Data Processing Addendum

1. Definitions

1.1. Applicable Data Protection Laws means all laws and regulations applicable to the processing of personal data under this DPA, including but not limited to the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA/CPRA), and any successor legislation.

1.2. Controller means the entity that determines the purposes and means of processing personal data.

1.3. Processor means the entity that processes personal data on behalf of the Controller.

1.4. Personal Data means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.

1.5. Subprocessor means any third-party service provider engaged by Eloquent AI to process Personal Data on behalf of the Customer.

1.6. Standard Contractual Clauses (SCCs) means clauses adopted by the European Commission or other applicable authorities for ensuring adequate safeguards in international data transfers.

1.7. Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

1.8. EEA means the European Economic Area, including the European Union, Iceland, Liechtenstein, and Norway.

2. Roles and Responsibilities

2.1. Customer as Controller. The Customer acts as the Controller and ensures compliance with all applicable data protection laws, including obtaining necessary consents and providing notices to data subjects.

2.2. Eloquent AI as Processor.Eloquent AI processes Personal Data only in accordance with the Customer's documented instructions, unless otherwise required by applicable law.

2.3. Compliance Cooperation. Each party will cooperate in good faith as reasonably necessary to meet its respective legal obligations under Applicable Data Protection Laws.

2.4. Dual Role. For account management, billing, and platform analytics, Eloquent AI may function as an independent controller.

3. Scope of Processing

3.1. Subject Matter. The processing is carried out to deliver the services specified under the Agreement.

3.2. Duration. Personal Data will be processed for the term of the Agreement unless otherwise required by law.

3.3. Nature and Purpose. Eloquent AI processes data for service delivery, maintenance, improvement, and regulatory compliance.

3.4. Categories of Data Subjects. Employees, contractors, and end-users engaging with the services.

3.5. Categories of Personal Data. Contact information, account credentials, communication records, and customer-provided data.

4. Subprocessing

4.1. Authorised Subprocessors. Eloquent AI maintains a current list of authorised subprocessors at eloquentai.co/legal/subprocessors. All subprocessors are bound by GDPR- and CCPA-compliant safeguards via Standard Contractual Clauses (SCCs).

4.2. Notification of Changes. Eloquent AI will notify Customer of any subprocessor changes, providing a ten (10) day objection period before the change takes effect. Continued use of the Services after the notice period constitutes acceptance.

4.3. Subprocessor Obligations.All subprocessors are subject to data protection obligations no less stringent than those in this DPA. Customer's remedies for subprocessor failures are limited to those available against Eloquent AI for negligence or wilful misconduct.

5. Security Measures

5.1. Technical and Organisational Measures. Eloquent AI implements and maintains appropriate technical and organisational security measures, including:

• Data encryption (AES-256 at rest, TLS 1.2 or higher in transit).
• Role-based access control and multi-factor authentication.
• Regular penetration testing and vulnerability assessments.

Eloquent AI does not guarantee absolute security but will implement measures aligned with industry standards.

5.2. Data Breach Notification. Eloquent AI will notify the Customer within 48 hours of confirmation of any Personal Data Breach, providing sufficient detail to enable Customer to meet its regulatory reporting obligations.

6. Data Subject Rights

6.1. Assistance. Eloquent AI will provide reasonable assistance to Customer in responding to data subject requests regarding access, rectification, deletion, or portability of Personal Data, where feasible.

6.2. Redirection of Requests. Direct requests from data subjects will be redirected to the Customer unless prohibited by law.

6.3. Personally Identifiable Information (PII). Personal Data will be deleted or de-identified once it no longer serves a lawful business purpose. Eloquent AI will honour verified deletion requests under GDPR, CCPA/CPRA unless legal retention obligations apply.

7. International and Cross-Border Data Transfers

7.1. Data transfers outside the EEA or UK are governed by the EU Standard Contractual Clauses (2021/914/EU, Modules Two and Three) and, where applicable, the UK International Data Transfer Addendum.

7.2. Eloquent AI implements supplementary technical and organisational safeguards aligned with EDPB guidance to protect transferred data.

7.3. Data processed in the United States complies with applicable state privacy laws, including CCPA/CPRA, with Eloquent AI acting as a Service Provider.

7.4. Customer acknowledges that international transfers are necessary for the delivery of the Services.

8. Retention and Deletion

8.1. Upon termination of the Agreement, Customer may request the return or deletion of all Personal Data, unless retention is required by applicable laws.

8.2. SaaS customer data is retained for up to sixty (60) days post-termination. Support records may be retained for compliance or audit purposes in accordance with applicable law.

9. Audits and Compliance

9.1. Third-Party Audits. Eloquent AI conducts regular third-party security assessments and will provide audit reports to Customer upon request.

9.2. Customer Audits.Customer may conduct one (1) audit per calendar year upon thirty (30) days' prior written notice, subject to agreed scope and reasonable costs. Eloquent AI is not required to disclose proprietary information or other customers' data.

10. Amendments

Eloquent AI may update this DPA to reflect legal changes or subprocessor modifications with thirty (30) days' prior written notice. Continued use of the Services following notice constitutes acceptance of the amended DPA.

11. CCPA / CPRA Service-Provider Commitments

For California residents, Eloquent AI acts as a Service Provider under CCPA/CPRA. Eloquent AI commits not to sell, share, or retain Personal Data for any purpose other than performing the Services or as required by law.

12. General Provisions

12.1. Governing Law. This DPA is governed by the law specified in the underlying Agreement.

12.2. Costs. Compliance activities requested beyond the scope of this DPA may incur reasonable costs, to be agreed upon in writing.

Annex 1: Details of Processing

• Purpose: To deliver and improve Eloquent AI's services.
• Duration: For the term of the Agreement or as required by law.
• Categories of Data Subjects: Employees, contractors, and end-users.
• Categories of Personal Data: Contact details, account information, communication records.

Annex 2: Security Measures

Eloquent AI's security measures include:

1. Access Controls: Role-based and least-privilege access.
2. Encryption: AES-256 for data at rest and TLS 1.2 or higher for data in transit.
3. Incident Management: 24/7 monitoring and a formal incident response programme.
4. Annual SOC 2 Type II and ISO 27001 audits and penetration testing form part of Eloquent AI's ongoing compliance programme.
5. These controls are reviewed at least annually and updated as necessary to maintain effectiveness.