DATA PROCESSING AGREEMENT

This data processing agreement (the Agreement) is entered into by and between:

SIA “TelTel”, registration number 40103143723, legal address: Garkalnes region, Garkalne, Lakstigalu street 4, LV-2137, Latvia, represented by Janis Grinbergs, acting on the basis of the articles of association (the Processor),

The following terms and conditions constitute a legally binding contract (this "Contract") between you (“you” or “your”) and Operator, that governs all use by you of the teltel.io website and other websites provided by Operator (the "Services") and any other services or products provided by Operator. If you use any Services or products provided by Operator, you are considered as Client. Both together hereinafter referred to as the Parties, and separately as the Party,

WHEREAS:

• The Parties have concluded Telecommunication contract (the Main Agreement), under which the Controller is using the Processor to perform certain data processing activities on behalf of the Controller and in accordance with the instructions of the Controller,

THEREFORE, to properly implement the requirements of EU General Data Protection Regulation (EC) 2016/679 (the Regulation), the Parties entered into this Agreement:

  1. SCOPE OF PROCESSOR’S OBLIGATIONS

    1. This Agreement provides for obligations of the Processor, which the Regulation requires to impose upon data processor, as well as other terms and conditions that the Processor must comply with in order to ensure that the Regulation is properly implemented.

    2. This Agreement replaces all previous obligations of the Processor to the Controller regarding the processing and protection of personal data if such were established for the Processor by the Main Agreement or other agreements between the Processor and the Controller.

  2. SUBJECT MATTER AND DURATION OF THE DATA PROCESSING

    1. The specific instructions to the data processing activities are specified in Appendix 1 to the Agreement.

    2. The data processing conducted by the Processor may continue as long as the Main Agreement is in force or as long as necessary for the performance of the Main Agreement, if such time is shorter. When the Main Agreement ends, regardless of the legal ground for end of validity, the Processor shall terminate all data processing operations on behalf of the Controller, unless the Parties agree on the transitional period for the provision of services, or on the transfer of data to another processor or the continuation, transfer, storage or termination of other data processing operations. In all cases data must be stored by the Processor until it is returned (transferred) to the Controller or the Controller instructs the Processor to delete the data or the Controller instructs the Processor to store the data for a shorter storage period in the Processor system’s Admin Panel.

    3. The Processor must ensure that in all cases, the actions of the data correction or deletion initiated by the Controller (for example, removal of the data subject from the system) are immediately implemented in the Processor’s information system at the Controller’s request, except for the purposes of data archiving, backup and storage purposes, to the extent that it does not contradict the documented instructions of the Controller.

  3. INSTRUCTIONS FROM THE CONTROLLER ON DATA PROCESSING

    1. The Processor shall process the personal data controlled by the Controller and entrusted to the Processor only on the basis of the documented instructions from the Controller in line with Main Agreement.

    2. The Controller’s initial instructions provided to the Processor regarding the subject matter, duration, nature and purpose of the data processing, as well as the types of data subjects and data types are specified in this Agreement and in Appendix 1. The functional description of the Processor’s conducted operations with the Controller controlled data is provided in the Main Agreement and related documentation.

    3. If the Processor does not have instructions on how to process personal data in a particular situation or if any of the given instructions violate applicable data protection laws, the Processor shall inform the Controller in writing without delay.

    4. The Processor may not comply with the Controller’s instructions for processing data only in cases where certain data processing operations are required by the EU law or EU Member State law applicable to the Processor. In such a case, the Processor shall notify the Controller about such legal requirement in writing prior to processing the data, unless the applicable law prohibits such informing on important grounds of public interest.

  4. PERSONAL DATA CONFIDENTIALITY

    1. The Processor must ensure that only those persons who require direct access to personal data controlled by the Controller and entrusted to the Processor are authorised to access it in order to fulfil the Processor's obligations under the Main Agreement. The Processor ensures that all persons involved in processing of personal data have committed themselves to indefinite confidentiality or are under applicable statutory obligation of indefinite confidentiality as regards the personal data.

  5. SECURITY OF DATA PROCESSING

    1. The Processor must implement, at its own cost, the appropriate technical and organisational measures to ensure a level of security appropriate to the risk upon the terms specified in Article 32 of the Regulation.

    2. The minimum security measures applied by the Processor at the time of concluding the Agreement are described in Appendix 2 to the Agreement. The Controller confirms that the measures specified in Appendix 2 to the Agreement are, at the time of concluding the Agreement, sufficient to be considered minimum security measures.

    3. Adherence to an approved code of conduct or an approved certification mechanism, insofar as it complies with the Regulation, may be used as an element by which the Processor may demonstrate his compliance with security obligations.

    4. The Processor must ensure that any natural person acting under the authority of the Processor who has access to personal data does not process them except on instructions from the Controller, unless he or she is required to do so by applicable EU or Member State law.

  6. SUB-PROCESSORS

    1. The Processor may not engage other sub-processors without the prior written consent of the Controller. The sub-processors approved by the Controller as of signing the Agreement are specified in Appendix 3 of the Agreement.

    2. The Processor may engage only those data processors who provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject. The Controller has, at any time, the right to request the Processor to remove any sub-processors who do not fulfil those requirements. The Parties will then negotiate whether the performance of the Agreement is possible without the respective sub-processor. If it is not, the Parties shall terminate the Agreement and if performance of the Main Agreement is not possible without the Agreement (i.e., without the processing of personal data), the Parties shall also terminate the Main Agreement.

    3. Where the Processor engages a sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this Agreement shall be imposed on the sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Regulation. The Processor must provide copies of these contracts to the Controller upon the Controller’s request.

    4. Where the sub-processor fails to fulfil its data protection obligations, the Processor shall remain liable to the Controller for the performance of that other processor's obligations within the limits of liability limitations under this Agreement.

    5. The Controller may require the Processor to verify the sub-processors engaged by the Processor or to provide the confirmation of the execution of such verification or, if possible, to obtain or assist the Controller in obtaining findings of external auditor regarding the sub-processor’s activities in order to ensure compliance with the Agreement, the Regulation and other applicable requirements.

  7. THE PROCESSOR’S ASSISTANCE TO THE CONTROLLER

    1. Since the Processor's activities relate to the day-to-day management of the data controlled by the Controller, the Processor must assist the Controller in fulfilling its legal obligations under the Regulation and other applicable legislation.

    2. The Processor shall together with the Controller cooperate with data protection supervisory authorities.

    3. Implementation of data subject rights. The Processor, taking into account the nature of processing and the information available, assists the Controller by employing appropriate technical and organisational measures to the extent possible to fulfil the obligation of the Controller to respond to requests of data subjects to exercise their rights under the Regulation (right of access, right to rectification, right to erasure, right to restriction of processing, right to object, right to data portability, where applicable). The Processor must appoint a specific person who would be responsible for accepting requests of data subjects to exercise their rights, as received by the Controller, assign them for examination and responding or performing other actions which are necessary to exercise the rights of the data subject. The Processor must immediately notify the Controller about the appointment or change of such person and his contact details. Parties can use automated query management systems to manage their inquiries. The Processor shall forward any data subjects’ requests received by it to the Controller without delay. The Processor may not respond to any data subjects’ requests directly unless the Controller has specifically asked the Processor to do that.

    4. Data breaches. In case of an actual or potential personal data breach, the Processor must immediately, but no later than within 24 hours, notify the Controller’s data protection officer about the actual or potential personal data breach, irrespective of whether the breach is likely to result in a risk to the rights and freedoms of natural persons.

    5. When reporting a personal data breach, the Processor must provide at least the following information:

      1. contact details of the person providing a report;

      2. a brief description of the incident;

      3. description of affected data:

        • types of personal data related to the breach;

        • whether the data affected by the incident was encrypted or was subject to other technical safeguards, if such information is known;

      4. description of the incident:

        • incident time or duration of the incident;

        • type of incident (e.g., loss or abduction of files or devices, disposal before erasing data, disclosure of data to known contacts, data publication, data modification, destruction or restriction of access, premature destruction of data);

        • location of the data (e.g., on a computer, a mobile device, on a network, on a storage medium);

        • where unauthorised access occurred (inside or outside Processor);

        • cause of the breach (mistake or intentional action);

        • volume of personal data and number of data subjects related to the breach;

        • what are the expected consequences of the incident.

If the Processor is not able to provide all information with the initial notification, the Processor should provide the information as soon as possible but not later than within 48 hours.

    6. The Processor is also required to inform the Controller about the steps that the Processor has taken, proposes to take, or that the Controller should take in order to reduce or eliminate the negative consequences of the incident and data breach.

    7. The Processor must document all personal data breaches, including the facts relating to the personal data breach, its effects and corrective actions taken. The Processor, at the Controller’s request, must submit these documents to the Controller for familiarising, in particular when required by the supervisory authority.

    8. The Processor must also provide all possible assistance to the Controller which is required to properly report the data breach to the data subject.

    9. The Processor is not allowed to notify the data breach to the supervisory authority or the data subjects by itself. Any notifications are to be decided by the Controller.

    10. Data protection impact assessment and prior consultations. The Processor shall provide the Controller with the necessary assistance in conducting personal data impact assessment on data processing operations, including providing all required technical and other available information about data processing carried out or to be carried out by the Processor and consulting on these matters. When the Controller performs prior consultations with the supervisory authority, Processor must provide all necessary information which is required for consultations.

    11. Obligations to inform. The Processor shall provide the Controller with all information necessary to demonstrate that the obligations laid down in this Agreement, the Regulation and other legal acts are being complied with. Upon the Controller’s request, among other things, the Processor must provide copies of data protection policies and records of data processing activities.

    12. The Processor shall inform the Controller’s data protection officer about changes in technical and organisational security measures, which may have an impact on data processing activities of the Controller.

    13. Reporting. The Processor shall provide to the Controller’s data protection officer upon request reports about data processing, which should contain the following information:

      1. how the confidentiality commitments are implemented for employees authorised to process personal data;

      2. implementation of changes in technical and security measures and their impact on data processing;

      3. engagement of sub-processors and their monitoring;

      4. investigation of requests of data subjects to exercise their rights;

      5. personal data breaches;

      6. cooperation with supervising authority, any investigations of the Processor, if any;

      7. complaints received from data subjects regarding inappropriate processing of their personal data, and results of investigation of such complaints;

      8. other information, relevant to ensure compliance of the Controller and the Processor with applicable data protection requirements.

  8. RIGHTS OF THE CONTROLLER AND AUDIT

    1. The Processor must allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

    2. If results of the audit or inspections are negative, the Controller may immediately terminate or suspend this Agreement and the Main Agreement. In such a case, the Processor must immediately implement the Controller’s instructions regarding return, storage, restriction of access to, deletion of the data, or implementation of security measures.

    3. Processor must ensure the following rights to the Controller:

      1. To organise audits of the data processing operations performed by the Processor, or assign such audit to be organised by the Processor or an external auditor, with results to be provided to the Controller;

      2. To review records of data processing activities of the Processor and provide proposals for their modification;

      3. Review and if necessary revise documented instruction of the Controller regarding data processing;

      4. Review the Processor’s internal documentation governing data processing and provide proposals for their modification;

      5. Perform inspections to review compliance of data protection operations with the Regulation.

    4. The Processor’s data protection officer (if it has to be appointed) or other responsible employee, shall cooperate with the Controller’s data protection officer (or other responsible employee), exchange information relevant for performance of this Agreement, and consult in case of questions.

  9. CONSEQUENCES OF END OF THIS AGREEMENT

    1. Unless terminated before, the Agreement will terminate upon termination of the Main Agreement, unless agreed otherwise by the Parties in writing. However, the provisions of this Agreement apply as long as the Processor processes personal data on behalf of the Controller.

    2. In case of termination of this Agreement, the Processor’s obligations to implement appropriate level of security of the personal data may only terminate after the data is returned to the Controller (or other person assigned by the Controller), or deleted.

    3. Upon termination of the Agreement, at the choice of the Controller, the Processor shall delete or return all personal data to the Controller (or other person assigned by the Controller) and shall delete existing copies unless EU or Member State law requires storage of the personal data.

    4. The Processor must submit a written notice of the measures Processor has taken to erase the data on the Controller’s request.

    5. If the Processor is required to retain the personal data under the applicable law after the termination of this Agreement, the Processor shall notify the Controller thereof, including the specific legal basis thereof.

  10. APPLICABLE LAW AND DISPUTE RESOLUTION

    1. This Agreement shall be governed and interpreted in accordance with the laws of the Republic of Latvia.

    2. The Parties agree that the courts of the Republic of Latvia shall have exclusive jurisdiction to resolve any disputes arising out of this Agreement.

  11. MISCELLANEOUS PROVISIONS

    1. The Processor shall only be liable for damages caused by processing under this Agreement if it failed to fulfil the obligations under the Regulation expressly pertaining to data processors, or if it willfully or grossly negligently or negligently failed to obey the instructions of the Controller, including those provided in this Agreement.

    2. Upon breach of the Agreement or failing to fulfil the obligations in the Regulation expressly pertaining to data processors, the Processor shall indemnify and hold the Controller harmless of any final liability for damages (including final fines or penalties). In case of negligent (not grossly negligent or willful) breach of the Agreement, damages claimable by the Controller towards the Processor may not exceed 3 months’ subscription fee under the Main Agreement.

    3. Regardless of any limitations of liability stipulated herein, if either of the Parties breaches this Agreement willfully or in gross negligence, the Party in breach shall fully compensate the other Party for the damages incurred to it.

    4. This Agreement may be amended, supplemented or terminated only in writing.

Signed on behalf of the Operator:

Signed on behalf of the Client:

/ Signature /

/ Signature /

Jānis Grīnbergs

Member of the Board



Appendix 1

Data processing instructions

Purposes

Specify all purposes for which the personal data will be processed by the Processor

The purposes of the processing are the delivery of the services or tasks by the Processor to the Controller under the Main Agreement, incl. provision of the cloud-based call centre system and IP telephony.

Categories of data

Specify the categories of personal data that will be processed by the Processor

Name, surname, gender, email address, phone number, address, personal identification code, date of birth, financial data (credit liabilities, income, information on bank accounts), employer, contact information of additional contact person, client data (number, status), service data (title, date), agreement data (number, date, amount), payment data (amount, payments) and any other data provided and received via the services and saved in call audio recordings, SMS messages, and email messages.

Categories of data subjects

Specify the categories of data subjects whose personal data will be processed by the Processor

Anyone who contacts or is contacted by the Controller using the call centre system and IP telephony and other services provided by the Processor under the Main Agreement, incl. Controller’s existing or potential clients, Controller’s cooperation partners, Controller’s employees, and any representatives of the previous, Controller’s clients, legal persons, which have unsettled liabilities and contact information of the representatives.

Processing operations

Specify all processing activities to be conducted by the Processor

Processing operations necessary for the provision of the services under the Main Agreement, incl. collecting and storing any personal data received during the provision of those services.

Location of processing operations

Specify all locations where the personal data will be processed by the processor and – when applicable – by other processors.

The European Economic Area

Appendix 2

Minimum security measures

Technical measures taken

Antivirus software is installed to provide protection against malware.

Antivirus software has been installed to provide protection of e-mail and Internet browser.

Company's computer network is protected by a firewall.

A regular backup of personal data is automatically performed.

The company's Wi-Fi network is password protected.

Remote access to company's computer network is only possible through a virtual private network or VPN.

Privileged accounts are not used for daily tasks. Privileged user login is only available from special devices and limited to authorized persons.

Access to sensitive/personal data is controlled and restricted. Access is allowed only to persons who need it.

The data leak prevention software is used to protect sensitive/personal data.

Monitoring procedures shall be disclosed, analyzed and reports of security incidents shall be developed and communicated to the company.

Encryption

Encrypting sensitive/personal data files.

Encryption of laptop hard drives is provided.

Partial encryption of portable media (USB flash drives, portable hard drives, CDs, DVDs, etc.) is provided.

Network / cloud folder encryption is provided.

E-mail encryption is provided.

Physical security

The physical security perimeter of the company is defined.

Measures have been taken to protect the company's resources from security threats caused by physical exposure (unauthorized access, theft of equipment / documents, disclosure of confidential information, etc.).

Data recovery

Regular data backups are performed.

Organizational events

The security risks of IT systems have been evaluated.

Evaluation of security categories of IT systems.

Developed IT system security policy.

Internal rules of IT system security have been developed.

IT system usage rules have been developed.

Developed system security risk management plan.

A recovery plan has been developed.



Appendix 3

Approval of sub-processor

In accordance with that which is laid down in the Main Agreement and into this Agreement the Processor is only allowed to attract another processor (hereinafter - Sub-processor) for the fulfilment of the obligations which he or she performs on behalf of the Controller by written consent of the Controller. Consent from the Controller must be obtained in respect of other attracted processors which are performing the processing of personal data transferred within the framework of the co-operation of the Parties within the meaning of the GDPR.

The Processor shall enter into a written agreement with the Sub-processor in accordance with which the Sub-processor has an obligation to comply with the same duties as those which are laid down in the Contract. Upon the request of the Controller, the Processor shall, immediately and without requesting any charge from the Controller, submit an extract of the contract to the Controller with the Sub-processor attesting the performance of the abovementioned requirements. The Processor shall establish and keep a list with current data regarding the identity and location of all Sub-processors. This list must be accessible by the Controller and the relevant supervisory authorities. The Processor shall remain fully responsible for ensuring that Sub-processors comply with the provisions of the Contract, for an indefinite period of time.

The Controller hereby authorises the Sub-contractors referred to hereinafter to process personal data in accordance with the laws and regulations in force and contracts entered into between the Parties:

  1. DigitalOcean, LLC, with registered office in New York, 101 Avenue of the Americas, New York 10013

Purpose of processing: Provisioning of cloud hosting for various services – voice processing, data analysis, email campaigns, proxying and balancing for white-label customers. That includes auxiliary utilities such as DNS, monitoring and support. Storage, provision of products and services used for communication between TelTel platform and other origination or termination points for various communication services

Type of personal data: Any data uploaded by customer into TelTel system including voice calls and messages.

Place of processing: Can be located in any DigitalOcean Europe server regions and transferred between regions.

Processing time period/storage time period: custom

  2. Amazon Web Services, Inc., with registered office in Seattle, 2021 Seventh Ave, Washington 98121

Purpose of processing: Provisioning of cloud hosting for various services – voice processing, data analysis, email campaigns, proxying and balancing for white-label customers. That includes auxiliary utilities such as DNS, monitoring and support. Storage, provision of products and services used for communication between TelTel platform and other origination or termination points for various communication services; supporting services for Text-to-Speech (TTS) like Amazon Polly.

Type of personal data: Any data uploaded by customer into TelTel system including voice calls and messages.

Place of processing: Can be located in any Amazon AWS Europe server regions and transferred between regions.

Processing time period/storage time period: custom

  3. Backblaze, Inc., with registered office in San Mateo, 500 Ben Franklin Court, California 94401

Purpose of processing: Additional backup of all data – audio recording, log files, all data uploaded into TelTel system

Type of personal data: Any data uploaded by customer into TelTel system including voice calls and messages.

Place of processing: Backblaze Europe Amsterdam region data center

Processing time period/storage time period: custom
