Data Processing Addendum

Last Updated: March 12, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between AlwaysRespond ("Processor," "we," "us," or "our") and the business customer ("Controller," "you," or "your") that has agreed to the Agreement. This DPA applies to the extent that we process personal data on your behalf in connection with the provision of the Service.

1. Roles and Responsibilities

For the purposes of this DPA and applicable data protection laws:

  • Controller: You (the business customer) determine the purposes and means of processing personal data of your customers and end users. You are the data controller with respect to any Customer Data submitted to the Service.
  • Processor: AlwaysRespond processes personal data on your behalf solely for the purpose of providing the Service. We act as a data processor with respect to Customer Data.

Each party shall comply with its respective obligations under applicable data protection legislation, including, where applicable, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy laws.

2. Scope of Processing

The personal data processed under this DPA includes:

  • Categories of data subjects: Your customers and end users who communicate with you through the Service
  • Types of personal data: Phone numbers, names, message content, appointment details (dates, times, service types, notes), communication preferences, and any other personal data included in messages exchanged through the Service
  • Processing activities: Receiving, storing, transmitting, and displaying SMS and WhatsApp messages; scheduling and managing appointments; generating AI-powered responses; providing analytics and reporting; and maintaining conversation history
  • Duration of processing: For the duration of the Agreement and as required to fulfill our obligations under this DPA, including any post-termination retention period as described in Section 8

3. Processing Instructions

We shall process personal data only on your documented instructions, unless required to do so by applicable law. The Agreement and this DPA constitute your complete instructions to us for processing personal data, unless you provide additional written instructions.

If we believe that an instruction from you infringes applicable data protection law, we will promptly inform you. We shall not be obligated to follow instructions that we reasonably believe are unlawful.

We will not process personal data for any purpose other than as necessary to provide the Service, as instructed by you, or as required by applicable law. We will not sell, share, or otherwise use personal data for our own commercial purposes beyond service delivery.

4. Confidentiality

We ensure that all persons authorized to process personal data on our behalf are bound by appropriate confidentiality obligations, whether contractual or statutory. Access to personal data is limited to personnel who require it for the performance of their duties in connection with the Service.

We shall not disclose personal data to any third party except as permitted by this DPA, as instructed by you, or as required by applicable law. In the event that we receive a legally binding request from a governmental or regulatory authority for disclosure of personal data, we will promptly notify you (unless prohibited by law) and provide only the minimum amount of data required.

5. Security Measures

We implement and maintain appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Encryption: Encryption of personal data in transit using TLS 1.2 or higher, and encryption of personal data at rest using AES-256 or equivalent industry-standard algorithms
  • Access controls: Role-based access controls, multi-factor authentication for administrative access, and principle of least privilege for all system access
  • Network security: Firewalls, intrusion detection and prevention systems, and regular vulnerability assessments and penetration testing
  • Monitoring and logging: Continuous monitoring of systems for security events, comprehensive audit logging, and automated alerting for suspicious activity
  • Physical security: Our infrastructure is hosted with cloud providers that maintain SOC 2 Type II certification and implement strict physical access controls
  • Business continuity: Regular data backups, disaster recovery plans, and redundant infrastructure to ensure data availability and resilience
  • Personnel security: Background checks for employees with access to personal data, mandatory security awareness training, and ongoing education on data protection best practices
  • Incident response: Documented incident response procedures with defined roles, escalation paths, and communication protocols for security breaches

In the event of a personal data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include, to the extent available, the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

6. Subprocessors

You grant us general authorization to engage subprocessors to assist in providing the Service. We maintain a list of current subprocessors, which includes:

  • Messaging carriers (e.g., Telnyx, Twilio) for SMS and WhatsApp message transmission and delivery
  • Cloud infrastructure providers for hosting, data storage, and computing resources
  • AI and machine learning providers for powering conversational AI features and natural language processing
  • Payment processors (e.g., Stripe) for handling subscription billing and payment transactions
  • Analytics and monitoring providers for service performance monitoring and operational analytics

Before engaging a new subprocessor, we will notify you of the intended change, providing you with a reasonable opportunity to object. If you have a legitimate objection, we will make reasonable efforts to make available a change in the Service or recommend a commercially reasonable alternative. If no alternative is available and you maintain your objection, either party may terminate the affected portion of the Service.

We require all subprocessors to enter into written agreements that impose data protection obligations no less protective than those set out in this DPA. We remain fully liable for the acts and omissions of our subprocessors to the same extent as if we had performed the processing ourselves.

7. Assistance with Data Subject Rights and Compliance

We will assist you in fulfilling your obligations to respond to data subject requests to exercise their rights under applicable data protection law. This includes requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing.

If we receive a data subject request directly, we will promptly notify you and will not respond to the request unless authorized by you or required by applicable law.

We will also provide reasonable assistance with:

  • Data protection impact assessments where required by applicable law
  • Prior consultations with supervisory authorities where required
  • Compliance with data breach notification obligations under applicable law
  • Demonstrating compliance with data protection obligations through audits and inspections, subject to reasonable notice and confidentiality obligations

We may charge a reasonable fee for assistance that is excessive or manifestly unfounded, or that goes beyond what is required to comply with applicable data protection law.

8. Data Retention and Deletion

Upon termination or expiration of the Agreement, we will, at your choice, return or delete all personal data processed on your behalf within 30 days, unless retention is required by applicable law. You may request a copy of your data in a commonly used, machine-readable format before deletion.

During the term of the Agreement, we retain personal data in accordance with the retention periods specified in our Privacy Policy and any specific retention instructions provided by you.

Where we are required by applicable law to retain certain personal data beyond the termination of the Agreement, we will isolate and protect such data and limit processing to only what is required by law. We will notify you of any such legal retention requirement.

9. International Data Transfers

AlwaysRespond is based in the United States. Personal data may be transferred to and processed in the United States or other countries where our subprocessors operate. Where personal data is transferred outside the European Economic Area (EEA), the United Kingdom, or other jurisdictions with data transfer restrictions, we implement appropriate safeguards to ensure an adequate level of protection.

These safeguards may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, as incorporated into this DPA by reference
  • Transfers to countries that have been deemed to provide an adequate level of data protection by the European Commission
  • Binding Corporate Rules where applicable
  • Other legally recognized transfer mechanisms under applicable data protection law

Upon request, we will provide you with information about the specific transfer mechanisms used for any particular transfer of personal data. We will conduct transfer impact assessments as necessary and implement supplementary measures where required to ensure that the level of protection is not undermined.

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits or excludes either party's liability for losses that cannot be limited or excluded under applicable law.

The Controller shall be liable for ensuring that the processing of personal data is carried out in compliance with applicable data protection law, including ensuring a lawful basis for processing and obtaining necessary consents from data subjects.

The Processor shall be liable for the processing of personal data in accordance with the Controller's documented instructions and for implementing and maintaining appropriate security measures as described in this DPA.

11. Conflict

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to the processing of personal data. In the event of any conflict between this DPA and applicable data protection law, applicable data protection law shall prevail.

This DPA is governed by the same governing law as the Agreement, except where applicable data protection law requires otherwise. All terms not defined in this DPA shall have the meaning given to them in the Agreement.

12. Contact Information

For questions or concerns about this Data Processing Addendum or our data processing activities, please contact us:

Email: support@alwaysrespond.com

For general privacy inquiries, please refer to our Privacy Policy. For questions about our use of cookies, please refer to our Cookie Policy.