Data Processing Agreement
Last updated: March 31, 2026
This Data Processing Addendum ("DPA") forms part of the Terms and Conditions or other written agreement (the "Agreement") between OPTICOMM AI S.R.L. ("OptiComm", "Processor") and the customer entity ("Customer", "Controller") for the provision of the Services. It governs the processing of personal data by OptiComm on behalf of the Customer in accordance with Article 28 of the GDPR.
In case of conflict between this DPA and the Agreement regarding the processing of personal data, this DPA prevails.
1. Definitions
Terms such as "personal data", "processing", "controller", "processor", "data subject", "personal data breach", and "supervisory authority" have the meanings given in the GDPR. "Data Protection Law" means the GDPR, Romanian Law no. 190/2018, and other applicable data protection laws. "Sub-processor" means any processor engaged by OptiComm to process personal data.
2. Roles and scope
2.1 The Customer is the controller (or processor acting on behalf of its own controllers), and OptiComm is the processor, in respect of personal data contained in Customer Data ("Customer Personal Data"). This includes data ingested from the Customer's connected commerce platforms and the contact details, call audio, and transcripts of individuals contacted by the AI voice agents.
2.2 OptiComm processes Customer Personal Data only on documented instructions from the Customer, including as set out in the Agreement and this DPA, unless required to do otherwise by EU or Member State law (in which case OptiComm will inform the Customer unless that law prohibits it).
2.3 The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are described in Annex I.
3. OptiComm's obligations
OptiComm will:
a) process Customer Personal Data only on the Customer's documented instructions;
b) ensure that persons authorised to process the data are bound by confidentiality;
c) implement the technical and organisational measures set out in Annex II;
d) respect the conditions for engaging sub-processors (Section 5);
e) taking into account the nature of the processing, assist the Customer by appropriate measures, insofar as possible, in fulfilling the Customer's obligation to respond to data subject requests (Section 6);
f) assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and information available to OptiComm;
g) at the Customer's choice, delete or return all Customer Personal Data after the end of the provision of the Services, and delete existing copies unless storage is required by law (Section 11);
h) make available to the Customer information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits (Section 7); and
i) immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Law.
4. Customer's obligations
The Customer warrants that: (a) it has a valid legal basis for the processing and the provision of Customer Personal Data to OptiComm, including any profiling/prediction and any recording of calls by the voice agents; (b) its instructions comply with Data Protection Law; and (c) it has provided all required notices and obtained all required consents from data subjects, including for AI interaction disclosure and call recording where required.
5. Sub-processors
5.1 The Customer provides general authorisation for OptiComm to engage sub-processors to process Customer Personal Data. A current list of sub-processors is maintained at /subprocessors (see also Annex III).
5.2 OptiComm will impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains fully liable for the performance of each sub-processor.
5.3 OptiComm will give the Customer prior notice of the addition or replacement of a sub-processor (for example, by updating the list and/or by email) at least thirty (30) days in advance. The Customer may object on reasonable, data-protection-related grounds within that period; the parties will then work in good faith to resolve the objection, and if they cannot, the Customer may terminate the affected Services.
6. Data subject rights
Taking into account the nature of the processing, OptiComm will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests by data subjects exercising their rights under the GDPR. If OptiComm receives a request directly from a data subject relating to Customer Personal Data, it will, unless legally prohibited, promptly forward it to the Customer and not respond except on the Customer's instructions.
7. Audits
7.1 OptiComm will make available to the Customer the information necessary to demonstrate compliance with this DPA, including current third-party certifications and audit reports (e.g. ISO/IEC 27001 certificate and Statement of Applicability summary).
7.2 The Customer may, no more than once per year (and additionally following a personal data breach or upon a supervisory authority's request), conduct an audit on reasonable prior notice, during business hours, subject to confidentiality and without compromising the security of other customers. The parties may agree that an independent auditor performs the audit. The Customer bears its own audit costs.
8. Security
OptiComm implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex II, supported by its certified management systems (including ISO/IEC 27001 and ISO/IEC 27018) and aligned with NIS2 and, where applicable, DORA requirements.
9. Personal data breaches
OptiComm will notify the Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably required for the Customer to meet its own notification obligations under Articles 33 and 34 GDPR.
10. International transfers
10.1 OptiComm will not transfer Customer Personal Data outside the EEA without ensuring appropriate safeguards under Chapter V of the GDPR.
10.2 Where the European Commission's Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914) apply, they are incorporated into this DPA by reference, with the relevant modules completed as set out in Annex IV, and supplemented by additional measures where required following a transfer impact assessment. This is relevant to certain AI/LLM and voice providers that may process data outside the EEA.
11. Deletion and return of data
On termination or expiry of the Services, OptiComm will, at the Customer's choice, return or delete Customer Personal Data within thirty (30) days, and delete existing copies, unless retention is required by EU or Member State law.
12. Liability and term
12.1 Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
12.2 This DPA takes effect on the effective date and continues for as long as OptiComm processes Customer Personal Data under the Agreement.
13. Governing law
This DPA is governed by Romanian law and, where the SCCs apply, by the law designated in the SCCs.
Annex I, Details of processing
- Subject matter: Provision of the OptiComm.AI Services (need prediction, Sales Intelligence dashboard, and AI voice agents) as described in the Agreement.
- Duration: For the term of the Agreement and any retention period required by law.
- Nature and purpose: Hosting, storage, analysis, prediction/profiling, voice-call handling (including recording and transcription), and processing of Customer Data to deliver, secure, support, and maintain the Services.
- Types of personal data: Contact details (name, phone, email), business/account identifiers, order and transaction history, usage data, and, for the voice agents, call audio recordings and transcripts. The Customer controls which data it submits.
- Categories of data subjects: The Customer's employees and Authorised Users; the Customer's customers, prospects, and contacts (including individuals contacted by the voice agents).
- Special categories: None intended. The Customer must not submit special-category data unless lawfully justified and agreed in writing.
Annex II, Technical and organisational measures (summary)
- Information security governance certified to ISO/IEC 27001; cloud PII protection per ISO/IEC 27018; AI governance per ISO/IEC 42001.
- Encryption of data in transit (TLS) and at rest.
- Role-based access controls, least privilege, and multi-factor authentication for administrative access.
- Network security: firewalls, segmentation, intrusion detection/prevention.
- Logging, monitoring, and alerting; security incident and event management.
- Secure software development lifecycle and change management.
- Vulnerability management and periodic penetration testing.
- Backup, disaster recovery, and business continuity (ISO 22301); IT service management (ISO/IEC 20000-1).
- Personnel confidentiality obligations and security awareness training.
- Vendor and sub-processor due diligence.
- Data minimisation, retention, and secure deletion procedures.
- Incident response and breach notification processes aligned with NIS2 and, where applicable, DORA.
Annex III, Authorised sub-processors
See the separate, maintained register at /subprocessors.
Annex IV, Standard Contractual Clauses configuration
- Module: Module Two (Controller-to-Processor); Module Three (Processor-to-Processor) where the Customer is itself a processor.
- Clause 7 (docking): Included.
- Clause 9 (sub-processors): Option 2, general written authorisation; notice period 30 days.
- Clause 11 (redress): Optional independent dispute resolution, not included.
- Clause 17 (governing law): Law of Romania.
- Clause 18 (forum): Courts of Bucharest, Romania.
- Annexes to SCCs: Use Annex I and Annex II of this DPA.
