VOXAPP LTD
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) is made between VoxApp Ltd (“VoxApp,” “we,” “us,” or “our”) and you, the individual or entity that has entered into our Terms and Conditions with us (“Customer,” “you,” or “your”), collectively referred to as the “Parties” and each a “Party.” This DPA supplements the Terms and Conditions between the Parties and applies to the provision of Services under those Terms and Conditions. This DPA applies only where you are located in the European Union, the United Kingdom, or, to the extent relevant, where the New Zealand Privacy Act 2020 applies.
Capitalised terms not defined herein shall have the meanings assigned to them in the Terms and Conditions.
BACKGROUND
- The Parties have entered into the Terms and Conditions for the provision of Services.
- The Parties wish to implement this DPA to define their respective rights and obligations regarding the processing of Personal Data under the Terms and Conditions.
- When you or your authorised users provide Personal Data to us to sign up for our Services and create an account, we act as a Data Controller for that account information. When you input or upload Personal Data into the Services and we process it on your behalf, you act as a Data Controller, and we act as a Data Processor.
- For the purposes of the EU Standard Contractual Clauses (“EU SCCs”) and/or the UK Addendum, we are the Data Importer, and you are the Data Exporter.
1. DEFINITIONS AND INTERPRETATION
In this DPA, unless the context requires otherwise:
- Applicable Data Protection Law means laws and regulations applicable to the processing of Personal Data by the Parties, including:
  - The EU GDPR;
  - The UK GDPR;
  - The New Zealand Privacy Act 2020; and
  - The Australian Privacy Principles under the Privacy Act 1988 (Cth).
- Controller means the Party specified in the Background section as the Controller, as defined under the EU GDPR or UK GDPR.
- Data Subject means an individual identified or identifiable by Personal Data.
- DPA means this Data Processing Agreement and its Annexes.
- EEA means the European Economic Area.
- EU GDPR means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data.
- EU SCCs means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021.
- Personal Data means any data processed by VoxApp on behalf of the Customer under the Terms and Conditions.
- Processor means VoxApp, acting as a Processor under the EU GDPR or UK GDPR.
- Restricted Transfer means:
  - A transfer of Personal Data from the EEA to a country outside the EEA not subject to an adequacy determination; or
  - A transfer of Personal Data from the UK to a country not subject to adequacy regulations under the UK Data Protection Act 2018.
- Services means the services provided under the Terms and Conditions.
- Sub-Processor means any third party appointed by VoxApp to process Personal Data on behalf of the Customer.
- UK Addendum means the international data transfer addendum to the EU SCCs implemented by the UK Information Commissioner’s Office.
- UK GDPR means the EU GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018.
2. COMMENCEMENT AND TERM
This DPA will commence on the Contract Start Date (which is the date you signed up for VoxApp) and continue for as long as the Terms and Conditions remain in effect or for as long as VoxApp retains any Personal Data (whichever is longer).
3. PROCESSING OF PERSONAL DATA
3.1 Role of the Parties
- VoxApp will process Personal Data only to provide the Services in accordance with the Customer’s instructions under the Terms and Conditions and this DPA.
3.2 Compliance
- The Customer agrees to comply with Applicable Data Protection Laws and to establish a legal basis for processing and transferring Personal Data to VoxApp.
- VoxApp will promptly notify the Customer if it believes an instruction violates Applicable Data Protection Laws.
4. DATA SUBJECT REQUESTS
4.1 Direction of Requests
- If VoxApp receives a request directly from a Data Subject, it will forward the request to the Customer unless legally required to respond.
4.2 Assistance
- VoxApp will assist the Customer in fulfilling its obligations under Applicable Data Protection Laws to respond to Data Subject requests (e.g., requests for access, rectification, erasure, data portability).
5. CONFIDENTIALITY
VoxApp will ensure that its personnel and advisors processing Personal Data are subject to binding confidentiality obligations. VoxApp shall not disclose or use Personal Data without the Customer’s authorisation, except as required by law.
6. SUB-PROCESSORS
6.1 Use of Sub-Processors
- VoxApp may engage Sub-Processors to provide certain aspects of the Services on its behalf.
- VoxApp will remain liable for any acts or omissions of its Sub-Processors that cause it to breach any of its obligations under this DPA.
6.2 Written Agreements
- VoxApp will ensure each Sub-Processor is bound by written agreements that impose data protection obligations at least as protective as those set out in this DPA.
(No specific Sub-Processor list is provided.)
7. SECURITY
7.1 Technical and Organisational Measures
- VoxApp will implement technical and organisational measures to ensure the security of Personal Data. Examples are provided in Annex 2.
7.2 Customer Obligations
- The Customer is responsible for reviewing the information made available by VoxApp relating to data security and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations.
8. AUDITS AND INSPECTIONS
8.1 Right to Audit
- VoxApp will allow for and contribute to reasonable audits and inspections by the Customer (or a third-party auditor mandated by the Customer) to verify VoxApp’s compliance with this DPA, subject to reasonable notice and confidentiality obligations.
8.2 Scope of Audit
- Any audit must be conducted during normal business hours, without interfering with VoxApp’s business operations, and must comply with the Parties’ confidentiality obligations.
9. PERSONAL DATA BREACH
9.1 Notification
- VoxApp will notify the Customer without undue delay (and, where feasible, within 48 hours) upon becoming aware of any Personal Data Breach.
9.2 Mitigation and Cooperation
- VoxApp will promptly take reasonable steps to contain and remediate the breach and assist the Customer in meeting its breach notification obligations under Applicable Data Protection Laws.
10. DATA PROTECTION IMPACT ASSESSMENT
Where required by Applicable Data Protection Laws, VoxApp will provide reasonable assistance to the Customer in conducting data protection impact assessments and any necessary prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to VoxApp.
11. DELETION OR RETURN OF PERSONAL DATA
Upon termination or expiry of the Terms and Conditions, VoxApp will delete or return all Personal Data (including copies) within 90 days, unless it is required to retain the data by law. If the Customer requests a return of the data, VoxApp will provide it in a commonly used file format.
12. RESTRICTED TRANSFERS
12.1 EEA Transfers
- Where a transfer of Personal Data is a Restricted Transfer under the EU GDPR, the EU SCCs will apply and are incorporated by reference into this DPA.
12.2 UK Transfers
- Where a transfer is a Restricted Transfer under the UK GDPR, the UK Addendum will apply and is incorporated by reference into this DPA.
12.3 Hierarchy
- In the event of a conflict between this DPA and the EU SCCs or the UK Addendum, the EU SCCs or the UK Addendum (as applicable) shall prevail.
13. LIABILITY
Each Party’s liability arising out of or related to this DPA (whether in contract, tort, or under any other theory of liability) is subject to the limitations of liability set out in the Terms and Conditions. Nothing in this DPA limits liability where such limitation is prohibited by Applicable Data Protection Laws.
14. GENERAL
14.1 Governing Law
- This DPA is governed by and construed in accordance with the laws of England and Wales.
14.2 Order of Precedence
- In the event of a conflict, the following order of precedence applies:
  - EU SCCs or UK Addendum (as relevant);
  - Annexes to this DPA;
  - This DPA; and
  - The Terms and Conditions.
14.3 Severability
- If any provision of this DPA is found to be invalid or unenforceable, that provision shall be deemed amended to the minimum extent necessary to make it valid and enforceable, and the remaining provisions shall remain in full force and effect.
14.4 Entire Agreement
- This DPA, including its Annexes, together with the Terms and Conditions and any documents incorporated by reference, constitutes the entire agreement of the Parties with respect to its subject matter and supersedes all prior and contemporaneous agreements.
ANNEX 1: DESCRIPTION OF TRANSFER
- Data Controller: Customer
- Data Processor: VoxApp Ltd
- Personal Data Transferred: Identity, Contact, Professional, Financial, Technical, Profile, and Marketing Data (or as otherwise specified by the Customer).
- Data Subjects: May include the Customer’s customers, employees, contractors, candidates, and/or other individuals about whom Personal Data is provided to VoxApp through use of the Services.
- Purpose of Processing: To provide the Services under the Terms and Conditions.
- Duration of Processing: For the term of the Terms and Conditions and up to 90 days after termination or expiry (or such longer period as may be required by law).
ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES
- Encryption: Transport Layer Security (TLS) 1.2 or higher for data in transit.
- Access Control: Role-based access and multi-factor authentication for administrative access.
- Network Security: Firewalls and intrusion detection mechanisms to monitor network traffic.
- Physical Security: Hosting in secure data centres with restricted access and robust physical security controls.
- Disaster Recovery: Regular backups and testing of disaster recovery procedures to ensure continuity of service.