Nomorobo
Data Processing Agreement
This Data Processing Agreement ("DPA") is incorporated by reference into the Master Service Agreement ("MSA") between Nomorobo (the "Service Provider") and the contracting business entity (the "Client").
Throughout this DPA:
Nomorobo refers to the Service Provider in its role as a processor of Personal Data under applicable Privacy Laws.
Client refers to the business entity that controls the purposes and means of processing Personal Data. Client is the "Controller" or "Business" as defined in applicable Privacy Laws.
1. Definitions
The following definitions apply throughout this DPA:
2. Scope and Applicability
2.1 General Application
This DPA applies when Nomorobo processes Personal Data on behalf of Client in connection with the Services described in the applicable Statement of Work (SOW).
2.2 Limited Applicability
Where no Personal Data is processed under a particular SOW, only Sections 1, 2, 6, 7, 8, and Exhibit A of this DPA apply.
2.3 Engagement-Specific Details
The specific categories of Personal Data, purposes of processing, data subjects, retention periods, and types of processing for each engagement are documented in the applicable SOW and in Exhibit B (Details of Processing).
3. Roles and Ownership
3.1 Client as Controller
Client is the "Controller" or "Business" as defined in applicable Privacy Laws.
3.2 Nomorobo as Processor
Nomorobo is the "Processor" or "Service Provider" as defined in applicable Privacy Laws.
3.3 Data Ownership
Client retains ownership of all rights, title, and interest in the Personal Data processed by Nomorobo. Nomorobo shall not acquire any ownership rights in such Personal Data.
3.4 Definitions
Terms used but not defined in this DPA shall have the meanings ascribed to them in applicable Privacy Laws and the MSA.
4. Data Privacy Obligations
Nomorobo certifies and agrees that it will:
4.1 Compliance with Privacy Laws
Comply with all applicable Privacy Laws and assist Client in complying with its obligations. Nomorobo will implement reasonable technical and organizational measures to protect Personal Data.
4.2 Immediate Notification of Non-Compliance
Immediately inform Client in writing if Nomorobo cannot meet any obligation under this DPA or if Client's instructions would violate applicable Privacy Laws.
4.3 No Breach of Law
Not take any action that would directly cause Client to breach applicable Privacy Laws.
4.4 No Dark Patterns
Not employ any Dark Patterns in processing or handling Personal Data.
4.5 Processing Per Instructions Only
Process Personal Data only in accordance with Client's documented instructions, unless required by applicable law. Specifically, Nomorobo shall NOT:
- Sell or Share Personal Data without Client's prior written consent
- Retain, use, or disclose Personal Data for purposes other than those specified in this DPA and the SOW
- Use Personal Data outside the direct business relationship with Client
- Combine Personal Data with data from other sources without Client's express written permission
4.6 Limited Employee Access
Limit access to Personal Data to employees and contractors with a legitimate need-to-know who are bound by written confidentiality obligations no less protective than this DPA.
4.7 No Disclosure to Subprocessors or AI Platforms
Not disclose Personal Data to any third-party subprocessor, Generative AI platform, or other processor without Client's prior express written agreement. This includes cloud service providers, analytics platforms, and AI/ML systems.
4.8 Subprocessor Management
If Client authorizes subprocessors, Nomorobo shall:
- Obtain Client's prior written authorization before engaging any subprocessor
- Ensure each subprocessor is bound by written obligations equivalent to this DPA
- Remain fully liable to Client for subprocessor performance
- Provide at least 30 days' notice before adding or replacing a subprocessor
- Allow Client to object on reasonable grounds and work in good faith toward resolution
- Permit Client to terminate the affected SOW without penalty if no agreement is reached
4.9 Data Localization
Store and process all Personal Data exclusively within the United States. Personal Data shall not be transferred to, stored in, or processed in any country outside the United States without Client's prior written consent.
4.10 Compliance Verification
Comply with Client's reasonable requests to audit, assess, or verify Nomorobo's compliance with this DPA and applicable Privacy Laws, including providing documentation and system access.
4.11 Data Return or Deletion Upon Termination
Upon termination or expiration of the applicable SOW or this DPA, Nomorobo shall, at Client's written direction:
- Delete all Personal Data in Nomorobo's possession, or
- Return all Personal Data to Client in a commonly used, machine-readable format
Nomorobo shall provide written certification of deletion or return within 60 days. If legally required to retain Personal Data, Nomorobo shall identify the legal requirement in writing and continue protecting such data per this DPA.
5. Data Subject Requests
5.1 Assistance with Data Subject Requests
If Client notifies Nomorobo of a Data Subject request (such as a request to access, delete, correct, or port Personal Data), Nomorobo will provide reasonable assistance to Client in fulfilling that request, to the extent the relevant Personal Data is in Nomorobo's possession or accessible to Nomorobo.
5.2 Notification of Complaints and Requests
If Nomorobo receives a complaint, inquiry, or request from a data subject or government authority relating to Privacy Laws or Personal Data processing, Nomorobo will promptly notify Client in writing with sufficient detail for Client to respond.
5.3 Contact for Requests
Data subject requests should be directed to privacy@nomorobo.com. Nomorobo will forward any such requests to Client for handling.
6. Security
6.1 Security Controls and Program
Nomorobo maintains a written information security program with administrative, technical, and physical safeguards designed to:
- Ensure confidentiality, integrity, and availability of Personal Data
- Protect against threats to the security of Personal Data and against unauthorized access to it
- Comply with applicable Privacy Laws
Nomorobo applies security controls commensurate with data sensitivity and consistent with industry standards (ISO 27001, NIST Cybersecurity Framework, or equivalent). For Sensitive Personal Data, Nomorobo adheres to these industry standards as a minimum. If processing payment card data, Nomorobo maintains PCI DSS compliance.
6.2 Incident Response
6.2.1 Nomorobo maintains and regularly tests a written incident response plan enabling prompt discovery, investigation, and remediation of security incidents.
6.2.2 Data Breach Notification: Nomorobo will notify Client without unreasonable delay, but no later than 48 hours after discovering a Data Breach. The notification will include:
- The nature and scope of the breach
- Approximate date and time of discovery
- Types of Personal Data compromised
- Likely impact on affected data subjects
- Actions taken or planned to mitigate harm and prevent recurrence
6.2.3 Nomorobo will fully cooperate with Client's incident response activities, including investigation, forensics, and remediation.
6.3 Security Assessments
6.3.1 Client may conduct security assessments (on-site or remote) to verify compliance. Assessments shall occur no more than once per calendar year under normal circumstances, with at least 15 business days' notice, unless a security incident is suspected, in which case shorter notice is permitted.
6.3.2 Nomorobo will provide copies of current SOC 2 Type II and PCI DSS compliance reports where applicable, in lieu of duplicative on-site assessments.
6.3.3 Nomorobo will remediate any security deficiencies identified during assessments within 90 days, or such shorter period as required for critical issues.
7. Certification and Violation Rights
7.1 Nomorobo certifies that it understands its obligations under this DPA and applicable Privacy Laws and will comply with them.
7.2 If Nomorobo violates any material term of this DPA or applicable Privacy Laws, Client may determine and implement appropriate remedial action, including termination of the affected SOW and/or this DPA, without penalty or further notice.
8. Liability
The limitations on liability and caps on aggregate liability contained in the MSA do not apply to and are specifically excluded from breaches of this DPA. Nomorobo's indemnification and liability obligations for violations of this DPA are not subject to MSA liability limitations.
9. Insurance
Nomorobo maintains Cyber Risk and Privacy Liability Insurance with minimum coverage limits of $2,000,000 per occurrence. A certificate of insurance is available upon request.
10. Indemnity
Nomorobo's indemnification obligations for breaches of this DPA are subject to the indemnification provisions in the MSA, except that indemnification obligations owed directly to Data Subjects are in addition to and separate from MSA indemnification obligations.
11. Changes to This DPA
Nomorobo may modify this DPA to comply with new or changed Privacy Laws. Material changes will be communicated to Client with at least 30 days' notice. Client's continued use of the Services following such notice constitutes acceptance of the modified DPA. If Client objects to material changes, Client may terminate the affected SOW in accordance with the dispute resolution procedures in the MSA.
Exhibit B: Details of Processing
The following table provides details of Personal Data processing under this DPA. These details shall be documented in the applicable Statement of Work (SOW) or this Exhibit. For engagements that do not involve Personal Data processing, this Exhibit is not applicable.
| Processing Detail | Details / Response |
|---|---|
| A. Categories of Data Subjects | [Employees / Consumers / Website Users / Business Contacts - as specified in SOW] |
| B. Categories of Personal Data | [Personal Identifiers, Customer Records, Commercial Info, Protected Classifications, Internet Activity, Audio/Visual, Professional Info, Education, Inferences, Financial Info, Health Info, Criminal, Sensitive PI - as specified in SOW] |
| C. Frequency of Transfer | [One-off / Continuous - as specified in SOW] |
| D. Nature of Processing | [Collecting / Receiving / Holding / Using / Updating / Protecting / Sharing / Returning / Erasing - as specified in SOW] |
| E. Purpose of Processing | [As specified in SOW] |
| F. Retention Period | [As specified in SOW] |
| G. Subject Matter | [As specified in SOW] |
| H. Duration of Processing | For the term of the applicable SOW |
