This Data Processing Agreement ("DPA") forms part of the Terms of Service between Callivex (Lunatoria Prime LTD) and the customer. It governs Callivex's processing of personal data on behalf of the customer in connection with the Service.
Effective date: 1 January 2026 · Version: 1.0
For personal data processed under this DPA, the customer is the controller and Callivex is the processor, except where Callivex acts as an independent controller for purposes of network security, fraud prevention, regulator obligations, and operation of the Service generally — in which case Callivex's processing is governed by its Privacy Policy.
Provision of wholesale voice services: SIP termination, DID numbers, SIP trunking, reseller portal, billing.
For the term of the customer agreement, plus retention periods set out in the Privacy Policy.
Callivex processes personal data only on the customer's documented instructions, including those set out in the Order, the Terms of Service, and this DPA. Callivex will inform the customer if, in its opinion, an instruction infringes UK GDPR / EU GDPR or applicable law.
Personnel authorised to process personal data are bound by appropriate confidentiality obligations.
Callivex implements appropriate technical and organisational measures, including those described in the Privacy Policy section 8 and applicable industry standards. Specifically:
Callivex may engage sub-processors for hosting, network infrastructure, payments, fraud-detection, and analytics. Current sub-processors are listed at the customer portal and may include:
Callivex flows down written data-processing terms to sub-processors equivalent to those in this DPA. Notice of sub-processor changes is given at least thirty (30) days in advance to allow the customer to object on reasonable grounds.
Callivex provides reasonable assistance to the customer in: responding to data-subject requests; ensuring compliance with security, breach-notification, and impact-assessment obligations; engaging with the supervisory authority.
Callivex notifies the customer without undue delay (and in any event within seventy-two (72) hours) on becoming aware of a personal-data breach affecting customer data, with the information required for the customer to meet its own notification obligations.
On termination of the Service, Callivex deletes or returns personal data to the customer at the customer's choice, except to the extent retention is required by applicable law (telecommunications retention, audit, regulator obligations).
Callivex makes available the information necessary to demonstrate compliance with this DPA. Where the customer requires further verification, audits may be conducted on reasonable advance notice (at least 30 days), during business hours, no more than once per twelve (12) months, and at the customer's expense, save for serious findings of non-compliance.
Personal data is hosted in the European Economic Area (primary) and the United Kingdom (failover). Where a transfer to a third country is necessary for the Service (e.g. routing to a non-EEA destination), Callivex relies on an applicable safeguard under UK GDPR / EU GDPR (adequacy decision, standard contractual clauses, or other approved mechanism).
Liability under this DPA is governed by, and subject to the limitations and exclusions in, the Terms of Service.
In the event of conflict between this DPA and the Terms of Service in respect of personal-data processing, this DPA prevails.
This DPA is governed by the laws of England and Wales.
Data-protection enquiries and DPA execution: compliance@callivex.com
Lunatoria Prime LTD, 13 Hawley Crescent, London NW1 8NP, United Kingdom.