Data Processing Addendum (DPA)

Last Updated: 2025.12.20

This Data Processing Addendum (“DPA”) forms part of the agreement between friendlyAI.studio Inc. (“friendlyAI” or “Processor”) and the customer identified in the applicable order form or agreement (“Customer” or “Controller”) and applies to the processing of Personal Data in connection with the Services.

This DPA is incorporated by reference into the applicable agreement governing the Services (the “Agreement”).

1. Definitions

For purposes of this DPA, terms such as “Personal Data”, “Processing”, “Controller”, and “Processor” shall have the meanings given to them under applicable data protection laws, including the GDPR, PIPEDA, and similar laws.

2. Roles of the Parties

• Customer acts as the Controller of Personal Data.

• friendlyAI acts as the Processor, processing Personal Data solely on behalf of and under the documented instructions of the Customer.

Customer is responsible for determining the purposes and legal bases for Processing and for complying with all applicable data protection laws.

3. Scope and Purpose of Processing

friendlyAI processes Personal Data solely to provide the Services, including:

• Operating voice-based AI interactions;

• Recording calls and generating transcripts;

• Providing analytics, support, and platform functionality.

Processing activities may include collection, recording, storage, analysis, transmission, and deletion of Personal Data.

4. Categories of Data and Data Subjects

Data Subjects may include:

• Customer’s end users or callers;

• Customer representatives and authorized users.

Categories of Personal Data may include:

• Voice recordings;

• Call transcripts;

• Call metadata (time, duration, routing);

• Account and usage information.

5. Customer Instructions

friendlyAI shall process Personal Data only:

• In accordance with this DPA and the Agreement;

• On documented instructions from Customer;

• As required by applicable law (in which case friendlyAI will inform Customer unless prohibited).

6. Customer Responsibilities

Customer represents and warrants that it:

• Has obtained all necessary notices, consents, and permissions from data subjects, including consent for call recording where required;

• Has provided all required privacy disclosures;

• Will not instruct friendlyAI to process Personal Data in violation of applicable law.

7. Data Retention and Deletion

• Voice recordings and transcripts are retained for up to 30 days, unless otherwise instructed by Customer or required by law.

• Upon termination of the Services, friendlyAI will delete or return Personal Data in accordance with the Agreement, subject to legal retention requirements.

8. Subprocessors

Customer authorizes friendlyAI to engage subprocessors to support delivery of the Services, including cloud, voice, and AI service providers.

friendlyAI shall ensure subprocessors are subject to contractual data protection obligations consistent with this DPA.

9. International Transfers

Personal Data may be processed in Canada, the United States, or other jurisdictions where friendlyAI or its subprocessors operate.

friendlyAI shall implement appropriate safeguards for international data transfers as required by applicable law.

10. Security Measures

friendlyAI shall implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

11. Data Subject Requests

If friendlyAI receives a request from a data subject relating to Personal Data processed on behalf of Customer, friendlyAI shall, to the extent legally permitted, promptly direct the data subject to Customer.

friendlyAI shall provide reasonable assistance to Customer in responding to such requests where required by law.

12. Personal Data Breach

friendlyAI shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

Notification will include available information necessary for Customer to comply with its legal obligations.

13. Audits

Upon reasonable request, friendlyAI shall make available information necessary to demonstrate compliance with this DPA.

Audits shall be limited in scope, subject to confidentiality obligations, and conducted in a manner that does not unreasonably interfere with friendlyAI’s operations.

14. Liability

Liability under this DPA shall be subject to the limitations of liability set out in the Agreement.

15. Governing Law

This DPA shall be governed by the laws specified in the Agreement.

16. Order of Precedence

In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

17. Term

This DPA shall remain in effect for the duration of the Agreement.