Introduction

Effective date: April 8, 2026

This Data Processing Agreement (the “Agreement”) is incorporated into and forms part of the Terms of Use. In the event of any conflict between this Agreement and the Terms of Use with respect to the Processing of Personal Data, this Agreement shall prevail. Capitalized terms used but not defined in this Agreement shall have the meanings ascribed to them in the Terms of Use.

This Agreement is entered into by and between the Client and SupportYourApp.

This Agreement applies only to the extent that SupportYourApp processes Personal Data on behalf of the Client in the course of providing SupportYourApp's services, and where such Personal Data (as defined below) is subject to Applicable Data Protection Laws (as defined below) of the relevant jurisdiction, including the State of California, the European Union, the European Economic Area and/or its member states, Switzerland, and/or the United Kingdom.

Service Data may include Personal Data. To the extent that Service Data constitutes or contains Personal Data subject to Applicable Data Protection Law, it shall be governed by this Agreement. All other Service Data is governed solely by the Terms of Use.

1. DEFINITIONS

Unless defined in the Terms of Use, all capitalized terms used in this Agreement shall have the meanings given them below:

1.1 Applicable Data Protection Law means any applicable privacy and data protection laws and regulations. For Personal Data from Europe: Applicable Data Protection Law includes, but is not limited to, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the Swiss Federal Act of 19 June 1992 on Data Protection (as may be amended or superseded) and related ordinances (“FADP”), the Data Protection Act (DPA 2018), as amended, and the GDPR as incorporated into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws (“UK Data Protection Law”), and the binding laws and regulations of the European Union, the European Economic Area (“EEA”) and/or their member states, Switzerland, and the United Kingdom. For Personal Data from the United States: Applicable Data Protection Law includes, but is not limited to, federal and state privacy laws as they may apply, including the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act, and all other applicable comprehensive U.S. state data privacy laws, collectively referred to as “Applicable U.S. Data Protection Law”. “Applicable Data Protection Law” excludes (a) laws requiring the localisation of Personal Data and (b) laws specific to the Client or Client’s industry that are not generally applicable to the Provider as Processor.

1.2 Controller means the entity which determines the purposes and means of the Processing of Personal Data. With respect to Personal Data from California residents, Controller shall include the term "Business" according to the meaning given to that term in the CCPA.

1.3 Data Subject means (i) an individual who is the subject of Personal Data; or (ii) a "Consumer" as the term is defined in the CCPA.

1.4 EU SCCs means the standard contractual clauses for the transfer of Personal Data to Controllers and Processors established in third countries, adopted by the European Commission from time to time, the adopted version of which in force at the date of signature of this DPA is that set out in the Annex to the European Commission’s Implementing Decision 2021/914 of 4 June 2021, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914, and as may be amended or replaced from time to time.

1.5 HIPAA means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended from time to time.

1.6 Party means either Client or SupportYourApp, and "Parties" means Client and SupportYourApp.

1.7 Personnel means any employee, agent, contractor, work-for-hire or any other person working under the direct authority of SupportYourApp.

1.8 Processor has the meaning given in Applicable Data Protection Law; with respect to Personal Data from California residents, Processor shall include the term "Service provider" according to the meaning given to that term in the CCPA.

1.9 Service Data means all electronic data, text, messages, communications or other materials submitted to and processed within the scope of the Services by Client, Users, and End-Users.

1.10 Services means the services described in the Terms of Use.

1.11 Sub-processor means any third party processor engaged by SupportYourApp to assist in fulfilling its obligations with respect to providing the Services pursuant to the Terms of Use or this Agreement in accordance with Client's instructions and the terms of its written subcontract.

1.12 Terms of Use means the agreement between Client and SupportYourApp for the provision of the Services.

1.13 Third Party Services means third-party products, applications, services, software, networks, systems, directories, websites, and databases that are connected to or integrated with the Services.

1.14 UK Addendum means the UK ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’, available at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.

The terms "Personal Data", "Processing", "Process", "Supervisory Authority", and "Personal Data Breach" shall have the meanings set out in the Applicable Data Protection Law even if such terms are not capitalized in this Agreement.

2. SCOPE, ROLES AND DATA OWNERSHIP

2.1 Scope. This Agreement governs the processing of Personal Data by SupportYourApp on behalf of Client in the course of providing the Services under the Terms of Use. It applies only to the extent that Service Data submitted to the Services constitutes or contains Personal Data subject to Applicable Data Protection Law. All other Service Data is governed solely by the Terms of Use.

2.2 Data Ownership. All Service Data processed under this Agreement and the Terms of Use shall remain the property of Client. SupportYourApp acquires no ownership rights in Service Data or Personal Data by virtue of this Agreement.

2.3 Client as Controller. Where Client processes Personal Data as a Controller and engages SupportYourApp to process that Personal Data on its behalf, SupportYourApp acts as Processor. Client is responsible for ensuring it has a valid legal basis under Applicable Data Protection Law for all Personal Data submitted to the Services and for the lawfulness of its instructions to SupportYourApp. Module 2 of the EU SCCs shall apply to any international transfer of Personal Data in this configuration.

2.4 Client as Processor. Where Client itself acts as a Processor on behalf of a third-party Controller — for example, where Client is a BPO, outsourcing, or managed services provider — SupportYourApp acts as Sub-processor in that processing chain. In this configuration:

(i) Client warrants that it has obtained all necessary authorisations from the relevant Controller to engage SupportYourApp as Sub-processor, and that SupportYourApp's engagement is consistent with the terms of the agreement between Client and that Controller;

(ii) Client shall ensure that the Controller's instructions, to the extent passed through to SupportYourApp, are consistent with Applicable Data Protection Law and do not impose obligations on SupportYourApp beyond those set out in this Agreement;

(iii) SupportYourApp shall process Personal Data only in accordance with Client's instructions, which Client represents reflect the Controller's documented instructions; and

(iv) Module 3 of the EU SCCs shall apply to any international transfer of Personal Data in this configuration.

2.5 Mixed Configurations. Client may act as Controller with respect to some Personal Data and as Processor with respect to other Personal Data processed through the Services. In such cases, Sections 2.3 and 2.4 apply respectively to each category of Personal Data, and the applicable SCC module shall be determined on a per-transfer basis.

2.6 SupportYourApp's Role. SupportYourApp processes Personal Data solely as Processor or Sub-processor, as applicable under this Section 2, and does not determine the purposes or means of processing Personal Data submitted through the Services. SupportYourApp shall notify Client if it receives instructions that, in its reasonable opinion, would cause it to act as a Controller rather than a Processor or Sub-processor.

2.7 Controller Accountability. Where Client acts as Processor under Section 2.4, the ultimate accountability for compliance with Applicable Data Protection Law rests with the Controller on whose behalf Client acts. SupportYourApp's obligations under this Agreement run to Client only, and SupportYourApp shall have no direct legal relationship with or obligations to any third-party Controller unless separately agreed in writing.

2.8 Anonymised and Pseudonymised Data. Where Service Data has been genuinely anonymised such that it cannot reasonably be re-identified by any means likely to be used by SupportYourApp, the Client, or any third party (taking into account singling out, linkability, and inference), such anonymised data falls outside the scope of this Agreement and Applicable Data Protection Law, and SupportYourApp may process it as controller for its own purposes. Where SupportYourApp processes pseudonymised Service Data for AI model training and product improvement pursuant to the opt-in/opt-out mechanism in the Terms of Use, such processing is carried out on the basis of Client's documented instruction as recorded in the applicable Service Order. SupportYourApp shall not process pseudonymised Service Data for its own AI model training where Client has elected to opt out in the applicable Service Order.

3. OBLIGATIONS OF SUPPORTYOURAPP

3.1 Processing Description. The Parties agree that the subject-matter and duration of the Processing performed by SupportYourApp under this Agreement, including the nature and purpose of the Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Annex I to this Agreement and in the Terms of Use.

3.2 Processor Obligations. As part of SupportYourApp providing the Services to Client under the Terms of Use, SupportYourApp agrees and declares as follows:

(a) to process Personal Data in accordance with Client's documented instructions as set out in the Terms of Use and this Agreement, or as otherwise necessary to provide the Services, and also with regard to transfers of Personal Data to a third country or an international organisation in accordance with Article 28(3)(a) of the GDPR, except where required otherwise by applicable laws (and provided such laws do not conflict with Applicable Data Protection Law); in such case, SupportYourApp shall inform Client of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);

(b) to ensure that all Personnel of SupportYourApp are fully aware of their responsibilities to protect Personal Data in accordance with this Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) to implement and maintain appropriate technical and organizational measures to protect Personal Data against Personal Data Breach, provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected;

(d) to notify Client without undue delay (and in any event within 72 hours) in the event of a confirmed Personal Data Breach affecting Client’s Service Data and to cooperate with Client as necessary to mitigate or remediate the Personal Data Breach;

(e) taking into account the nature of the Processing, to assist Client (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Client's obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a "Data Subject Request"). In the event SupportYourApp receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to Client in the first instance. However, in the event Client is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Client, SupportYourApp shall, on Client's request and at Client's reasonable expense, address the Data Subject Request as required under Applicable Data Protection Law;

(f) upon request, to provide Client with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to SupportYourApp, to help Client to conduct any data protection impact assessment or Supervisory Authority consultation it is required to conduct under Applicable Data Protection Law;

(g) upon termination of the Terms of Use, to comply with the requirements of Section 8 (Return and Destruction of Personal Data);

(h) to comply with the requirements of Section 5 (Audit) in order to make available to Client information that demonstrates SupportYourApp's compliance with this Agreement; and

(i) to designate a privacy point of contact responsible for coordinating and overseeing compliance with this Agreement, including the measures detailed in Annex II. Where SupportYourApp is required under Applicable Data Protection Law to appoint a Data Protection Officer, SupportYourApp shall do so and that individual shall serve as the privacy point of contact under this Agreement.

3.3 Unlawful Instructions. SupportYourApp shall inform Client if, in its opinion, Client's Processing instructions infringe any law or regulation. In such event SupportYourApp is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.

3.4 U.S. Data Protection Law Obligations. Where the Applicable U.S. Data Protection Law applies, the following provisions apply in addition to the provisions of this DPA:

(i) Provider shall not retain, use, or disclose Personal Data (i) for any purpose other than for the specific purpose of providing the Services to Client as set out in the Terms of Use, this DPA, and other relevant agreement(s); (ii) outside of the direct business relationship between Provider and Client; or (iii) as otherwise prohibited by Applicable U.S. Data Protection Law.

(ii) Provider shall not “sell” or “share” Personal Data.

(iii) Provider shall not combine Personal Data that it receives from Client with Personal Data it receives from, or on behalf of, another person, or collects from its own interactions with data subjects, except where both (i) expressly required to perform the Services and (ii) permitted by Applicable U.S. Data Protection Law.

(iv) Provider certifies that it understands the restrictions and obligations set forth in this Section 3.4 and will comply with them.

(v) Provider shall promptly notify Client if it determines it can no longer meet its obligations under Applicable U.S. Data Protection Law.

4. SUB-PROCESSORS AND THIRD PARTY SERVICES

4.1 General Authorisation. Client hereby confirms its general written authorisation for SupportYourApp's use of the Sub-processors listed at [INSERT SUB-PROCESSOR LIST URL] (the "Sub-processor List") in accordance with Article 28 of the GDPR and equivalent requirements in other Applicable Data Protection Law, to assist SupportYourApp in providing the Services and processing Personal Data, provided that such Sub-processors:

(i) agree to act only on SupportYourApp's instructions when processing Personal Data, which instructions shall be consistent with Client's processing instructions to SupportYourApp; and

(ii) agree to protect Personal Data to a standard consistent with the requirements of this Agreement, including implementing and maintaining appropriate technical and organisational measures consistent with the Security Standards described in Annex III to this Agreement, as applicable.

4.2 Sub-processor Liability and Changes. SupportYourApp shall remain liable to Client for the subcontracted processing of Personal Data by any of its Sub-processors under this Agreement. SupportYourApp shall update the Sub-processor List on its Website with any Sub-processor to be appointed at least thirty (30) days prior to such change. Client may sign up to receive email notification of any such changes on SupportYourApp's Website.

4.3 Objection to Sub-processors. In the event that Client objects to the processing of its Personal Data by any proposed Sub-processor as described in Section 4.2 on reasonable grounds relating to data protection, it shall inform SupportYourApp in writing by emailing privacy@supportyourapp.com within thirty (30) days following the update of the Sub-processor List. In such event, the Parties shall negotiate in good faith a solution to the objection. If the Parties cannot reach resolution within sixty (60) days of SupportYourApp's receipt of Client's objection, SupportYourApp will either (a) instruct the Sub-processor to not process Client's Personal Data, in which event this Agreement shall continue unaffected, or (b) allow Client to terminate this Agreement and any related services agreement with SupportYourApp immediately and provide it with a pro rata reimbursement of any sums paid in advance for Services to be provided but not yet received by Client as of the effective date of termination.

4.4 Third Party Services. The Services provide links to integrations with Third Party Services, including, without limitation, certain Third Party Services which may be integrated directly into Client's account or instance in the Services. If Client elects to enable, access, or use such Third Party Services, its access and use of such Third Party Services is governed solely by the terms and conditions and privacy policies of such Third Party Services, and SupportYourApp does not endorse and is not responsible or liable for, and makes no representations as to any aspect of such Third Party Services, including, without limitation, their content or the manner in which they handle Personal Data or any interaction between Client and the provider of such Third Party Services. Where a Third Party Service processes Personal Data in connection with Client's use of such Third Party Service, it does so either as an independent controller or, where Client has separately engaged such provider as a processor, as Client's own processor — in either case, not pursuant to SupportYourApp's instructions. The providers of Third Party Services shall not be deemed Sub-processors for any purpose under this Agreement.

5. AUDIT

5.1 Audit Right. Client may request to conduct an audit of SupportYourApp's compliance with this Agreement in accordance with Applicable Data Protection Law, solely in relation to the processing of Client's Personal Data. Audits shall be conducted at Client's expense and limited to once per calendar year, unless required by a competent supervisory authority or triggered by a confirmed Personal Data Breach or a material suspected Personal Data Breach affecting Client's Personal Data. Client must provide at least thirty (30) days' prior written notice to privacy@supportyourapp.com, specifying the audit's scope and purpose. Audits shall be conducted during normal business hours to minimise disruption to SupportYourApp's operations.

5.2 Audit Mechanism. In lieu of an on-site audit, SupportYourApp may satisfy its audit obligations under this Section 5 by providing Client with relevant third-party certifications (including ISO 27001 and SOC 2 reports), independent audit reports, or written responses to Client's reasonable security questionnaires, where such materials are reasonably sufficient to demonstrate compliance with this Agreement.

5.3 Access Restrictions. SupportYourApp may restrict Client's access to information that is legally privileged, subject to confidentiality obligations owed to third parties, or security-sensitive where disclosure would create material risk to SupportYourApp's systems or other clients. No audit shall involve access to data relating to any other SupportYourApp client.

5.4 Audit Reports and Remediation. Any report or information generated in connection with a Data Protection Audit shall be treated as SupportYourApp's Confidential Information. If an audit reveals any confirmed non-compliance with this Agreement, Client shall promptly notify SupportYourApp in writing, and SupportYourApp shall use commercially reasonable efforts to address and remediate such confirmed non-compliance within forty-five (45) days of receipt of written notice, or such longer period as is reasonably required given the nature of the non-compliance.

5.5 SCCs Prevail. In the event of any conflict between the audit terms in this Section 5 and the audit terms in the EU SCCs and/or UK Addendum, the audit terms in the EU SCCs and/or UK Addendum shall control. Nothing in this Section 5 modifies or affects any supervisory authority's rights under the EU SCCs and/or UK Addendum.

6. INTERNATIONAL DATA EXPORTS

6.1 General. Client acknowledges that SupportYourApp and its Sub-processors may maintain data processing operations in countries that are outside of the European Union and/or the EEA and/or their member states and/or Switzerland and/or the United Kingdom. If SupportYourApp processes Personal Data in a country that has not received an adequacy decision from the European Commission or Swiss or UK authorities, as applicable, such transfer shall take place on the basis of the EU SCCs and/or UK Addendum, as applicable.

6.2 EU SCCs. Where SupportYourApp processes Personal Data that is subject to the GDPR in a country that has not received an adequacy decision from the EU Commission, the Parties hereby incorporate the EU SCCs by reference. Where the EU SCCs apply, they will be deemed completed as follows:

(i) Module 2 (Controller to Processor) will apply where Client is a controller of Personal Data and SupportYourApp is a processor of Personal Data; Module 3 (Processor to Processor) will apply where Client is a processor of Personal Data and SupportYourApp is a processor of Personal Data;

(ii) in Clause 7, the optional docking clause will not apply;

(iii) in Clause 9(a), Option 2 "General Written Authorisation" will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 4 of this Agreement;

(iv) in Clause 11, the optional language will not apply;

(v) in Clause 17, Option 1 will apply. The governing law for the EU SCCs shall be the laws of Ireland, given that the Terms of Use is governed by the laws of the State of Delaware, which is not an EEA member state law;

(vi) in Clause 18(b), disputes arising under the EU SCCs shall be resolved before the courts of Dublin, Ireland, given that the Terms of Use does not designate courts in an EEA Member State;

(vii) Annex I.A and I.B and Annex II of the EU SCCs shall be deemed completed with the information set out in Annex I and Annex II to this Agreement; and

(viii) in Annex I.C of the EU SCCs, where the data exporter is established in the EEA, the competent Supervisory Authority shall be the authority with responsibility for ensuring compliance by the data exporter with GDPR as regards the data transfer. Where the data exporter is not established in the EEA, but is within the territorial scope of application of GDPR in accordance with Article 3(2) and has appointed a representative pursuant to Article 27(1), the Supervisory Authority shall be that of the member state in which the representative is established. If the data exporter is not established in the EEA but falls within the territorial scope of GDPR without having to appoint a representative pursuant to Article 27(2), the Supervisory Authority of Ireland shall act as the competent Supervisory Authority.

Nothing in the interpretations in this Section 6.2 is intended to conflict with either Party's rights or responsibilities under the EU SCCs and, in the event of any such conflict, the EU SCCs shall prevail.

6.3 UK Addendum. When SupportYourApp processes Personal Data subject to UK Data Protection Law in a country that has not received an adequacy decision from the UK authorities, the Parties hereby incorporate the UK Addendum for Personal Data subject to UK Data Protection Law by this reference. Where the UK Addendum applies, it will be deemed completed as follows:

(i) Table 1 shall be deemed completed with the information set out in Annex I of this Agreement, the contents of which are hereby agreed by the Parties;

(ii) Table 2: the Parties select the checkbox that reads "Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum", and the accompanying table shall be deemed completed according to the Parties' preferences outlined in Section 6.2 above;

(iii) Table 3 shall be deemed completed with the information set out in Annex I and Annex II and Section 4 of this Agreement; and

(iv) Table 4: the Parties agree that neither Party may terminate the UK Addendum as set out in Section 19 of the UK Addendum.

6.4 Switzerland under EU SCCs. Where SupportYourApp processes Personal Data subject to the Swiss Federal Act on Data Protection ("FADP") in a country that has not received an adequacy decision from Swiss authorities, the Parties hereby incorporate the EU SCCs (for Personal Data subject to FADP) by this reference. To the extent Personal Data transfers are subject to FADP, the EU SCCs shall be deemed completed with the information set forth in Section 6.2 above, as appropriate, and the following shall apply:

The term "member state", as used in the EU SCCs, shall not be interpreted to limit data subjects in Switzerland from being able to sue for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs. Until the revised FADP comes into effect (the version enacted on 25 September 2020, as amended), the EU SCCs shall also protect the data of legal entities. For the purposes of Annex I.C of the EU SCCs, where Client is the data exporter and the Personal Data transferred is exclusively subject to FADP, the Swiss Federal Data Protection and Information Commissioner (the "FDPIC") shall be the competent Supervisory Authority. Where the Personal Data transferred is subject to both the FADP and the GDPR: (i) parallel supervision should apply; or (ii) for the (revised) FADP, the FDPIC shall be the competent Supervisory Authority insofar as the transfer is governed by the (revised) FADP, and for the GDPR, the competent Supervisory Authority is as determined in Section 6.2(viii). References to the GDPR should be understood as references to the FADP and, once effective, the (revised) FADP, insofar as Personal Data transfers are subject to the FADP or (revised) FADP.

7. OBLIGATIONS OF CLIENT

As part of receiving the Services under the Terms of Use, Client agrees to comply with its obligations under Applicable Data Protection Law in its capacity as controller (or, where applicable, processor) of Personal Data processed through the Services.

8. RETURN AND DESTRUCTION OF PERSONAL DATA

8.1 Export Period. Upon termination of the Terms of Use, SupportYourApp will, for up to thirty (30) calendar days following such termination, make Personal Data available to Client for export or download at Client's own expense, except for Personal Data that (i) has been deleted prior to termination, (ii) was submitted in violation of the Terms of Use, or (iii) is subject to a legal hold or court order.

8.2 Deletion. After the export period set out in Section 8.1, SupportYourApp shall delete or irreversibly anonymise all Personal Data stored or processed on behalf of Client, unless prohibited by applicable law or legal order. Upon Client's written request, SupportYourApp shall provide written confirmation of deletion or anonymisation.

8.3 Other Service Data. All other Service Data that does not constitute Personal Data is subject to the return and deletion provisions in the Terms of Use.

9. DURATION

The duration of the Processing covered by this Agreement shall correspond to the period during which Client utilizes the Services.

10. HIPAA

10.1 No BAA. This Agreement does not constitute a Business Associate Agreement ("BAA") for the purposes of HIPAA. SupportYourApp does not act as a Business Associate with respect to Protected Health Information ("PHI") as defined under HIPAA unless the Parties have separately executed a written BAA.

10.2 PHI Prohibition. Client must not submit PHI through the Services, including through SupportVoice, unless a BAA has been executed between the Parties. Processing of PHI without a BAA in place constitutes a material breach of this Agreement and the Terms of Use. Nothing in this Agreement or the Terms of Use shall be construed as creating any HIPAA compliance obligation on the part of SupportYourApp absent a separately executed BAA.

11. LIMITATION ON LIABILITY

11.1 Liability Cap. This Agreement shall be subject to the limitations of liability agreed between the Parties set forth in the Terms of Use, and any reference to the liability of a Party means that Party and its Affiliates in the aggregate. For the avoidance of doubt, SupportYourApp's total liability for all claims from Client or its Affiliates arising out of or related to this Agreement and the Terms of Use shall apply in aggregate for all claims under both the Terms of Use and this Agreement. The enhanced liability cap for confirmed Personal Data breach claims set out in Section 15.2 of the Terms of Use applies to claims arising under this Agreement where the conditions set out therein are satisfied.

11.2 Data Subject and SCC Claims. This Section 11 shall not be construed as limiting the liability of either Party with respect to claims brought by Data Subjects or under the EU SCCs' Clause 12 and/or the UK Addendum.

12. MISCELLANEOUS

12.1 Amendments. SupportYourApp may make revisions to this Agreement from time to time. For revisions that are administrative in nature or required by applicable law, SupportYourApp shall provide at least fourteen (14) days' prior notice by posting the updated Agreement on its Website. For revisions that materially and adversely affect Client's rights or obligations under this Agreement, SupportYourApp shall provide at least thirty (30) days' prior written notice by email to Client's designated contact. If Client objects to any material revision, Client may, within such thirty (30) day period, terminate the affected Service Order(s) without liability for remaining Subscription Term fees by providing written notice of objection and termination, in accordance with Section 21 of the Terms of Use. Continued use of the Services after the effective date of any revision constitutes acceptance of the updated Agreement.

12.2 Assignment. SupportYourApp may assign or transfer this Agreement, in whole or in part, without Client's consent: (a) to any Affiliate of SupportYourApp; or (b) in connection with a merger, acquisition, corporate reorganisation, or sale of all or substantially all of SupportYourApp's assets or the business line to which this Agreement relates, provided that the assignee agrees in writing to be bound by the terms of this Agreement and maintains a level of data protection no less than that required hereunder. SupportYourApp shall notify Client of any such assignment within a reasonable time. Where an assignment results in a material change to the processing of Personal Data, SupportYourApp shall notify Client at least thirty (30) days in advance of such change taking effect, and Client may exercise its objection rights under Section 4.3 of this Agreement with respect to any new Sub-processor engaged as a result. Client may not assign or transfer this Agreement or any of its rights or obligations hereunder without SupportYourApp's prior written consent, except in connection with an assignment of the Terms of Use permitted under Section 22 of the Terms of Use, in which case this Agreement shall be deemed assigned together with the Terms of Use. Any purported assignment in breach of this Section 12.2 shall be null and void.

12.3 Severability. If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

12.4 Entire Agreement. This Agreement and the Terms of Use constitute the entire understanding between the Parties with respect to the processing of Personal Data, and shall supersede any other arrangements, negotiations or discussions between the Parties relating to that subject matter.

12.5 Successors and Assigns. Subject to Section 13.2, this Agreement will be fully binding upon, inure to the benefit of, and be enforceable by the Parties and their respective permitted successors and assigns.

13. GOVERNING LAW AND JURISDICTION

13.1 Governing Law. This Agreement shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Terms of Use, unless required otherwise by Applicable Data Protection Law. For the avoidance of doubt, to the extent the EU SCCs apply, the governing law and forum for those SCCs shall be as set out in Sections 6.2(v) and 6.2(vi) of this Agreement respectively.

13.2 Notices. Notices under this Agreement should be sent in accordance with the notice provisions in the Terms of Use.

ANNEX I

A. LIST OF PARTIES

Data exporter:

Name: As specified in the Service Order

Address: As specified in the Service Order

Role: Controller or Processor

Data importer:

Name: As specified in the Service Order

Address: As specified in the Service Order

Contact person’s name, position and contact details: privacy@supportyourapp.com

Role: Processor

B. DESCRIPTION OF PROCESSING

Categories of data subjects

Client may, at its sole discretion, submit Personal Data to the Services, which may include, but is not limited to, the following categories of data subjects: employees (including contractors and temporary employees), customers, end-users, service providers, business partners, and vendors (all of whom are natural persons), as well as any natural persons authorized by Client to use the Services.

Categories of Personal Data

Client may, at its sole discretion, transfer Personal Data to the Services, which may include, but is not limited to, the following categories of Personal Data: first and last name, email address, telephone number, addresses (business or personal), date of birth, communications (telephone recordings, voicemail, voice-synthesised responses), IP addresses, order information, and any personal data submitted by Client's customers and end-users. Where Client subscribes to SupportVoice, categories of Personal Data may additionally include Voice Data (audio recordings and voice-derived data) which may, depending on applicable law and the nature of the data, constitute biometric data within the meaning of Article 9 GDPR and equivalent provisions under Applicable Data Protection Law.

Special Categories of Personal Data (if applicable)

Sensitive Data may, from time to time, be included in processing via the Services where Client or its customers and end-users choose to include Special Categories of Personal Data (as defined below) within the Services. Client is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Client's customers and end-users to transmit or process any Special Categories of Personal Data via the Services. “Special Categories of Personal Data” shall have the same meaning as special categories of personal data in Article 9 of the GDPR and be inclusive of similar concepts under Applicable Data Protection Law.

Retention

SupportYourApp will process and retain Personal Data in accordance with Section 8 (Return and Destruction of Personal Data) of this Agreement.

Nature and Purpose(s) of the Processing

The data importer will process Personal Data solely to fulfil its purposes under the Terms of Use executed between the data importer and data exporter, including processing personal data: (i) to provide the Services in accordance with the Terms of Use, including operating SupportCRM, SupportReply, and SupportVoice; (ii) to perform any steps necessary for the performance of the Terms of Use; (iii) to perform any processing activity initiated by the data exporter in its use of the Services, including AI inference, autonomous response generation, and voice synthesis through SupportVoice; (iv) to use pseudonymised Service Data for AI model training and product improvement where Client has not opted out in the applicable Service Order, in accordance with Section 2.8 of this Agreement and Section 9.4 of the Terms of Use; and (v) to comply with other reasonable instructions provided by the data exporter that are consistent with the terms of the Terms of Use.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

SupportYourApp reserves the right to update its technical and organisational measures from time to time without prior notification to Client; provided that any updates do not materially reduce the overall protections set forth in this Annex.

1. Physical Controls

Controls related to the physical environment, such as ID badges, biometric door access to the office/space, cypher/key locks to the doors or cabinets/safes, visual controls of the information access (via windows or screen). SupportYourApp utilizes specialized third-party infrastructure providers for data hosting. These providers maintain physical security at data centers, including biometric access controls, CCTV, and environmental protections. Those controls are confirmed by those providers' ISO 27001 and/or SOC2 certifications.

2. Logical Controls

Controls are defined as restricting virtual access to data; they consist of identification, authentication, and authorization protocols utilized worldwide to protect data from unauthorized access, including password programs, smart cards, or tokens to identify and screen users and access levels:

Data Encryption in transit and at rest;

Role Based Access Control (RBAC);

Firewall, IDS/IPS;

Anti-virus and Anti-malware protection;

Database Monitoring and Management system;

Log Management;

Regular Backups.

3. Technical/Operational Controls

Controls related to the technical and operational processes and procedures:

Change and Configuration Management Process;

Vulnerability and Patch Management Process;

Security Awareness and Training Process;

Secure Software Development;

Continuous Improvement Process.

4. Administrative/Management Controls

Controls related to administration and management processes, procedures, and principles:

Security and Compliance Policies;

ISO 27001 certification;

Compliance Assessment Process;

Firewall Change Management Process;

Internal Audit Process;

Incident Response Plan;

Business Continuity and Disaster Recovery Plan;

Regular Access Rights Review Process.

ANNEX III

SUB-PROCESSORS SECURITY STANDARDS

As of the Effective Date of this Agreement, SupportYourApp’s Sub-processors, when processing Service Data on behalf of Client in connection with the Services, shall implement and maintain the following technical and organizational security measures for the processing of such Service Data (the “Services Security Standards”):

1. Physical Access Controls: Sub-processors will take reasonable measures, such as employing security personnel and securing buildings, to prevent unauthorized persons from gaining physical access to Service Data.

2. System Access Controls: Sub-processors will take reasonable measures to prevent the use of Service Data without authorization. These controls shall vary based on the nature of the processing and may include, among other measures, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and logging of access at multiple levels. This also includes, but is not limited to, Role Based Access Control in accordance with the need-to-know security principle.

3. Data Access Controls: Sub-processors will take reasonable measures to ensure that Service Data is accessible and manageable only by properly authorized staff. Direct database query access will be restricted, and application access rights will be established and enforced to ensure that only persons entitled to access specific Service Data have such access. Service Data shall not be read, copied, modified, or removed without authorization during processing. SupportYourApp will implement and maintain an access policy under which access to its system environment, data processing systems, Service Data, and other data is restricted to authorized personnel only.

4. Transmission Controls: Sub-processors will take reasonable measures to ensure that it is possible to verify and establish which entities are authorized to receive Service Data during transmission so that Service Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport.

5. Input Controls: Sub-processors will take reasonable measures to ensure that it is possible to verify and establish whether and by whom Service Data has been entered into, modified, or removed from data processing systems. Additionally, any transfer of Service Data to a third-party service provider will be conducted via secure transmission.

6. Data Protection: Sub-processors will take reasonable measures to ensure that Service Data is secured to protect against accidental destruction or loss. Sub-processors will ensure that, when hosted by a Sub-processor, backups are completed regularly, secured, and encrypted to ensure that Service Data is protected. Sub-processors will implement and maintain a managed security program to identify risks and deploy preventative technologies and processes to mitigate common attacks.

7. Logical Separation: Sub-processors will logically segregate Service Data from the data of other parties on its systems to ensure that Service Data is processed separately.

8. People Controls: Sub-processors will take reasonable measures to ensure that all staff who have access to the systems and data have signed an appropriate NDA and passed the Sub-processor’s Security Awareness training.
