Data Processing Agreement

Last updated: April 29, 2026

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or Terms of Service ("Agreement") between the Customer ("Controller") and Business Runner, Inc. d/b/a BizRnR ("Processor"), collectively referred to as the "Parties."

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws, including the GDPR (EU 2016/679), UK GDPR, and the California Consumer Privacy Act (CCPA).

"Processing" means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Subject Matter and Duration

The Processor shall process Personal Data on behalf of the Controller for the duration of the Agreement and as necessary to perform the AI-powered voice automation, messaging, and customer engagement services described therein.

Processing shall continue for the term of the Agreement and shall cease upon termination, subject to Section 11 (Return and Deletion of Data).

3. Nature and Purpose of Processing

The Processor processes Personal Data to provide the BizRnR platform services, including: inbound and outbound call handling, SMS and WhatsApp messaging, lead qualification, appointment scheduling, CRM synchronization, and analytics reporting.

Processing is carried out solely on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law).

4. Types of Personal Data

The following categories of Personal Data may be processed under this DPA: names, email addresses, phone numbers, business addresses, voice recordings and transcriptions, chat and messaging content, IP addresses, browser and device identifiers, and any other data the Controller submits through the platform.

5. Categories of Data Subjects

Data subjects include the Controller's customers, prospective customers, employees, contractors, and any other individuals whose Personal Data is submitted to or collected by the BizRnR platform on behalf of the Controller.

6. Obligations of the Processor

The Processor shall: (a) process Personal Data only on documented instructions from the Controller, including transfers to a third country or international organization; (b) ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 9; (d) respect the conditions for engaging Sub-processors as set out in Section 7; (e) assist the Controller in responding to data subject requests under Chapter III of the GDPR; (f) assist the Controller in ensuring compliance with Articles 32 through 36 of the GDPR, taking into account the nature of processing and the information available to the Processor; (g) at the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless storage is required by applicable law; and (h) make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.

7. Sub-processors

The Controller provides general written authorization for the Processor to engage Sub-processors. The Processor shall maintain a current list of Sub-processors and shall notify the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object to such changes within 30 days of notification.

Current Sub-processors include: Twilio (telephony and SMS), ElevenLabs (voice synthesis), Stripe (payment processing), Supabase (database hosting), Vercel (application hosting), and OpenAI (AI language models). A complete list is available at https://bizrnr.com/legal/sub-processors.

The Processor shall impose on each Sub-processor, by way of contract, data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

8. Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), the United Kingdom, or Switzerland. Where such transfers occur, the Processor shall ensure that an adequate level of protection is in place by relying on: (a) an adequacy decision by the European Commission; (b) Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 2: Controller to Processor); or (c) other lawful transfer mechanisms recognized under applicable Data Protection Laws.

The Processor shall promptly notify the Controller if it becomes aware that it can no longer comply with the obligations under this Section.

9. Security Measures

The Processor implements and maintains appropriate technical and organizational security measures, including: encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256); access controls with role-based permissions and multi-factor authentication; regular vulnerability scanning and penetration testing; incident response procedures with defined escalation paths; employee security training and background checks; physical security controls at data center facilities; and logging and monitoring of access to Personal Data.

The Processor shall regularly test, assess, and evaluate the effectiveness of these measures and update them as necessary to address evolving risks.

10. Audit Rights

The Controller may, upon reasonable written notice of at least 30 days, conduct or commission an independent auditor to conduct an audit of the Processor's compliance with this DPA, no more than once per calendar year unless required by a supervisory authority or following a Personal Data breach.

The Processor shall cooperate with such audits and provide the Controller with all information and access reasonably necessary to verify compliance. The Controller shall bear the costs of any audit it initiates.

11. Return and Deletion of Data

Upon termination of the Agreement, the Processor shall, at the Controller's election, return all Personal Data to the Controller in a structured, commonly used, and machine-readable format, or securely delete all Personal Data and certify such deletion in writing within 90 days, unless applicable law requires further storage.

The Processor may retain Personal Data to the extent required by applicable law, provided that such Personal Data is processed only for the purpose required by law and subject to appropriate confidentiality protections.

12. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification shall include: (a) the nature of the breach, including the categories and approximate number of data subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach; and (d) the contact details of the Processor's data protection point of contact.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws that govern the Agreement, unless otherwise required by applicable Data Protection Laws.

14. Contact

For questions about this DPA or to request a countersigned copy, contact [email protected].