DPA

Data Processing Addendum

Last Updated: December 6, 2024

Important: This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer" or "Client") and Callium AI ("Company," "we," "us," or "our") and applies to the extent Company processes any Personal Data on your behalf in connection with our AI employee services.

This DPA supplements and is incorporated into our Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.

1 Definitions

  • "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data, including GDPR, CCPA, and any other applicable privacy and data protection laws.
  • "Customer Data" means all Personal Data that Customer provides to Company or that Company collects, processes, or stores on Customer's behalf, including lead information, conversation transcripts, contact details, and appointment data.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under Applicable Data Protection Laws.
  • "Processing" means any operation performed on Personal Data, whether or not by automated means, such as collection, recording, storage, adaptation, retrieval, use, disclosure, or deletion.
  • "Sub-processor" means any third party engaged by Company to Process Personal Data on behalf of Customer.
  • "Services" means the AI employee services for lead qualification and appointment scheduling provided by Callium AI.

2 Scope and Roles

Data Controller and Data Processor

  • Customer is the Data Controller of the Customer Data
  • Callium AI acts as a Data Processor, processing Customer Data solely on behalf of and according to Customer's documented instructions
  • Customer is solely responsible for compliance with all obligations under Applicable Data Protection Laws as a Data Controller

Processing Instructions

Customer instructs Company to Process Customer Data for the following purposes:

  • Providing AI employee services including lead qualification and appointment scheduling
  • Managing and facilitating communications between Customer and Customer's leads/prospects
  • Integrating with Customer's calendar systems and CRM platforms
  • Recording, transcribing, and storing conversation data
  • Generating reports and analytics related to the Services

Nature and Purpose of Processing

Aspect: Description
Subject Matter: AI-powered lead qualification and appointment scheduling services
Duration: For the term of the agreement and retention period specified in our Privacy Policy
Nature of Processing: Collection, recording, storage, analysis, transmission, and deletion of Personal Data
Purpose of Processing: To enable AI employee to qualify leads and schedule appointments on Customer's behalf
Types of Personal Data: Names, email addresses, phone numbers, conversation transcripts, appointment details, company information, demographic data
Categories of Data Subjects: Customer's leads, prospects, and customers who interact with the AI employee

3 Customer Obligations

Legal Basis and Consent

  • Customer has obtained all necessary legal bases, consents, and authorizations required under Applicable Data Protection Laws
  • Customer has provided all required notices and disclosures to Data Subjects regarding the processing of their Personal Data
  • Customer has the right to transfer Customer Data to Company for processing as described in this DPA

Compliance with Laws

  • Customer's use of the Services complies with all Applicable Data Protection Laws
  • Customer complies with all telemarketing laws, including TCPA, TSR, and Do-Not-Call regulations
  • Customer maintains proper records of consent and can provide documentation upon request

Important: Customer is solely responsible for ensuring compliance with all data protection and privacy laws applicable to its business. Callium AI provides tools and services but does not provide legal advice or guarantee Customer's compliance with applicable laws.

4 Company Obligations

Processing According to Instructions

  • Process Customer Data only in accordance with Customer's documented instructions
  • Not Process Customer Data for any purpose other than providing the Services, unless required by applicable law
  • Immediately inform Customer if an instruction violates Applicable Data Protection Laws

Confidentiality

  • All personnel authorized to Process Customer Data are bound by appropriate confidentiality obligations
  • Personnel receive appropriate training on data protection
  • Customer Data is processed only as necessary to perform duties

Security Measures

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and vulnerability testing
  • Employee background checks and security training
  • Incident response and business continuity procedures
  • Physical security controls for data centers and facilities

Security Certifications: Callium AI maintains industry-standard security practices and obtains relevant security certifications where applicable. Details are available upon request for enterprise customers.

5 Sub-Processors

Authorization to Use Sub-processors

  • Sub-processors are bound by data protection obligations substantially similar to those in this DPA
  • Callium AI remains fully liable to Customer for the performance of Sub-processors' obligations
  • Appropriate due diligence is conducted on Sub-processors prior to engagement

Current Sub-processors

AI Voice Services

Purpose: Conversational AI, voice synthesis, and natural language processing

Examples: Retell.ai, ElevenLabs, OpenAI

Data Processed: Conversation transcripts, voice recordings, lead information

Cloud Hosting & Infrastructure

Purpose: Data storage, computing infrastructure, and application hosting

Examples: Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure

Data Processed: All Customer Data stored and processed through the Services

Telecommunications Providers

Purpose: Phone services, SMS, and communication infrastructure

Examples: Twilio, telecommunications carriers

Data Processed: Phone numbers, call records, SMS messages

Calendar & CRM Integrations

Purpose: Calendar synchronization and CRM data integration

Examples: Google Calendar, Microsoft Outlook, Salesforce, HubSpot, Zapier

Data Processed: Appointment data, contact information, lead details

Analytics & Monitoring

Purpose: Service performance monitoring, analytics, and optimization

Examples: Analytics platforms, monitoring services

Data Processed: Usage data, performance metrics, aggregated statistics

Changes to Sub-processors

  • At least 30 days' prior notice of any new Sub-processor via email or account notification
  • Customer may object within 15 days on reasonable grounds related to data protection
  • If objection cannot be accommodated, Customer may terminate the affected Services
  • No objection within 15 days constitutes acceptance of the new Sub-processor

6 Data Subject Rights

Callium AI will provide reasonable assistance to Customer in responding to Data Subject requests, including:

  • Right of Access: Providing Data Subjects with access to their Personal Data
  • Right to Rectification: Correcting inaccurate or incomplete Personal Data
  • Right to Erasure: Deleting Personal Data ("right to be forgotten")
  • Right to Restriction: Restricting processing of Personal Data in certain circumstances
  • Right to Data Portability: Providing Personal Data in a structured, machine-readable format
  • Right to Object: Objecting to certain types of processing

Process for Data Subject Requests

  • Callium AI will promptly notify Customer of any Data Subject request received directly
  • Callium AI will not respond to the Data Subject directly without Customer's prior authorization
  • Customer will be responsible for responding to the Data Subject
  • Submit requests requiring Company's assistance to info@callium.co
  • Callium AI will respond within 10 business days with the requested information or assistance

7 Data Breach Notification

Company's Obligations

In the event of a Personal Data breach affecting Customer Data, Callium AI will:

  • Notify Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach
  • Provide sufficient information to allow Customer to meet any breach reporting obligations
  • Take reasonable steps to mitigate effects and minimize damage
  • Cooperate with Customer in investigating the breach and implementing remedial measures

Breach Notification Contents

  • Description of the nature of the Personal Data breach
  • Categories and approximate number of Data Subjects and records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address and mitigate the breach
  • Contact point for further information

Customer Responsibility: Customer remains solely responsible for complying with any breach notification obligations under Applicable Data Protection Laws, including notifying regulatory authorities and Data Subjects as required.

8 Data Protection Impact Assessments and Audits

Assistance with Impact Assessments

Upon written request, Callium AI will provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities.

Audit Rights

  • Upon reasonable written notice (at least 30 days in advance)
  • No more than once per year, unless required by a supervisory authority
  • During regular business hours without unreasonably interfering with operations
  • Subject to reasonable confidentiality obligations
  • At Customer's expense (unless non-compliance is discovered)

In lieu of on-site audits, Callium AI may provide relevant certifications, third-party audit reports, or written responses to audit questionnaires.

9 International Data Transfers

Transfers Outside the EEA

Customer acknowledges that Callium AI may transfer and process Customer Data outside the EEA, United Kingdom, or Switzerland. Where such transfers occur, appropriate safeguards are in place including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission regarding the destination country
  • Other legally recognized transfer mechanisms under GDPR

Additional Measures

  • Encryption of data in transit and at rest
  • Contractual commitments from Sub-processors regarding data protection
  • Regular assessments of data protection laws in destination countries

10 Data Retention and Deletion

Retention Period

  • For the duration of the agreement with Customer
  • For such additional period as specified in our Privacy Policy or Terms of Service
  • As required by applicable law or regulatory obligations

Deletion Upon Termination

Upon termination or expiration of the agreement, Callium AI will, at Customer's choice, delete all Customer Data within 30 days or return it in a commonly used, machine-readable format. Customer must submit a written request within 30 days of termination.

Legal Retention Requirements

Callium AI may retain Customer Data as required by applicable law including tax and accounting requirements, legal hold obligations, and regulatory compliance. Data retained for legal purposes continues to be subject to the confidentiality and security obligations of this DPA.

11 CCPA-Specific Provisions

Service Provider Obligations

Callium AI certifies that it:

  • Will not sell or share Personal Information
  • Will not retain, use, or disclose Personal Information for any purpose other than providing the Services
  • Will not combine Personal Information received from Customer with Personal Information from other sources, except as permitted by the CCPA
  • Will provide the same level of privacy protection as required of businesses under the CCPA

Consumer Rights

  • Right to know what Personal Information is collected
  • Right to delete Personal Information
  • Right to opt-out of the sale of Personal Information
  • Right to correct inaccurate Personal Information
  • Right to limit use and disclosure of Sensitive Personal Information

12 Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service.

Customer will indemnify, defend, and hold harmless Callium AI from any claims, damages, losses, liabilities, and expenses arising from:

  • Customer's violation of Applicable Data Protection Laws
  • Customer's failure to obtain necessary consents or provide required notices to Data Subjects
  • Customer's instructions to Callium AI that violate Applicable Data Protection Laws
  • Claims by Data Subjects related to Customer's processing of their Personal Data

13 Term and Termination

This DPA commences on the effective date of the Terms of Service and remains in effect until termination or expiration of the Terms of Service. Upon termination, Company's obligation to Process Customer Data will cease, Customer Data will be deleted or returned as specified in Section 10, and the confidentiality, liability, and indemnification provisions will survive.

14 General Provisions

Amendments

Callium AI may update this DPA from time to time. At least 30 days' notice will be provided for material changes. Continued use of the Services after such changes constitutes acceptance.

Governing Law

This DPA will be governed by the same governing law provisions as set forth in the Terms of Service.

Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in full force and effect.

Order of Precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA will prevail with respect to data processing matters.

15 Contact Information

For questions about this Data Processing Addendum or to exercise your rights, please contact:

Company: Callium AI
Data Protection Officer: Badreddine EL MALYH, Founder & CEO
Address: 1234 Innovation Drive, Suite 500, Austin, TX 78701
Email: info@callium.co
Phone: +1 (302) 496-5213