This addendum governs CallingScout's processing of personal data on behalf of business customers. It incorporates the European Standard Contractual Clauses, the UK Addendum, and U.S. state service-provider terms.
This Data Processing Addendum (“DPA”) forms part of, and is governed by, the Terms of Service or other written agreement between CallingScout, Inc. (“CallingScout,” “Processor”) and the customer (“Customer,” “Controller”) under which Customer accesses the Service (the “Agreement”). In the event of conflict, this DPA controls over the Agreement on data-protection matters.
Definitions
Capitalized terms have the meanings given in the Agreement or in Applicable Data Protection Law. In particular:
- Customer Personal Data
- Personal data Customer or its end users submit to or generate through the Service, including call audio, transcripts, call metadata, agent configuration that contains personal data, and data passed to or returned from integrated tools during a call.
- Controller / Processor / Sub-processor / Data Subject / Personal Data Breach
- Have the meanings given in Article 4 GDPR (and equivalents under other Applicable Data Protection Law).
- SCCs
- The standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in Implementing Decision (EU) 2021/914.
- UK Addendum
- The International Data Transfer Addendum to the EU Commission SCCs (Version B1.0) issued by the UK Information Commissioner.
Roles of the parties
The parties agree that, with respect to the processing of Customer Personal Data under the Agreement, Customer is the Controller and CallingScout is the Processor. To the extent Customer is itself a processor for another controller, CallingScout acts as a sub-processor and Customer warrants it has the authority and instructions of the relevant controller.
Where CallingScout processes account-related data of Customer's authorized users (workspace admins, billing contacts, dashboard users) or aggregate operational data to operate, secure, and improve the Service, CallingScout acts as a controller for that limited processing as described in the Privacy Policy.
Processing instructions
CallingScout will process Customer Personal Data only:
- on Customer's documented instructions, which are set out in the Agreement (including this DPA, the dashboard, and the API used to configure the Service);
- as required by law applicable to CallingScout. If CallingScout is required to process other than as instructed, it will inform Customer before processing, unless the law prohibits notice on important grounds of public interest.
The subject matter, nature, purpose, duration of processing, types of personal data, and categories of data subjects are described in Annex I.
Customer obligations
Customer warrants and represents that, for all Customer Personal Data:
- it has a valid legal basis under Applicable Data Protection Law (consent, contract, legitimate interest, legal obligation, or other) for the processing it instructs;
- it has provided all required notices to data subjects, including disclosures about recording, AI use, and onward sharing to processors and sub-processors;
- it has obtained any consent or carried out any opt-out mechanism the law requires before placing calls or processing end-user data;
- it complies with the calling-compliance obligations in Section 6 of the Terms.
Customer is solely responsible for the lawfulness of the processing instructions it gives CallingScout and for the accuracy, quality, and legality of Customer Personal Data.
Confidentiality
CallingScout will ensure that personnel authorized to process Customer Personal Data are bound by enforceable confidentiality obligations and are trained on data-protection requirements appropriate to their role.
Security measures
CallingScout will implement and maintain the technical and organizational security measures described in Annex II and on the Trust page. Customer is responsible for configuring the Service appropriately for the sensitivity of its data, including choosing retention windows, enabling encryption-at-rest options where offered, and managing user access.
Sub-processors
Customer grants CallingScout a general authorization to engage sub-processors to perform the processing described in the Agreement. The current list of sub-processors, with the categories of data and processing locations, is available on request from security@CallingScout.ai, and is referenced on our Trust page.
CallingScout will:
- impose data-protection obligations on each sub-processor that are no less protective than those in this DPA;
- remain liable for the acts and omissions of its sub-processors as if they were its own;
- give Customer at least 30 days' prior notice (by email or in-product notice) before adding or replacing a sub-processor. Customer may, on reasonable data-protection grounds, object during the notice period. The parties will work in good faith to resolve the objection. If they cannot, Customer's exclusive remedy is to terminate the affected portion of the Service and receive a pro-rata refund of prepaid, unused fees.
Data-subject rights
Taking into account the nature of the processing, CallingScout will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligation to respond to data-subject requests (access, rectification, deletion, restriction, portability, and objection) under Applicable Data Protection Law. The Service provides self-service controls in the dashboard and API to export and delete Customer Personal Data. If CallingScout receives a request directly from a data subject relating to Customer Personal Data, CallingScout will not respond substantively except to direct the data subject to Customer, and will notify Customer of the request without undue delay.
Breach notification
CallingScout will notify Customer without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notice will include, to the extent known at the time and with updates as facts develop: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and the measures taken or proposed to address the breach. CallingScout will reasonably cooperate with Customer in any required notifications to supervisory authorities or data subjects.
CallingScout's notification of, or response to, a Personal Data Breach is not an acknowledgement of fault or liability.
Return and deletion
During the term, Customer may export Customer Personal Data through the Service at any time. On termination or expiry of the Agreement, CallingScout will, at Customer's choice, return or delete all Customer Personal Data, unless retention is required by law. The default retention window after termination is 30 days, after which Customer Personal Data is deleted from primary systems and rotated out of backups within a further 60 days (90 days total).
Audits
CallingScout will make available to Customer the information necessary to demonstrate compliance with this DPA, including its most recent SOC 2 Type II report (or equivalent third-party audit) under NDA on request to security@CallingScout.ai. Customer agrees that audit reports of this kind satisfy any audit obligation under Applicable Data Protection Law. Where Applicable Data Protection Law requires an on-site audit, the parties will agree in advance on scope, timing, and confidentiality, and Customer will bear the reasonable costs unless the audit reveals a material breach by CallingScout. Audits will not unreasonably interfere with operations and will respect the confidentiality of other customers' data.
International transfers
To the extent CallingScout transfers Customer Personal Data outside the EEA, the United Kingdom, or Switzerland to a country without an adequacy decision, the parties incorporate the SCCs as follows:
- Module Two (Controller to Processor) applies where Customer is a controller and CallingScout is its processor.
- Module Three (Processor to Processor) applies where Customer is itself a processor and CallingScout acts as a sub-processor.
- For UK transfers, the SCCs are read with the UK Addendum. For Swiss transfers, references to the GDPR are read as references to the FADP and references to EU member-state supervisory authorities are read as references to the Swiss FDPIC.
- Clause 7 (Docking) applies. Clause 11(a) (Independent dispute resolution): the optional language is not selected. Clause 17 (Governing law): Ireland. Clause 18 (Forum and jurisdiction): Ireland. Annexes I, II, and III of the SCCs are populated by Annex I, Annex II, and the sub-processor list referenced on the Trust page.
Where the U.S. or another country has been formally recognized as providing adequate protection (for example, under the EU-U.S. Data Privacy Framework), CallingScout may rely on that mechanism in addition to or instead of the SCCs to the extent permitted.
U.S. state privacy laws
To the extent CallingScout processes personal information of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Tennessee, Iowa, Indiana, Delaware, or New Jersey residents on Customer's behalf, CallingScout is a “service provider” or “processor” under those laws. CallingScout will:
- process such personal information only for the limited and specified purposes set out in the Agreement;
- not “sell” or “share” personal information as those terms are defined under those laws;
- not retain, use, or disclose personal information outside the direct business relationship or for any commercial purpose other than the business purposes specified in the Agreement;
- not combine personal information received from Customer with personal information received from any other source, except as the law permits;
- provide Customer with the assistance reasonably necessary for Customer to comply with consumer requests.
Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability in the Agreement. Where the SCCs apply, claims arising directly out of the SCCs are subject to the terms of the SCCs, including their liability and remedy provisions for data subjects.
General
If any part of this DPA is held invalid or unenforceable, the rest remains in effect. This DPA is governed by, and construed under, the same governing law as the Agreement, except where the SCCs or Applicable Data Protection Law require otherwise. If CallingScout updates this DPA, the updated version applies to processing carried out after the effective date of the update. CallingScout will not reduce the protections in this DPA in a way that breaches Applicable Data Protection Law.
Annex I. Description of the transfer
A. List of parties
Data exporter: Customer, as identified in the Agreement. Role: controller (or processor on behalf of its own controller).
Data importer: CallingScout, Inc., [street address], [city, state, ZIP], United States. Role: processor (or sub-processor).
B. Description of transfer
- Categories of data subjects
- Customer's end users, leads, prospects, customers, and any other natural persons who interact with agents Customer deploys through the Service. Customer's authorized users (admins, dashboard users) for the limited account-management processing described under "Roles of the parties" above.
- Categories of personal data
- Identifiers (name, phone number, email, account ID), call content (audio recording where enabled, transcript, language, sentiment markers), call metadata (timestamps, duration, jurisdiction, outcome codes, tool calls), and any other personal data Customer or its end users submit to the Service.
- Sensitive data
- None expected by default. Customer must not submit sensitive categories (Article 9 GDPR data, government identifiers, payment-card primary account numbers, children's data) unless the Agreement expressly permits and additional safeguards are agreed in writing.
- Frequency of transfer
- Continuous, for the duration of the Agreement.
- Nature of processing
- Hosting, processing, storage, retrieval, transmission, deletion, and other operations needed to provide the Service, including real-time speech-to-text, language-model inference, text-to-speech, telephony, integration calls, observability, and support.
- Purpose
- To provide, operate, secure, and support the Service that Customer has purchased.
- Duration
- For the term of the Agreement, plus the post-termination retention period described under "Return and deletion" above (30 days in primary systems, plus up to 60 further days for backup rotation).
- Sub-processors
- Current list available on request from security@CallingScout.ai. Processing duration: same as the Service.
C. Competent supervisory authority
For SCCs Module Two/Three: the supervisory authority of the EU member state in which Customer is established. Where Customer is not established in the EU, the supervisory authority of the EU member state in which Customer's EU representative is appointed. In the absence of either, the Irish Data Protection Commission.
Annex II. Technical and organizational measures
CallingScout maintains a documented information-security program designed to protect the confidentiality, integrity, and availability of Customer Personal Data. Current measures are summarized below and described in greater detail on the Trust page.
- Encryption. TLS 1.2+ in transit. AES-256 at rest for stored audio, transcripts, and backups. Keys managed via a hardware-backed key management service with periodic rotation.
- Access control. Single sign-on with mandatory multi-factor authentication for CallingScout personnel. Role-based access on a need-to-know basis. Quarterly access reviews. Just-in-time elevation for production access with audit logging.
- Network and infrastructure. Production workloads run in segmented Virtual Private Clouds. Databases are not exposed to the public internet. Egress filtering and IDS in place. Configuration managed as code with peer review.
- Application security. Secure development lifecycle. Dependency vulnerability scanning. Static analysis in CI. Secret scanning. Pre-deployment review for changes touching authentication, authorization, or data handling.
- Vulnerability management. Periodic third-party penetration testing. Continuous internal scanning. Published vulnerability disclosure policy on the Trust page. Remediation SLAs by severity.
- Logging and monitoring. Centralized audit logging for production, retained at least 12 months. Security monitoring with on-call response.
- Personnel. Background checks where lawful. Security and privacy training at hire and annually. Documented separation procedure that revokes access on departure.
- Vendor management. Security and data-protection reviews of sub-processors before engagement and on a recurring basis.
- Resilience. Encrypted backups. Documented and tested incident-response and business-continuity plans.
- Data segregation. Logical isolation of customer tenants. Data export and deletion controls available in the dashboard and API.