Effective Date: 1st March 2025

Last Updated: 24th October 2025

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Zindex Ltd, a company registered in England and Wales (company number: 09390031) trading as Unibound.ai ("Processor" or "Unibound") and the entity using Unibound.ai's services ("Controller" or "Customer"). This DPA supplements the Terms of Service and governs the processing of personal data in compliance with UK GDPR and other applicable data protection laws. In the event of a conflict between this DPA and the Terms of Service, the terms of this DPA shall prevail.

1. Definitions

1.1 "Personal Data" means the personal data that Unibound.ai is Processing under the Agreement.

1.2 "Processing" means any  processing or other access to or operation or set of operations performed on Personal Data, and “Process” and “Processed” shall have corresponding meanings.

1.3 "Controller" and “Processor” shall have the same meanings ascribed to them in the Data Protection Laws.

1.4 “Data Protection Laws” means all privacy and data protection laws, rules, regulations, decrees, orders and other government requirements applicable to the Processing of Personal Information.

1.5 "EEA" means the European Economic Area.

1.6 "Data Transfer" means any transfer of Personal Data outside of the EEA. Switzerland or the United Kingdom.

1.7 The lowercase terms “personal data”, “data subject”, “processing”, “controller”, “joint controller,” “processor”, “personal data breach” and “supervisory authority” shall have the same meanings ascribed to them in the Data Protection Laws, and where the Data Protection Laws use equivalent or corresponding terms, such as “personal information” instead of “personal data,” they shall be read herein as the same.

2. Roles and Responsibilities

2.1 Controller Responsibilities: The Controller is responsible for ensuring that Personal Data provided to Unibound complies with applicable laws and that data subjects have been informed and, where required, have given consent for processing.

2.2 Processor Responsibilities: Unibound shall:

  • Process Personal Data only as instructed by the Controller, unless required to do so by applicable law to which Unibound.ai is subject; in such a case, Unibound.ai shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Unibound.ai shall immediately inform Controller if, in its opinion, an instruction infringes the Data Protection Laws.
  • Implement and maintain appropriate security measures to protect Personal Data, including those specified in the Agreement, in such a manner that its Processing of Personal Data will meet the requirements of the Data Protection Laws, ensure the protection of the rights of the data subjects, and provide a standard of protection that is at least the same level of protection as is required under the Data Protection Laws.
  • Ensure that personnel authorised to process Personal Data are subject to confidentiality obligations and will not Process the Personal Information except on instructions from Controller, unless required to do so by applicable law.
  • Provide assistance to the Controller in fulfilling its obligations regarding data subject rights and regulatory compliance. Unibound.ai shall, to the extent legally permitted, promptly notify Controller in writing of any request from a data subject, supervisory authority or other third party or any subpoena or other judicial or administrative order or request by a government authority or proceedings that Unibound.ai receives seeking access to or disclosure of Personal Data. Controller shall have the right to oppose or intervene in such action or deal with such request at its own costs in lieu of and on behalf of Unibound.ai, unless prohibited by law. Unibound.ai shall reasonably cooperate with Controller in such proceedings.

3. Scope of Data Processing

3.1 Nature and Purpose: Unibound processes Personal Data for the sole purpose of providing AI-driven automation services.

3.2 Types of Data Processed: Unibound processes any data provided by the Controller or through integrations with third-party CRM and ATS systems. This may include:

  • Names, email addresses, job titles.
  • Contact details and business-related information.
  • AI-driven insights and analytics data.

3.3 Internal Processing Purposes: Unibound.ai may process Personal Data as an independent controller for internal security, compliance, and performance monitoring purposes.

3.4 Data Storage: Unibound.ai does not store Personal Data but transmits it to N8N and VAPI, which holds the data on behalf of the Controller.

4. Sub-processors

4.1 Approved Sub-processors: The Controller grants general authorisation to Unibound.ai to engage the following sub-processors:

  • n8n GmbH, registered under HRB 212509 B with the District Court of Berlin-Charlottenburg, Germany. Registered address: Novalisstr. 10, 10115 Berlin, Germany. Provides automation and workflow orchestration services.
  • Vapi Inc., incorporated in Delaware, United States, with principal place of business at 95 3rd Street, 2nd Floor, San Francisco, CA 94103, USA. Provides voice AI and telephony infrastructure services.
  • OpenAI, L.L.C., a company incorporated in the State of Delaware (Registration No. 7063675) with its registered office at 1455 3rd Street, San Francisco, California 94158, United States.

4.2 Sub-processor Notification & Objections: Unibound.ai shall notify the Controller in writing of any intended changes concerning sub-processors, giving the Controller the opportunity to object. Where Unibound.ai engages a sub-processor for carrying out specific Processing activities on behalf of Controller, the same data protection obligations as set out herein and the Agreement or other legal act between the Parties shall be imposed on that sub-processor by way of a contract or other legal act under applicable law. Where that sub- processor fails to fulfil its data protection obligations, Unibound.ai shall remain fully liable for the performance of that sub-processor's obligations.

5. Data Transfers Outside the UK/EU

5.1 To the extent that Controller transfers Personal Information from the EEA to Unibound located outside the EEA, unless the Parties may rely on an alternative transfer mechanism or basis under the Data Protection Laws, the Parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“Clauses”) in respect of such transfer, whereby:

  1. Controller is the “data exporter” and Unibound is the “data importer”;
  2. the footnotes, Clause 11(a) Option and Clause 17 Option 1 are omitted and the applicable annexes are completed respectively with the information set out in the Agreement;
  3. to the extent that each Party acts as a controller, Module One applies and Modules Two, Three and Four are omitted;
  4. to the extent that Controller acts as a controller and Unibound.ai acts as a processor, Module Two applies, Modules One, Three and Four are omitted, Clause 9(a) Option 1 is omitted and the time period in Option 2 is 14 days;
  5. to the extent that each Party acts as a processor, Module Three applies, Modules One, Two and Four are omitted; Clause 9(a) Option 1 is omitted and the time period in Option 2 is 14 days;
  6. the “competent supervisory authority” is that in the country where the data exporter is established;
  7. the Clauses are governed by the law of the country where the data exporter is established;
  8. any dispute arising from the Clauses shall be resolved by the courts of the country where the data exporter is established; and
  9. if there is any conflict between any of the terms of the Agreement and the Clauses, the Clauses will prevail.

5.2 To the extent that Controller is located outside the EEA and receives Personal Information from Unibound.ai located in the EEA, unless the Parties may rely on an alternative transfer mechanism or basis under the Data Protection Laws, the Parties will be deemed to have entered into the Clauses in respect of such transfer, whereby:

  1. Unibound.ai is the “data exporter” and Controller is the “data importer”;
  2. the applicable annexes are completed respectively with the information set out in the Agreement;
  3. to the extent that Unibound.ai is acting as a controller, Module One applies, Modules Two, Three and Four, the footnotes, Clause 11(a) Option and Clause 17 Option 1 are omitted;
  4. to the extent that Unibound.ai is acting as a processor, Module Four applies and Modules One, Two and Three and the footnotes are omitted;
  5. the “competent supervisory authority” is that in the country where the data exporter is established;
  6. the Clauses are governed by the law of the country where the data exporter is established;
  7. any dispute arising from the Clauses shall be resolved by the courts of the country where the data exporter is established; and
  8. if there is any conflict between any of the terms of the Agreement and the Clauses, the Clauses will prevail.

5.3 In relation to transfers of personal data from the United Kingdom, the Clauses as implemented under section 5.1 above will apply as modified by the International Data Transfer Addendum to the Clauses available at https://ico.org.uk/media/for-organisations/documents/4019539/international-datatransfer-addendum.pdf, with Tables 1 to 3 completed respectively with the information set out in the Agreement and Table 4 completed by selecting “neither party”.

5.4 In relation to transfers of personal data from Switzerland, the Clauses as implemented under section 5.1 above will apply subject to the following modifications:

  1. references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”);
  2. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP;
  3. references to “EU”, “Union”, “a Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”, as applicable;
  4. the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of accessing their rights;
  5. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner;
  6. the Clauses are governed by the law of Switzerland; and
  7. any dispute arising from the Clauses will be resolved by the courts of Switzerland.

6. Security Measures

6.1 Unibound.ai shall implement technical and organizational measures to ensure the security of Personal Data, including:

  • SSL encryption for all data transmitted through its platform.
  • Access controls to restrict data processing to authorised personnel.
  • Regular security audits to assess potential risks.

7. Data Subject Rights & DPIA Assistance

7.1 The Processor shall assist the Controller in responding to data subject requests related to:

  • Access, correction, or deletion of Personal Data.
  • Restriction or objection to processing.
  • Data portability requests.

7.2 The Processor shall assist the Controller with Data Protection Impact Assessments (DPIAs) as required under Articles 35 & 36 of UK GDPR.7.3 Requests must be submitted to james@unibound.ai for processing.

8. Data Breach Notification

8.1 In the event of a data breach, Unibound.ai shall notify the Controller without undue delay and no later than 24 hours, providing details of:

  • The nature of the breach.
  • Categories of affected data subjects.
  • Measures taken to mitigate the breach.

8.2 The Controller is responsible for notifying affected individuals and regulators as required by law.

9. Retention and Deletion

9.1 Unibound retains Personal Data only for the duration necessary to fulfill its processing obligations.

9.2 Upon termination of services, Unibound shall delete or return Personal Data at the Controller’s request unless retention is required by law.

10. Audit Rights

10.1 The Controller shall have the right to request audits or receive compliance documentation to verify Unibound’s compliance with this DPA.

10.2 Audits shall be limited to one per year unless a security breach has occurred.

11. Governing Law and Dispute Resolution

11.1 This DPA shall be governed by and construed in accordance with the laws of England and Wales.

11.2 Any disputes arising under this DPA shall be subject to binding arbitration in London, UK.

IN WITNESS WHEREOF, the parties have caused this Data Processing Agreement to be executed by their duly authorised representatives as of the Effective Date.

Building AI Agents that supercharge your team to do more, without increasing headcount.

© 2025 Unibound. All Rights Reserved.
Unibound is a trading name of Zindex Ltd, registered in England & Wales (Company No. 09390031)