
Data Processing Agreement

Version 1.0 — Last Updated: 5/12/2026

Template pending counsel review.

This Data Processing Agreement is provided as a standing offer from TOL LLC. It will be executed on request by EU, UK, California, or other customers who require one for their own compliance obligations. Customers who require a countersigned copy with tailored terms should contact privacy@callisabel.com.

Parties

This Data Processing Agreement ("Agreement" or "DPA") forms part of the Terms of Service (the "Principal Agreement") between:

Customer — the legal entity identified in the Principal Agreement that subscribes to the Isabel voice assistant service (the "Company" and "Data Controller"); and

TOL LLC, operator of the Isabel voice assistant service (the "Data Processor" or "Processor").

(together, the "Parties").

By accepting the Terms of Service, the Customer accepts this DPA. TOL LLC will countersign a copy on request.

Recitals

  • The Customer acts as a Data Controller with respect to personal data Processed through the Service.
  • The Customer wishes to subcontract processing of that personal data to TOL LLC in connection with the Isabel voice assistant Service.
  • The Parties seek to implement a data processing agreement that complies with the GDPR (EU Regulation 2016/679), the UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), as applicable.
  • The Parties wish to lay down their rights and obligations.

1. Definitions and Interpretation

Unless otherwise defined herein, capitalized terms have the following meaning:

  • "Agreement" means this DPA and all Schedules.
  • "Company Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of the Customer in connection with the Principal Agreement, including call audio, call transcripts, caller phone numbers, and caller-provided metadata.
  • "Contracted Processor" means TOL LLC or a Subprocessor.
  • "Data Protection Laws" means EU Data Protection Laws, the UK GDPR, the CCPA/CPRA, and, to the extent applicable, the data protection or privacy laws of any other country.
  • "EEA" means the European Economic Area.
  • "EU Data Protection Laws" means the GDPR and laws implementing or supplementing it in the EEA, as amended or superseded from time to time.
  • "GDPR" means EU General Data Protection Regulation 2016/679.
  • "Data Transfer" means a transfer of Company Personal Data from the Customer to TOL LLC, or an onward transfer from TOL LLC to a Subprocessor or between two establishments of TOL LLC, in each case where such transfer would be prohibited by Data Protection Laws absent a lawful transfer mechanism.
  • "Services" means the Isabel AI voice assistant platform and related functions described in the Principal Agreement, including call answering, transcription, appointment scheduling, and caller-facing interactions on the Customer's behalf.
  • "Subprocessor" means any person appointed by or on behalf of TOL LLC to Process Company Personal Data on behalf of the Customer in connection with this Agreement.

The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" have the same meaning as in the GDPR.

2. Processing of Company Personal Data

TOL LLC shall:

  • comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
  • not Process Company Personal Data other than on the Customer's documented instructions, including as set out in the Principal Agreement and this DPA, unless required by applicable law.

The Customer instructs TOL LLC to Process Company Personal Data for the purposes of providing the Services, including answering inbound calls, generating transcripts and summaries, scheduling appointments through configured integrations, and fulfilling the Customer's configuration.

The subject-matter, duration, nature, purpose, categories of data, and categories of data subjects of the Processing are described in Schedule 1.

3. Processor Personnel

TOL LLC shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to individuals who need to know or access the relevant Company Personal Data as strictly necessary for the purposes of the Principal Agreement, and that such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, TOL LLC shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including where appropriate the measures referred to in Article 32(1) of the GDPR.

A summary of the technical and organizational measures in place at TOL LLC is set out in Schedule 2.

5. Subprocessing

The Customer grants TOL LLC general authorization to engage Subprocessors listed in Schedule 3. TOL LLC shall notify the Customer in advance of any intended changes to Subprocessors and give the Customer a reasonable opportunity to object on reasonable data protection grounds. TOL LLC shall impose on each Subprocessor data protection obligations substantially equivalent to those set out in this Agreement.

6. Data Subject Rights

Taking into account the nature of the Processing, TOL LLC shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, to enable the Customer to respond to requests to exercise Data Subject rights under Data Protection Laws.

TOL LLC shall:

  • promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
  • not respond to that request except on the Customer's documented instructions or as required by applicable law, in which case TOL LLC shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before responding.

7. Personal Data Breach

TOL LLC shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data Breach affecting Company Personal Data, providing the Customer with sufficient information to meet any obligation to report or inform Data Subjects under Data Protection Laws.

TOL LLC shall cooperate with the Customer and take reasonable commercial steps as directed by the Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

TOL LLC shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities that the Customer reasonably considers to be required under Articles 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by Contracted Processors and taking into account the nature of the Processing and information available to TOL LLC.

9. Deletion or Return of Company Personal Data

Subject to this Section 9, TOL LLC shall promptly and in any event within 30 days of the date of cessation of the Services involving the Processing of Company Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of Company Personal Data, save to the extent that applicable law requires retention of some or all of the Company Personal Data (in which case TOL LLC shall isolate and protect the retained data from any further Processing except to the extent required by such law).

The Customer may export Company Personal Data held by TOL LLC at any time before the Cessation Date by contacting privacy@callisabel.com.

10. Audit Rights

TOL LLC shall make available to the Customer on reasonable written request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer, subject to reasonable confidentiality obligations and advance notice of no less than 30 days.

To the extent TOL LLC already provides independent third-party audit reports (e.g. SOC 2, ISO 27001), the Customer's audit rights under this Section 10 will be deemed satisfied by provision of those reports, except where applicable law requires a direct audit.

11. Data Transfers

TOL LLC may transfer or authorize the transfer of Company Personal Data to countries outside the EEA, the United Kingdom, or Switzerland only where an appropriate lawful transfer mechanism is in place. Where such a transfer occurs, the Parties agree that the EU Commission's Standard Contractual Clauses (Module 2 or Module 3, as applicable) and, for UK transfers, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, are incorporated by reference into this Agreement and apply to the transfer.

TOL LLC is headquartered in the United States and hosts the Services on cloud infrastructure located in the United States. By accepting this DPA, the Customer authorizes transfers of Company Personal Data to the United States for the purposes described in Schedule 1, subject to the safeguards above.

12. CCPA / CPRA — Service Provider Terms

Where TOL LLC Processes personal information of California residents on the Customer's behalf, TOL LLC acts as a "service provider" as defined by the CCPA/CPRA. TOL LLC shall:

  • not sell or share personal information as those terms are defined by the CCPA/CPRA;
  • not retain, use, or disclose personal information for any purpose other than the specific purpose of performing the Services, or as otherwise permitted by the CCPA/CPRA;
  • not retain, use, or disclose personal information outside of the direct business relationship between the Parties; and
  • not combine personal information received from the Customer with personal information received from or on behalf of any other person, except as permitted by the CCPA/CPRA.

TOL LLC certifies that it understands the restrictions in this Section and will comply with them.

13. General Terms

Confidentiality. Each Party shall keep this Agreement and Confidential Information received about the other Party confidential and shall not use or disclose that Confidential Information without the prior written consent of the other Party, except to the extent that disclosure is required by law or the relevant information is already in the public domain.

Order of precedence. In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the Parties' data protection obligations.

Notices. All notices under this Agreement must be in writing and sent by email to the address set out in the Customer's account profile (for the Customer) and to privacy@callisabel.com (for TOL LLC).

14. Governing Law and Jurisdiction

This Agreement is governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict-of-laws rules. Any dispute arising in connection with this Agreement which the Parties cannot resolve amicably shall be submitted to the exclusive jurisdiction of the state and federal courts located in Delaware, except that where a mandatory forum is required by the Data Protection Laws of the Data Subject's jurisdiction, that forum shall apply.

Schedule 1 — Details of Processing

Subject matter: Provision of the Isabel AI voice assistant Service to the Customer.

Duration: For the term of the Principal Agreement, plus any retention period required by applicable law.

Nature and purpose of Processing: Receiving inbound telephone calls on behalf of the Customer; transcribing and summarizing those calls; scheduling appointments through Customer-configured integrations; storing call logs and recordings; sending notifications to the Customer.

Categories of Data Subjects:

  • Callers contacting the Customer's phone number.
  • The Customer's authorized users (e.g. staff accessing the dashboard).

Categories of Personal Data:

  • Caller phone number (ANI / CLI).
  • Call audio recordings and derived transcripts.
  • Caller-provided information (e.g. name, appointment preferences, messages).
  • Call metadata (timestamps, duration, disposition).
  • Customer account profile data (name, email, billing contact).

Special categories of Personal Data: The Customer should not route calls that routinely elicit special category data (Article 9 GDPR) through the Service without entering into an appropriate supplemental agreement with TOL LLC.

Schedule 2 — Technical and Organizational Measures

TOL LLC maintains the following measures, as further described in the Privacy Policy and security documentation:

  • Encryption in transit (TLS 1.2+) for all external connections.
  • Encryption at rest for integration OAuth tokens via AES-256-GCM envelope encryption backed by Google Cloud KMS.
  • Role-based access control for administrative functions and the principle of least privilege for internal access.
  • Structured audit logging with per-request correlation identifiers and retention.
  • Tiered rate limiting and webhook signature verification on external-facing endpoints.
  • Tenant isolation at the application layer with per-business access enforcement.
  • Regular dependency scanning and vulnerability remediation.
  • Incident response process with 72-hour breach notification commitment.
  • Confidentiality obligations on all personnel with access to Company Personal Data.

Schedule 3 — Authorized Subprocessors

The following Subprocessors are authorized as of the date of this Agreement. The up-to-date list is maintained at callisabel.com/dpa and customers may request advance notice of changes by contacting privacy@callisabel.com.

| Subprocessor | Purpose | Location |
| --- | --- | --- |
| Vapi | Voice AI orchestration, call transcription, assistant runtime | United States |
| Twilio | Telephony / phone number provisioning and call delivery | United States |
| Stripe | Payment processing and subscription billing | United States |
| Google Cloud Platform (Firebase, Firestore, Cloud Functions, KMS, App Hosting) | Application hosting, database, authentication, key management | United States |
| OpenAI / Anthropic (AI model providers) | Language model inference for assistant responses and summaries | United States |
| Typesense Cloud (where enabled) | Full-text search index over call logs | United States |

Additional sub-processors may apply where the Customer opts into optional integrations (e.g. Google Calendar, Slack, Calendly, Acuity, Zapier). The Customer's use of those integrations constitutes instruction to transmit Company Personal Data to the corresponding provider.

Execution

This DPA is entered into by the Customer's acceptance of the Principal Agreement. TOL LLC will countersign an executed copy on request by the Customer. To request a countersigned copy or a version with tailored terms, contact privacy@callisabel.com.

TOL LLC (Processor)

Signed on behalf of TOL LLC upon customer request.

Customer (Controller)

Accepted through the Principal Agreement.