Data Processing Addendum

“Customer Data” means data, content, records, call information, configuration information, CRM or backoffice data, messages, prompts, call flows, transcripts, recordings, metadata, or other information submitted to, uploaded to, transmitted through, or made available to the Platform by or on behalf of Customer.

“Caller Data” means Personal Data relating to individuals who call, message, communicate with, or are otherwise routed through the Platform, including leads, customers, patients, clients, business contacts, or other third parties.

“Personal Data” means any information relating to an identified or identifiable individual, including “personal information,” “personal data,” or similar terms under applicable privacy and data protection laws.

“Subprocessor” means any third-party service provider engaged by Provider to process Personal Data on behalf of Customer in connection with the Services.

For Customer Data and Caller Data processed on Customer’s behalf, Customer is the controller, business, or equivalent entity under applicable data protection laws, and Provider is the processor, service provider, or equivalent entity, unless the parties agree otherwise in writing or applicable law requires a different classification.

Customer is responsible for determining the purposes and means of processing Personal Data, including the types of Personal Data made available to the Platform, the call flows and scripts used with the Platform, the disclosures provided to callers, and the Customer systems connected to the Platform.

Provider will process Personal Data on Customer’s behalf only as described in this DPA, the applicable agreement, Customer’s configuration settings, Customer’s documented instructions, support requests, and applicable law.

Provider will process Personal Data only for the purpose of providing, securing, supporting, maintaining, troubleshooting, and improving the Services, and as otherwise permitted by the applicable agreement or applicable law.

Customer’s documented instructions include this DPA, the applicable Master Subscription Agreement, Order Form, configuration settings, product documentation, support requests, and other written instructions provided by Customer and accepted by Provider.

Provider is not responsible for determining whether Customer’s instructions comply with laws applicable to Customer’s business, industry, callers, or end users.

The subject matter of processing is the provision of AI-powered voice answering, transcription, call routing, CRM and backoffice integrations, messaging, analytics, administrative tools, support, and related services.

The duration of processing is the applicable subscription term, plus any retention, deletion, backup, legal, or operational period described in the applicable agreement or Provider’s policies.

The nature and purpose of processing is to provide, secure, support, troubleshoot, maintain, analyze, and improve the Services.

Categories of data subjects may include callers, Customer employees and users, leads, customers, patients or clients where applicable, business contacts, vendors, and other individuals whose information is made available to the Platform by or on behalf of Customer.

Categories of Personal Data may include identifiers, contact information, audio recordings, transcripts, messages, appointment details, call metadata, CRM or backoffice fields, support information, configuration information, and other data Customer makes available to the Platform.

Customer is responsible for obtaining all rights, permissions, consents, and authorizations necessary for Provider to process Personal Data in accordance with this DPA and the applicable agreement.

Customer is also responsible for providing any legally required notices or disclosures to callers, employees, users, leads, customers, patients, clients, or other individuals, including notices relating to AI use, call recording, transcription, monitoring, messaging, and integration with Customer systems.

Customer is responsible for ensuring that its use of the Services complies with laws applicable to Customer’s business, industry, jurisdiction, and communications with individuals.

Provider will ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations, whether by written agreement, employment obligation, professional duty, or other legally enforceable commitment.

Provider will implement appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, loss, misuse, alteration, or disclosure.

These measures may include access controls, authentication controls, encryption where appropriate, logging, monitoring, personnel controls, incident response procedures, vendor controls, and other safeguards described in Provider’s applicable Security Exhibit, security documentation, or public security materials.

Customer gives Provider general authorization to use Subprocessors to provide, secure, support, maintain, and improve the Services.

Provider maintains a public Subprocessor List, available at Annex I, which identifies material third-party providers that may process Personal Data in connection with the Services.

Provider will require Subprocessors to protect Personal Data under written obligations that are materially consistent with this DPA, taking into account the nature of the services provided by each Subprocessor.

Provider may update its Subprocessor List from time to time as its vendors, infrastructure, product features, integrations, and service providers evolve.

Provider will provide notice of material Subprocessor changes through its Subprocessor List, website, email, in-product notice, or another reasonable mechanism.

Customer may object to a new Subprocessor on reasonable data protection grounds within 15 days after notice. If Customer objects, Provider will use commercially reasonable efforts to address the objection, which may include providing additional information, offering a reasonable workaround where available, or allowing Customer to terminate the affected Services as described in the applicable agreement.

The Platform may rely on third-party artificial intelligence models, speech-to-text services, text-to-speech services, telephony providers, cloud hosting providers, CRM systems, APIs, analytics tools, and other third-party services to provide the Services.

These providers may process Personal Data as Subprocessors or third-party service providers, depending on the nature of the service and Customer’s configuration of the Platform. Material Subprocessors are identified or described in Annex I.

Provider will use commercially reasonable efforts to select third-party providers and configurations that are appropriate for the Services and that include commercially reasonable privacy, security, and data protection commitments.

Provider does not sell Personal Data.

Provider does not use Customer call recordings, transcripts, CRM records, message content, or other Customer Data to train Provider-owned general-purpose AI models unless Customer explicitly opts in in writing.

The Platform may use third-party artificial intelligence models and related services to process Customer Data in order to provide the Services. Such third-party providers may process Customer Data in accordance with their applicable terms, data processing agreements, security commitments, subprocessors, and configuration settings.

Provider will use commercially reasonable efforts to configure third-party AI services, where available, so that Customer Data is not used by those third-party providers to train general-purpose AI models.

Provider may use aggregated, anonymized, or de-identified operational information to improve service reliability, performance, security, and user experience, provided such information does not identify Customer or any individual caller.

Taking into account the nature of the processing, Provider will reasonably assist Customer with requests from individuals exercising rights under applicable data protection laws, such as access, deletion, correction, portability, or objection rights, to the extent Customer cannot fulfill such requests independently through the Services.

Customer is responsible for responding to data subject requests and determining whether and how to comply with such requests.

Provider will reasonably assist Customer with security obligations, breach notifications, data protection impact assessments, and consultations with regulators to the extent required by applicable data protection laws and related to Provider’s processing of Personal Data on Customer’s behalf.

Provider may charge reasonable fees for assistance that is outside the standard functionality of the Services or outside the scope of standard support, unless prohibited by applicable law.

Provider will notify Customer without undue delay after confirming a security incident that results in unauthorized access to, disclosure of, or loss of Personal Data processed by Provider on Customer’s behalf (“Data Incident”).

Provider’s notice will include available information reasonably necessary for Customer to meet its legal obligations, subject to law enforcement requirements, confidentiality obligations, security limitations, and the need to avoid increasing risk to Provider, Customer, other customers, or affected individuals.

Provider’s notification of a Data Incident is not an admission of fault, liability, or violation of law.

At termination of the applicable Services or upon Customer’s written request, Provider will delete or return Personal Data in accordance with the applicable agreement and Provider’s standard deletion and retention procedures, unless retention is required or permitted by applicable law, legitimate business records, security logs, fraud prevention, dispute resolution, backup cycles, legal obligations, or other reasonable operational purposes.

Personal Data stored in backups may be retained until overwritten or deleted in accordance with Provider’s standard backup retention practices, provided that such data remains protected in accordance with this DPA.

Upon reasonable written request, Provider will provide information reasonably necessary to demonstrate compliance with this DPA, such as security summaries, compliance documentation, certifications, questionnaires, audit reports, or other relevant materials, subject to confidentiality obligations, security limitations, and reasonable restrictions.

Any onsite audit or independent third-party audit requires Provider’s prior written agreement and may be limited to avoid risk to the security, confidentiality, availability, or privacy of Provider’s systems, personnel, facilities, or other customers.

If Provider transfers EU, UK, or Swiss Personal Data outside the applicable region in a manner that requires transfer safeguards, the parties will use an approved transfer mechanism, such as Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions, or an appropriate successor mechanism.

Customer acknowledges that certain Subprocessors listed in Annex I may process Personal Data in jurisdictions outside Customer’s location, subject to applicable transfer safeguards where required.

To the extent the California Consumer Privacy Act, as amended by the California Privacy Rights Act, applies to Provider’s processing of Personal Data on Customer’s behalf, Provider will act as Customer’s service provider or contractor with respect to such Personal Data.

Provider will not sell or share Personal Information collected pursuant to the applicable agreement. Provider will not retain, use, or disclose Personal Information outside the business purposes specified in the applicable agreement except as permitted by applicable law. Provider will provide the same level of privacy protection required by applicable law and will notify Customer if Provider determines it can no longer meet its applicable obligations.

Customer has the right to take reasonable and appropriate steps to help ensure that Provider uses Personal Information in a manner consistent with Customer’s obligations under applicable law, as set forth in this DPA and the applicable agreement.

Provider may update this DPA from time to time to reflect changes in the Services, applicable law, security practices, Subprocessors, or operational requirements.

If Provider makes material changes to this DPA, Provider will provide notice through its website, email, in-product notice, or another reasonable mechanism. The updated DPA will be effective as of the posted “Last Updated” date unless otherwise stated.

If this DPA conflicts with the Master Subscription Agreement or other applicable agreement regarding the processing of Personal Data, this DPA controls to the extent of the conflict.

If Customer has entered into a separately signed data processing agreement with Provider, the signed agreement controls over this public DPA to the extent of any conflict.