Data Processing Agreement

1. Definitions

In this DPA, the following terms shall have the meanings set out below:

• "Data Protection Laws" means all applicable laws relating to data protection and privacy, including CCPA and any other applicable U.S. laws
• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, or deletion
• "Sub-processor" means any third party appointed by Gnosi to process Personal Data
• "Data Subject" means the individual to whom Personal Data relates
• "Controller" means the entity that determines the purposes and means of Processing
• "Processor" means the entity that Processes Personal Data on behalf of the Controller

2. Data Processing Details

2.1 Nature and Purpose of Processing

Gnosi will Process Personal Data as necessary to provide the AI-powered phone answering services pursuant to the Terms of Service and as further instructed by Customer through the use of the Services.

2.2 Categories of Data Subjects

• Customer's clients and prospects who call
• Customer's employees and contractors
• Any other individuals whose calls are processed through the Service

2.3 Types of Personal Data

2.4 Duration of Processing

Processing will continue for the duration of the Agreement and as necessary for Gnosi to comply with its legal obligations, resolve disputes, and enforce agreements.

3. Data Processor Obligations

Gnosi shall:

• Process Personal Data only on documented instructions from Customer
• Ensure that persons authorized to process Personal Data have committed to confidentiality
• Implement appropriate technical and organizational measures to ensure security
• Not engage another processor without prior specific or general written authorization
• Assist Customer in responding to data subject requests
• Assist Customer in ensuring compliance with security, breach notification, and assessment obligations
• Delete or return all Personal Data at the end of services
• Make available all information necessary to demonstrate compliance

4. Security Measures

Gnosi implements and maintains the following technical and organizational measures:

4.1 Technical Measures

• Encryption of data in transit (TLS 1.2 or higher)
• Encryption of data at rest (AES-256)
• Firewalls and intrusion detection systems
• Regular security patches and updates
• Access logging and monitoring
• Regular vulnerability scanning

4.2 Organizational Measures

• Access control and authorization procedures
• Employee confidentiality agreements
• Regular security training
• Incident response procedures
• Business continuity and disaster recovery plans
• Regular security audits

5. Sub-processors

5.1 Authorized Sub-processors

Customer acknowledges and agrees that Gnosi may engage the following Sub-processors:

5.2 New Sub-processors

Gnosi shall notify Customer of any intended changes concerning the addition or replacement of Sub-processors, giving Customer the opportunity to object to such changes within 30 days.

6. Data Subject Rights

Gnosi shall assist Customer in fulfilling its obligations to respond to Data Subject requests, including:

• Access: Providing copies of Personal Data
• Rectification: Correcting inaccurate Personal Data
• Erasure: Deleting Personal Data ("right to be forgotten")
• Restriction: Limiting Processing of Personal Data
• Portability: Providing Personal Data in a structured format
• Objection: Ceasing Processing based on legitimate interests

7. Data Breach Notification

7.1 Notification Requirements

In the event of a Personal Data breach, Gnosi shall:

• Notify Customer without undue delay and within 72 hours of becoming aware
• Provide details of the nature and scope of the breach
• Describe likely consequences of the breach
• Detail measures taken or proposed to address the breach
• Cooperate with Customer in investigating the breach

7.2 Documentation

Gnosi shall maintain records of all breaches, including facts, effects, and remedial action taken.

8. Data Location

Customer acknowledges that Gnosi processes and stores data in the United States. By using our services, Customer consents to the processing and storage of Personal Data in the United States.

9. Audits and Inspections

9.1 Audit Rights

Customer has the right to conduct audits to verify Gnosi's compliance with this DPA:

• Maximum of one audit per year unless required by Data Protection Laws
• 30 days written notice required
• Conducted during business hours with minimal disruption
• Customer bears all costs of the audit

9.2 Certifications

Gnosi shall provide Customer with copies of relevant certifications and audit reports upon request, including SOC 2 reports and security assessments.

10. Data Deletion and Return

Upon termination of the Agreement:

• Gnosi shall, at Customer's choice, delete or return all Personal Data
• Data return will be in commonly used, machine-readable format
• Deletion will be completed within 30 days of termination
• Certificate of deletion will be provided upon request
• Legal retention requirements may override deletion obligations

11. Liability and Indemnification

Each party shall indemnify the other against all damages, losses, and expenses arising from breaches of this DPA or Data Protection Laws.

12. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Obligations relating to confidentiality, data deletion, and any provisions that by their nature should survive shall continue after termination.

13. Governing Law

This DPA shall be governed by the laws specified in the Terms of Service. However, nothing in this DPA shall be construed to limit either party's rights under Data Protection Laws.

14. Contact Information