This Data Processing Addendum and Standard Contractual Clauses ("DPA") supplements the master subscription agreement or terms of service agreement between VoiceAIWrapper, a product of New XP Technologies Limited, HK ("VoiceAIWrapper") and Customer (the "Agreement"), when the GDPR applies to Customer's use of VoiceAIWrapper's Services to Process Customer Data. Except as amended by this DPA, the Agreement will remain in full force and effect.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
This DPA was last updated July 10, 2025. VoiceAIWrapper reserves the right to periodically modify this DPA upon written notice to Customer, and such modification will automatically become effective in the next service term.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Nothing in this Addendum is intended to alter or have any adverse effect on the Standard Contractual Clauses incorporated into this Addendum in Exhibit A ("Standard Contractual Clauses"). In the event that a competent government authority determines that a conflict exists between the Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail. If there is a conflict between any other agreement between the Parties including the Agreement and this DPA, the terms of this DPA will control.
1. Definitions
For the purposes defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below.
1.1 "Agreement" means any agreement between VoiceAIWrapper and a specific customer under which Services are provided by VoiceAIWrapper to that Customer. Such an agreement may have various titles, including but not limited to "Order Form," "Sales Order," or "Master Subscription Agreement."
1.2 "Customer" means the entity which determines the purposes and means of Processing of Customer Data. Customer may also be referred to as Data Controller.
1.3 "Customer Data" means any "personal data" (as defined in GDPR) that is provided by or on behalf of Customer and Processed by VoiceAIWrapper pursuant to the Agreement.
1.4 "Data Protection Laws" means all laws and regulations, including laws and binding regulations of the European Union, the European Economic Area ("EEA") and their member states, Switzerland and the United Kingdom, and any amending or replacement legislation from time to time, applicable to the Processing of Customer Data under the Agreement.
1.5 "GDPR" means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC and the UK GDPR and the Data Protection Act 2018.
1.6 "Permitted Purpose" means the use of the Customer Data to the extent necessary for provision of the Services by VoiceAIWrapper to the Customer.
1.7 "Security Incident" means any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of Customer Data.
1.8 "Services" means the VoiceAIWrapper voice AI white-label platform services and related services provided under the Agreement.
1.9 "Standard Contractual Clauses" means the agreement, attached as Exhibit A, pursuant to the European Commission decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries.
1.10 "Sub-processor" means any entity engaged by VoiceAIWrapper to Process Customer Data in connection with the Services.
1.11 "Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to the GDPR and the Information Commissioner, as the UK's independent data protection authority.
1.12 Terms such as "Data Subject," "Processing," "Controller," and "Processor" shall have the meaning ascribed to them in the GDPR.
1.13 "Third-Party Services" means connections and/or links to third party websites and/or services not included in the core Services offerings identified in the Agreement, including without limitation voice AI provider programmatic interfaces.
1.14 "UK SCC Addendum" means, attached as Annex IV, the United Kingdom International Data Transfer Addendum to the European Commission's Standard Contractual Clauses for International data transfers version B1.0 issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act of 2018 and entering into force on 21 March 2022, as updated, amended, or replaced from time to time.
2. Data Processing
2.1 Data Processing Activities
2.1.1 Subject Matter. VoiceAIWrapper's provision of the Services to the Customer.
2.1.2 Nature and Purpose. VoiceAIWrapper will process Customer Data for the purposes of providing the Services (including administration, operations, technical and customer support), to Customer in accordance with the Agreement.
2.1.3 Roles of the Parties. The Parties acknowledge that with regard to the processing of Customer Data, Customer will be the Controller of the Customer Data and VoiceAIWrapper will be the Processor of such Customer Data. Customer understands that to the extent Third-Party Services are accessed, Customer serves as the Controller and, in turn, Customer must ensure that the Third-Party Services are not Sub-processors of VoiceAIWrapper.
2.1.4 Customer Instructions. The Parties agree this DPA and the Agreement constitute Customer's documented instructions regarding VoiceAIWrapper's processing of Customer Data, and VoiceAIWrapper will Process Customer Data in accordance with these documented instructions.
2.1.5 Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the GDPR. VoiceAIWrapper will be responsible for determining the requirements of laws applicable to Customer's business or that VoiceAIWrapper's provision of the Services meet the requirements of such laws.
2.2 Categories of Data and Data Subjects
2.2.1 Categories of Personal Data:
Contact information (names, email addresses, phone numbers)
Business information (company names, business addresses)
Account and billing information
Voice call metadata and analytics
Voice recording links and references
Usage and analytics data
Customer support communications
End-user interaction data (phone numbers, email addresses, personal details collected during voice calls)
2.2.2 Categories of Data Subjects:
Customer's employees and authorized users
Customer's customers and end-users
Individuals who interact with Customer's voice AI agents
Customer support contacts
3. Customer Obligations
3.1 Instructions. Customer shall provide instructions to VoiceAIWrapper pursuant to this DPA that comply with the Data Protection Laws.
3.2 Data Subject and Supervisory Authority Requests. The Customer shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under the Data Protection Laws, and all communications from Supervisory Authorities that relate to Customer Data, in accordance with Data Protection Laws. To the extent such requests or communications require VoiceAIWrapper's assistance, the Customer shall notify VoiceAIWrapper in writing.
3.3 Notice, Consent and Other Authorizations. Customer is responsible for providing the necessary notice to the Data Subjects under the Data Protection Laws. Customer is responsible for obtaining, and demonstrating evidence that it has obtained, all necessary consents, authorizations and required permissions under the Data Protection Laws in a valid manner for VoiceAIWrapper to perform the Services.
3.4 White-Label Compliance. Where Customer uses VoiceAIWrapper's white-label services, Customer acknowledges and agrees that Customer is responsible for ensuring compliance with all applicable Data Protection Laws in relation to Customer's end-users and their personal data.
4. VoiceAIWrapper's Obligations
4.1 Scope of Processing. VoiceAIWrapper will Process Customer Data on documented instructions from the Customer, and in such manner as is necessary for the provision of Services and as required to comply with applicable law to which VoiceAIWrapper is subject. If VoiceAIWrapper believes any documented instruction or additional processing instruction from Customer violates the GDPR or other Data Protection Laws, VoiceAIWrapper will inform Customer without delay and may suspend the performance of the Services until the instruction is modified or Customer confirms the lawfulness of the additional processing instruction in writing.
4.2 Data Subject Requests. If VoiceAIWrapper receives a request from any Data Subject made under Data Protection Laws relating to Customer Data, VoiceAIWrapper will provide a copy of the request to Customer within two (2) business days of receipt. VoiceAIWrapper provides Customer with tools to enable Customer to respond to Data Subjects' requests to exercise their rights under the Data Protection Laws.
4.3 Supervisory Authority Requests. VoiceAIWrapper will notify the Customer in writing within two (2) business days of addressing any communications and abiding by any advice or orders from the Supervisory Authority relating to the Customer Data.
4.4 Retention. VoiceAIWrapper will retain Customer Data for as long as the Customer deems it necessary for the Permitted Purpose, or as required by applicable laws. At the termination of this DPA, or upon Customer's written request, VoiceAIWrapper will either destroy or return the Customer Data to the Customer, unless extended storage is required by applicable laws.
4.5 Disclosure to Third Parties and Confidentiality. VoiceAIWrapper will not disclose the Customer Data to third parties except as permitted by this DPA or the Agreement, unless disclosure is required by law. VoiceAIWrapper shall (to the extent permitted by law) notify the Customer in writing and liaise with the Customer before complying with such disclosure request.
4.6 Security Measures. VoiceAIWrapper will implement appropriate technical and organizational measures to protect Customer Data against Security Incidents. Details of VoiceAIWrapper's security measures are set out in the VoiceAIWrapper Security Policy, available at the VoiceAIWrapper website, and incorporated herein by reference.
4.7 Sub-processors. Customer acknowledges and agrees that VoiceAIWrapper may engage Sub-processors to Process Customer Data. A current list of Sub-processors is available in the VoiceAIWrapper Sub-processors document. VoiceAIWrapper will provide Customer with at least thirty (30) days' notice of any changes to Sub-processors. Customer may object to VoiceAIWrapper's appointment of a new Sub-processor by notifying VoiceAIWrapper in writing within thirty (30) days of such notice.
4.8 Data Protection Impact Assessment. VoiceAIWrapper will provide reasonable assistance to Customer in conducting data protection impact assessments and consultations with Supervisory Authorities, to the extent required by the GDPR and to the extent VoiceAIWrapper has access to relevant information.
4.9 Security Incident Response. VoiceAIWrapper will notify Customer of any Security Incident without undue delay and in any event within seventy-two (72) hours after becoming aware of the Security Incident. Such notification will include available information about the nature of the Security Incident and the steps taken to address it.
4.10 Audit Rights. Customer may conduct audits of VoiceAIWrapper's compliance with this DPA. Customer may request information about VoiceAIWrapper's compliance with this DPA, including VoiceAIWrapper's SOC 2 Type II reports and other relevant security certifications.
5. International Data Transfers
5.1 Data Transfer Mechanisms. To the extent that VoiceAIWrapper Processes Customer Data in a country that has not been designated by the European Commission as providing adequate protection for personal data, the parties will execute the Standard Contractual Clauses attached as Exhibit A.
5.2 Additional Safeguards. VoiceAIWrapper implements additional technical and organizational measures to protect Customer Data in international transfers, including encryption, access controls, and secure data centers.
6. Liability and Indemnification
6.1 Liability. Each party's liability under this DPA will be subject to the limitations and exclusions of liability set out in the Agreement.
6.2 Sub-processor Liability. VoiceAIWrapper will be liable for the acts and omissions of its Sub-processors to the same extent as if such acts and omissions were performed by VoiceAIWrapper directly under the terms of this DPA.
7. Term and Termination
7.1 Term. This DPA will remain in effect for as long as VoiceAIWrapper Processes Customer Data on behalf of Customer.
7.2 Termination. Upon termination of this DPA, VoiceAIWrapper will cease all Processing of Customer Data and will delete or return Customer Data in accordance with the Agreement and applicable law.
8. Governing Law and Jurisdiction
This DPA will be governed by and construed in accordance with the governing law provisions set out in the Agreement. Any disputes arising under this DPA will be subject to the exclusive jurisdiction provisions set out in the Agreement.
EXHIBIT A
STANDARD CONTRACTUAL CLAUSES (Transfer controller to processor)
Standard Contractual Clauses for the Transfer of Personal Data to Third Countries Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council
The parties have agreed to the following Standard Contractual Clauses (the "Clauses") in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data controller to the data processor of the personal data specified in Annex I.
SECTION I
Clause 1 - Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
(b) The Parties: (i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter "entity/ies") transferring the personal data, as listed in Annex I.A. (hereinafter each "data controller"); and (ii) the entity/ies in a third country receiving the personal data from the data controller, as listed in Annex I.A. (hereinafter each "data processor") have agreed to these standard contractual clauses (hereinafter: "Clauses").
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Annex to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2 - Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors, Article 28(4) of Regulation (EU) 2016/679, by ensuring that the data controller is subject to the same level of protection as the data subject.
(b) These Clauses are without prejudice to obligations to which the data controller is subject by virtue of Regulation (EU) 2016/679.
Clause 3 - Third-party beneficiaries
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data controller and/or data processor, with the following exceptions: (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7; (ii) Clause 8 - Module Two: Clause 8.5 (e) and Clause 8.9(b); (iii) Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); (iv) Clause 12 - Module Two: Clause 12(a), (d) and (f); (v) Clause 13; (vi) Clause 15.1(c), (d) and (e); (vii) Clause 16(e); (viii) Clause 18 - Module Two: Clause 18(a) and (b).
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4 - Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5 - Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6 - Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 - Docking clause
(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data controller or a data processor, by completing the Annex and signing Annex I.A.
(b) Once it has completed the Annex and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data controller or a data processor in accordance with its designation in Annex I.A.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8 - Data protection safeguards
The data controller warrants that it has used reasonable efforts to determine that the data processor is able, through the implementation of appropriate technical and organizational measures, to satisfy the obligations under these Clauses.
8.1 Purpose limitation
The data processor shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose: (a) where it has obtained the data subject's prior consent; (b) where necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or (c) where necessary to protect the vital interests of the data subject or of another natural person.
8.2 Transparency
On request, the data controller shall make a copy of these Clauses, including the Annex as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data controller may redact part of the text of the Annex prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights.
8.3 Accuracy and data minimization
Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data controller shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay. The data processor shall process the personal data only to the extent and for as long as necessary for the purpose(s) specified in Annex I.B.
8.4 Storage limitation
The data processor shall retain the personal data for no longer than necessary for the purpose(s) specified in Annex I.B. On expiry of the retention period, the data processor shall delete or return the personal data to the data controller, unless the retention of the personal data is required by the law of the third country.
8.5 Security of processing
(a) The data processor shall implement appropriate technical and organizational measures to ensure the security of the personal data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (hereinafter 'personal data breach').
(b) The data processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. The data processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data processor under these Clauses, the data processor shall take appropriate measures to address the personal data breach, including measures to mitigate its adverse effects.
(d) The data processor shall cooperate with and assist the data controller to enable the data controller to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data processor.
8.6 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person's sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter 'sensitive data'), the data processor shall apply specific restrictions and/or additional safeguards.
8.7 Onward transfers
The data processor shall not transfer the personal data to a third party located in a third country or an international organization without the prior written authorization of the data controller. If the data processor is authorized by the data controller to make an onward transfer, the data processor shall ensure that the third party has entered into a contract with the data processor which provides the same level of protection as these Clauses.
8.8 Processing under the authority of the data controller
The data processor shall not process the personal data except on documented instructions from the data controller. If the data processor cannot provide such processing (for example, due to conflicts with the legal requirements in the third country), it shall promptly inform the data controller and suspend the processing until the data controller issues new instructions.
8.9 Documentation and compliance
(a) Each Party shall be able to demonstrate compliance with its obligations under these Clauses. In particular, the data processor shall keep appropriate documentation of the processing activities carried out under the responsibility of the data controller.
(b) The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations set out in these Clauses and allow for and contribute to audits.
Clause 9 - Use of sub-processors
(a) The data processor has the data controller's general authorization for the engagement of sub-processor(s) from an agreed list. The data processor shall specifically inform the data controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data processor shall provide the data controller with the information necessary to enable the data controller to exercise its right to object.
(b) Where the data processor engages a sub-processor to carry out specific processing activities (on behalf of the data controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data processor under these Clauses.
(c) The data processor shall remain fully liable to the data controller for the performance of the sub-processor's obligations under its contract with the data processor.
Clause 10 - Data subject rights
(a) The data processor shall promptly notify the data controller of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorized to do so by the data controller.
(b) The data processor shall assist the data controller in fulfilling its obligations to respond to data subjects' requests for the exercise of their rights under Regulation (EU) 2016/679.
Clause 11 - Redress
(a) The data processor shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion.
Clause 12 - Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data controller shall not be liable for any damages caused by a breach of these Clauses by the data processor.
(d) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
Clause 13 - Supervision
(a) The supervisory authority with responsibility for ensuring compliance by the data controller with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
(b) The data processor shall submit itself to the jurisdiction of and agree to comply with the orders of the competent supervisory authority with regard to the data transfer.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14 - Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data processor prevent the data processor from fulfilling the obligations under these Clauses.
(b) The Parties undertake to regularly monitor whether the laws and practices in the third country of destination applicable to the processing of the personal data by the data processor continue to provide sufficient safeguards for the personal data.
Clause 15 - Obligations of the data processor under local laws
(a) The data processor shall notify the data controller and, where possible, the data subject promptly (where appropriate, with the help of the data controller) of any legal requirements under the laws of the third country of destination that are not aligned with the requirements under these Clauses.
(b) The data processor shall provide the data controller with relevant information about the legal requirements under the laws of the third country of destination.
Clause 16 - Non-compliance with the Clauses and termination
(a) The data processor shall promptly inform the data controller if it is unable to comply with these Clauses.
(b) In the event that the data processor is in breach of these Clauses or unable to comply with these Clauses, the data controller shall suspend the transfer of personal data to the data processor until compliance is again ensured or the contract is terminated.
SECTION IV – FINAL PROVISIONS
Clause 17 - Governing law
These Clauses shall be governed by the law of the EU Member State in which the data controller is established.
Clause 18 - Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The data subject may also bring legal proceedings against the data controller and/or data processor before the courts of the Member State in which he/she has his/her habitual residence.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): Customer (as defined at the end of the DPA document)
Data processor(s): VoiceAIWrapper (a product of New XP Technologies Limited)
Activities relevant to the data transferred: Provision of voice AI white-label platform services
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Customer's employees and authorized users
Customer's customers and end-users
Individuals who interact with Customer's voice AI agents
Customer support contacts
Categories of personal data transferred:
Contact information (names, email addresses, phone numbers)
Business information (company names, business addresses)
Account and billing information
Voice call metadata and analytics
Voice recording links and references
Usage and analytics data
Customer support communications
End-user interaction data
Sensitive data transferred (if applicable): None, unless specifically configured by Customer
The frequency of the transfer: Continuous during the term of the Agreement
Nature of the processing: Collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction
Purpose(s) of the data transfer and further processing: Provision of voice AI white-label platform services
The period for which the personal data will be retained: As specified in the DPA and Privacy Policy
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
If the first option applies, where the Customer is established in an EU Member State: the competent supervisory authority shall be the supervisory authority of that EU Member State in which Customer is established; or
If the second option applies, where the Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU representative under Article 27 of the GDPR: competent supervisory authority shall be the supervisory authority of the EU Member State in which Customer’s EU representative relevant to the processing hereunder is based (from time-to-time); or
If the third option applies, where the Customer is not established in an EU Member State, Article 3(2) of the GDPR applies, but Customer has not appointed an EU representative under Article 27 of the GDPR, the competent supervisory authority shall be: the supervisory authority of the EU Member State notified in writing to team@newxp.co, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located.
ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES
The technical and organizational measures implemented by the data processor are described in detail in the VoiceAIWrapper Security Policy.
This agreement is hereby executed between:
VoiceAIWrapper New XP Technologies Limited | Customer Company Name: _____________ |
Name: SP Parasar | Name: _______________________ |
Contact: team@newxp.co | Contact: _____________________ |
Title: Data Protection Officer | Title: ________________________ |
Date: ____________________ | Date: ____________________ |