Data Processing Addendum

This Data Processing Addendum ("Addendum" or "DPA") is entered into by and between the Customer ("Controller") and CallNest Cloud ("Processor"), collectively referred to as the "Parties."

This Addendum forms an integral part of the Principal Agreement (e.g., CallNest Cloud Terms of Service, Master Services Agreement) under which Processor provides Services to Controller. The terms of this Addendum are effective as of the date the Principal Agreement is executed or, if later, the date this Addendum is separately executed or accepted by both Parties ("Addendum Effective Date").

The purpose of this Addendum is to ensure that any Processing of Personal Data by Processor on behalf of Controller is conducted in compliance with Applicable Data Protection Law(s) and to set forth the rights and obligations of the Parties concerning such Processing.[1] This Addendum is essential for establishing a clear framework for data handling, thereby assisting both Parties in meeting their respective legal obligations concerning privacy and data security. The proper linkage of this DPA to a "Principal Agreement" is fundamental, ensuring that the data processing terms are contextualized within the broader commercial relationship and that there is a clear hierarchy of documents should any conflicts arise, particularly regarding data protection matters.

1. Definitions

For the purposes of this Addendum, the following terms shall have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement.

"Agreement" or "Principal Agreement": The main service agreement, including any order forms, statements of work, or similar documents, entered into between Controller and Processor for the provision of CallNest Cloud Services.[2]

"Applicable Data Protection Law(s)": All international, federal, state, local, and provincial data privacy, data security, data breach notification, and data protection laws and regulations applicable to the Processing of Personal Data under this Addendum. This includes, but is not limited to, the General Data Protection Regulation (EU) 2016/679 ("GDPR"); the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 ("UK GDPR"); the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act ("CCPA"); the Swiss Federal Act on Data Protection ("FADP"); and any other laws or regulations pertaining to data privacy or security that apply to the Services provided under the Principal Agreement.[1]

"Controller": The entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. In the context of this Addendum, "Controller" refers to the Customer.[1, 3]

"Processor": The entity that Processes Personal Data on behalf of the Controller. In the context of this Addendum, "Processor" refers to CallNest Cloud.[1, 3]

"Data Subject": An identified or identifiable natural person to whom Personal Data relates; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.[1, 4]

"Personal Data": Any information relating to a Data Subject that is Processed by Processor as part of providing the Services to Controller under the Principal Agreement. The specific categories of Personal Data are further detailed in Annex 1 (Details of Processing Activities) to this Addendum. It is important to note that this definition pertains specifically to data processed by CallNest Cloud on behalf of the Controller. Data that CallNest Cloud processes for its own business purposes, such as for billing its customers or managing its own employee data, is governed by CallNest Cloud's own Privacy Policy and internal data management policies, where CallNest Cloud acts as a Controller.[2, 4]

"Customer Personal Data" or "Controller Personal Data": Synonymous with "Personal Data" as defined above, emphasizing that the data belongs to the Controller or was provided by the Controller for Processing by the Processor.[1, 2]

"Processing" or "Process": Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.[1]

"Sub-processor": Any third party, including an Affiliate of Processor, engaged by Processor to Process Personal Data in connection with the provision of the Services to Controller.[1, 2]

"Security Incident" or "Personal Data Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Processor or its Sub-processors in connection with the provision of Services under the Principal Agreement. This definition is intended to be broad to ensure timely notification to the Controller, who will then assess if the incident meets the threshold for a "Personal Data Breach" under specific regulations like GDPR.[1, 5]

"Services": The CallNest Cloud services, including any related software, platforms, and support, provided by Processor to Controller as described in the Principal Agreement.[1]

"Standard Contractual Clauses" or "SCCs": The standard contractual clauses for the transfer of Personal Data to third countries approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, or any successor clauses or alternative transfer mechanisms recognized under Applicable Data Protection Law(s) (e.g., the UK International Data Transfer Agreement or Addendum).[5, 6]

"GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).[1]

"CCPA": The California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act ("CPRA") and its implementing regulations.

"Technical and Organizational Security Measures" or "TOMs": The measures implemented and maintained by Processor to ensure a level of security appropriate to the risk of Processing Personal Data, as further detailed in Annex 3 (Technical and Organizational Security Measures) to this Addendum.

2. Roles and Responsibilities of the Parties

2.1. Processor's Obligations

Processor shall Process Personal Data only on behalf of the Controller and in strict compliance with Controller's documented instructions, including with regard to transfers of Personal Data to a third country or an international organization. Such instructions are set forth in this Addendum, the Principal Agreement, and as may be further provided by Controller in writing from time to time. Processor shall not Process Personal Data for any other purpose unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.[2, 7]

Processor shall immediately inform the Controller if, in Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Law(s) (GDPR Art. 28(3)(h)). This obligation requires Processor to maintain a level of awareness regarding data protection principles to identify potentially problematic instructions, though it does not make Processor a legal advisor to Controller. It serves as a crucial checkpoint to prevent inadvertent non-compliance by both parties.

The specific details of the Processing activities, including the subject-matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects, are specified in Annex 1 (Details of Processing Activities) to this Addendum.

2.2. Controller's Obligations

Controller represents and warrants that it has established and will maintain a lawful basis (e.g., consent, contractual necessity, legitimate interests) for the Processing of Personal Data by Processor as contemplated by this Addendum and the Principal Agreement.

Controller's instructions to Processor for the Processing of Personal Data shall, at all times, comply with Applicable Data Protection Law(s). Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquired Personal Data and instructed its Processing.[5] This includes, for example, Controller's responsibility for obtaining any necessary consents for call recording features offered within the Services.[8, 9]

Controller is responsible for providing all necessary privacy notices to Data Subjects and for obtaining all necessary consents from Data Subjects concerning the Processing of their Personal Data as described herein and in Annex 1.

Controller acknowledges that Processor is reliant on Controller for direction as to the extent to which Processor is entitled to use and Process the Personal Data. Consequently, Processor will not be liable for any claim brought by a Data Subject arising from any action or omission by Processor, to the extent that such action or omission resulted from Controller's instructions or Controller's failure to comply with its obligations under Applicable Data Protection Law(s).

3. Details of Processing (Specified in Annex 1)

The details of the data processing activities performed by the Processor on behalf of the Controller are specified in Annex 1 to this Addendum. This Annex is a critical component, fulfilling the requirements of GDPR Article 28(3) by providing transparency and defining the precise scope of authorized data processing. Any significant changes to the nature or purpose of processing, such as the introduction of new service features that materially alter how data is handled, may necessitate an update to Annex 1 and potentially this DPA, with appropriate notification to the Controller.

4. Confidentiality

Processor shall ensure that any personnel authorized to Process Personal Data under this Addendum have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (GDPR Art. 28(3)(b); [7]). This commitment is fundamental to protecting the secrecy of Controller's data.

Processor shall ensure that access to Personal Data is strictly limited to those of its personnel who need to access the relevant Personal Data for the purposes of performing Processor's obligations under the Principal Agreement and this Addendum. The "need-to-know" basis for access is a core security principle.[2]

These confidentiality obligations shall survive the termination of this Addendum and the Principal Agreement. The operationalization of this clause requires CallNest Cloud to have robust internal policies, employee training programs, and contractual agreements (e.g., Non-Disclosure Agreements within employment contracts) that explicitly cover the handling of customer data.

5. Security of Processing (Technical and Organizational Measures - TOMs)

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures shall include, inter alia, as appropriate: (a) the pseudonymization and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing (GDPR Art. 32(1); [10, 11]).

Processor's specific TOMs are described in detail in Annex 3 (Technical and Organizational Security Measures) to this Addendum. Alternatively, or supplementarily, these TOMs may be detailed in a separate security document, such as a "CallNest Cloud Security Whitepaper," which will be made available to the Controller and incorporated by reference herein.[12, 13] The commitment to "regularly testing, assessing, and evaluating" these TOMs signifies an ongoing, dynamic approach to security, acknowledging that threats and technologies evolve. This implies a security lifecycle management process within CallNest Cloud, not merely a static list of controls.

Processor shall not materially decrease the overall security of the Services during a subscription term. While security is risk-based and not absolute, this provides assurance against arbitrary reductions in protection. The "state of the art" and "costs of implementation" considerations from GDPR Article 32 mean that security measures are expected to be reasonable and proportionate, not necessarily "impenetrable," which is an unrealistic standard.

6. Sub-processing

6.1. General Authorization

Controller hereby grants Processor general written authorization to engage Sub-processors to Process Personal Data on Controller’s behalf in connection with the provision of the Services, provided that Processor complies with the requirements set forth in this Section 6.[7, 14] This approach is common for SaaS providers as it allows for operational flexibility while providing Controllers with oversight.

6.2. List of Sub-processors

Processor shall maintain an up-to-date list of its Sub-processors, which shall be made available to the Controller, either as Annex 2 to this Addendum or via a publicly accessible website (URL to be provided to Controller). This list shall, at a minimum, identify the Sub-processor, describe the services it provides, and state the country where its Processing activities primarily take place.[13, 14]

6.3. Notification of New Sub-processors

Processor shall inform Controller of any intended changes concerning the addition or replacement of Sub-processors. Such notification shall be provided in writing (e.g., via email or through a notification on Processor’s platform) at least thirty (30) days (or a commercially reasonable period otherwise agreed) in advance of the new Sub-processor commencing the Processing of Personal Data, thereby giving the Controller an opportunity to object to such changes.[7, 14]

6.4. Objection Rights

Controller may object in writing to Processor's appointment or replacement of a Sub-processor within fifteen (15) days of receiving the notification, provided such objection is based on reasonable grounds relating to data protection (e.g., if the proposed Sub-processor does not provide sufficient guarantees to implement appropriate TOMs). If Controller objects, Processor will use reasonable efforts to make available to Controller a change in the Services or recommend a commercially reasonable change to Controller’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor. If Processor is unable to make available such change within a reasonable period of time, either Party may terminate the applicable Order Form(s) with respect to only those Services which cannot be provided by Processor without the use of the objected-to new Sub-processor by providing written notice to the other Party.[14]

6.5. Sub-processor Agreements

Prior to a Sub-processor first Processing Personal Data, Processor shall enter into a written agreement with each Sub-processor imposing data protection obligations that are substantially similar to, and at least as protective as, those set out in this Addendum, particularly regarding the implementation of appropriate TOMs (GDPR Art. 28(4); [7]). If CallNest Cloud utilizes AI-powered sub-processors, for instance, for features like call transcription or sentiment analysis, these agreements must include robust clauses preventing the sub-processor from using Customer Personal Data to train its general AI models, unless explicitly instructed or consented to by the Controller.[15]

6.6. Liability

Processor shall remain fully liable to the Controller for the performance of each Sub-processor's data protection obligations as if they were Processor's own (GDPR Art. 28(4); [14]).

7. Data Subject Rights

Taking into account the nature of the Processing, Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law(s) (e.g., rights of access, rectification, erasure, restriction of Processing, data portability, objection) (GDPR Art. 28(3)(e)). This assistance implies that CallNest Cloud's platform should ideally provide functionalities that enable Controllers to manage data in response to such requests, such as search, export, and deletion tools.[16]

Processor shall: (a) promptly, and in any event within five (5) business days, notify Controller if Processor receives a request directly from a Data Subject concerning Personal Data Processed under this Addendum;[2] (b) not respond directly to any such Data Subject request, except on the documented instructions of Controller or as strictly required by applicable laws to which Processor is subject, and, if Processor is legally required to respond, it shall, to the extent permitted by law, inform Controller of that legal requirement before responding; and (c) provide Controller with reasonable cooperation and assistance, including access to Personal Data and Processing records, as Controller may require to respond to such Data Subject requests in accordance with Applicable Data Protection Law(s).

8. Personal Data Breach (Security Incident Notification)

Processor shall notify Controller without undue delay, and in any event within forty-eight (48) hours (or such shorter period as may be required by Applicable Data Protection Law or as agreed by the Parties), after becoming aware of a Security Incident affecting Personal Data Processed under this Addendum (GDPR Art. 33(2); [2, 17]). This timeframe necessitates robust internal incident detection, assessment, and escalation procedures within CallNest Cloud.

The notification to Controller shall, at a minimum and where feasible: (a) Describe the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) Communicate the name and contact details of Processor’s data protection officer (if appointed) or other relevant contact point where more information can be obtained; (c) Describe the likely consequences of the Security Incident; and (d) Describe the measures taken or proposed to be taken by the Processor to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects (GDPR Art. 33(3)). Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available, and further information shall be provided as it becomes available without undue further delay.

Processor shall provide reasonable cooperation and assistance to Controller in the investigation, mitigation, and remediation of each such Security Incident, and in enabling Controller to meet its own notification obligations to Supervisory Authorities and Data Subjects under Applicable Data Protection Law(s).[17]

Controller shall have the sole right and responsibility to determine whether and how to notify any third parties, including Data Subjects and Supervisory Authorities, of the Security Incident, unless otherwise explicitly required by law to be performed by Processor. Processor shall not make any public statements or notifications regarding a Security Incident without Controller's prior written consent, unless legally mandated.[18, 19] This allocation ensures the Controller maintains control over its regulatory compliance and communication strategy concerning breaches involving its data.

9. Assistance to Controller

Taking into account the nature of Processing and the information available to the Processor, Processor shall provide reasonable assistance to Controller in ensuring compliance with Controller's obligations pursuant to Articles 32 to 36 of the GDPR (or equivalent provisions under other Applicable Data Protection Law(s)), which include obligations related to Security of Processing, Notification of a Personal Data Breach to the supervisory authority, Communication of a Personal Data Breach to the Data Subject, Data Protection Impact Assessment (DPIA), and Prior Consultation with a supervisory authority (GDPR Art. 28(3)(f); [5]).

Specifically, if Controller considers that a DPIA is required for a processing activity involving the Services, Processor shall, upon request, provide reasonable assistance and available information regarding the Services (such as descriptions of security measures, data flows, and Sub-processor details) to enable Controller to conduct such DPIA and, if necessary, consult with the relevant supervisory authority. This requires CallNest Cloud to have such information documented and readily available for sharing with Controllers, potentially under non-disclosure agreements.

10. International Transfers of Personal Data

Processor shall not transfer Personal Data to any country or territory outside the European Economic Area (EEA), Switzerland, or the United Kingdom (UK) that is not recognized by the European Commission (or the relevant UK or Swiss authorities) as providing an adequate level of data protection, unless such transfer is made in compliance with appropriate safeguards as required by Applicable Data Protection Law(s), and authorized by the Controller.

Where Processor engages in such an international transfer of Personal Data, it shall do so by utilizing a recognized transfer mechanism under Applicable Data Protection Law(s). This may include: (a) A finding of adequacy for the recipient country by the European Commission (or equivalent UK/Swiss body). (b) The Standard Contractual Clauses (SCCs), as incorporated into Annex 4 of this Addendum. The Parties agree that the SCCs will apply to Personal Data that is transferred, either directly or via onward transfer, from the EEA, UK, or Switzerland, to any country or recipient outside those areas not recognized as providing an adequate level of data protection for the purposes of Applicable Data Protection Law(s).[6, 20] (c) Binding Corporate Rules (BCRs) duly approved by a competent Supervisory Authority, if applicable to Processor or its Sub-processors.[21, 22] (d) Any other valid transfer mechanism or derogation permitted under Applicable Data Protection Law(s).

For any transfers to which the SCCs apply, Annex 4 (Standard Contractual Clauses) will specify the applicable SCC modules (e.g., Module Two: Controller to Processor; Module Three: Processor to Processor) and include any necessary supplementary measures identified through a Transfer Impact Assessment (TIA) to ensure an essentially equivalent level of data protection. The need for such TIAs and supplementary measures, particularly for transfers to countries like the United States, is a significant consideration stemming from legal precedents such as the Schrems II judgment.[13, 16] CallNest Cloud should be prepared to discuss its approach to TIAs and the supplementary measures it employs.

The annexes to this DPA (Annex 1, Annex 2, Annex 3) are designed to provide the necessary information for completing the appendices of the SCCs.

11. Audit Rights

Processor shall make available to Controller, upon reasonable request, all information necessary to demonstrate compliance with Processor's obligations laid down in Article 28 of the GDPR and this Addendum. Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (GDPR Art. 28(3)(h)).

Such audits shall be subject to the following conditions: (a) Controller shall provide Processor with reasonable advance written notice (e.g., at least thirty (30) days) of any audit, unless a shorter period is required due to a Security Incident or regulatory demand. (b) Audits shall be conducted during Processor's normal business hours and in a manner that does not unreasonably interfere with Processor's business operations. (c) Audits shall be limited in frequency, typically to not more than once per calendar year, unless a verified Security Incident affecting Controller's Personal Data has occurred, or there is a material change in Processor's processing activities or Applicable Data Protection Law(s) that warrants an additional audit. (d) The scope of any audit shall be limited to Processor's facilities, systems, records, and personnel that are relevant to the Processing of Controller’s Personal Data. (e) Processor may satisfy Controller's audit requests by providing relevant and current third-party audit reports or certifications, such as SOC 2 Type II reports, ISO 27001 certifications, or similar attestations, where available. Controller agrees that such reports or certifications may be used to demonstrate Processor's compliance with its obligations under this Addendum.[16, 17] This approach balances the Controller's need for assurance with the operational practicalities for a multi-tenant SaaS provider.

Controller shall bear its own costs and expenses associated with conducting any audit. If an audit requires Processor to expend significant time or resources beyond providing existing documentation or certifications, Processor reserves the right to charge Controller a reasonable fee for such assistance, of which Controller will be notified in advance.

All information disclosed during an audit shall be treated as Confidential Information of the Processor.

12. Return and Deletion of Personal Data

Upon the termination of the Principal Agreement, or earlier upon Controller's written request, Processor shall, at the choice of the Controller, either securely delete all Personal Data Processed on behalf of the Controller or return it to the Controller in a mutually agreed format and manner (GDPR Art. 28(3)(g)). The technical capability to return data in a structured, commonly used, and machine-readable format (e.g., CSV exports for call logs, downloadable recordings) is an important aspect of this obligation.[23]

Processor shall delete all existing copies of such Personal Data from its systems, including backups, unless Union or Member State law, or other applicable law to which Processor is subject, requires continued storage of the Personal Data. If such retention is required, Processor shall inform Controller of this requirement and shall ensure the continued confidentiality and security of such Personal Data, Processing it only to the extent and for the duration required by such law.

Processor shall provide written confirmation of such deletion to Controller upon request. The typical timeframe for deletion post-termination might be within 30 to 90 days, allowing for operational processes.[16]

13. Liability and Indemnification

13.1. Liability

The liability of each Party, and their respective Affiliates, arising out of or related to this Addendum (whether in contract, tort, or under any other theory of liability) will be subject to the exclusions and limitations of liability set out in the Principal Agreement.[17, 24] It is essential to align liability provisions to avoid conflicting contractual regimes. For the avoidance of doubt, the total aggregate liability of Processor (and its Affiliates) under or in connection with this Addendum shall not exceed the overall monetary cap on liability stipulated in the Principal Agreement.

13.2. Indemnification by Controller

Controller shall indemnify, defend, and hold harmless Processor, its Affiliates, officers, directors, employees, and agents from and against all claims, losses, damages, liabilities, fines, penalties, and expenses (including reasonable attorneys' fees) asserted by a third party (including Data Subjects or Supervisory Authorities) arising from or related to: (a) Processor's Processing of Personal Data in accordance with Controller's instructions that are found to be in breach of Applicable Data Protection Law(s); or (b) Controller's material breach of its obligations under this Addendum or Applicable Data Protection Law(s).[24]

13.3. Indemnification by Processor

Processor shall indemnify, defend, and hold harmless Controller, its Affiliates, officers, directors, employees, and agents from and against all claims, losses, damages, liabilities, fines, penalties, and expenses (including reasonable attorneys' fees) asserted by a third party (including Data Subjects or Supervisory Authorities) arising from or related to Processor's material breach of its obligations under this Addendum.[24]

13.4. Indemnification Procedure

The indemnification obligations set forth above are conditional upon: (a) the indemnified Party promptly notifying the indemnifying Party in writing of any claim; (b) the indemnifying Party having sole control of the defense and settlement of the claim (provided that the indemnifying Party shall not settle any claim in a manner that admits fault or imposes an obligation on the indemnified Party without the indemnified Party's prior written consent, not to be unreasonably withheld); and (c) the indemnified Party providing reasonable cooperation and assistance in the defense of the claim, at the indemnifying Party's expense.

14. Term and Termination

This Addendum shall commence on the Addendum Effective Date and shall continue in full force and effect for as long as Processor Processes Personal Data on behalf of Controller under the Principal Agreement.

Termination of the Principal Agreement for any reason shall automatically terminate this Addendum.

Notwithstanding termination, the provisions of this Addendum that by their nature are intended to survive termination or expiration (including, without limitation, obligations related to confidentiality, security, return and deletion of Personal Data, liability, indemnification, and governing law) shall so survive and continue in full force and effect. This ensures that critical data protection obligations persist even after the commercial relationship ends.

15. Miscellaneous

15.1. Governing Law and Jurisdiction

This Addendum and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws stipulated for governing the Principal Agreement. Any legal actions, suits, or proceedings arising out of or relating to this Addendum shall be brought exclusively in the courts of the jurisdiction stipulated in the Principal Agreement.[8, 17, 24]

15.2. Notices

Any notices, requests, demands, or other communications required or permitted under this Addendum shall be in writing and shall be provided in accordance with the notice provisions set forth in the Principal Agreement.

15.3. Severability

If any term or provision of this Addendum is found by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such invalidity, illegality, or unenforceability shall not affect any other term or provision of this Addendum or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination, the Parties shall negotiate in good faith to modify this Addendum so as to effect the original intent of the Parties as closely as possible.

15.4. Amendments

This Addendum may only be amended by a written instrument duly signed by authorized representatives of both Parties. However, Processor reserves the right to update Annex 2 (List of Approved Sub-processors) and Annex 3 (Technical and Organizational Security Measures) from time to time, provided that such updates to Annex 3 do not materially decrease the overall security of the Services, and updates to Annex 2 follow the notification and objection procedures outlined in Section 6.

15.5. Order of Precedence

In the event of any conflict or inconsistency between the terms of this Addendum and the terms of the Principal Agreement, the terms of this Addendum shall prevail solely with respect to the subject matter of data protection and the Processing of Personal Data. In all other respects, the terms of the Principal Agreement shall prevail. This clause is crucial for ensuring that specific data protection commitments are not inadvertently overridden by general commercial terms.

15.6. Entire Agreement

This Addendum, together with the Principal Agreement and its Annexes, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, proposals, or representations, written or oral, concerning its subject matter.

Signatures

(If this Addendum is executed as a separate document from the Principal Agreement, signature blocks for authorized representatives of both Controller and Processor would be included here. If incorporated by reference into the Principal Agreement, acceptance of the Principal Agreement signifies acceptance of this Addendum.)

IN WITNESS WHEREOF, the Parties hereto have caused this Data Processing Addendum to be executed by their duly authorized representatives.

CONTROLLER (CUSTOMER)

By: ______________________________

Name: _____________________________

Title: _____________________________

Date: ______________________________

PROCESSOR (CALLNEST CLOUD)

By: ______________________________

Name: _____________________________

Title: _____________________________

Date: ______________________________

Annex 1: Details of Processing Activities

This Annex forms part of the Data Processing Addendum between Controller and Processor and describes the Processing of Personal Data conducted by Processor on behalf of Controller in connection with the Services.

A. Subject-Matter of Processing: The provision of CallNest Cloud's cloud-based communication services as described in the Principal Agreement, including but not limited to voice calling capabilities, call recording and storage (if activated by Controller), call routing, messaging (SMS/MMS, chat, if applicable), voicemail services, analytics related to communication activities, and associated technical support services provided to the Controller.

B. Duration of Processing: For the term of the Principal Agreement between Controller and Processor, and thereafter as necessary for Processor to fulfill its obligations of data return or secure deletion as set out in Section 12 of this Addendum, or as may be required by applicable law.

C. Nature of Processing: The Processing operations performed by Processor on Personal Data include, as necessary to provide the Services: collection (from Controller, or from Data Subjects interacting with Controller or Controller's users via the Services), recording (e.g., call recordings, voicemail), storage, retrieval, use (e.g., to route calls, display information to Controller's users), analysis (e.g., to provide communication analytics to Controller, or for service improvement and maintenance purposes on an aggregated/anonymized basis or as specifically instructed by Controller for Controller's benefit), disclosure by transmission (e.g., routing communications over telecommunication networks), organization, structuring, transcription (if such a feature is offered and used by Controller), consultation, restriction, erasure, or destruction of Personal Data.

D. Purpose(s) of Processing: The primary purposes of Processing Personal Data are:

To enable Controller and its authorized users to utilize the CallNest Cloud Services for their business communication activities in accordance with the Principal Agreement.

To provide customer support, troubleshooting, and maintenance services to the Controller.

To maintain, secure, and improve the Services (e.g., by analyzing aggregated usage patterns to enhance performance, provided that such analysis for general service improvement does not involve Processing Personal Data in a way that identifies individual Data Subjects of the Controller, unless specifically instructed or permitted).

To prevent or address service errors, security issues, or technical problems.

To comply with Controller's documented lawful instructions regarding the Processing of Personal Data.

To fulfill Processor's legal and contractual obligations under the Principal Agreement and this Addendum.

E. Categories of Personal Data: The categories of Personal Data Processed are determined and controlled by Controller in its use of the Services and typically include, but are not limited to:

Controller’s User Data: Identification details of Controller’s authorized users (e.g., name, surname, email address, user ID, work position), log-in credentials, company information, IP addresses, technical details of service usage (e.g., system logs, action logs).[12]

Communication Content Data: Voice recordings of telephone calls, video recordings of video calls (if applicable), transcripts of calls or voicemails (if applicable), content of SMS/MMS messages, content of chat messages, voicemail messages, content of faxes.[12, 16]

Communication Metadata: Telephone numbers of call participants (calling and called parties), caller ID information, date, time, and duration of communications, routing information (source and destination of communications), communication logs, status of messages, error data, IP addresses associated with communications, device information (e.g., type, operating system) of users accessing the Services, location data derived from IP addresses or provided by devices in the context of delivering communications.[12, 16, 22]

Support Interaction Data: Personal Data provided by Controller’s users during interactions with Processor’s customer support services (e.g., names, contact details, content of support queries, transcripts of support conversations).[12]

Data Provided via Integrations: Personal Data that Controller chooses to share from or to third-party applications when integrating them with the CallNest Cloud Services. The categories of such data depend on the specific integration configured by the Controller.

F. Categories of Data Subjects: The categories of Data Subjects whose Personal Data is Processed are determined and controlled by Controller in its use of the Services and typically include, but are not limited to:

Controller’s employees, agents, contractors, representatives, or other authorized individuals who use the CallNest Cloud Services.

Customers, clients, prospects, suppliers, business partners, and other individuals who communicate with the Controller or Controller’s authorized users via the CallNest Cloud Services (e.g., individuals calling Controller’s phone numbers managed through the Services, or being called by Controller’s users).[16]

G. Processing of Special Categories of Personal Data (if applicable): The CallNest Cloud Services are generally not designed or intended for the Processing of Special Categories of Personal Data as defined under Article 9 of the GDPR (e.g., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation) or similarly sensitive data under other Applicable Data Protection Law(s). Controller agrees not to upload, transmit, or otherwise cause to be Processed any such Special Categories of Personal Data via the Services unless: (i) Controller has obtained explicit consent from the Data Subject for such Processing for one or more specified purposes, or another valid legal basis under Article 9 GDPR (or equivalent) exists; (ii) Controller has explicitly notified Processor in writing of its intent to Process such data via the Services; and (iii) the Parties have agreed in writing to any additional safeguards or terms that may be necessary for such Processing. Controller remains solely responsible for compliance with all legal requirements applicable to the Processing of Special Categories of Personal Data it initiates via the Services.[16]

H. Permitted Purposes for Processor's Own Use (if any, strictly limited and de-identified/aggregated): Processor may Process Personal Data in an aggregated or de-identified form for its own legitimate business purposes, such as service improvement, development of new features, usage analytics, and security monitoring, provided that such Processing does not permit the identification of any individual Data Subject or the Controller. Any such Processing will be conducted in accordance with Applicable Data Protection Law(s).

Annex 2: List of Approved Sub-processors

Processor uses the following Sub-processors to assist in providing the Services. This list is subject to change in accordance with Section 6 of the DPA. An up-to-date list will be maintained by Processor and made available to Controller (e.g., at a designated URL or upon request).

| Sub-processor Name & Legal Entity | Service Provided / Purpose of Processing | Location of Processing (Country/Region) | Safeguards for International Transfer (if applicable) |
|---|---|---|---|
| *Example: Amazon Web Services, Inc.* | *Cloud infrastructure hosting, data storage, compute services* | *[To be completed]* | *[To be completed]* |
| *Example: Twilio Inc.* | *Telephony services, PSTN connectivity, SMS/MMS delivery APIs* | *[To be completed]* | *[To be completed]* |
| *Example: OpenAI OpCo, LLC (or similar AI provider)* | *AI-powered features such as call transcription, summarization, sentiment analysis (if offered and used by Controller)* | *[To be completed]* | *[To be completed]* |
| *Example: Google LLC (Google Cloud Platform or Google Workspace)* | *[To be completed]* | *[To be completed]* | *[To be completed]* |
| *Example: Zendesk, Inc. (or similar support platform)* | *Customer support platform for Processor's support to Controller (may involve incidental access to Controller user data if provided during support)* | *[To be completed]* | *[To be completed]* |
| *Example: Stripe, Inc. (or similar payment processor)* | *Payment processing for Services subscribed by Controller (Processes Controller's billing information, not typically Controller's end-user Personal Data under this DPA context)* | *[To be completed]* | *[To be completed]* |

*(Note to CallNest Cloud: This list must be populated with actual Sub-processors used. The "Safeguards" column is particularly important for international transfers.)*

Annex 3: Technical and Organizational Security Measures (TOMs)

Processor has implemented and will maintain the following technical and organizational security measures to protect Personal Data against Security Incidents and to ensure a level of security appropriate to the risk. These measures are based on GDPR Article 32 and industry best practices.[10, 11] (Alternatively, this Annex may reference a comprehensive CallNest Cloud Security Whitepaper).

1. Information Security Governance and Policies:

Establishment and maintenance of an information security program with defined roles and responsibilities.

Regular review and update of security policies and procedures.

Designation of personnel responsible for information security oversight.[18]

2. Physical Security:

Measures to prevent unauthorized physical access to data centers and facilities where Personal Data is Processed (e.g., secure perimeters, access controls, surveillance).

Controls for securing equipment and preventing theft or damage.

If using third-party data centers (e.g., AWS, GCP), reliance on their certified physical security measures (e.g., ISO 27001, SOC 2 compliant facilities).[17]

3. Access Control (Logical and Physical):

User identification and authentication mechanisms (e.g., unique user IDs, strong password policies, multi-factor authentication where appropriate) for access to systems Processing Personal Data.[16]

Principle of least privilege: Access rights to Personal Data are granted on a "need-to-know" basis, limited to personnel whose job responsibilities require such access.

Logging of access to systems Processing Personal Data.

Procedures for timely de-provisioning of access upon termination of employment or change in role.

4. Encryption and Pseudonymization:

Encryption of Personal Data in transit over public networks (e.g., using TLS 1.2 or higher for web interfaces and APIs).[25, 26]

Encryption of Personal Data at rest (e.g., using AES-256 or equivalent for data stored in databases and storage systems).[25, 26]

Use of pseudonymization techniques where appropriate and feasible.

5. Network Security:

Implementation of firewalls and other network security controls to protect against unauthorized network access.[25, 26]

Network segmentation to isolate sensitive systems and data.

Intrusion detection and prevention systems (IDS/IPS), where appropriate.

6. System Development, Acquisition, and Maintenance:

Secure software development lifecycle (SSDLC) practices for internally developed software.

Regular vulnerability scanning and penetration testing of systems and applications (e.g., at least annually by independent third parties).[17]

Timely application of security patches and updates to operating systems, applications, and network devices.

Change management processes to control modifications to production systems.

7. Security Incident Management:

Establishment of a Security Incident response plan, including procedures for detection, containment, investigation, eradication, recovery, and post-incident analysis.

Procedures for notifying Controller of Security Incidents in accordance with Section 8 of this DPA.

8. Business Continuity and Disaster Recovery:

Implementation of data backup procedures to ensure Personal Data can be recovered.[17]

Disaster recovery plan to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.

Regular testing of backup and disaster recovery capabilities.

9. Personnel Security and Awareness:

Background checks for personnel with access to Personal Data, where permitted by applicable law.

Confidentiality agreements for all personnel authorized to Process Personal Data.

Regular security awareness and data protection training for personnel, covering their responsibilities in protecting Personal Data.

10. Sub-processor Management:

Due diligence process for selecting Sub-processors.

Contractual agreements with Sub-processors requiring them to implement data protection measures at least as protective as those in this Addendum.

Monitoring of Sub-processor compliance.

11. Data Minimization and Disposal:

Processing of Personal Data limited to what is necessary for the purposes defined in Annex 1.

Secure deletion or destruction of Personal Data when no longer required for the specified purposes or upon Controller's instruction, in accordance with Section 12 of this DPA.[23]

12. Monitoring and Auditing:

Regular monitoring of systems for security events and vulnerabilities.

Internal and/or external audits of security controls (e.g., SOC 2, ISO 27001 certifications).[16]

*(Note to CallNest Cloud: This Annex should reflect CallNest Cloud's actual security practices. It is often beneficial to maintain a more detailed internal TOMs document or a public-facing Security Whitepaper that can be referenced and provided to customers.)*

Annex 4: Standard Contractual Clauses (SCCs)

This Annex applies if and to the extent Personal Data is transferred by Controller (as data exporter) to Processor (as data importer) located in a third country outside the European Economic Area (EEA), Switzerland, or the United Kingdom (UK) not recognized as providing an adequate level of data protection, or where Processor (as data exporter) transfers Personal Data to a Sub-processor (as data importer) in such a third country on behalf of Controller.

Module Applicability:

The Parties agree that the following module(s) of the Standard Contractual Clauses, approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"), shall apply as completed below:

If Controller is established in the EEA/Switzerland/UK and Processor is established outside the EEA/Switzerland/UK in a non-adequate country: Module TWO: Transfer controller to processor will apply.

If Controller is established outside the EEA/Switzerland/UK, but its processing activities are subject to GDPR/UK GDPR (e.g., Art. 3(2) GDPR), and Processor is established outside the EEA/Switzerland/UK in a non-adequate country: Module TWO: Transfer controller to processor will apply.

If Processor (acting as exporter on behalf of Controller) transfers Personal Data to a Sub-processor established outside the EEA/Switzerland/UK in a non-adequate country: Module THREE: Transfer processor to processor will apply between Processor and the Sub-processor, and Processor warrants that such SCCs are in place.

Specific Clauses and Options under the EU SCCs:

Clause 7 (Docking Clause): The optional docking clause *shall / shall not* (Processor to select and state) be included.

Clause 9 (Use of sub-processors): Option 2 (General written authorisation) shall apply. The time period for prior notice of Sub-processor changes by the data importer to the data exporter shall be as set out in Section 6.3 of this DPA.

Clause 11(a) (Redress): The optional language *shall not* be included.

Clause 13 (Supervision): (a) Where the data exporter is established in an EU Member State, the supervisory authority of that Member State shall act as competent supervisory authority. (b) Where the data exporter is not established in an EU Member State, but is subject to the GDPR by virtue of Art. 3(2) GDPR, the supervisory authority of the Member State in which its representative within the meaning of Art. 27(1) GDPR is established shall act as competent supervisory authority. (c) Where the data exporter is not established in an EU Member State, but is subject to the GDPR by virtue of Art. 3(2) GDPR and has not appointed a representative, the supervisory authority of one of the Member States in which the data subjects whose personal data are transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, shall act as competent supervisory authority.

Clause 17 (Governing Law): These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of *[EU Member State to be specified]*.

Clause 18 (Choice of forum and jurisdiction): (b) The courts of *[EU Member State to be specified]* shall have jurisdiction.

ANNEX I to the EU SCCs

A. LIST OF PARTIES

Data Exporter(s): The party defined as "Controller" in this DPA. Contact details as provided in the Principal Agreement or to Processor. Activities relevant to the data transferred: Use of Processor's Services as described in Annex 1 of this DPA. Role: Controller.

Data Importer(s): The party defined as "Processor" (CallNest Cloud) in this DPA. Contact details as provided in the Principal Agreement or on Processor's website. Activities relevant to the data transferred: Provision of Services as described in Annex 1 of this DPA. Role: Processor.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: As described in Annex 1, Section F of this DPA.

Categories of personal data transferred: As described in Annex 1, Section E of this DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: As described in Annex 1, Section G of this DPA.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis for the duration of the Services.

Nature of the processing: As described in Annex 1, Section C of this DPA.

Purpose(s) of the data transfer and further processing: As described in Annex 1, Section D of this DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As described in Annex 1, Section B of this DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: The subject matter and nature of processing by Sub-processors are detailed in Annex 2 of this DPA. The duration will be for the term they are engaged by Processor to provide parts of the Services.

C. COMPETENT SUPERVISORY AUTHORITY

Identified in accordance with Clause 13 of the EU SCCs, based on the establishment or representation of the Data Exporter.

ANNEX II to the EU SCCs – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The technical and organizational measures implemented by the Data Importer (Processor) are described in Annex 3 of this DPA.

ANNEX III to the EU SCCs – LIST OF SUB-PROCESSORS (Module Two and Three only)

The Controller has authorised the use of the Sub-processors listed in Annex 2 of this DPA.

*(Note to CallNest Cloud: This Annex requires careful completion based on specific transfer scenarios. For transfers subject to UK GDPR or Swiss FADP, appropriate addenda or alternative SCCs recognized by UK/Swiss authorities may need to be incorporated or referenced.)*

Conclusions

This Data Processing Addendum provides a comprehensive framework for the processing of Personal Data by CallNest Cloud (as Processor) on behalf of its Customers (as Controllers). It is designed to meet the stringent requirements of modern data protection laws, including GDPR and CCPA, by clearly defining roles, responsibilities, and obligations.

Key elements established within this DPA include:

Clear Definitions and Roles, ensuring unambiguous understanding of terms and the distinct responsibilities of CallNest Cloud and its Customers.

Detailed Scope of Processing, with Annex 1 meticulously outlining the subject matter, duration, nature, purpose, categories of Personal Data, and Data Subjects involved, providing essential transparency.

Robust Security Commitments, with Annex 3 detailing the Technical and Organizational Measures CallNest Cloud implements, reflecting a commitment to ongoing security appropriate to the risks involved.

Transparent Sub-processor Management, establishing a clear process for authorizing, listing, and notifying changes to Sub-processors, along with Controller objection rights and flow-down contractual obligations.

Assistance with Data Subject Rights and Compliance, including commitments from CallNest Cloud to assist Controllers in fulfilling their obligations regarding Data Subject requests, Security Incident notifications, and DPIAs.

Lawful International Data Transfers, incorporating mechanisms like Standard Contractual Clauses (Annex 4) to ensure that any cross-border data transfers comply with applicable legal requirements.

Defined Liability and Audit Rights, with provisions that align with the Principal Agreement while ensuring accountability for data protection obligations.

By implementing and adhering to this DPA, CallNest Cloud demonstrates its commitment to data protection and provides its Customers with the necessary contractual assurances for compliant use of its services. Customers, as Controllers, remain responsible for ensuring their use of the CallNest Cloud Services, and the instructions they provide to CallNest Cloud, comply with all Applicable Data Protection Law(s). Regular review and, if necessary, updates to this DPA and its Annexes will be important to maintain ongoing compliance as services, laws, and technologies evolve.