Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of and is incorporated by reference into the Master Subscription Agreement (“Agreement”) between the Client and Sekondary S.L., doing business as VoiceB (“VoiceB” or the “Data Processor”).

The purpose of this DPA is to establish the terms and conditions under which VoiceB will process personal data on behalf of the Client in connection with the provision of the Service, in accordance with Article 28 of the GDPR and other applicable data protection laws.

By subscribing to and/or using the Service, the Client (the “Data Controller”):

• Acknowledges that this DPA applies automatically without the need for a physical signature.

• Confirms that it has read and understood this DPA.

• Agrees that VoiceB will process personal data as described herein, exclusively for the provision of the Service.

This DPA shall remain in force for the duration of the Agreement and is an integral part thereof.

STIPULATIONS

1. Definitions

"Data Protection Legislation" shall be interpreted as the Regulation, Directive 2002/58/EC, as well as any other rules and / or regulation implemented or created with the aforementioned Directives, or that modifies, replaces, recreates or consolidates any of them, as well as any other laws applicable to the processing of personal data that may exist in any jurisdiction, including, where appropriate, the guides and codes of practice published by the control authorities.

"Data controller", "Data processor", "data subjects", "processing" and "appropriate technical and organizational measures" shall be interpreted in accordance with the Data Protection Legislation applicable in the relevant jurisdiction.

"Personal data breach" means any breach of personal data that causes the destruction, loss or accidental or unlawful alteration of personal data to which the data subject have had access and / or have been treated by the data processor during the provision of the Service.

Any other terms defined and used in this DPA shall be interpreted in accordance with the provisions of the same.

2. Purpose

The purpose of this DPA is to:

2.1 Define the terms and conditions according to which the Data Processor will carry out the processing of the personal to which it has access in the framework of the Service.

2.2 Establish the applicable confidentiality conditions that the Data Processor, and all its personnel, collaborators and / or agents must comply with at all times during the provision of the Service and once it has finished.

3. Obligations of the Data Controller.

3.1 The Data Controller recognises and accepts that knows and complies with the Data Protection Legislation and assumes all the responsibility in relation to the fulfilment of the obligations that it holds as Data Controller. The Data Controller shall defend and hold the Data Processor harmless against all claims, losses, damages, costs and expenses that may arise or relate, directly and indirectly with claims, procedure and / or fines of any nature with respect to the breach of the Data Controller of the guarantees and obligations established in this section.

3.2 Specifically, as Data Controller, it is obliged, and will be solely responsible for the following obligations and guarantees: (i) That the personal data is collected and processed in accordance with and in compliance with the requirements of the Data Protection Legislation; (ii) it complies with all obligations, including those related to obtaining the consent and information that are necessary in accordance with the Data Protection Legislation for the processing of personal data that is made as a consequence and / or in relation to the Services Contract; (iii) to implement and update the notices necessary for personal data protection and the privacy policies on the Websites that are owned by them. In the event that the Service is provided on the website held by the Data Processor , the Data Controller shall provide the Data Processor , prior to the start of the provision of the Service, the notifications of data protection and privacy regulations that must be inserted by the Data Processor on the aforementioned website and / or the support used to collect the personal data.

3.3 The delivery of the legal notifications mentioned in the previous section 3.2 on behalf of the Data Controller to the Data Processor is a necessary requirement for the commencement of the Services.

3.4 The Data Controller states that the processing of personal data by the Data Processor does not entail a high risk for the rights and freedoms of natural persons.

4. Purpose and object of the processing of personal data. Obligations.

4.1 The Parties acknowledge that the Client is the Data Controller and VoiceB., is the Data Processor in relation to the personal data that will be processed during the provision of the Service.

4.2 The object of the processing is the provision of the Service and this DPA will have the same duration as the Service Contract of which it is an inseparable part. Appendix A of the DPA establishes the nature and purpose of the processing, the type of personal data processed by the Data Processor , as well as the categories of the data subjects whose personal data will be processed in the framework of the provision of the Service.

4.3 The processing of personal data that the Data Processor fulfils will be limited to the necessary processing's to render the Service to the Data Controller and, in any case, it will be subject to the documented instructions of the Data Controller.

4.4 The Data Processor agrees not to carry out any other processing on the personal data or to apply or use the personal data for any purpose other than the provision of the Service.

4.5 If the Data Processor is obliged to process the data for any other purpose under Union or Member State law, it shall inform the Data Controller of this legal requirement prior to the processing, unless such Law prohibits it for reasons important to the public interest.

5. Security of personal data

5.1 The Data Processor declares that it is obliged to implement and maintain the appropriate technical and organizational measures to protect personal data against unauthorized or illegal processing and against accidental or unlawful loss, destruction, alteration, damage or accidental or unlawful theft. These measures shall be appropriate considering: (i) the risks presented by data processing, in particular as a consequence of the destruction, loss or accidental or unlawful alteration of transmitted personal data, and (ii) the nature of the data of personal nature object of protection. At a minimum, these measures shall comply with the requirements established under Appendix B of this DPA.

6. Prohibition of communication of personal data

6.1 Except for the cases of subcontracting existing in accordance with the below Seventh stipulation, the Data Processor undertakes to keep under his / her control and custody all the data of the Data Controller that it accesses due to the provision of the Service and not to disclose them, transfer them, or in any way communicate them, not even for their conservation, to other people.

7. Subprocessors

7.1 The Data Processor is authorized to engage sub processors if it is necessary for the fulfilment of the Service. In the event that the services subject to subcontracting imply the access and processing by the sub processor of the personal data of the Data Controller, the Data Processor will subscribe, prior to the commencement of the subcontracting, a Data Processing Agreement with the Sub processor in no less demanding terms than those contained in this DPA..

7.2 The Data Controller acknowledges and accepts that, as of the effective date of this DPA, the Data Processor uses the sub processors listed in Appendix A.

7.3 The Data Processor may update the list of sub processor from time to time. Any such updates will be communicated to the Data Controller through the Website or by email. The Data Controller shall have a period of 15 calendar days from the notification to raise any legitimate and duly reasoned objection.

7.4 For all purposes, the sub processor will have the status of data processor. In the event of non-compliance and / or defective compliance by the subcontractor of the formalized processing assignment or the Data Protection Legislation, the Data Processor will remain fully responsible to the Data Controller regarding the compliance of the obligations of the sub processor.

7.5 In the event that (i) the European Commission establishes or any supervisory authority adopts standard contractual clauses for the matters referred to in Articles 28.3 and 28.4 of the Regulations, in accordance with the provisions of Articles 28.7 and 28.8 of the Regulations (as applicable), and (ii) the Data Controller notifies the Data Processor of its desire to incorporate elements of such standard contractual clauses to this DPA, the Data Processor will accept the changes required by Data Controller to achieve this objective.

8. Obligation to return the data

8.1 Upon termination of the Agreement, VoiceB will delete or return Personal Data in accordance with its standard retention policies, unless otherwise required by law.

8.2 Once the obligations referred to in the previous paragraph have been fulfilled, the Data Processor , through an authorized person, must if required by Data Controller, issue a formal communication stating that it has been carried out faithfully.

8.3 In the event that the Data Processor, its staff, collaborators and / or agents are legally bound to preserve an endorsement of its corporate information during a legally stipulated period, the material of the Data Controller has to be destroyed or returned once the legally stipulated period has expired.

9. Backup copies

9.1 The Data Processor undertakes not to copy or reproduce the information provided by the Data Controller, except when necessary for its processing or to implement the security measures to which it is legally bound as the data processor.

9.2 In the latter case, each of the copies or reproductions will be subject to the same commitments and obligations set forth in the clauses of this DPA, and must be destroyed or returned, as indicated in the previous Stipulation.

10. Responsibilities

10.1 The Data Processor undertakes to comply with the obligations established in this DPA and in the Data Protection Legislation. Pursuant to Article 82 of the Regulation, and subject to the Master Service Agreement, the Data Processor is liable to the Data Controller for damages caused to the data subject or third parties, including administrative sanctions, arising from judicial or extrajudicial claims or sanctioning procedures of the Supervisory Authority, which are a consequence of the direct non-observance of the instructions assumed in this DPA and / or of the non-compliance or defective fulfilment of the Regulation.

11. Other obligations of the Parties.

11.1. The Data Processor undertakes to:

(i) Process Personal Data in accordance with the documented instructions of the Data Controller (which may be specific or general) or as periodically notified by the Data Controller directly, and solely and exclusively for the purpose of providing the agreed Services. Likewise, the Data Processor commits not to apply or use personal data for any purpose other than that of this contract, nor to disclose or transfer them, not even for storage, to other persons.

(ii) Immediately inform the Data Controller if it considers that any of the Data Controller's instructions violate Data Protection Regulations or any other provision on data protection of the Union or Member States.

(iii) Maintain the duty of confidentiality regarding personal data accessed under this assignment, even after its termination.

(iv) Ensure that its authorized personnel or collaborators handling Personal Data have expressly and in writing committed to confidentiality or are subject to a statutory confidentiality obligation, and that they comply with the corresponding security measures, which must be duly communicated to them.

(v) Make available to the Data Controller all necessary information to demonstrate compliance with its obligations if requested.

(vi) Keep a written record of all processing activities carried out on behalf of the Data Controller, which must include:

a. Name and contact details of the Data Processor .

b. The categories of processing carried out on behalf of the Data Controller.

(vii)Cooperate with the Data Controller in handling requests for the rights of data subjects in accordance with Data Protection Regulations. In any case, the Data Processor must immediately forward to the Data Controller any request for the exercise of the rights of access, rectification, erasure, objection, restriction of processing, data portability, and the right not to be subject to automated individual decision-making (including profiling) made by an affected party whose data has been processed by the Data Processor in compliance with this contract. This ensures that the Data Controller addresses the request within the time limits set by the applicable regulations. The transfer of the request must be made without undue delay as quickly as possible, without undue delay.

11.2. The Data Controller acknowledges and accepts that it is their duty to provide information to data subjects whose personal data is collected for processing, at the time of collection.

12. Personal data Breach

12.1. In case of suspicion of a personal data breach, the Data Processor will take immediate action, with the purpose of investigating the possible personal data breach and to identify, prevent, mitigate and, if necessary, remedy the effects of the possible personal data breach.

12.2 Immediately notify the Data Controller as soon as there are reasonable grounds to believe that a personal data breach has occurred, and, to the extent possible, provide the Data Controller with a detailed description of the personal data breach, which will include:

(a) The possible impact of the personal data breach.

(b) The categories and the approximate number of affected data subjects, as well as their country of residence and the approximate number of personal data records affected.

(c) The risk that has caused the personal data breach to the data subjects.

(d) The measures adopted or proposed by the Data Processor to remedy the breach of data breach and to mitigate the possible negative effects.

(e) Provide periodic updates and any other information requested by the Data Controller in relation to the personal data breach.

(f) Will not disclose or publish any communication, notice, press release or report related to the breach of personal data without the prior written authorization of the Data Controller (except in the case that it is obliged to do so in accordance with the provision of Law).

If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.

The Data Controller acknowledges that it is their duty to report data security breaches to the Spanish Data Protection Agency and to notify the affected individuals as soon as possible when the breach is likely to pose a high risk to the rights and freedoms of natural persons.

13. International Transfer of personal data

13.1 The Data Processor will not process the data outside the European Economic Area or in any country for which the European Commission has not guaranteed an adequate level of protection without the written authorization of the Data Controller or without complying with the requirements established by the GDPR for carrying out international transfers.

14. Audit

14.1 The Data Processor shall allow the Data Controller and its respective auditors or authorized agents to verify compliance with the obligations set out in this DPA. For such purposes, the Data Processor shall make available all information reasonably necessary to demonstrate compliance with the obligations established herein, including where applicable and when available, third-party certifications and audit reports (such as ISO, SOC 2, or equivalent), as well as any additional documentation reasonably requested by the Data Controller.

14.2 All information obtained and derived from the audits will be treated as Confidential Information of the Data Processor.

15. Entry into force

15.1 This DPA will enter into force upon Client´s acceptance of the Master Service Agreement and shall remain in force for as long as VoiceB processes Personal Data on behalf of the Client under the Agreement. The obligations under this DPA that, by their nature, extend beyond the termination of the Agreement (including confidentiality and data deletion obligations) shall remain in effect after termination.

APPENDIX A

Special categories of data:

No categories of Sensitive Personal Data as defined by Applicable Privacy Law shall be processed for the purposes of this Processing Appendix.

Personal Data Processing Activities

Nature and Purpose of Processing

Collection, Access, Storage, Consultation, Comparison, Analysis, Anonymization.

The purpose of the processing is the provision of the Service under the Contract.

Categories of Data Subjects

The categories of data subjects whose personal data will be processed by the Data Processor within the scope of service provision are:

• Internet users who access the service from the landing page where the service is presented (data subjects).

• Client.

Categories of Personal Data

The categories of personal data accessed by the Data Processor are as follows:

a) Identifying Data: Name, surname, ID card number, residential address, email address, IP address, mobile phone number, and bank account details.

b) User Content: Voice recordings, transcriptions, messages, contact information, and any other data provided during phone communications.

c) Usage Data: Interactions with the Service, such as call duration, frequency, metadata.

d) Device Data: Including IP address, browser type, operating system, device identifiers, and mobile network information.

e) Website Navigation Data: Cookies and tracking technologies.

f) Data required for DDI procurement: Information requested by the telecommunications provider (Twilio) for the acquisition of direct dial-in (DDI) numbers, which may include identifying details of the contracting company or individual, legal documentation, billing address, and any other country-specific requirements. The specific information requirements will be subject to the prevailing regulations of the respective country and can be consulted at Twilio Regulatory Guidelines.

Special Categories of Personal Data (if applicable)

No special categories of personal data are processed.

Retention Period of Personal Data

For the duration of the contract or for the time specified by the client.

List of sub processors

The up-to-date list of sub processors engaged by the Data Processor for the provision of the Service is available at the following URL:

https://docs.voiceb.ai/legal-and-compliance/data-sub-processors