This Data Processing Addendum (“DPA”), forms part of the Agreement between Uniphore Technologies Inc., having its principal place of business at 1001 Page Mill Road, Bldg 4, Suite 100-B Palo Alto, CA 94304 , or any Uniphore Affiliate, as applicable, (“Uniphore”) and Customer (as defined below) and shall be effective on the date both parties execute the Agreement (“Effective Date”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

Definitions

“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.

“Agreement” means the Non-Disclosure Agreement between Customer and Uniphore or any other written agreement between Uniphore and Customer that governs any data transfer from Customer to Uniphore, as such terms may be updated by Uniphore from time to time.

“Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.

“Customer” means the counterparty to the Agreement.

“Customer Data” means any Personal Data that Uniphore processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA.

“Data Protection Laws” means all data protection and privacy laws applicable in India to the processing of Personal Data under the Agreement, including, Information Technology Act, 2000, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

“Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.

“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.

“Group” means any and all Affiliates that are part of an entity’s corporate group.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” has the meaning given to it in accordance with the applicable Laws of India and “process”, “processes” and “processed” shall be interpreted accordingly.

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.

“Services” means any product or service provided by Uniphore to Customer pursuant to the Agreement.

“Sub-processor” means any Data Processor engaged by Uniphore or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.  Sub-processors may include third parties or members of the Uniphore Group.

Relationship with the Agreement

2.1 The parties agree that this DPA shall replace any existing data processing terms the parties may have previously entered into in connection with the Services.

2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.

2.4 Any claims against Uniphore or its Affiliates under this DPA shall be brought solely against the entity that is a party to the Agreement. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. Customer further agrees that any regulatory penalties incurred by Uniphore in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce Uniphore’s liability under the Agreement as if it were liability to the Customer under the Agreement.

2.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction of India

2.7 This DPA shall terminate simultaneously and automatically with the termination or expiry of the Agreement.

Scope and Applicability of this DPA

3.1 This DPA (excluding Annex A) applies where and only to the extent that Uniphore processes Customer Data on behalf of Customer as Data Processor in the course of providing Services pursuant to the Agreement.

Roles and Scope of Processing

4.1 Role of the Parties.  As between Uniphore and Customer, Customer is the Data Controller of Customer Data, and Uniphore shall process Customer Data only as a Data Processor acting on behalf of Customer.

4.2 Customer Processing of Customer Data.  Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to Uniphore; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Uniphore to process Customer Data and provide the Services pursuant to the Agreement and this DPA.

4.3 Uniphore Processing of Customer Data.  Uniphore shall process Customer Data only for the purposes described in this DPA and only in accordance with Customer’s documented lawful instructions. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to Uniphore in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Uniphore.

4.4 Details of Data Processing

(a) Subject matter: The subject matter of the data processing under this DPA is the Customer Data.

(b) Duration: As between Uniphore and Customer, the duration of the data processing under this DPA is until the termination of processing under the Agreement in accordance with its terms.

(c) Frequency:  The processing is continuous.

(d) Purpose: The purpose of the data processing under this DPA is the provision of the Services to the Customer and/or the performance of Uniphore’s obligations under the Agreement (including this DPA) or as otherwise agreed in writing by the parties.

(e) Nature of the processing: Uniphore provides AI-powered real-time and post-call sentiment, engagement, and conversation insights for virtual meetings hosted by sales teams; and customer service transcription, analytics, virtual assistant, and agent verification platforms and support services for the platforms. Processing will include the development of products and services and the delivery or demonstration of the Services to the Customer in accordance with the Agreement.

(f) Categories of data subjects: Any individual accessing and/or using the Services through the Customer’s account (“Users”); and any individual whose information is stored on or collected via the Services, including (1) employees, vendors, agents, or contingent workers of the Customer (who are natural persons) and (2) natural persons authorized by the Customer to use the Services (for example, customers, users, and prospective customers of the Customer).

(g) Types of Customer Data: The categories and types of Personal Data Processed involve information related to the communications between Customer and Customer’s end-users, provided by the Customers representatives or end-users, including but not limited to:

• personal information normally exchanged during a customer service or sales conversation such as name, address, username or email address;
• specific personal information involved in the fulfilment of a customer service request, such as customer or user id, verification information, personal identification information (i.e. passport, driver’s license or tax identification numbers) or other information related to a Customer end-user’s account with Customer;
• financial information (invoices, payment details and receipts);
• device information including IP address, location, device type, operating system, Internet service provider, mobile network, system configuration information,
• employment details (i.e. employer, job title, employee ID);
• order data (documentation of all orders done);
• Agent and/or Customer sales rep performance metrics;
• Call agent biometric voiceprint;
• User usage and behaviour on the Services information;
• End-user sentiment, tone, intention, engagement characteristics.

(h) Special Categories of Personal Data or Sensitive Data: Certain Services may process a user’s voice, image and behavioral information, such as choice of words, patterns of speech, or facial expressions. Uniphore does not want to, nor does it intentionally, collect or process any other Special Categories of Personal Data in connection with the provision of the Services and utilizes technical and organizational measures to limit, protect, and redact sensitive personal data that is unintentionally received, but Special Categories of Personal Data may nevertheless be incidentally collected during the course of interactions between the Customer and the Customer’s end users, depending on the context of Customer’s implementation of the Services. Customer shall not share any such special categories of personal data or sensitive data without written approval of Uniphore in advance and specifically amending this DPA to describe it.

(i) Period of Retention.  The period of retention for Customer Data will depend on the specific Services being used and will be as set forth in the Agreement or other specific product documentation and as outlined in the Uniphore Privacy Policy.

(j) Subprocessors. To the extent applicable to the particular subprocessor, the descriptions above also apply to Uniphore transfers to subprocessors.  Uniphore will use commercially reasonable efforts to ensure that its contracts with each subprocessor are at least as protective of Customer Data as this DPA.

4.5 Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Uniphore shall have a right to use and disclose data relating to the operation, support, and use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development, sales and marketing. To the extent any such data is considered Personal Data under Data Protection Laws, Uniphore is the Data Controller of such data and accordingly shall process such data in accordance with the Uniphore Privacy Policy and Data Protection Laws.

Subprocessing

5.1 Authorized Sub-processors.  Customer agrees that Uniphore may engage Sub-processors to process Customer Data on Customer’s behalf. Uniphore may continue to use those Sub-processors already engaged by Uniphore as at the date of this Addendum.

5.2 Sub-processor Obligations. Uniphore shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws of India; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Uniphore to breach any of its obligations under this DPA.

Security

6.1 Security Measures.  Uniphore shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with Uniphore’s security standards described in Annex A (“Security Measures”).

6.2 Updates to Security Measures.  Customer is responsible for reviewing the information made available by Uniphore relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws of India.   Customer acknowledges that the Security Measures are subject to technical progress and development and that Uniphore may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.

6.3 Customer Responsibilities.  Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.

Security Reports and Audits

7.1 Uniphore shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm Uniphore’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year.

International Transfers

8.1 Data center locations.  Uniphore may transfer and process Customer Data anywhere in the world where Uniphore, its Affiliates or its Sub-processors maintain data processing operations.  Uniphore shall at all times provide an adequate level of protection for the Customer Data processed, in accordance with the requirements of Data Protection Laws.

Additional Security

9.1 Confidentiality of processing.  Uniphore shall ensure that any person who is authorized by Uniphore to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

9.2 Security Incident Response.  Upon becoming aware of a Security Incident, Uniphore shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known within 48 hours on a reasonable efforts basis.

Limitation of Liability

10.1 Subject to the additional Clauses in Appendix IV and notwithstanding any other terms of the Agreement or this DPA, and to the full extent allowable under applicable law, Uniphore’s total aggregate liability in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of this DPA, any collateral contract insofar as it relates to the obligations set out in this DPA, or Applicable Data Protection Laws shall be limited to the higher of $10,000 or the actual fees paid by the Customer under the Agreement or the relevant purchase document(s) in the twelve (12) month period immediately preceding the date the first claim arises.

Changes to Sub-processors.

To the extent EU Data Protection Law applies to the Services Uniphore is providing Customer under the Agreement, the terms in this Section 11 shall apply:

11.1 Uniphore shall (i) provide an up-to-date list of the Sub-processors it has appointed upon written request from Customer; and (ii) notify Customer (for which email shall suffice) if it adds or removes Sub-processors at least 10 days prior to any such changes.

11.2 Customer may object in writing to Uniphore’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution.  If this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).

Return or Deletion of Data

12.1 Upon termination or expiration of the Agreement, Uniphore shall (at Customer’s election) delete or return to  Customer all Customer Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Uniphore is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Uniphore shall securely isolate and protect from any further processing, except to the extent required by applicable law.

Cooperation