Data Protection Addendum

In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

• Affiliate: means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Customer or VOCALLABS AI (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
• Customer Personal Data: means any Personal Data provided by or made available by Customer to VOCALLABS AI or collected by VOCALLABS AI on behalf of Customer which is Processed by VOCALLABS AI to perform the Services;
• Controller to Processor SCCs: means the standard contractual clauses for cross-border transfers published by the European Commission on June 4, 2021 governing the transfer of European Area Personal Data to Third Countries;
• Data Protection Laws: means any local, state, or national law regarding the processing of Personal Data applicable to VOCALLABS AI in the jurisdictions in which the Services are provided to Customer;
• EU Area: means the European Union, European Economic Area, United Kingdom, and Switzerland;
• EU Area Law: means (i) Directive 95/46/EC and, from May 25, 2018, Regulation (EU) 2016/679 ("EU GDPR") together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons; (ii) the Data Protection Act 1998 of the United Kingdom and the EU GDPR as saved into United Kingdom Law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the swiss Federal Data Protection Act of 19 June 1992 and its Ordinance ("Swiss DPA"); (iv) any other law relating to the data protection, security, or privacy of individuals that applies in the EU Area; or (v) any successor or amendments thereto;
• Security Incident: means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data being Processed by VOCALLABS AI;
• Services: means the services to be supplied by VOCALLABS AI to Customer or Customer's Affiliates pursuant to the Agreement;
• Third Country: means countries that, where required by applicable Data Protection Laws, have not received an adequacy decision from an applicable authority relating to cross-border data transfers of Personal Data, including regulators such as the European Commission, UK ICO, or Swiss FDPIC.

The terms "Business", "Business Purpose", "commercial purpose", "Contractor", "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processor", "Sell", "Service Provider", "Share", "Subprocessor", "Supervisory Authority", and "Third Party" have the same meanings as described in applicable Data Protection Laws and cognate terms shall be construed accordingly.

Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Agreement.

Customer shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum and the Processing of Customer Personal Data. In connection with its access to and use of the Services, Customer shall Process Customer Personal Data within such Services and provide VOCALLABS AI with instructions in accordance with applicable Data Protection Laws. As between the Parties, Customer shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to VOCALLABS AI of Customer Personal Data. Customer agrees not to provide VOCALLABS AI with any data concerning a natural person's health, religion or any special categories of data as defined in Article 9 of the GDPR.

VOCALLABS AI shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data and shall:

• Process the Customer Personal Data for the purposes of the Agreement and for the specific purposes in each case as set out in Annex 1 to this Addendum and otherwise solely on the documented instructions of Customer;
• Ensure that persons authorized to Process the Customer Personal Data have committed themselves to confidentiality;
• Take all measures required to ensure the security of Processing;
• Respect the conditions for engaging another Processor;
• Assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR;
• Delete or return all the Personal Data to Customer after the end of the provision of Services;
• Make available to Customer all information necessary to demonstrate compliance with these obligations.

VOCALLABS AI implements and maintains appropriate technical and organizational security measures including:

• Encryption of personal data in transit and at rest;
• Ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems;
• Ability to restore availability and access to personal data in a timely manner;
• Regular testing, assessing and evaluating of technical and organizational measures.

The parties agree that when the transfer of Customer Personal Data from Customer and/or any of its Affiliates (as exporter) to VOCALLABS AI (as importer) is a Restricted Transfer and EU Area Law applies, the transfer shall be subject to the appropriate Controller to Processor SCCs.

For transfers of Personal Data to Third Countries, VOCALLABS AI shall:

• Process Personal Data using AI and machine learning technologies within the Frankfurt Region, Germany;
• Implement appropriate safeguards through Standard Contractual Clauses;
• Conduct regular reviews of international transfers;
• Implement additional technical measures where necessary.

Customer should routinely review all international transfers of Personal Data on a case-by-case basis in order to monitor new risks because of the changes in local laws, data practices, etc., and implement additional safeguards (such as encryption or pseudonymization) to mitigate identified risks to ensure the Personal Data remains protected to the standard required under Data Protection Laws.

VOCALLABS AI may engage Subprocessors to Process Customer Personal Data, subject to:

• Prior notification to Customer of intended changes;
• Imposing data protection obligations on Subprocessors;
• Remaining liable for Subprocessor compliance.

Organization

VOCALLABS AI designates qualified security personnel whose responsibilities include development, implementation, and ongoing maintenance of the Information Security Program.

Policies and Standards

• Management reviews and supports all security related policies to ensure the security, availability, integrity and confidentiality of Customer Personal Data.
• These policies are updated at least once annually.
• VOCALLABS AI operates an information security management system that complies with the requirements of ISO/IEC 27001:2022 standard.

Risk Management

• VOCALLABS AI engages a reputable independent third-party to perform risk assessments of all systems containing Customer Personal Data at least once annually.
• Maintains a formal and effective risk treatment program including penetration testing, vulnerability management and patch management.
• Reviews security incidents regularly, including effective determination of root cause and corrective action.

Access Controls

• Maintains a formal access management process for all personnel with access to Customer Personal Data.
• Access reviews are conducted periodically to ensure proper authorization.
• Multi-Factor authentication required for all administrators and end users.
• Implements least privilege and need-to-know principles for data access.

Infrastructure Security

• Uses AWS as primary data center with Multi-Availability Zone configuration.
• Conducts regular backup restoration testing to ensure resiliency.
• Implements comprehensive logging and monitoring systems.
• Performs regular vulnerability scans on all infrastructure components.
• Maintains incident management policies and procedures.

Data Protection

• Implements HTTPS encryption for data in transit.
• Encrypts data at rest using industry-standard encryption.
• Maintains logical isolation between different customers' data.
• Implements secure data disposal processes.