Auralytik

Data Processing Addendum

Standard DPA for Auralytik customers under GDPR, CCPA, and equivalent regulations

Last updated: May 23, 2026 · v2026-05-23

This Data Processing Addendum ("DPA") forms part of the Master SaaS Services Agreement ("Agreement") between Pintor Project ("Processor") and the Customer ("Controller"). It applies whenever Pintor Project processes Personal Data on behalf of the Customer in connection with the Auralytik platform. Where there is any conflict between this DPA and the Agreement, this DPA prevails for matters related to Personal Data processing.

1. Definitions

1.1 Terms not defined here have the meanings given in the Master SaaS Services Agreement at auralytik.com/eula. "Personal Data," "Data Subject," "Processing," "Controller," and "Processor" have the meanings given in applicable data-protection law (including GDPR Art. 4 for EEA Customers and CCPA §1798.140 for California-resident Data Subjects).

1.2 "Customer Personal Data" means Personal Data that the Customer (or its end users) uploads to or transmits through the Auralytik platform, including but not limited to call audio, transcripts, agent and bot interaction logs, evaluation outputs, and any other content that contains personal information.

2. Subject Matter and Duration

2.1 Subject matter: Processing of Customer Personal Data through Auralytik for the purpose of providing conversation intelligence services as described in the Agreement.

2.2 Duration: This DPA remains in force for as long as Pintor Project processes Customer Personal Data on behalf of the Customer, plus any retention period set out in clause 11.

3. Categories of Data Subjects and Personal Data

3.1 Categories of Data Subjects typically include: Customer's end customers (callers, message senders, interaction participants), Customer's agents and employees who interact with the platform, and other natural persons whose data the Customer uploads.

3.2 Categories of Personal Data typically include: voice recordings, transcripts of conversations, interaction metadata (timestamps, agent IDs, channel identifiers), customer identifiers (names, account numbers, contact information embedded in conversations), and analytical outputs derived from these data (sentiment scores, compliance findings, audit evaluations).

3.3 Special categories of Personal Data: the Customer is responsible for limiting the inclusion of special-category data (health, financial, biometric, racial/ethnic origin, etc.) per the Acceptable Use Policy. Where biometric verification features are subscribed, biometric Personal Data is processed under additional safeguards documented in the relevant Service Order.

4. Roles and Obligations

4.1 The Customer is the Controller of Customer Personal Data. Pintor Project acts as Processor and processes Customer Personal Data only on documented instructions from the Customer, including transfers to third countries, unless required to do so by applicable law.

4.2 The Customer warrants that it has all necessary legal bases, notices, and consents for Pintor Project to process Customer Personal Data, including (where applicable) consent for call recording and for the use of AI to analyze conversation content.

4.3 Pintor Project ensures that persons authorized to process Customer Personal Data are bound by confidentiality obligations and trained in data-protection requirements appropriate to their role.

5. Sub-processors

5.1 The Customer authorizes Pintor Project to engage the sub-processors listed at auralytik.com/subprocessors for the processing of Customer Personal Data. The current list includes Microsoft Azure (USA, Chile, EU as applicable), Stripe (USA), ElevenLabs (USA), Twilio (USA), and Meta (USA), each used as described on the Sub-processors page.

5.2 Pintor Project will notify the Customer at least 30 days in advance of any addition or replacement of sub-processors. The Customer may object to such a change on reasonable grounds related to data protection within 30 days; if a reasonable accommodation cannot be reached, either party may terminate the affected Services without penalty.

5.3 Pintor Project enters into written agreements with each sub-processor that impose data-protection obligations no less protective than those in this DPA.

6. International Transfers

6.1 Where Customer Personal Data is transferred outside the country of the Customer's data-protection jurisdiction (including transfers from the EEA, UK, or Switzerland to a country without an adequacy decision), the transfer is governed by the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) as published in Decision (EU) 2021/914, incorporated into this DPA by reference.

6.2 Where additional safeguards are required (UK IDTA, Swiss SCCs, etc.), the equivalent contractual mechanism applies.

7. Security

7.1 Pintor Project implements appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, including: encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256); access controls based on least-privilege principles; multi-factor authentication for administrative access; logging and monitoring of access to Customer Personal Data; periodic vulnerability assessments and security reviews; secure software development practices; and documented incident-response procedures.

7.2 Specific security details, certifications, and audit reports are made available through auralytik.com/trust or under separate confidentiality agreement on request.

8. Assistance with Data Subject Rights

8.1 Pintor Project provides reasonable assistance to the Customer in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection, opt-out). Where technically feasible, the platform provides self-service tools for the Customer to action these requests directly.

8.2 Where Pintor Project receives a Data Subject request that relates to Customer Personal Data, it forwards the request to the Customer without undue delay and does not respond to the Data Subject directly unless required by law.

9. Personal Data Breach Notification

9.1 Pintor Project notifies the Customer without undue delay (and in any case within 48 hours of becoming aware) of any Personal Data Breach affecting Customer Personal Data. The notification includes: the nature of the breach; the categories and approximate number of Data Subjects and records concerned (where known); the likely consequences; and the measures taken or proposed to address the breach.

9.2 Pintor Project cooperates with the Customer in investigating, mitigating, and remediating any such breach, and in fulfilling the Customer's notification obligations to supervisory authorities and Data Subjects.

10. Audits

10.1 Pintor Project makes available to the Customer the information necessary to demonstrate compliance with this DPA, including (where applicable) third-party audit reports such as SOC 2, ISO 27001, or equivalent.

10.2 The Customer may, at its own cost and not more than once per year (except where required by a supervisory authority), conduct an audit of Pintor Project's data-protection practices, subject to reasonable scope limitations, confidentiality, and not exceeding what is necessary to verify compliance. Pintor Project may satisfy this obligation through the provision of third-party audit reports or attestations.

11. Return and Deletion of Customer Personal Data

11.1 Upon termination or expiration of the Agreement, Pintor Project deletes or returns all Customer Personal Data within a reasonable period (default 90 days), except to the extent that retention is required by applicable law or for the establishment, exercise, or defense of legal claims.

11.2 Pintor Project may retain anonymized or aggregated data derived from Customer Personal Data that no longer permits identification of individual Data Subjects.

12. Liability and Indemnification

12.1 The liability and indemnification provisions of the Master SaaS Services Agreement apply to claims arising under this DPA, subject to applicable mandatory provisions of data-protection law that cannot be limited by contract.

13. Standard Contractual Clauses (where applicable)

13.1 Where required by clause 6, the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor), published in Decision (EU) 2021/914, are incorporated into this DPA by reference. The Annexes to the SCCs are populated as follows: (Annex I A) Parties — Customer (Controller) and Pintor Project (Processor); (Annex I B) Description of transfer — as set out in clauses 2 and 3 of this DPA; (Annex I C) Competent supervisory authority — the supervisory authority of the Member State in which the Customer is established, or where the Customer is established outside the EEA, the Irish Data Protection Commission; (Annex II) Technical and organizational measures — as set out in clause 7 and at auralytik.com/trust; (Annex III) Sub-processors — as listed at auralytik.com/subprocessors.

14. Order of Precedence

14.1 In case of conflict between this DPA, the Master SaaS Services Agreement, and any Service Order: this DPA prevails for matters related to the processing of Personal Data; the Service Order prevails for service-specific terms; the Master SaaS Services Agreement governs all other matters.

To execute a signed copy of this DPA for your organization, contact privacy@auralytik.com. Pintor Project SpA (Chile) and Pintor Project Co. (Delaware, USA) are the Processor entities depending on the Customer's contracting region.