This Data Processing Agreement (“Agreement”) is entered into between NexaVoxa (“Data Processor”) and the customer entity that accepts this Agreement (“Company” or “Data Controller”). By using NexaVoxa’s services, the Company agrees to be bound by the terms of this Data Processing Agreement.

For questions regarding this Data Processing Agreement or to exercise any rights hereunder, please contact [privacy@villaextechnologies.com].

1. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person.
• Customer Personal Data: Personal Data processed by the Data Processor or its Sub-processor on behalf of the Company to perform the Services under the Service Agreement.
• Processing: Any operation performed on Personal Data, such as collection, storage, alteration, retrieval, consultation, use, disclosure, erasure, or destruction.
• Data Subject: An individual whose Personal Data is processed.
• Sub-processor: Any third party engaged by the Data Processor to process Personal Data on behalf of the Company.
• Data Protection Laws: All applicable data protection and privacy laws, including EU Data Protection Laws, GDPR, CCPA, and other similar laws in the jurisdictions in which the Service is provided.
• Data Transfer: The transfer of Personal Data from the Company to the Data Processor or to any Sub-processor, or between two establishments of the Data Processor, where such transfer would be prohibited by Data Protection Laws.

2. Subject Matter and Duration

The Data Processor shall process Personal Data on behalf of the Company as necessary to perform the services defined in the Service Agreement. This Agreement shall remain in effect for the duration of the Service Agreement.

2.1 Service-Specific Data Retention
The Data Processor shall retain Voice AI Service Customer Data transmitted through the Service for a maximum of thirty (30) days, after which it will be deleted unless the Data Processor is required to retain copies under applicable laws.

3. Nature and Purpose of Processing

The processing involves managing and facilitating AI-driven voice communications, including recording, transcribing, and analyzing voice data to enhance communication services. The Company is the Data Controller, and NexaVoxa acts as the Data Processor.

4. Types of Personal Data and Categories of Data Subjects

Types of Personal Data:

• Voice recordings
• Transcriptions
• Contact information (phone numbers, email addresses)
• Communication metadata (time, date, duration of calls)
• Account information (user IDs, preferences)

Categories of Data Subjects:

• Customers of the Company
• End-users of the Company’s services
• Employees, contractors, and agents of the Company who use the services
• Third-party individuals who communicate with the above categories

5. Obligations of the Data Processor

The Data Processor agrees to:

• Process Personal Data only on documented instructions from the Company.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing.
• Assist the Company in fulfilling its obligations regarding data subject rights, including access, rectification, erasure, and restriction of processing.
• Notify the Company of any Personal Data Breach within 72 hours of becoming aware.
• Ensure that individuals authorized to process Personal Data are committed to confidentiality.

6. Data Breach Notification

The Data Processor shall notify the Company without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach. Such notification will include the nature of the breach, the categories of affected data, and the measures taken to address it.

7. Sub-processing

• The Data Processor may engage third-party subprocessors to assist in processing Personal Data. Sub-processors will be bound by similar obligations as those in this Agreement.
• A list of subprocessors will be provided to the Company, and the Company has the right to object to new subprocessors.

8. International Data Transfers

The Data Processor shall not transfer Personal Data to countries outside of the European Economic Area (EEA) or any jurisdiction that does not ensure an adequate level of protection unless the Company provides explicit consent and appropriate safeguards are implemented.

9. Audit Rights

The Company has the right to audit the Data Processor’s compliance with this Agreement. The Data Processor will allow the Company or a third-party auditor to conduct audits, provided the Company gives reasonable notice and limits the audit to once per year unless otherwise required by law.

10. Return and Deletion

Upon termination of this Agreement, the Data Processor shall return or delete all Personal Data as instructed by the Company unless required by law to retain it.

11. Governing Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of U.S, and any disputes arising from or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of U.S.

12. Company Obligations

The Company shall:

• Ensure it has the legal right to provide Personal Data to the Data Processor.
• Comply with applicable Data Protection Laws and ensure that all Personal Data shared with the Data Processor is legally obtained.
• Take reasonable steps to ensure the security of the Personal Data it shares with the Data Processor.

13. Service Data

The Data Processor may collect, use, and disclose Service Data for its business purposes, such as improving the Services, fraud prevention, and maintaining the security of the system. Service Data is not considered Personal Data under this Agreement.

EXHIBIT A: DETAILS OF PROCESSING
Nature and Purpose of Processing: The Data Processor processes Personal Data as needed to provide the AI-driven services, including voice communications, transcriptions, and analysis.

Duration of Processing: The processing lasts for the term of the Service Agreement and as required for data retention or legal obligations.

Categories of Data Subjects:

• Customers, end-users, employees, contractors, and agents of the Company

Categories of Personal Data:

• Voice recordings, contact details, account information

Processing Operations:

• Collection, recording, storage, and analysis of Personal Data for the purpose of providing NexaVoxa services.

EXHIBIT B: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The Data Processor will implement the following security measures:

1. Encryption: Encrypt all Personal Data at rest and in transit using industry-standard protocols.
2. Access Control: Role-based access control and multi-factor authentication for all systems accessing Personal Data.
3. Redundancy and Backup: Ensure high availability with geographically distributed systems and daily backups.
4. Incident Response: Maintain a documented and tested incident response plan for data breaches or security incidents.

By using NexaVoxa’s services, the Company agrees to be bound by the terms of this Data Processing Agreement.