Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Master Subscription Agreement or other written or electronic agreement between Telegent ("Data Processor") and you ("Data Controller") (collectively, the "Parties").

This DPA reflects the parties' agreement on the processing of Personal Data in connection with the Telegent enterprise operational intelligence platform and related services.

Parties Subject to this DPA: - All enterprise customers who process personal data through the Platform - Data subjects whose personal data is processed via Telegent services - Sub-processors engaged by Telegent for platform operations

For purposes of this DPA, the following terms have the meanings given below:

Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject") as defined under applicable data protection law, including but not limited to GDPR and HIPAA.

Processing: Any operation or set of operations performed on Personal Data, whether by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.

Data Controller: The entity that determines the purposes and means of processing Personal Data.

Data Processor: The entity that processes Personal Data on behalf of and under the instructions of the Data Controller.

Sub-processor: Any third party engaged by Telegent to process Personal Data on behalf of Data Controller.

Processing Operations: Telegent processes personal data solely for the purpose of providing the Platform services as specified in the applicable service agreement. Processing is conducted only on documented instructions from Data Controller.

Nature of Processing: - Collection and intake of customer communication data - Storage and management of business intelligence inputs - Automated analysis and routing operations - Generation of revenue intelligence outputs - Secure deletion upon contract termination or data controller instruction

Categories of Personal Data: - Contact information (names, emails, phone numbers) - Communication records (calls, messages, emails) - Business intelligence and analytics data - Usage metrics and operational outputs

Data Subjects: - Customer employees and representatives - End users of customer services - Business contacts managed through the Platform

Telegent shall: - Process Personal Data only on documented instructions from Data Controller - Ensure that persons authorized to process Personal Data have committed to confidentiality - Implement appropriate technical and organizational security measures per ISO 27001 standards - Engage sub-processors only with prior written consent and under equivalent obligations - Assist Data Controller in ensuring compliance with applicable data protection obligations - At Data Controller's choice, delete or return all Personal Data upon termination - Make available all information necessary to demonstrate compliance with GDPR Article 28 - Allow for and contribute to audits, including inspections, conducted by Data Controller or an auditor mandated by Data Controller

Security Measures (per GDPR Article 32): - Encryption of personal data at rest and in transit - Pseudonymization and anonymization where appropriate - Ongoing confidentiality, integrity, availability, and resilience - Ability to restore availability and access to personal data in a timely manner - Regular testing and assessment of security measures

Data Controller shall: - Provide accurate and complete instructions for processing - Ensure lawful basis exists for all processing activities - Maintain records of processing activities as required by law - Ensure appropriate consent mechanisms are in place where required - Notify Telegent of any data subject requests within 72 hours - Conduct Data Protection Impact Assessments when required - Ensure that personal data used through the Platform is lawfully obtained - Maintain accuracy of personal data processed through the Platform

Data Subject Rights: Data Controller is responsible for responding to data subject requests. Telegent will provide reasonable assistance to Data Controller in fulfilling these obligations upon request.

Cross-Border Transfers: Data Controller is responsible for ensuring any cross-border transfer of personal data complies with applicable law. Telegent maintains appropriate safeguards including Standard Contractual Clauses for international transfers.

Authorized Sub-processors: Telegent engages the following categories of sub-processors to deliver Platform services:

Infrastructure Providers: - Cloud hosting and data storage services - Backup and disaster recovery services - Network infrastructure and CDN services

Communication Services: - Telecom carriers for voice and SMS delivery - Email service providers - Notification delivery services

Security and Compliance: - Security monitoring and SIEM services - Compliance and audit service providers - Identity and access management providers

Prior Authorization: Data Controller grants general written authorization for Telegent to engage new sub-processors. Telegent will provide 30 days notice before engaging new sub-processors, during which Data Controller may object in writing.

Liability: Telegent remains liable to Data Controller for the performance of sub-processor obligations.

Notification Obligations: In the event of a Personal Data Breach, Telegent will notify Data Controller without undue delay, and within 72 hours at minimum per GDPR requirements.

Breach Notification Contents: - Nature of the breach including categories and approximate number of data subjects affected - Contact point for further information - Likely consequences of the breach - Measures proposed or taken to address the breach - Steps data subjects can take to protect themselves

Cooperation: Telegent will fully cooperate with Data Controller in investigating, mitigating, and reporting the breach to supervisory authorities and data subjects as required.

Documentation: Telegent maintains documented evidence of all personal data breaches and remedial actions taken for regulatory review.

Contract Termination: Upon termination of the service agreement, Telegent will, at Data Controller's election: - Return all Personal Data in a structured, commonly used, machine-readable format (CSV, JSON, or XML) - Securely delete all Personal Data from our systems and sub-processor systems - Provide written certification of deletion upon request

Deletion Timeline: Standard deletion procedures complete within 30 days of contract termination. Secure destruction certificates are provided upon completion.

Data Retention: Upon contract expiration, Telegent will retain Personal Data for a maximum of 90 days to facilitate smooth transition, after which all data is permanently deleted unless legally required to retain longer.

Export Assistance: Enterprise customers may request data export assistance during the 90-day transition period. Export fees apply for non-standard formats or volumes exceeding 10GB.