Data Processing Addendum

2.1. "Personal Information" (or "Personal Data") means any information relating to an identified or identifiable natural person or household that is processed by RespondWize on behalf of Customer under the Agreement and subject to Applicable Data Protection Laws.

2.2. "Processing" (or "to process") means any operation or set of operations performed upon Personal Information, whether or not by automated means, including, without limitation, collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, deletion, or destruction.

2.3. "Applicable Data Protection Laws" means all U.S. data privacy and protection laws, regulations, and rules that are applicable to the processing of Personal Information under the Agreement, including but not limited to the California Consumer Privacy Act (as amended by the California Privacy Rights Act), other applicable state privacy laws (e.g., Colorado Privacy Act, Virginia CDPA, Connecticut, Utah, etc.), federal laws regulating specific types of data (e.g., FERPA if relevant, HIPAA if applicable, etc.), and any implementing or successor legislation.

2.4. "Controller" (or "Business") means the entity that determines the purposes and means of the processing of Personal Information. For purposes of this DPA, Customer is the Controller of the Personal Information it transfers to RespondWize.

2.5. "Processor" (or "Service Provider") means the entity which processes Personal Information on behalf of the Controller, as instructed by the Controller. For the purposes of this DPA, RespondWize acts as a Processor or Service Provider to Customer.

2.6. "Sub-Processor" means any third party (including affiliates of RespondWize) engaged by RespondWize to assist in fulfilling its obligations with respect to the processing of Personal Information under this DPA.

3.1. Controller and Processor. The Parties acknowledge and agree that, for the purposes of the Agreement and this DPA, Customer is acting as the Controller (or "Business"), and RespondWize is acting as the Processor (or "Service Provider").

3.2. Instructions for Processing. RespondWize will process Personal Information only in accordance with the documented instructions of Customer, including those set forth in the Agreement and this DPA, unless otherwise required by applicable law.

3.3. Compliance with Laws. Each Party shall comply with all Applicable Data Protection Laws in respect of the processing of Personal Information under this DPA.

4.1. Subject Matter and Duration. The subject matter of the processing is the performance of the Services pursuant to the Agreement. Processing shall continue until the termination or expiration of the Agreement (including any post-termination period during which RespondWize provides transition services or data return/deletion).

4.2. Nature and Purpose of Processing. RespondWize will process Personal Information as necessary to provide the Services described in the Agreement, including (without limitation) voice AI services, scheduling, outbound communications, AI-driven analysis, and other tasks undertaken on behalf of Customer. This may include collecting, storing, analyzing, modifying, transmitting, or deleting Personal Information to meet the agreed-upon functionalities.

4.3. Types of Personal Information. Depending on Customer's use of the Services, Personal Information may include (without limitation) name, contact details (phone, email), audio recordings of voice, scheduling data, and any other personal data that Customer or its end users input or otherwise make available to RespondWize.

4.4. Categories of Data Subjects. Data Subjects may include employees, prospective customers, alumni, students, or any individuals whose personal data is provided to RespondWize by Customer.

4.5. Limitation on Selling or Sharing. RespondWize will not sell or share (as those terms are defined under applicable state laws) Personal Information, nor retain, use, or disclose Personal Information for any purpose other than as set out in the Agreement and this DPA, or as otherwise permitted by Applicable Data Protection Laws.

5.1. Personnel Confidentiality. RespondWize shall ensure that its personnel engaged in the processing of Personal Information are informed of the confidential nature of the information and subject to written confidentiality obligations.

5.2. Access Limitation. RespondWize will restrict access to Personal Information to those personnel who need such access to perform the Services under the Agreement.

6.1. Security Program. RespondWize shall implement and maintain reasonable administrative, technical, and physical measures designed to protect Personal Information against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure.

6.2. Examples of Security Measures. Such measures may include, but are not limited to:

• Encryption of data in transit and at rest, where appropriate.
• Access controls ensuring only authorized staff can access Personal Information.
• Network security measures (firewalls, intrusion detection systems).
• Regular security testing and assessments.
• Employee training on data security and privacy.

6.3. Security Certifications or Audits. Upon Customer's reasonable request, RespondWize may provide summaries of relevant certifications, policies, or audit reports (e.g., SOC 2) to demonstrate compliance with its obligations under this section.

7.1. Authorization. Customer generally authorizes RespondWize to engage third-party Sub-Processors as necessary to perform the Services. A list of Sub-Processors (or categories thereof) may be provided to Customer upon request or published on RespondWize's website.

7.2. Sub-Processor Obligations. RespondWize shall ensure that each Sub-Processor is bound by written obligations at least as protective of Personal Information as those set forth in this DPA. RespondWize remains liable to Customer for any acts or omissions of its Sub-Processors that cause RespondWize to breach any of its obligations under this DPA.

7.3. Changes to Sub-Processors. RespondWize will provide notice to Customer (e.g., via email or dashboard) of any new or replaced Sub-Processor. If Customer reasonably objects (on privacy or data protection grounds), RespondWize will work with Customer in good faith to address concerns.

8.1. Request Handling. If RespondWize receives a request from a Data Subject (e.g., access, deletion, correction) relating to Personal Information processed under this DPA, RespondWize shall promptly notify Customer (unless prohibited by law) and shall not respond to the request except as instructed by Customer or as required by applicable law.

8.2. Cooperation. RespondWize shall provide reasonable assistance to Customer to fulfill Data Subject requests under Applicable Data Protection Laws, taking into account the nature of the processing and the information available to RespondWize. Customer shall be responsible for any costs arising from such assistance.

9.1. Breach Notification. RespondWize shall notify Customer without undue delay after becoming aware of any unauthorized access to, or disclosure of, Personal Information under RespondWize's control that compromises the security, confidentiality, or integrity of such Personal Information ("Security Breach").

9.2. Notification Details. Such notice shall include:

• A description of the nature of the Security Breach (where known).
• The categories and approximate number of Data Subjects and records concerned (where known).
• Likely consequences of the Security Breach.
• Steps taken or proposed to be taken by RespondWize to address or mitigate the Security Breach.

9.3. Ongoing Cooperation. RespondWize will provide reasonable cooperation to Customer in Customer's breach notification or remediation efforts.

10.1. Deletion Upon Termination. Upon expiration or termination of the Agreement, RespondWize shall, upon Customer's written request, delete or return all Personal Information (including any copies) in its possession or control. If deletion or return is not feasible (e.g., due to legal retention requirements), RespondWize shall protect the Personal Information from any further processing and delete it as soon as practicable.

10.2. Customer Data Copies. If Customer requires a copy of Personal Information, RespondWize shall provide it in a common machine-readable format within a reasonable time after termination, subject to any fees or costs as outlined in the Agreement.

11.1. Right to Audit. Where required by applicable law, Customer (or an independent auditor acting on its behalf) may, upon at least thirty (30) days' prior written notice and not more than once annually, conduct an on-site audit of RespondWize's processing of Personal Information. The scope of such audit shall be limited to RespondWize's compliance with this DPA and shall not unduly interfere with RespondWize's business operations.

11.2. Confidentiality of Audits. All information disclosed by RespondWize during such audits shall be considered confidential and used solely for the purpose of verifying compliance with this DPA.

11.3. Costs. Customer shall bear any costs related to the audit unless otherwise agreed by the Parties in writing.

12.1. CCPA/CPRA. In the event the CCPA/CPRA applies to the processing of Personal Information:

• RespondWize is a "Service Provider" and shall not "Sell" or "Share" Personal Information or retain, use, or disclose Personal Information for any purpose other than performing the Services under the Agreement or as otherwise permitted by the CCPA/CPRA.
• RespondWize certifies that it understands and will comply with the restrictions and obligations of the CCPA/CPRA applicable to Service Providers.

12.2. Other State Laws. Where other U.S. state consumer privacy laws (e.g., Colorado, Virginia, Connecticut, Utah) impose similar or additional obligations, RespondWize shall comply with those obligations to the extent they are applicable.

13.1. Biometric or Voice Data. To the extent RespondWize processes "voice data" or other biometric identifiers on behalf of Customer, RespondWize will comply with all applicable biometric data laws (e.g., Illinois Biometric Information Privacy Act) and will not collect, store, or use such biometric data for any purpose beyond what is necessary to perform the Services. For more information, please see our Biometric Data Disclosure & Policy.

13.2. Consent Requirements. Customer is responsible for ensuring that all required consents for the collection and processing of biometric data are obtained from the Data Subjects prior to providing such data to RespondWize.

14.1. School Official. If RespondWize processes data subject to FERPA on behalf of an educational institution, RespondWize agrees it may be deemed a "school official" with a "legitimate educational interest" in the data.

14.2. Use Limitation. RespondWize shall use FERPA-protected data only for the purposes authorized by the educational institution and will not redisclose the data to third parties except as permitted under FERPA or as instructed by the institution.

15.1. Liability Cap. The limitations of liability set forth in the Agreement shall apply to this DPA.

15.2. Indemnification. To the extent permitted under the Agreement, each Party shall defend and indemnify the other Party for any claims or damages caused by its breach of this DPA or Applicable Data Protection Laws.

16.1. Term. This DPA will remain in effect for the duration of the Agreement, plus any period after termination during which RespondWize processes Personal Information solely for post-termination obligations (e.g., data return or deletion).

16.2. Survival. Sections of this DPA that by their nature should survive termination (e.g., confidentiality, data protection obligations) shall survive.

17.1. Conflict. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail with respect to data protection obligations.

17.2. Governing Law. This DPA shall be governed by the same law and dispute resolution terms as set forth in the Agreement, unless required otherwise by Applicable Data Protection Laws.

17.3. Entire Agreement. This DPA and the Agreement constitute the entire agreement between the Parties concerning the processing of Personal Information and supersede any prior or contemporaneous agreements, communications, or understandings, written or oral.

17.4. Amendments. This DPA may only be amended by a written instrument signed by authorized representatives of both Parties.

17.5. Counterparts. This DPA may be executed in any number of counterparts, each of which shall be deemed an original, but all counterparts together constitute one and the same instrument.