Effective Date: April 18, 2026
Version: 1.1
Company: 2845341 Ontario Inc. (VocaIQ)
This Data Processing Addendum ("DPA") supplements and is incorporated into the VocaIQ Terms of Service at /legal/terms-of-service (the "Agreement"). It applies wherever 2845341 Ontario Inc. ("Processor") processes Personal Data on behalf of the Customer ("Controller") in connection with the VocaIQ Services. Where there is a conflict between this DPA and the Agreement, this DPA prevails with respect to data protection matters. This DPA is intended to satisfy the requirements of GDPR Article 28 and analogous provisions under PIPEDA and other applicable privacy laws.
1. Definitions
Capitalised terms used in this DPA have the following meanings:
- "Controller" means the Customer who determines the purposes and means of processing Personal Data.
- "Processor" means 2845341 Ontario Inc. (VocaIQ), which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Law.
- "Data Protection Law" means GDPR, UK GDPR, PIPEDA, CCPA, and any other applicable privacy or data protection statute, regulation, or binding guidance.
- "GDPR" means EU Regulation 2016/679 and any national implementing legislation.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Sub-processor" means any third party engaged by the Processor to carry out Processing activities on behalf of the Controller.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries pursuant to GDPR Article 46(2)(c).
2. Scope and Nature of Processing
2.1 Subject Matter
The Processor processes Personal Data for the purpose of delivering the VocaIQ AI voice agent platform, including inbound and outbound call handling, transcription, CRM synchronisation, appointment scheduling, SMS notifications, and related Services as described in the Agreement.
2.2 Categories of Data Subjects
- Customers' employees, agents, and authorised users of the platform.
- Callers and contacts who interact with the Customer's AI voice agent.
- Leads and CRM contacts synchronised by the Customer.
2.3 Categories of Personal Data
- Identity data: name, job title.
- Contact data: email address, telephone number, business address.
- Call data: audio recordings, voice transcripts, call metadata.
- CRM data: lead status, appointment history, notes.
- Technical data: IP addresses, session logs, authentication tokens.
2.4 Duration of Processing
The Processor shall process Personal Data for the duration of the Agreement unless instructed otherwise in writing, and thereafter as required by applicable law or as specified in Section 12 of this DPA.
3. Controller Obligations
The Controller represents and warrants that: (a) it has a valid legal basis for processing each category of Personal Data prior to making it available to the Processor; (b) it has provided all required notices to data subjects and obtained all necessary consents; (c) its instructions to the Processor comply with applicable Data Protection Law; and (d) it has authority to enter into this DPA on behalf of itself and, where applicable, its affiliates.
4. Processor Obligations
The Processor shall:
- (a) Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before Processing unless prohibited by law;
- (b) Ensure that persons authorised to process Personal Data are subject to binding confidentiality obligations;
- (c) Implement and maintain appropriate technical and organisational measures as described in Section 7;
- (d) Assist the Controller in complying with data subject rights requests as described in Section 9;
- (e) Make available all information reasonably necessary to demonstrate compliance with this DPA;
- (f) Notify the Controller promptly if any instruction from the Controller infringes applicable Data Protection Law.
5. Sub-processors
5.1 General Authorisation
The Controller provides general authorisation to the Processor to engage Sub-processors. The current list of Sub-processors is maintained at /legal/subprocessor-list.
5.2 Change Notification
The Processor shall provide at least 30 days' advance written notice of any intended addition or replacement of Sub-processors. The Controller may object to a new Sub-processor on reasonable data protection grounds by notifying the Processor in writing within 14 days of the notice. If the parties cannot resolve the objection, the Controller may terminate the affected Services without penalty.
5.3 Sub-processor Obligations
The Processor shall impose data protection obligations on each Sub-processor that are no less protective than those in this DPA and shall remain liable for each Sub-processor's acts and omissions.
6. International Data Transfers
6.1 Transfer Mechanisms
Where the Processor transfers Personal Data from the European Economic Area (EEA), UK, or Switzerland to a country that does not benefit from an adequacy decision, the transfer shall be governed by the applicable EU Standard Contractual Clauses (Controller-to-Processor, Module 2) as issued by the European Commission, which are incorporated by reference into this DPA. Canada benefits from an adequacy decision with respect to PIPEDA-covered organisations; transfers to 2845341 Ontario Inc. in Canada therefore rely on the adequacy decision as the primary transfer mechanism.
6.2 Onward Transfers
Where a Sub-processor is located outside the EEA or an adequate jurisdiction, the Processor shall ensure appropriate SCCs or equivalent safeguards are in place prior to transfer. Details are available in the Subprocessor List at /legal/subprocessor-list.
7. Technical and Organisational Measures (TOMs)
The Processor shall implement and maintain the following minimum technical and organisational security measures. Detailed descriptions are available in the Security Overview.
- Encryption in transit: TLS 1.3 for all data transmitted between systems and clients.
- Encryption at rest: AES-256 encryption for all stored Personal Data.
- Access control: Role-based access controls, principle of least privilege, and multi-factor authentication for all production system access.
- Data segregation: Multi-tenant architecture with row-level security (RLS) ensuring logical separation of Customer data.
- Audit logging: Logging of all access to Personal Data with tamper-resistant retention.
- Vulnerability management: Annual penetration testing and continuous vulnerability monitoring.
- Business continuity: Daily encrypted backups retained for 30 days; documented recovery procedures.
- Personnel training: Regular data protection and security training for all personnel with access to Personal Data.
- Vendor due diligence: Security assessments of Sub-processors prior to engagement.
The Processor may update TOMs over time provided the overall level of protection is not materially reduced.
8. Security Incident and Breach Notification
8.1 Internal Detection
The Processor shall maintain internal incident response procedures with a target detection-to-assessment timeline of 24 hours.
8.2 Notification to Controller
Upon becoming aware of a Security Incident affecting Personal Data processed on behalf of the Controller, the Processor shall notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware. Notification shall include, to the extent known at the time:
- Description of the nature of the Security Incident;
- Categories and approximate number of data subjects affected;
- Categories and approximate number of Personal Data records affected;
- Name and contact details of the data protection point of contact;
- Likely consequences of the Security Incident;
- Measures taken or proposed to address the Security Incident.
Notification may be provided in phases as information becomes available. Notification to the Controller does not constitute an admission of fault or liability.
8.3 Controller Obligations
The Controller remains responsible for determining whether to notify affected data subjects and supervisory authorities under applicable Data Protection Law.
9. Data Subject Rights Assistance
The Processor shall assist the Controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability, and objection) by making available the technical mechanisms necessary to retrieve, correct, or delete Personal Data. Where a data subject contacts the Processor directly, the Processor shall promptly forward the request to the Controller. The Controller is responsible for responding to such requests within the timelines required by applicable Data Protection Law.
10. Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, to the extent such assessments relate to the Processor's processing activities and the Processor possesses relevant information.
11. Audit Rights
The Processor shall make available all information reasonably necessary to demonstrate compliance with this DPA. Upon at least 30 days' prior written notice, and no more than once per calendar year (absent reasonable cause), the Processor shall allow the Controller or its designated third-party auditor (subject to confidentiality obligations and provided the auditor is not a competitor of the Processor) to audit the Processor's relevant data processing facilities and records. The parties agree that an up-to-date SOC 2 Type I or Type II report, where available, may satisfy the Controller's audit requirements in lieu of an on-site audit.
12. Return and Deletion of Personal Data
Upon termination or expiration of the Agreement, the Processor shall:
- Continue to make Customer Data available for export for 30 days following the effective date of termination ("Export Window").
- Delete Customer Data from production systems within 60 days after the Export Window closes, subject to retention required by applicable law or for legitimate legal defense purposes.
- Purge backup copies of Customer Data within 90 days.
At the Controller's written request, the Processor shall provide a certificate of deletion. The Controller is solely responsible for exporting any Customer Data it wishes to retain prior to the expiration of the Export Window.
13. Confidentiality of Processing
The Processor shall ensure that all persons who have access to Personal Data are bound by written confidentiality obligations and are informed of the applicable data protection requirements. Access is restricted to those who need it to perform their duties.
14. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Agreement. To the extent permitted by applicable Data Protection Law, the liability cap in the Agreement applies to any claims arising under this DPA. Nothing in this DPA limits either party's liability for personal data breaches caused by the party's wilful misconduct or gross negligence, to the extent such limitation is prohibited by applicable law.
15. Signatures
This DPA takes effect automatically upon the Customer's acceptance of the Terms of Service. No separate signature is required for standard customers. Enterprise customers requiring a countersigned copy should contact [email protected].
For enterprise or custom DPA execution, the following signature block applies:
| Processor | Controller |
|---|---|
| 2845341 Ontario Inc. (VocaIQ) | Customer Legal Name: ______________________________ |
| Signed: ______________________________ | Signed: ______________________________ |
| Name: ______________________________ | Name: ______________________________ |
| Title: ______________________________ | Title: ______________________________ |
| Date: ______________________________ | Date: ______________________________ |
Contact
For questions regarding this Data Processing Addendum or to request a signed copy, please contact:
2845341 Ontario Inc. - Privacy & Legal
Email: [email protected]
Address: 215 Daffodil Court
Website: https://vocaiq.ai
Schedule - Quebec Privacy Law Addendum
This Schedule supplements the Data Processing Agreement between 2845341 Ontario Inc. ("VocaIQ") and Customer and applies where Customer instructs VocaIQ to process personal information of residents of the Province of Quebec.
1. Applicable Law
For personal information of Quebec residents, processing is subject to An Act Respecting the Protection of Personal Information in the Private Sector (CQLR c P-39.1) as amended by Law 25 (S.Q. 2021, c. 25). To the extent of any conflict between this Schedule and the main body of the DPA, this Schedule governs with respect to Quebec-resident data subjects.
2. Roles and Responsibilities
Customer is the "enterprise" responsible for determining the purposes and means of processing personal information of Quebec residents, and is responsible for: (a) appointing its own person in charge of personal information protection with authority over Customer's AI agent deployment; (b) publishing the contact details of that person; (c) obtaining valid, explicit, and informed consent from Quebec-resident data subjects prior to collection; and (d) conducting privacy impact assessments for any high-risk processing activities, including AI-driven profiling or automated decision-making.
3. Person in Charge
2845341 Ontario Inc. has designated Martin Jirgenson, Director as its person in charge of personal information protection within the meaning of Law 25. Customer may contact [email protected] regarding any Law 25 compliance matter related to VocaIQ's processing activities.
4. Privacy Impact Assessments
VocaIQ has conducted privacy impact assessments in respect of: (a) its AI voice agent platform and associated processing activities; and (b) its cross-border transfers of personal information to the United States. Summaries of applicable PIA outcomes are available to Customer upon written request. Customer must conduct its own PIA before deploying VocaIQ's platform in any context involving Quebec-resident data subjects.
5. Automated Decision-Making
VocaIQ acknowledges that its AI voice agents may render, or assist in rendering, decisions affecting Quebec-resident data subjects based on automated processing. Customer is solely responsible for: (a) determining whether any decision rendered through the platform constitutes an "exclusively automated" decision within the meaning of Section 12.1 of the Act; (b) providing the required notice to affected data subjects; and (c) establishing a meaningful human review mechanism. VocaIQ will, upon Customer's reasonable request, provide information about the factors and parameters used by VocaIQ's processing components to assist Customer in fulfilling its disclosure obligations.
6. Cross-Border Transfers
VocaIQ transfers personal information of Quebec residents to the United States for processing. VocaIQ has conducted a privacy impact assessment of this transfer and has determined that, through contractual safeguards including the provisions of this DPA and data processing agreements with its subprocessors, the personal information will receive protection equivalent to that afforded in Quebec.