Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") is entered into between Autonimate, doing business as Audiosa ("Processor," "we," "us," or "our"), and the customer ("Controller," "you," or "your") who has agreed to Audiosa's Terms of Service.

This DPA supplements the Terms of Service and governs the processing of Personal Data by Audiosa on behalf of the Controller in connection with the Audiosa platform and services.

This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
• "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
• "Sub-processor" means any third party engaged by Audiosa to process Personal Data on behalf of the Controller.
• "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
• "Processor" means the entity that processes Personal Data on behalf of the Controller.
• "Applicable Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data, including GDPR, CCPA, and other relevant legislation.

3. Scope and Roles

3.1 Roles

The parties acknowledge and agree that with respect to the Processing of Personal Data:

• You are the Controller of the Personal Data
• Audiosa is the Processor acting on your behalf

3.2 Scope of Processing

Audiosa will process Personal Data only as necessary to provide the Services as described in the Terms of Service, including:

• Transcription of audio call recordings
• AI-powered analysis and insights generation
• Storage of recordings, transcripts, and analytics
• Providing access to the Audiosa platform and dashboard

4. Categories of Personal Data

The following categories of Personal Data may be processed under this DPA:

5. Processor Obligations

Audiosa shall:

• Process Personal Data only on your documented instructions, unless required by applicable law
• Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist you in responding to Data Subject rights requests
• Assist you in ensuring compliance with data protection impact assessments and prior consultations with supervisory authorities
• Delete or return Personal Data upon termination of the Services, at your choice
• Make available information necessary to demonstrate compliance with this DPA
• Allow for and contribute to audits conducted by you or your designated auditor

6. Sub-processors

6.1 Authorized Sub-processors

You hereby provide general authorization for Audiosa to engage Sub-processors, subject to the requirements of this Section.

6.2 Current Sub-processors

The following Sub-processors are currently engaged:

6.3 Changes to Sub-processors

We will notify you of any intended changes to Sub-processors by updating the list above and notifying you via email at least 30 days before the change. You may object to such changes by terminating the affected Services.

7. Security Measures

Audiosa implements and maintains the following technical and organizational security measures:

• Encryption of data in transit using TLS 1.2+
• Encryption of data at rest using AES-256
• Access controls and authentication (password policies, session management)
• Regular security assessments and vulnerability scanning
• Employee security training and confidentiality agreements
• Incident response and breach notification procedures
• Business continuity and disaster recovery measures
• Physical security of data center facilities (via hosting providers)

8. Data Subject Rights

Audiosa will assist you in responding to Data Subject requests to exercise their rights under Applicable Data Protection Laws, including:

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object

If Audiosa receives a request from a Data Subject directly, we will promptly notify you and will not respond to the request unless you instruct us to do so or as required by law.

9. Data Breach Notification

Such notification will include:

• Description of the nature of the breach
• Categories and approximate number of Data Subjects affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact point for further information

10. International Data Transfers

Personal Data may be transferred to and processed in the United States and other countries where Audiosa or its Sub-processors operate.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Addendums with Sub-processors that include appropriate safeguards

11. Term and Termination

This DPA shall remain in effect for the duration of the underlying Terms of Service.

Upon termination:

• At your choice, we will delete or return all Personal Data within 90 days
• We will provide certification of deletion upon request
• We may retain Personal Data as required by applicable law

12. Contact Information