketing email delivery | EU available; USA |
| Vapi.ai | AI Receptionist (voice agent) | Global; USA |
| Cal.com, Inc. | Calendar booking integration | EU (Frankfurt); Germany |
| Stripe, Inc. | Subscription billing, payment processing | EU + Global; USA / Ireland |
| Sentry (Functional Software, Inc.) | Error monitoring (PII-scrubbed before send) | USA |
| Trigger.dev Inc. | Background job execution (workflows, automations) | EU available; USA |
| fal.ai (Features and Labels Inc.) | AI image / video generation in Creative Studio | Global; USA |
| Meta Platforms, Inc. | Meta Lead Ads ingestion, Custom Audience export, ad management | Global; USA / Ireland |
| Apify | Outbound prospecting (Google Places data) | EU; Czech Republic |
9. International transfers
Where Personal Data is transferred outside the UK or EEA, the transfer is governed by the UK International Data Transfer Addendum (IDTA) issued by the ICO, or by the European Commission's Standard Contractual Clauses (2021/914), as appropriate. Each subprocessor in section 8 either has UK adequacy or is bound by SCCs/IDTA. Copies are available on written request to legal@mediampm.com.
10. Audit rights
The Customer may, with reasonable notice, request information necessary to demonstrate our compliance with this DPA. Where the Customer is in a regulated sector (financial, health), we will support reasonable on-site audits, at the Customer's expense, not more than once per year.
11. Liability and termination
This DPA terminates automatically with the underlying :Impact subscription. Upon termination we will, at the Customer's choice, return or delete all Personal Data within 30 days, except where retention is required by law.
Liability under this DPA is governed by the limitations in the underlying Master Subscription Agreement.
12. Contact
Questions about this DPA, subprocessor changes, or data subject requests: legal@mediampm.com
Last updated: 2026-05-20. AM:PM Media Ltd, Glasgow, Scotland, United Kingdom. Companies House registration on file. This DPA is a template; if your organisation has bespoke requirements, contact us to negotiate variations.