Data Processing Addendum

Last Updated: April 2026

This Data Processing Addendum (including its Exhibits) (this "DPA") forms part of and is subject to the terms and conditions of the Dialogica Software and Services Agreement (the "Agreement") by and between Client and Dialogica. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. If and to the extent any language in this DPA conflicts with the Agreement, this DPA shall control.

Definitions

For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.

"Client Personal Data" means Client Materials that are Personal Data Processed by Dialogica's cloud computing resources under the Agreement.

"Data Protection Laws" means the privacy and data protection laws, rules and regulations applicable to a party's Processing of Client Personal Data under the Agreement. "Data Protection Laws" may include, but are not limited to, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) ("CCPA"); the EU General Data Protection Regulation 2016/679 ("GDPR") and its respective national implementing legislations; other comprehensive US state privacy laws; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).

"Personal Data" has the meaning assigned to the term "personal data" or "personal information" under applicable Data Protection Laws.

"Process" or "Processing" means any operation or set of operations that is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection; recording; organization; structuring; storage; adaptation or alteration; retrieval; consultation; use; disclosure by transmission; dissemination; or otherwise making available; alignment or combination; restriction; erasure; or destruction.

"Security Incident(s)" means the breach of security leading to the accidental or unlawful destruction, loss, or alteration of, or the unauthorized disclosure of or access to, Client Personal Data attributable to Dialogica.

"Services" means the services that Dialogica performs under the Agreement.

"Subprocessor" means a vendor that Dialogica has engaged to Process Client Personal Data.


Processing Terms for Client Personal Data

Documented Instructions

Dialogica shall Process Client Personal Data to provide the Services in accordance with the Agreement, this DPA, and any instructions agreed upon by the parties. If applicable law requires that Dialogica Process Client Personal Data for other purposes, Dialogica shall inform Client of that legal requirement before engaging in such Processing, unless that law prohibits such information on important grounds of public interest.

Authorization to Use Subprocessors

Client authorizes Dialogica to engage Subprocessors. Dialogica's Subprocessors are listed in Exhibit A. Client acknowledges that Subprocessors may further engage vendors.

Dialogica and Subprocessor Compliance

Dialogica shall (i) enter into a written agreement with Subprocessors that imposes data protection requirements for Client Personal Data on such Subprocessors that are consistent with this DPA; and (ii) remain responsible to Client for the Subprocessors' failure to perform their obligations with respect to the Processing of Client Personal Data.

Right to Object to Subprocessors

Client may subscribe to receive notifications about new Subprocessors by emailing support@;.com. If Client subscribes to new Subprocessor notifications as described in the preceding sentence, Dialogica shall notify Client prior to engaging any new Subprocessor by sending an email to the email address that is listed as Client's account owner or administrator. Dialogica will allow Client ten (10) days to object to the new Subprocessor after notice has been sent ("Objection Period"). Client may reasonably object to a new Subprocessor only if such Subprocessor would cause (i) Client to be in material breach of Data Protection Laws, or (ii) Dialogica to be in breach of Section 2.3 of this DPA. If Client objects to Dialogica's appointment of a new Subprocessor during the Objection Period as contemplated in the preceding sentence, then Dialogica will resolve the grounds for the objection or not allow the new Subprocessor to Process Client Personal Data.

Confidentiality

Any person authorized to Process Client Personal Data shall be subject to a duty of confidentiality, contractually agree to maintain the confidentiality of such information, or be under an appropriate statutory obligation of confidentiality.

Information Security

Dialogica shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Client Personal Data in accordance with the Information Security Standards attached hereto as Exhibit B.

Security Incidents

Notice. Upon becoming aware of a Security Incident, Dialogica shall provide written notice without undue delay and within the time frame required under Data Protection Laws to Dialogica's primary contact at Client's organization, or the email address that is listed as Client's account owner or administrator. Where possible, such notice will include all available details required under applicable Data Protection Laws for Client to comply with its own notification obligations to government authorities and/or individuals affected by the Security Incident.

Investigation. Dialogica shall use reasonable efforts to investigate the Security Incident and provide Client with information concerning the scope, cause, impact of, and remediation measures referenced in Section 2.7.3 below taken with respect to such Security Incident upon the initial notification referenced in Section 2.7.1 above, or, if not available at such time, promptly thereafter upon Client's written request.

Remediation. Dialogica shall use commercially reasonable efforts to remediate the Security Incident as it relates to Dialogica's impacted systems.

Exceptions. Dialogica will not have any obligations under Section(s) 2.7.2 – 2.7.3 if a Security Incident is attributable to Client.

Cross-Border Transfers of Client Personal Data; EU Standard Contractual Clauses

Client authorizes Dialogica and its Subprocessors to transfer Client Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States. If Client Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Client to Dialogica in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by the applicable obligations set forth in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("Standard Contractual Clauses") as supplemented by Exhibit C attached hereto, the terms of which are incorporated herein by reference. Each party's execution of the Agreement shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.

Personal Data Inquiries and Requests

Dialogica shall provide reasonable assistance to Client as required by applicable Data Protection Laws in response to any requests from individuals exercising their rights in Client Personal Data granted to them under applicable Data Protection Laws.

Data Protection Assessment, Data Protection Impact Assessment, and Prior Consultation

Dialogica shall provide reasonable assistance and information to Client as required by applicable Data Protection Laws where, in Client's judgment, the type of Processing performed by Dialogica requires a data protection assessment, data protection impact assessment, and/or prior consultation with the relevant data protection authorities.

Demonstrable Compliance

Dialogica shall provide information reasonably necessary to demonstrate compliance with this DPA as required by applicable Data Protection Laws upon Client's reasonable request.

Audits or Assessments

Where Data Protection Laws afford Client an audit or assessment right, Client (or its appointed representative) may carry out an audit or assessment of Dialogica's policies, procedures, and records relevant to the Processing of Client Personal Data. Any audit or assessment must be: (i) conducted during Dialogica's regular business hours; (ii) with reasonable advance notice to Dialogica; (iii) carried out in a manner that prevents unnecessary disruption to Dialogica's operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit or assessment shall be limited to once per year, unless an audit or assessment is carried out at the direction of a government authority with jurisdiction over the Processing of Client Personal Data.

Service Provider Terms

To the extent that Dialogica's Processing of Client Personal Data is subject to the CCPA, this Section 2.13 also applies. Client discloses or otherwise makes available Client Personal Data to Dialogica for the limited and specific purpose of Dialogica providing the Services to Client in accordance with the Agreement and this DPA. Dialogica shall: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Client if it can no longer meet its obligations under the CCPA; (iv) not "sell" or "share" (as such terms are defined by the CCPA) Client Personal Data; (v) not retain, use, or disclose Client Personal Data for any purpose (including any commercial purpose) other than to provide the Services under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Client Personal Data outside of the direct business relationship between Client and Dialogica; and (vii) unless required to provide Dialogica's products and services, not combine Client Personal Data with Personal Data that Dialogica (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. Dialogica will permit Client, upon reasonable request, to take reasonable and appropriate steps to ensure that Dialogica Processes Client Personal Data that is subject to this Section 2.13 in a manner consistent with the obligations of a "business" under the CCPA by requesting that Dialogica attest to its compliance with this Section 2.13. Following any such request, Dialogica will promptly provide that attestation or an explanation of why it cannot provide it. 
If Client reasonably believes that Dialogica is engaged in unauthorized Processing of Client Personal Data that is subject to this Section 2.13, Client will notify Dialogica of such belief, and the parties will work together in good faith to remediate the allegedly violative Processing activities, if necessary.

Deletion of Client Personal Data

At the expiry or termination of the Agreement, upon Client's request, Dialogica shall delete all Client Personal Data (excluding any backup or archival copies, which shall be deleted in accordance with Dialogica's data retention schedule), except where Dialogica is required to retain copies under applicable laws, in which case Dialogica shall restrict any further Processing of such Client Personal Data except to the extent required by applicable laws.


Exhibit A

Dialogica Subprocessors

Subprocessor Name | Services | Location Country


Exhibit B

Dialogica Information Security Standards

These Dialogica Information Security Standards (the "Information Security Standards") form part of the DPA. All capitalized terms that are not expressly defined in the Information Security Standards will have the meanings given to them in the DPA.

Dialogica shall implement and maintain an information security program ("Information Security Program") that includes reasonable administrative, technical, and physical safeguards designed to protect Client Personal Data. At a minimum, the Information Security Program shall include:

  1. Authentication. Dialogica shall maintain authentication measures including, as appropriate, multi-factor authentication for key systems that Process Client Personal Data and industry standard passwords.

  2. Encryption. Dialogica shall encrypt Client Personal Data in transit and at rest using industry standard encryption technologies.

  3. Account Management and Access Controls. Dialogica shall maintain account management and access controls.

  4. Inventory and Management of Client Personal Data and Information Systems. Dialogica shall maintain an inventory of Client Personal Data and the information systems used to Process Client Personal Data. Dialogica shall maintain approval processes designed to prevent the unauthorized connection of hardware and devices to Dialogica's information systems that Process Client Personal Data.

  5. Secure Configuration of Hardware and Software. Dialogica shall maintain controls designed to ensure the secure configuration of Dialogica hardware and software that is used to Process Client Personal Data.

  6. Vulnerability Scans, Penetration Testing, and Vulnerability Disclosure and Reporting. Dialogica shall carry out internal and external vulnerability scans, penetration testing, and vulnerability disclosure and reporting for key information systems used to Process Client Personal Data.

  7. Audit-Log Management. Dialogica shall maintain controls for audit-log management.

  8. Network Monitoring and Defenses. Dialogica shall maintain controls for monitoring and defending its network.

  9. Antivirus and Antimalware Protection. Dialogica shall maintain antivirus and antimalware protections on Dialogica personnel workstations.

  10. Information System Segmentation. Dialogica shall maintain controls designed to ensure segmentation of its information systems that Process Client Personal Data.

  11. Limitation and Control of Ports, Services, and Protocols. Dialogica shall maintain controls designed to limit and control ports, services, and protocols used to Process Client Personal Data.

  12. Cybersecurity Awareness. Dialogica shall maintain a cybersecurity awareness program designed to keep Dialogica informed of changing cybersecurity threats and countermeasures.

  13. Cybersecurity Education and Training. Dialogica shall provide cybersecurity education and training to all Dialogica personnel who have access to Dialogica's information systems that Process Client Personal Data.

  14. Secure Development. Dialogica shall maintain controls designed to ensure secure development.

  15. Vendor Management. Dialogica shall maintain oversight of Subprocessors.

  16. Data Retention and Disposal. Dialogica shall maintain data retention and disposal processes for Client Personal Data.

  17. Security Incident Management. Dialogica shall maintain processes for the management of Security Incidents.

  18. Business Continuity and Disaster Recovery. Dialogica shall maintain industry standard business-continuity and disaster-recovery plans as they relate to the Processing of Client Personal Data.


Exhibit C

Supplemental Terms for the Standard Contractual Clauses

This Exhibit C forms part of the DPA and supplements the Standard Contractual Clauses. All capitalized terms that are not expressly defined in this Exhibit C will have the meanings given to them in the DPA.

The parties agree that the following terms shall supplement the Standard Contractual Clauses:

  1. Supplemental Agreement. The parties agree that: (i) a new Clause 1(e) is added to the Standard Contractual Clauses which shall read: "To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties' processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection."; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: "To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties' processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III)."; (iii) the optional text in Clause 7 is deleted; (iv) for Module Two, Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 2.4 of the DPA; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).


  2. Annex I. Annex I to the Standard Contractual Clauses shall read as follows:


    A. List of Parties


    Data Exporter: Customer

    Address: As set forth in the Notices section of the Agreement.

    Contact person's name, position, and contact details: As set forth in the Notices section of the Agreement.

    Activities relevant to the data transferred under these Clauses: As set forth in the DPA.

    Role: Controller.


    Data Importer: Dialogica

    Address: As set forth in the Notices section of the Agreement.

    Contact person's name, position, and contact details: As set forth in the Notices section of the Agreement.

    Activities relevant to the data transferred under these Clauses: As set forth in the DPA.

    Role: Processor (Module Two); Controller (Module One) (as applicable).


    B. Description of the Transfer

    Categories of data subjects whose personal data is transferred: Data exporter may submit personal data about data subjects to the Services, the extent of which is determined and controlled by data exporter in its sole discretion, and which may include but is not limited to the following categories of data subjects: data exporter's personnel who are authorized users, individuals referred to in documents Processed by the Services.


    Categories of personal data transferred: Data exporter may submit personal data to the Services, the extent of which is determined and controlled by data exporter in its sole discretion, and which may include but is not limited to the following personal data: name and email address.


    Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Any sensitive data provided by data exporter. Sensitive data will be subject to the Dialogica Information Security Standards attached to the DPA.


    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.


    Nature of the processing: As set forth in the DPA.


    Purpose(s) of the data transfer and further processing: As set forth in the DPA.


    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the DPA.


    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter, nature, and duration as identified above.


    C. Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.


    D. Clarifying Terms: The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) under Module Two of the Clauses will be provided upon data exporter's written request; (ii) the measures data importer is required to take under Module Two, Clause 8.6(c) and Module One, Clause 8.5(c) of the Clauses will only cover data importer's impacted systems; (iii) the audit described in Module Two, Clause 8.9 of the Clauses shall be carried out in accordance with Section 2.11 of the DPA; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (v) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Module Two, Clause 15.1(a) of the Clauses; and (vi) the information required under Module Two, Clause 15.1(c) of the Clauses will be provided upon data exporter's written request.


  3. Annex II: Annex II of the Standard Contractual Clauses shall read as follows:


    Data importer shall implement and maintain technical and organisational measures designed to protect personal data in accordance with the Dialogica Information Security Standards attached to the DPA.


    Pursuant to Clause 10(b) of Module Two, data importer will provide data exporter assistance with data subject requests in accordance with the DPA.


  4. Annex III: A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:


    The UK Information Commissioner's Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses ("UK Addendum") is incorporated herein by reference.


    Table 1: The start date in Table 1 is the effective date of the DPA. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.


    Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the DPA.


    Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.


    Table 4: The parties agree that neither party may end the UK Addendum as set out in Section 19.