1 DEFINITIONS

• “Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any other applicable privacy and data protection laws.
• “Customer Data” means all Personal Data that Customer provides to Company or that Company collects, processes, or stores on Customer’s behalf in connection with the provision of the Services, including lead information, conversation transcripts, contact details, and appointment data.
• “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
• “GDPR” means the General Data Protection Regulation (EU) 2016/679.
• “Personal Data” means any information relating to an identified or identifiable natural person as defined under Applicable Data Protection Laws.
• “Processing” (and “Process”) means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, or deletion.
• “Sub-processor” means any third party engaged by Company to Process Personal Data on behalf of Customer in connection with the Services.
• “Services” means the AI employee services for lead qualification and appointment scheduling provided by Company as described in the Terms of Service.

2 SCOPE AND ROLES

Data Controller and Data Processor

The parties acknowledge and agree that:

• Customer is the Data Controller of the Customer Data
• Company acts as a Data Processor, processing Customer Data solely on behalf of and according to the documented instructions of Customer
• Customer is solely responsible for compliance with all obligations under Applicable Data Protection Laws as a Data Controller

Processing Instructions

Customer instructs Company to Process Customer Data for the following purposes:

• Providing the AI employee services, including lead qualification and appointment scheduling
• Managing and facilitating communications between Customer and Customer’s leads/prospects
• Integrating with Customer’s calendar systems and CRM platforms
• Recording, transcribing, and storing conversation data
• Generating reports and analytics related to the Services
• Any other purposes necessary to provide the Services as described in the Terms of Service

Nature and Purpose of Processing

Aspect	Description
Subject Matter	AI-powered lead qualification and appointment scheduling services
Duration	For the term of the agreement and retention period specified in our Privacy Policy
Nature of Processing	Collection, recording, storage, analysis, transmission, and deletion of Personal Data
Purpose of Processing	To enable AI employee to qualify leads and schedule appointments on Customer’s behalf
Types of Personal Data	Names, email addresses, phone numbers, conversation transcripts, appointment details, company information, demographic data
Categories of Data Subjects	Customer’s leads, prospects, and customers who interact with the AI employee

3 CUSTOMER OBLIGATIONS

Customer represents, warrants, and covenants that:

Legal Basis and Consent

• Customer has obtained all necessary legal bases, consents, and authorizations required under Applicable Data Protection Laws to collect and share Customer Data with Company
• Customer has provided all required notices and disclosures to Data Subjects regarding the processing of their Personal Data
• Customer has the right to transfer Customer Data to Company for processing as described in this DPA

Compliance with Laws

• Customer’s use of the Services and provision of Customer Data complies with all Applicable Data Protection Laws
• Customer complies with all telemarketing laws, including TCPA, TSR, and Do-Not-Call regulations
• Customer maintains proper records of consent and can provide documentation upon request

4 COMPANY OBLIGATIONS

Processing According to Instructions

Company shall:

• Process Customer Data only in accordance with Customer’s documented instructions as set forth in this DPA and the Terms of Service
• Not Process Customer Data for any purpose other than providing the Services, unless required by applicable law
• Immediately inform Customer if, in Company’s opinion, an instruction violates Applicable Data Protection Laws

Confidentiality

Company shall ensure that all personnel authorized to Process Customer Data:

• Are bound by appropriate confidentiality obligations
• Receive appropriate training on data protection
• Process Customer Data only as necessary to perform their duties

Security Measures

Company implements and maintains appropriate technical and organizational measures to protect Customer Data, including:

• Encryption of data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and vulnerability testing
• Employee background checks and security training
• Incident response and business continuity procedures
• Physical security controls for data centers and facilities

5 SUB-PROCESSORS

Authorization to Use Sub-processors

Customer authorizes Company to engage Sub-processors to Process Customer Data in connection with providing the Services. Company shall:

• Ensure that Sub-processors are bound by data protection obligations substantially similar to those in this DPA
• Remain fully liable to Customer for the performance of Sub-processors’ obligations
• Conduct appropriate due diligence on Sub-processors prior to engagement

Current Sub-processors

Company currently uses the following categories of Sub-processors:

Changes to Sub-processors

Company may update its list of Sub-processors from time to time. In such cases:

• Company will provide Customer with at least 30 days’ prior notice of any new Sub-processor via email or account notification
• Customer may object to the use of a new Sub-processor on reasonable grounds related to data protection within 15 days of receiving notice
• If Customer objects and Company cannot accommodate the objection, Customer may terminate the affected Services upon written notice
• If Customer does not object within the 15-day period, Customer is deemed to have accepted the new Sub-processor

6 DATA SUBJECT RIGHTS

Company will provide reasonable assistance to Customer in responding to Data Subject requests to exercise their rights under Applicable Data Protection Laws, including:

• Right of Access: Providing Data Subjects with access to their Personal Data
• Right to Rectification: Correcting inaccurate or incomplete Personal Data
• Right to Erasure: Deleting Personal Data (“right to be forgotten”)
• Right to Restriction: Restricting processing of Personal Data in certain circumstances
• Right to Data Portability: Providing Personal Data in a structured, machine-readable format
• Right to Object: Objecting to certain types of processing

Process for Data Subject Requests

If Company receives a Data Subject request directly:

• Company will promptly notify Customer of the request
• Company will not respond to the Data Subject directly without Customer’s prior authorization
• Customer will be responsible for responding to the Data Subject
• Company will provide reasonable assistance to Customer as necessary

If Customer receives a Data Subject request and requires Company’s assistance:

• Customer will submit the request to Company via email at [privacy@yourcompany.com]
• Company will respond within 10 business days with the requested information or assistance
• Company may charge reasonable fees for extensive or repetitive requests

7 DATA BREACH NOTIFICATION

Company’s Obligations

In the event Company becomes aware of a Personal Data breach affecting Customer Data, Company will:

• Notify Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach
• Provide Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the breach under Applicable Data Protection Laws
• Take reasonable steps to mitigate the effects and minimize any damage resulting from the breach
• Cooperate with Customer in investigating the breach and implementing remedial measures

Breach Notification Contents

Company’s breach notification will include, to the extent known:

• Description of the nature of the Personal Data breach
• Categories and approximate number of Data Subjects and Personal Data records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach and mitigate its effects
• Contact point for further information

8 DATA PROTECTION IMPACT ASSESSMENTS AND AUDITS

Assistance with Impact Assessments

Upon Customer’s written request, Company will provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent such assistance is required under Applicable Data Protection Laws and relates to the processing of Customer Data.

Audit Rights

Customer may audit Company’s compliance with this DPA:

• Upon reasonable written notice (at least 30 days in advance)
• No more than once per year, unless required by a supervisory authority
• During regular business hours and in a manner that does not unreasonably interfere with Company’s operations
• Subject to reasonable confidentiality obligations
• At Customer’s expense (unless a non-compliance is discovered, in which case Company will reimburse reasonable costs)

In lieu of an on-site audit, Company may provide:

• Copies of relevant certifications (e.g., ISO 27001, SOC 2)
• Third-party audit reports
• Written responses to Customer’s audit questionnaires

9 INTERNATIONAL DATA TRANSFERS

Transfers Outside the EEA

Customer acknowledges that Company may transfer and process Customer Data outside the European Economic Area (EEA), United Kingdom, or Switzerland. Where such transfers occur, Company shall ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission regarding the destination country
• Other legally recognized transfer mechanisms under GDPR

Additional Measures

Company implements supplementary measures to protect Personal Data transferred internationally, including:

• Encryption of data in transit and at rest
• Contractual commitments from Sub-processors regarding data protection
• Regular assessments of data protection laws in destination countries

10 DATA RETENTION AND DELETION

Retention Period

Company will retain Customer Data:

• For the duration of the agreement with Customer
• For such additional period as specified in our Privacy Policy or Terms of Service
• As required by applicable law or regulatory obligations

Deletion Upon Termination

Upon termination or expiration of the agreement, Company will, at Customer’s choice:

• Delete all Customer Data within 30 days, except as required by law; or
• Return Customer Data to Customer in a commonly used, machine-readable format

Customer must submit a written request for data deletion or return within 30 days of termination. After this period, Company may delete all Customer Data.

Legal Retention Requirements

Notwithstanding the above, Company may retain Customer Data to the extent required by applicable law, including:

• Tax and accounting record retention requirements
• Legal hold obligations related to litigation or investigations
• Regulatory compliance obligations

Data retained for legal purposes will continue to be subject to the confidentiality and security obligations of this DPA.

11 CCPA-SPECIFIC PROVISIONS

To the extent Company processes Personal Information (as defined in the CCPA) as a Service Provider on behalf of Customer (acting as a Business), the following additional terms apply:

Service Provider Obligations

Company certifies that it:

• Understands the restrictions in CCPA Section 1798.140(ag) and will comply with them
• Will not sell or share Personal Information
• Will not retain, use, or disclose Personal Information for any purpose other than providing the Services or as otherwise permitted by the CCPA
• Will not combine Personal Information received from Customer with Personal Information received from other sources, except as permitted by the CCPA
• Will provide the same level of privacy protection as required of businesses under the CCPA

Consumer Rights

Company will assist Customer in responding to Consumer requests under the CCPA, including:

• Right to know what Personal Information is collected
• Right to delete Personal Information
• Right to opt-out of the sale of Personal Information
• Right to correct inaccurate Personal Information
• Right to limit use and disclosure of Sensitive Personal Information

Notification of Non-Compliance

Company will notify Customer if it determines that it can no longer meet its obligations under the CCPA.

12 LIABILITY AND INDEMNIFICATION

Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service.

Indemnification

Customer will indemnify, defend, and hold harmless Company from any claims, damages, losses, liabilities, and expenses (including reasonable attorneys’ fees) arising from:

• Customer’s violation of Applicable Data Protection Laws
• Customer’s failure to obtain necessary consents or provide required notices to Data Subjects
• Customer’s instructions to Company that violate Applicable Data Protection Laws
• Claims by Data Subjects related to Customer’s processing of their Personal Data

13 TERM AND TERMINATION

This DPA will commence on the effective date of the Terms of Service and will remain in effect until the termination or expiration of the Terms of Service, unless terminated earlier in accordance with its terms.

Upon termination of this DPA:

• Company’s obligation to Process Customer Data will cease
• Company will delete or return Customer Data as specified in Section 10
• The confidentiality, liability, and indemnification provisions will survive

14 GENERAL PROVISIONS

Amendments

Company may update this DPA from time to time to reflect changes in business practices or legal requirements. Company will provide Customer with at least 30 days’ notice of material changes. Customer’s continued use of the Services after such changes constitutes acceptance of the updated DPA.

Governing Law

This DPA will be governed by the same governing law provisions as set forth in the Terms of Service.

Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect.

Order of Precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA will prevail with respect to data processing matters.

Entire Agreement

This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties regarding the processing of Customer Data.