Data Processing Addendum
This Data Processing Addendum ("DPA") is incorporated into the Phoneless Terms of Service ("Agreement") between Phoneless Inc. ("Phoneless") and the customer identified in the Agreement ("Customer"). It applies when Phoneless processes Personal Data on behalf of Customer in providing the Service. Where Customer is subject to GDPR, UK GDPR, or analogous law, this DPA forms a binding agreement.
1. Definitions
"Personal Data", "Controller", "Processor", "Data Subject", "Processing", "Sub-processor", and "Personal Data Breach" have the meanings given in the GDPR. "Customer Data" means Personal Data that Phoneless processes on behalf of Customer in providing the Service.
2. Roles of the parties
Customer is the Controller of Customer Data. Phoneless is the Processor. Each party will comply with its obligations under applicable data protection law.
3. Subject matter and duration
The subject matter of processing is the operation of the Phoneless Service. The duration is the term of the Agreement plus any period during which Phoneless retains Customer Data to comply with law.
4. Categories of Data Subjects and Personal Data
Categories of Data Subjects: Customer's end users, callers contacting Customer, and Customer's authorized personnel.
Categories of Personal Data:
- Names and phone numbers of callers.
- Audio recordings and transcripts of calls; SMS and WhatsApp message content.
- Booking details (date, time, requested service).
- Account information of Customer's authorized users.
5. Phoneless's obligations
- Process Customer Data only on documented instructions from Customer (the Agreement and use of the Service constitute such instructions).
- Ensure persons authorized to process Customer Data are bound by confidentiality.
- Implement appropriate technical and organizational measures to protect Customer Data (see Annex II).
- Assist Customer, taking into account the nature of the processing, in fulfilling Customer's obligations to respond to Data Subject requests.
- Assist Customer with data protection impact assessments and consultation with supervisory authorities, where reasonably required.
- Notify Customer of a Personal Data Breach without undue delay, and in any event within 72 hours of becoming aware.
- At Customer's choice, delete or return all Customer Data after the end of the provision of services, subject to legal retention obligations.
- Make available to Customer all information necessary to demonstrate compliance with this DPA.
6. Sub-processors
Customer provides general authorization for Phoneless to engage Sub-processors. The current list is published on Phoneless's Security page. Phoneless will:
- Provide at least 30 days' prior notice of any new Sub-processor processing Customer Data.
- Impose data protection obligations on each Sub-processor that are no less protective than those in this DPA.
- Remain liable for the acts and omissions of its Sub-processors.
Customer may object on reasonable grounds. If the parties cannot agree on a resolution, Customer may terminate the affected portion of the Service.
7. International transfers
Phoneless processes Customer Data in the United States. Where Customer Data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy determination, the parties incorporate by reference:
- The EU Standard Contractual Clauses (Module Two: Controller to Processor) adopted by Commission Implementing Decision (EU) 2021/914 (the "EU SCCs").
- The UK International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner's Office.
- The EU SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC), with the amendments required for transfers subject to Swiss data protection law.
The parties agree to the optional Docking Clause (Clause 7) and that the law of Ireland governs the EU SCCs (Clause 17).
8. Audits
Customer may audit Phoneless's compliance with this DPA no more than once every twelve months, on at least 30 days' prior written notice and during normal business hours. Phoneless will make available its most recent third-party audit reports (e.g., SOC 2) and security documentation in lieu of an on-site audit, where these reasonably satisfy Customer's audit needs.
9. Return or deletion of Customer Data
On termination of the Agreement, and after any return of Customer Data requested under section 5, Phoneless will delete all Customer Data within 30 days of termination, except as required to be retained by law. Copies held in backups are purged within 90 days of termination.
10. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
11. Changes
Phoneless may update this DPA from time to time to reflect changes in law or in Phoneless's practices. Material changes will be notified to Customer at least 30 days in advance.
Annex I — Description of processing
See sections 3 and 4 above.
Competent supervisory authority
For Customers established in the EEA, the supervisory authority of the EEA member state where the Customer is established. For UK Customers, the Information Commissioner's Office.
Annex II — Technical and organizational measures
The technical and organizational measures implemented by Phoneless are described on Phoneless's Security page. They include encryption in transit and at rest, role-based access control, multi-factor authentication, audit logging, regular third-party penetration testing, and a 24/7 incident response process.
Contact
Phoneless Inc.
Data Protection: dpo@phoneless.us