Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the service agreement ("Main Agreement") between the parties identified below and is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Definitions

For the purposes of this DPA, the following definitions apply:

• "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined in GDPR Article 4(1).
• "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in GDPR Article 4(2).
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
• "Controller" means the natural or legal person that determines the purposes and means of the processing of Personal Data, as defined in GDPR Article 4(7).
• "Processor" means a natural or legal person that processes Personal Data on behalf of the Controller, as defined in GDPR Article 4(8).
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
• "DSAR" means a Data Subject Access Request made pursuant to GDPR Articles 15-22.

3. Subject Matter and Duration

3.1 Subject Matter

This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of Vorden, an AI-powered voice, chat, and omnichannel communication platform.

3.2 Duration

This DPA shall remain in effect for the duration of the Main Agreement between the Controller and the Processor. Upon termination of the Main Agreement, the provisions of this DPA regarding data deletion and return shall continue to apply until fully performed.

4. Nature and Purpose of Processing

The Processor processes Personal Data for the following purposes in connection with Vorden:

• AI-powered voice communication (inbound and outbound calls)
• Chat and messaging services (including WhatsApp, Telegram, and SMS)
• Automatic speech-to-text transcription
• AI-assisted response generation and intent detection
• Sentiment analysis and call quality scoring
• Communication analytics and reporting
• Account management and billing

5. Types of Personal Data

The following categories of Personal Data may be processed under this DPA:

• Voice recordings (call audio)
• Call transcripts
• Phone numbers
• Email addresses
• IP addresses
• Chat messages and conversation logs
• WhatsApp, Telegram, and SMS message content
• Account profile information (name, contact details)
• Usage and session metadata

6. Categories of Data Subjects

The Personal Data processed under this DPA may relate to the following categories of Data Subjects:

• End-users of the Controller's services
• Callers and recipients of voice communications
• Chat and messaging participants
• Employees, agents, and representatives of the Controller
• Any other individuals whose Personal Data is transmitted through Vorden

7. Obligations of the Processor

The Processor shall:

7.1 Documented Instructions

Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.

7.2 Confidentiality

Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.3 Technical and Organizational Measures

Implement and maintain appropriate technical and organizational measures as set out in Section 8 of this DPA to ensure a level of security appropriate to the risk of processing.

7.4 Sub-processor Engagement

Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller, subject to the provisions of Section 9 of this DPA.

7.5 Data Subject Rights Assistance

Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights under GDPR Articles 15-22.

7.6 Security and Breach Notification

• Assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32-36, taking into account the nature of processing and the information available to the Processor.
• Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting the Controller's Personal Data.
• Provide the Controller with sufficient information to enable the Controller to meet its obligations under GDPR Articles 33 and 34, including:
  • The nature of the Data Breach
  • The categories and approximate number of Data Subjects affected
  • The likely consequences of the Data Breach
  • The measures taken or proposed to address the Data Breach

7.7 Data Deletion and Return

At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data. Deletion shall be completed within 30 days of termination of the Main Agreement.

7.8 Audit and Information

Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

8. Technical and Organizational Measures (TOMs)

The Processor implements and maintains the following technical and organizational measures to protect Personal Data:

8.1 Encryption

• At Rest: Industry-standard encryption of all stored Personal Data, including databases, backups, and file storage.
• In Transit: Industry-standard encryption of all data transmissions between clients, servers, and sub-processors.

8.2 Access Control

• Authentication: Secure session-based authentication with short-lived access tokens and rotation.
• Role-Based Access Control: Access to Personal Data is restricted based on the principle of least privilege, with role-based permissions enforced at the application level.
• Multi-Factor Authentication (MFA): Available and enforced for administrative access to the platform.

8.3 Tenant Isolation

• Logical separation of Controller data at both the database and application level.
• Each tenant's data is isolated through dedicated schemas or partitioning, ensuring no cross-tenant data access.

8.4 Monitoring and Logging

• Application Monitoring: Continuous application and performance monitoring with Personal Data scrubbing enabled on error reports.
• Audit Logging: Comprehensive audit logs recording access to, modification of, and deletion of Personal Data.
• Logs are retained for up to 12 months and are accessible for compliance and investigation purposes.

8.5 Backup and Recovery

• Regular encrypted backups stored in cloud infrastructure located within the European Union.
• Backup integrity verification and restoration testing performed periodically.

8.6 Incident Response

• Dedicated incident response process with defined escalation paths.
• 72-hour breach notification commitment to the Controller.
• Post-incident review and remediation procedures.
• Dedicated response team with documented roles and responsibilities.

9. Sub-processors

9.1 Authorized Sub-processors

The Controller provides general written authorization for the Processor to engage the sub-processors identified on the Processor's Sub-Processors page (the "Sub-Processor List"). The Sub-Processor List specifies, for each sub-processor, the name, processing location, and purpose of processing, and is maintained and kept current by the Processor. A written snapshot of the Sub-Processor List as of the Effective Date is available on request.

9.2 Changes to Sub-processors

The Processor shall:

• Notify the Controller in writing of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.
• Provide a 30-day objection period from the date of notification before engaging any new sub-processor.
• If the Controller raises a reasonable objection within the objection period, the Processor shall make reasonable efforts to provide an alternative solution. If no alternative is available, the Controller may terminate the affected services under the Main Agreement.

9.3 Sub-processor Obligations

The Processor shall impose on each sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each sub-processor's obligations.

10. International Data Transfers

10.1 Transfer Mechanisms

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, including:

• Standard Contractual Clauses (SCCs): The Processor enters into EU-approved Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with all sub-processors located outside the EEA, including those in the United States.

10.2 Supplementary Measures

In accordance with the guidance issued following the Schrems II decision (CJEU Case C-311/18), the Processor implements the following supplementary measures:

• Industry-standard encryption of Personal Data in transit and at rest
• Strict access controls ensuring that access to Personal Data is limited to authorized personnel
• Data minimization practices, transferring only the minimum Personal Data required for processing
• Regular transfer impact assessments to evaluate the legal framework of recipient countries
• Contractual provisions prohibiting sub-processors from providing access to Personal Data to government authorities except as required by applicable law

11. Data Subject Rights

11.1 Assistance with DSARs

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject Access Requests (DSARs) and other rights requests under GDPR Articles 15-22, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object
• Rights related to automated decision-making

11.2 Response Process

The Processor shall:

• Promptly notify the Controller if it receives a DSAR directly from a Data Subject.
• Not respond to a DSAR directly unless authorized by the Controller.
• Provide the Controller with necessary technical assistance and data exports to facilitate timely responses to DSARs within the GDPR-mandated 30-day period.

12. Audit Rights

12.1 Controller's Right to Audit

The Controller, or a qualified third-party auditor appointed by the Controller, may audit the Processor's compliance with this DPA, subject to the following conditions:

• The Controller shall provide reasonable advance written notice (minimum 30 days, except in the case of a Data Breach).
• Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
• The Controller shall bear the costs of any audit, except where the audit reveals material non-compliance by the Processor.

12.2 Processor's Obligations

The Processor shall:

• Make available all information reasonably necessary to demonstrate compliance with GDPR Article 28.
• Allow for and contribute to audits and inspections by the Controller or the Controller's designated auditor.
• Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes GDPR or other applicable data protection law.

13. Liability

The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set forth in the Main Agreement. Nothing in this DPA shall limit or exclude either party's liability for damages arising from breaches of GDPR to the extent such limitation is not permitted by applicable law.

14. Term and Termination

14.1 Effective Date

This DPA becomes effective on the later of: (a) the effective date stated above, or (b) the date the Controller enters into the Main Agreement with the Processor.

14.2 Duration

This DPA shall remain in effect for the duration of the Main Agreement.

14.3 Effects of Termination

Upon termination of the Main Agreement:

• The Processor shall, at the Controller's election, either return or delete all Personal Data within 30 days of termination.
• The Processor shall provide written certification of deletion upon the Controller's request.
• Provisions of this DPA that by their nature should survive termination (including confidentiality, liability, and audit rights for a reasonable period) shall survive.

15. General Provisions

15.1 Governing Law

This DPA shall be governed by and construed in accordance with the laws applicable to the Main Agreement, without prejudice to the mandatory provisions of GDPR.

15.2 Conflicts

In the event of any conflict between this DPA and the Main Agreement, this DPA shall prevail with respect to the processing of Personal Data.

15.3 Amendments

This DPA may be amended only by a written instrument signed by both parties. The Processor may update the technical and organizational measures described in Section 8 from time to time, provided that the updated measures offer an equivalent or higher level of protection.

Controller:

Name: ___________________________ Title: ___________________________ Signature: ___________________________ Date: ___________________________

Processor (LucyHQ, Inc.):

Name: ___________________________ Title: ___________________________ Signature: ___________________________ Date: ___________________________