DATA PROCESSING AGREEMENT
Effective Date: 4th June 2026
This Data Processing Agreement (“DPA”) sets out how Super Benji Limited (“Super Benji”, “we”, “us”, or “our”) processes personal data on behalf of the Customer in connection with the Services. This DPA is incorporated by reference into the Super Benji Terms and Conditions at https://superbenji.ai/terms-conditions/ (together with any order form or principal agreement, the “Agreement”).
If there is any conflict between this DPA and the Agreement regarding the processing of personal data, this DPA controls. This DPA will remain in effect for the duration of the Agreement.
Capitalised terms not defined in this DPA have the meanings given in the Agreement.
1. Definitions
1.1 “Controller” means the natural or legal person which determines the purposes and means of the processing of Personal Data.
1.2 “Customer Data” means personal data provided by the Customer to Super Benji in the course of using the Services, as defined in the Agreement.
1.3 “Data Protection Laws” means all applicable data protection and privacy legislation in force, including UK GDPR, EU GDPR (Regulation 2016/679), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and any equivalent or successor legislation, as applicable to the respective party.
1.4 “Data Subject” means the individual to whom Personal Data relates.
1.5 “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.6 “Personal Data” means any information relating to an identified or identifiable natural person that is contained within Customer Data and protected under applicable Data Protection Laws.
1.7 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed by Super Benji in connection with the Services.
1.8 “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, or deletion. “Process”, “Processes” and “Processed” shall be construed accordingly.
1.9 “Processor” means a natural or legal person which processes Personal Data on behalf of a Controller.
1.10 “Prospect Data” means Personal Data relating to third-party individuals sourced by Super Benji from licensed data providers or publicly available sources and made available to the Customer via the Services. For the avoidance of doubt, Super Benji acts as an independent Controller in respect of Prospect Data it sources and supplies, as further described in the Agreement.
1.11 “Sub-Processor” means any third party engaged by Super Benji to process Personal Data on its behalf in connection with the Services.
1.12 “UK GDPR” means EU GDPR as it forms part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
2. Scope and Roles
2.1 This DPA applies to the processing of Customer Data by Super Benji on the Customer’s behalf in connection with the Services.
2.2 In respect of Customer Data, the Customer is the Controller and Super Benji is the Processor. Super Benji will process Customer Data only on the documented instructions of the Customer, as set out in the Agreement and this DPA.
2.3 In respect of Prospect Data that Super Benji sources and supplies to the Customer, Super Benji acts as an independent Controller. The Customer becomes an independent Controller of Prospect Data once it is made available via the platform. The obligations in this DPA relating to Processor activities do not apply to Super Benji’s own Controller activities in respect of Prospect Data; those are governed by Super Benji’s Privacy Policy and the Agreement.
2.4 This DPA does not apply to personal data processed by the Customer independently of the Services, including the Customer’s own use of Prospect Data after it has been made available via the platform.
3. Customer Responsibilities
3.1 The Customer is responsible for complying with all Data Protection Laws applicable to it as Controller, including ensuring it has a valid lawful basis for each processing activity carried out using the Services.
3.2 The Customer is responsible for the accuracy, quality, and legality of Customer Data and the means by which it was obtained.
3.3 The Customer is responsible for ensuring that its instructions to Super Benji comply with applicable Data Protection Laws.
3.4 The Customer is responsible for providing transparency notices to Data Subjects as required under applicable Data Protection Laws, including UK GDPR Articles 13 and 14, in respect of any processing carried out using the Services.
3.5 The Customer is responsible for maintaining records of consent, legitimate interest assessments, or other legal bases relied upon for any outbound communications sent using the Services, for such periods as required by applicable law.
3.6 The Customer will inform Super Benji without undue delay if it becomes unable to comply with its obligations under this clause or applicable Data Protection Laws.
4. Super Benji Obligations as Processor
4.1 Super Benji will process Customer Data only in accordance with the Customer’s documented instructions as set out in the Agreement, unless required to do so by applicable law. Where Super Benji is required by law to process Customer Data other than in accordance with the Customer’s instructions, Super Benji will notify the Customer before doing so, to the extent permitted by law.
4.2 Super Benji will ensure that personnel authorised to process Customer Data are subject to appropriate confidentiality obligations.
4.3 Super Benji will implement and maintain appropriate technical and organisational security measures to protect Customer Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, appropriate to the risk. Details of Super Benji’s current security measures are available on request.
4.4 Super Benji will not transfer Customer Data outside the UK or EEA without ensuring that appropriate safeguards are in place in accordance with applicable Data Protection Laws, including through the use of the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) and UK Addendum, as applicable. See Clause 8.
4.5 Super Benji will provide reasonable assistance to the Customer to enable it to respond to Data Subject requests and to fulfil its obligations under applicable Data Protection Laws, including in relation to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
4.6 Super Benji will not use Customer Data to train, fine-tune, benchmark, or improve any AI model beyond what is necessary to deliver the Services to the Customer, without the Customer’s prior written consent, unless in anonymised or aggregated form that cannot be re-identified.
5. Sub-Processors
5.1 The Customer grants Super Benji general authorisation to engage Sub-Processors to assist in delivering the Services. Super Benji will maintain a list of current Sub-Processors, available to the Customer on request.
5.2 Super Benji will notify the Customer of any intended addition or replacement of a Sub-Processor at least 30 days prior to the change taking effect. The Customer may object to any new Sub-Processor on reasonable data protection grounds by written notice within that 30-day period.
5.3 Where the Customer raises a reasonable objection and the parties are unable to resolve it, Super Benji may at its discretion: not appoint the Sub-Processor; cease to provide the affected element of the Services; or permit the Customer to terminate the affected Services without penalty.
5.4 Super Benji will impose data protection obligations on Sub-Processors that are no less protective than those in this DPA, and will remain liable to the Customer for the acts and omissions of Sub-Processors to the same extent as if Super Benji had performed the processing itself.
6. Data Subject Requests
6.1 Super Benji will, to the extent technically feasible, assist the Customer in responding to Data Subject requests relating to Customer Data processed under this DPA, taking into account the nature of the processing.
6.2 If Super Benji receives a Data Subject request directly relating to Customer Data, it will promptly notify the Customer and will not respond substantively on the Customer’s behalf without the Customer’s prior written authorisation, except as required by law.
6.3 The Customer is solely responsible for responding to Data Subject requests relating to its own use of Prospect Data, including any opt-out, erasure, or unsubscribe requests received from individuals contacted through the Services. Super Benji will, upon written instruction, provide reasonable technical assistance to support technical suppression of contact records in the platform.
7. Personal Data Breaches
7.1 Super Benji will notify the Customer without undue delay, and in any event within 48 hours, upon becoming aware of a Personal Data Breach affecting Customer Data processed under this DPA.
7.2 The notification will include, to the extent available: a description of the nature of the breach; the categories and approximate number of Data Subjects and records affected; the likely consequences; and the measures taken or proposed to address the breach and mitigate its effects. Super Benji may provide an initial notification with available information and supplement it as further information becomes available.
7.3 Super Benji will cooperate with the Customer and provide reasonable assistance to enable the Customer to meet its own breach notification obligations under applicable Data Protection Laws.
8. International Data Transfers
8.1 Super Benji may process or permit Sub-Processors to process Customer Data in countries outside the UK or EEA where necessary to deliver the Services. Super Benji will ensure that any such transfer is made in compliance with applicable Data Protection Laws.
8.2 Where Customer Data originating in the UK is transferred to a country not recognised as adequate by the UK ICO, Super Benji will implement the UK International Data Transfer Agreement (IDTA) or equivalent approved transfer mechanism.
8.3 Where Customer Data originating in the EEA is transferred to a country not recognised as adequate by the European Commission, Super Benji will implement the EU Standard Contractual Clauses (EU SCCs) as adopted by European Commission Decision 2021/914, Module Two (Controller to Processor), and where applicable the UK Addendum.
8.4 Where both UK GDPR and EU GDPR apply to a transfer, Super Benji will implement both the IDTA and the EU SCCs (with UK Addendum) as required. The parties agree that execution of this DPA constitutes agreement to the applicable SCCs and IDTA, incorporating Super Benji as data importer and the Customer as data exporter, with the processing details set out in this DPA and available in the processing schedule provided on request.
9. Retention and Deletion
9.1 Super Benji will retain Customer Data only for as long as necessary to provide the Services and as required by applicable law.
9.2 Upon termination or expiration of the Agreement, Super Benji will, within 90 days, delete or return all Customer Data processed under this DPA, at the Customer’s election, unless applicable law requires continued retention. Super Benji will confirm completion of deletion in writing upon request.
9.3 Super Benji may retain anonymised or aggregated data derived from Customer Data that cannot be re-identified, for the purpose of improving its Services.
10. Audit Rights
10.1 Super Benji will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, and will permit audits or inspections by the Customer or its appointed auditor, where required by applicable Data Protection Laws.
10.2 The Customer may exercise its audit rights no more than once per calendar year, except where required by a supervisory authority or in response to a confirmed Personal Data Breach. The Customer will give reasonable prior written notice and will conduct audits in a manner that minimises disruption to Super Benji’s operations.
10.3 Super Benji may, in lieu of a direct audit, provide the Customer with a summary of a relevant third-party security audit, certification, or attestation, where available and subject to confidentiality obligations.
10.4 The Customer will reimburse Super Benji for the reasonable costs of any audit not required by applicable Data Protection Laws and not conducted in response to a Personal Data Breach.
11. AI Processing
11.1 The Customer acknowledges that the Services use artificial intelligence and automated message generation technologies to facilitate and deliver outbound communications on the Customer’s behalf. Super Benji processes Customer Data as Processor in this context, acting solely on the Customer’s instructions.
11.2 Super Benji will not use Customer Data to train, fine-tune, or improve any AI model used by other customers or for Super Benji’s own general purposes, without the Customer’s prior written consent, except in anonymised or aggregated form that cannot be re-identified.
11.3 The Services involve the automated generation of personalised messages based on Customer-configured parameters. The Customer is responsible for ensuring that any automated processing of Data Subjects’ personal data complies with applicable Data Protection Laws, including where profiling or automated decision-making obligations may apply.
11.4 The Customer is responsible for providing any required transparency notices to Data Subjects under UK GDPR Articles 13 and 14 in respect of AI-generated communications sent using the Services.
12. General Provisions
12.1 This DPA is governed by the laws of England and Wales, consistent with the Agreement. Any disputes arising under this DPA are subject to the exclusive jurisdiction of the courts of England and Wales.
12.2 Liability under this DPA is subject to the limitations and exclusions set out in the Limitation of Liability clause of the Agreement, except to the extent that applicable Data Protection Laws impose higher standards that cannot be contractually limited.
12.3 Super Benji may update this DPA from time to time to reflect changes in law or its processing activities. Super Benji will provide at least 30 days’ prior written notice of any material changes. Continued use of the Services after the effective date of any change constitutes acceptance.
12.4 If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions will continue in full force and effect.
12.5 This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the processing of personal data in connection with the Services, and supersedes all prior agreements or understandings on the same subject matter.
Contact Details
For data protection queries relating to this DPA:
Super Benji Limited
46 Woodstock Rd, Oxford OX2 6HT
Email: benji@superbenji.ai
Website: https://www.superbenji.ai
