Data Processing Agreement

Draft notice: this Data Processing Agreement is published as a customer-facing reference. The final form will be reviewed by counsel before any customer is asked to execute it. To request a counter-signed copy, email compliance@zazavoice.com.

1. Definitions

In this Data Processing Agreement ("DPA"), the terms "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Sub-processor" have the meanings given in the EU General Data Protection Regulation (Regulation 2016/679, the "GDPR") and, where applicable, the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA").

"Customer" means the business entity that has entered into a subscription agreement with MR Recruits Limited Liability Company ("ZazaVoice", "we", "us") for use of the ZazaVoice service (the "Service"). "Customer Personal Data" means Personal Data that ZazaVoice processes on behalf of Customer in the course of providing the Service.

2. Subject Matter and Duration

ZazaVoice will Process Customer Personal Data only on the documented instructions of Customer (which include the use of the Service in accordance with our Terms of Service) and for the purpose of providing the Service. This DPA applies for the term of the underlying subscription agreement and any period during which ZazaVoice retains Customer Personal Data after termination.

3. Nature of Processing

The categories of Personal Data Processed under this DPA include:

• End-user contact identifiers (phone numbers, names, email addresses) supplied by Customer
• Call recordings and AI-generated transcripts (where Customer enables recording)
• Call metadata (timestamps, duration, disposition, agent identity)
• SMS message content sent or received through the Service
• Authentication identifiers (login email, OAuth subject) of Customer's authorized users

The categories of Data Subjects include Customer's end users (the people Customer's voice agents call or message) and Customer's own employees who use the platform.

4. Sub-processors

ZazaVoice engages the following third-party Sub-processors to deliver the Service. Customer authorizes their use by entering into this DPA. ZazaVoice will give Customer at least 30 days' advance notice of any new Sub-processor by updating this page; Customer may object on reasonable data-protection grounds before the new Sub-processor is engaged.

5. Security Measures

ZazaVoice maintains technical and organisational measures designed to protect Customer Personal Data against unauthorised access, disclosure, alteration, or destruction. These include:

• Encryption in transit (TLS 1.2+) for all customer-facing traffic and inter-service calls
• Encryption at rest for all stored data, with column-level AES-256-GCM encryption for sensitive credentials
• Strict tenant isolation: every database row carries an organisation identifier enforced in the service layer
• Role-based access control for ZazaVoice personnel; production access is logged and reviewed
• Automated vulnerability scanning of dependencies and container images
• Regular backups of the production database with point-in-time recovery

6. Data Subject Requests

ZazaVoice will, taking into account the nature of the Processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, to fulfil Customer's obligation to respond to requests from Data Subjects exercising their rights under the GDPR, CCPA, or other applicable privacy laws. Customer can export or delete Customer Personal Data via the dashboard, or by request to compliance@zazavoice.com.

7. Personal Data Breach Notification

ZazaVoice will notify Customer without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the information required by Article 33(3) of the GDPR to the extent then known.

8. Audit Rights

ZazaVoice will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits conducted by Customer or an auditor mandated by Customer, no more than once per calendar year and subject to reasonable confidentiality and operational safeguards. Industry-standard third-party reports (e.g., SOC 2 reports of our Sub-processors) will be accepted in place of on-site audits where appropriate.

9. International Transfers

ZazaVoice is established in the United States and primarily processes Customer Personal Data in the United States. Where the GDPR applies and Customer is established in the European Economic Area, the United Kingdom, or Switzerland, the parties agree that the European Commission's Standard Contractual Clauses (Module Two, Controller-to-Processor) are incorporated into this DPA by reference and govern any transfer of Customer Personal Data to ZazaVoice or its Sub-processors outside that jurisdiction.

10. Return or Deletion of Data

On termination of the Service, ZazaVoice will, at Customer's choice, return or delete all Customer Personal Data, except to the extent retention is required by applicable law or for the establishment, exercise, or defence of legal claims. Backups containing Customer Personal Data are retained for up to 30 days after deletion and then overwritten in the ordinary course.

11. Liability and Indemnification

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability section of the underlying subscription agreement.

12. Governing Law

This DPA is governed by the laws specified in the underlying subscription agreement. If no such law is specified, this DPA is governed by the laws of the State of New Jersey, United States, without regard to its conflict of laws rules.

13. Contact

For data-protection questions or to request a counter-signed copy of this DPA: