Data Processing Addendum

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Barpel AI Inc. ("Processor") and the customer ("Controller") and sets out the terms for processing personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

This DPA applies when Barpel processes personal data on behalf of the Controller in the course of providing the AI voice support platform services.

2. Definitions

For the purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person processed by Barpel on behalf of the Controller.
• "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Subprocessor" means any third-party processor engaged by Barpel to assist in providing the Service.
• "Security Incident" means any unauthorized access, disclosure, or breach of Personal Data.

3. Data Processing

3.1 Scope and Purpose

Barpel will process Personal Data only for the purpose of providing the AI voice support services as described in the Terms of Service and in accordance with the Controller's documented instructions.

3.2 Categories of Data

The Personal Data processed may include:

• Customer contact information (name, phone number, email)
• Order and transaction data
• Call recordings and transcripts
• Customer service interaction history
• Account and billing information

3.3 Data Subject Categories

The Personal Data relates to the Controller's customers, potential customers, and end-users who interact with the AI voice support system.

4. Subprocessors

The Controller authorizes Barpel to engage Subprocessors to assist in providing the Service. Barpel maintains a current list of Subprocessors at barpel.ai/subprocessors.

Barpel will:

• Enter into written agreements with Subprocessors that include data protection obligations substantially similar to those in this DPA
• Remain liable for any breaches caused by Subprocessors
• Notify the Controller of any intended changes to Subprocessors at least 30 days in advance
• Provide the Controller the opportunity to object to new Subprocessors

5. Security Measures

Barpel implements appropriate technical and organizational measures to protect Personal Data, including:

• Encryption: All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256.
• Access Controls: Role-based access controls and multi-factor authentication for all systems.
• Network Security: Firewalls, intrusion detection, and DDoS protection.
• Monitoring: Continuous security monitoring and logging.
• Backups: Regular encrypted backups with tested recovery procedures.
• Employee Training: Regular security awareness training for all personnel.

6. Data Subject Rights

Barpel will assist the Controller in responding to Data Subject requests to exercise their rights under applicable data protection laws, including:

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object

Barpel will notify the Controller promptly upon receiving any such request and will not respond directly to the Data Subject unless authorized by the Controller.

7. Security Incidents

In the event of a Security Incident, Barpel will:

• Notify the Controller without undue delay and no later than 24 hours after becoming aware of the incident
• Provide details about the nature of the incident, affected data, and likely consequences
• Take immediate steps to contain and remediate the incident
• Cooperate with the Controller in any required notifications to supervisory authorities or Data Subjects
• Document the incident and response actions taken

8. Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). When such transfers occur, Barpel ensures appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Binding Corporate Rules (where applicable)

9. Data Retention and Deletion

Barpel will retain Personal Data only for as long as necessary to provide the Service or as required by law. Upon termination of the agreement or upon the Controller's request, Barpel will:

• Delete all Personal Data within 30 days, except where retention is required by law
• Provide written confirmation of deletion upon request
• Ensure Subprocessors also delete all Personal Data

10. Audit Rights

The Controller has the right to audit Barpel's compliance with this DPA. Audits may be conducted annually or following a Security Incident. Barpel will cooperate with such audits and provide access to relevant documentation. Any third-party audits must be conducted at the Controller's expense and with reasonable advance notice.

11. Term and Termination

This DPA remains in effect for the duration of the Terms of Service. Upon termination, Barpel's obligations regarding data protection and security will continue for as long as Barpel retains any Personal Data.