Data processing Agreement

This Data Processing Agreement, inclusive of its annexures, exhibits and attachments, (collectively referred to as the “DPA”) forms a part of the Master Software and Services Agreement (“Agreement”) entered into by and between Intuon Analytics and Customer.

Definitions

Any capitalised term not defined in this DPA shall have the meaning given to it in the Agreement.

Affiliates +

shall mean a person or entity directly or indirectly controlling, controlled by, or under common control with a Party. For the purposes of this definition, "Control" means, with respect to any person or entity, the right to exercise or cause the exercise of at least fifty-one (51) per cent or more of the equity or other voting rights in such person or entity or the power to direct or cause the direction of the management or policies of such entity.

Agreement +

shall mean all current and future agreements between Intuon Analytics and Customer in connection with which Intuon Analytics provides Software Services involving the Processing of Personal Data on behalf of Customer. This DPA is incorporated into such Agreement(s) by this reference.

Controller +

shall mean the Customer. (Other definitions for Data Subject, DPA, EEA, EU GDPR, FDPA, Personal Data, Restricted Transfer, Services, SCCs, Sub-processor, Supervisory Authority, and UK GDPR follow the same structure).

Data Protection Law +

shall mean all applicable laws and regulations of the EU, EEA, UK, and their member states, including EU GDPR, UK GDPR, FDPA, CCPA, and related legislation. (Additional definitions are included but omitted here for brevity).

Purpose & Scope

2. Purpose

2.1. The Processor shall process Customer Content, which may include Personal Data, in accordance with this DPA while providing the Services.

3. Scope

Limited Processing (3.1) +

The Processor shall process Personal Data only to the extent necessary to provide the Services in accordance with the Agreement, this DPA, and the Controller’s documented instructions.

Authority of Personnel (3.2) +

Both Parties must take steps to ensure that any natural person acting under their authority who has access to Personal Data does not process them except on the instructions from the Controller or as required by any Data Protection Law.

Processor Obligations

4.1, 4.2, 4.3. The Processor must process Personal Data only within the scope of this DPA and Controller instructions. Processor must notify Controller if instructions violate Data Protection Law.

Personnel Requirements (4.4) +

Processor shall ensure all employees/contractors handling Personal Data are aware of its confidential nature, are contractually bound to confidentiality, have received appropriate training, and are bound by this DPA.

Technical & Organisational Measures (4.5, 4.6, 4.7, 4.8) +

Processor shall implement appropriate TOMs, including pseudonymisation, encryption, ensuring confidentiality/integrity/availability, and regular security testing. TOMs detailed in Annex 2 are a minimum standard and Processor shall comply with all data security requirements of the Agreement.

Assistance to Controller (4.9) +

The Processor shall assist the Controller by having in place appropriate TOMs for the fulfilment of the Controller's obligation to respond to Data Subject requests and data protection compliance obligations.

 

Controller Obligations & Sub-processors

5. Controller Obligations

5.1. The Controller warrants that it complies with Data Protection Law, has obtained all necessary permissions, and ensures its Affiliates comply with this DPA.

Controller's TOMs (5.2) +

The Controller shall implement appropriate TOMs, including pseudonymisation, encryption, ensuring integrity/availability, and regularly testing security measures, similar to Processor's obligations.

Fees for Assistance (5.3) +

The Controller acknowledges that assistance with audits, DPIAs, or other requests may result in additional fees, which the Processor shall notify of in advance.

6. Sub-processors

Authorisation and Notification (6.1, 6.3, 6.4) +

Controller authorises use of Sub-processors (including Affiliates). Processor shall provide 30 days prior notification of new or replacement Sub-processors, and the Controller may object in writing within ten (10) Business Days.

Flow-Down & Transfers (6.5, 6.6) +

All Sub-processors must be appointed under a written contract containing materially the same data protection obligations as the Processor's in this DPA. Sub-processors may make Restricted Transfers with adequate safeguards (e.g., SCCs).

Restricted Transfers & DSAR

7. Restricted Transfers

7.1. Restricted Transfers between Parties (Controller/Processor/Sub-processor) shall be subject to the applicable SCCs (EU, UK, or Swiss).

SCCs Application & Governing Law (7.2, 7.3) +

EU SCCs apply to EEA transfers (Module 2, 3, or 4 applies based on roles). Governing law for EU SCCs is Irish law, disputes resolved by courts of Ireland. Specific adjustments are made for transfers governed by the Swiss FDPA.

8. Data Subject Access Requests (DSAR)

Handling DSARs (8.1, 8.2) +

Controller may require correction, deletion, or blocking of Personal Data. If Processor receives a DSAR, it will refer the Data Subject to the Controller (unless prohibited by law), and the Controller shall reimburse the Processor for costs incurred from providing reasonable assistance.

Audit to General Provisions

9. Audit

Processor shall make available necessary information for compliance and contribute to audits/inspections. Audits primarily consist of reviewing independent auditor reports; more extensive audits require notice and must not interfere with business.

10. Personal Data Breach

Processor shall notify Controller without undue delay (and in any event within 24 hours of discovery) of any Personal Data Breach and take all reasonable measures to secure the data and limit effects.

11. Compliance, Cooperation and Response

Processor shall assist with DPIAs and notify Controller of adverse requests/complaints. Controller must notify Processor of changes to data protection laws; if non-compliance results, Controller may terminate the affected Services.

12. Liability

The limitations on liability set out in the Agreement apply to all claims. Processor is liable for breaches caused by its Sub-processors; Controller is liable for breaches caused by its Affiliates.

13. Term and Termination

The DPA term commences with the Agreement and terminates automatically with its expiry or termination.

14. Deletion and Return of Personal Data

Processor shall, at Controller's choice (upon request within 30 days of Services end), delete or return Personal Data. All copies must be deleted within 6 months of termination, or within 1 year for partial data stored in backups.

15. General

This DPA is the entire understanding of the Parties, governed by the laws of India, with exclusive jurisdiction in Indian courts. It is incorporated into the Agreement.

Annexes

Annex 1: Processing Description

Lists Customer as **Exporter/Controller** and Intuon Analytics as **Importer/Processor**.

Categories of Data & Purpose +

**Data Subjects** include prospects, customers, employees, and users. **Data Categories** include title, position, contact info, order/payment data. **Purpose** is processing anonymized agent voice recordings for Accent Translation and Voice Enhancement Services.

Annex 2: TOMs Summary

Details Technical and Organisational Security Measures, serving as Appendix II to the SCCs.

Key Security Measures +

Includes AES256 encryption at rest, TLS for data in transit, multi-client capability, roles/authorisation based on "least privilege," daily backups, third-party data centers with ISO 27001/SSAE 16 SOC 2, and physical security measures.

Annex 3: List of Sub- Processors

The following third-parties are used for Hosting the Production Environment:

  • Amazon Web Services (India)
  • Microsoft Azure (India)
  • Frappe Cloud (India, USA)

 

 

 

 

 

 

 

|