ArcaDesk acts as a Data Processor on behalf of every client. This page explains how we handle your clients' personal data — and how to request the full signable agreement.
This DPA governs every instance where ArcaDesk processes personal data on your behalf — from the first inbound call to the final data deletion after your contract ends.
Identity and contact data (names, phone numbers, emails), communication data (call recordings, transcripts, message content), transactional data (appointment records, booking history), and behavioural data (opt-out status, engagement history).
Your existing and prospective clients, leads who contact or are contacted through your ArcaDesk system, and any contacts in your connected CRM. We do not process special category data (health, financial account numbers) without a separate written addendum.
Inbound call handling and qualification, outbound call and SMS sequences, CRM data capture and management, appointment booking, automated follow-up, and revenue performance reporting.
For the full term of your Service Agreement, plus any legally required retention periods thereafter. Upon termination, all data is returned or securely deleted within 30 days at your election.
These are ArcaDesk's binding obligations as your Data Processor — written into every client agreement, not just stated as policy.
ArcaDesk implements technical and organisational security measures appropriate to the sensitivity of the personal data we process on your behalf.
All personal data is encrypted in transit (TLS 1.2+) and at rest. Call recordings and transcripts are encrypted and stored in access-controlled environments.
Each client's data is held in a logically isolated environment. No data from your firm is accessible to any other ArcaDesk client, regardless of sector or geography.
Role-based access ensures only personnel with a documented business need can access your data. All access is logged and reviewed regularly. Access is revoked immediately on personnel change.
In the event of a security incident, ArcaDesk will notify you without undue delay and in all cases within 72 hours — with full details of the incident, affected records, and remediation steps.
Data is securely deleted at the end of each defined retention period. Upon contract termination, all data is returned or deleted within 30 days, with written confirmation provided.
All system access, data interactions, and consent records are logged with timestamps. For regulated sectors, extended audit trail retention is available on request.
ArcaDesk engages trusted third-party infrastructure providers to deliver the Services. All sub-processors are bound by data protection obligations equivalent to this DPA. You will be given advance notice of any changes.
| Category | Purpose | Location | Safeguard |
|---|---|---|---|
Cloud Hosting & Infrastructure |
Secure storage of personal data, call recordings, and CRM data | US / EU | SCCs / Adequacy |
Telephony & VoIP Platform |
Inbound and outbound call routing, recording, and transcription | US | DPA in place |
CRM Platform |
Contact management, workflow automation, pipeline tracking | US | DPA in place |
Email & SMS Delivery |
Outbound marketing and follow-up message delivery | US | DPA / SCCs |
Analytics & Reporting |
Revenue performance dashboards and anonymised usage analytics | US / EU | DPA in place |
Calendar Integration |
Appointment booking and confirmation automation | US | DPA in place |
A full named sub-processor list with specific vendor names and data handling details is available on request at [email protected]. You will be notified with reasonable advance notice of any changes.
ArcaDesk retains personal data only as long as necessary. Default retention periods are set out below — extended retention is available for regulated sectors on request.
| Data Category | Default Retention | Extended (on request) |
|---|---|---|
Call recordings & transcripts |
12 months from date of recording | Up to 7 years — regulated sectors (SOX, FCA) |
CRM contact records & interaction history |
Duration of Service Agreement + 12 months | As specified in writing by Controller |
Consent records (TCPA, marketing) |
5 years from date of consent | As required by applicable law |
Performance & analytics reports |
24 months | Indefinite (anonymised only) |
Security & access logs |
12 months | 24 months |
In addition to the general DPA terms, ArcaDesk applies sector-specific provisions for professional services clients. Select your sector below.
Attorney-client privilege. ArcaDesk acknowledges that legal intake calls may involve privileged communications. Intake scripts are configured to avoid eliciting privileged information beyond what is necessary for qualification and booking — in line with ABA Model Rule 1.6.
GLBA compliance. As a service provider handling financial services client data, ArcaDesk operates as a GLBA-covered third party — bound by contractual safeguarding obligations equivalent to your firm's requirements under the Gramm-Leach-Bliley Act.
E&O risk by design. ArcaDesk intake scripts for insurance clients are reviewed to ensure no coverage advice, policy recommendations, or binding commitments are made by the AI system. The AI qualifies and books — your licensed broker handles the rest.
Complete the form below to receive the full, signable Data Processing Agreement by email — typically within one business day. No sales pitch. Just the document.
✓ Request received. The DPA will be in your inbox within one business day.