Official Legal Document
Master Data Processing Agreement (MDPA)
This is the official legal document published by Voice2Evolve.
Effective date
2026-02-08
Legal version
2026-02-08
Legal entity
voice2evolve UG (haftungsbeschränkt)
Registered office
Amtsgericht Stuttgart, HRB 803557
This Master Data Processing Addendum (“MDPA”) is incorporated by reference into the agreement governing the use of Voice2Evolve’s services (“Agreement”) entered by and between you, the Customer (as defined in the Agreement) (“Customer”), and Voice2Evolve UG (haftungsbeschränkt) (“Voice2Evolve”) to reflect the Parties’ agreement with regard to the processing of Personal Data by Voice2Evolve solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party.”
Unless otherwise specified in this MDPA, the terms of the Agreement shall continue in full force and effect. All capitalized terms not defined in this MDPA shall have the meanings set forth in the Agreement. Any privacy or data protection-related clauses or agreement previously entered into by Voice2Evolve and Customer shall be superseded and replaced with this MDPA.
This MDPA was last updated on March 2, 2026. It is effective between Customer and Voice2Evolve as of the Effective Date of the Agreement (the "MDPA Effective Date").
The Parties agree as follows:
Effective Date: 08.02.2026
1. Definitions
This section defines key terms, including 'Approved Jurisdiction', 'Special Categories of Personal Data', 'Standard Contractual Clauses', and 'Supervisory Authority', to ensure clarity and consistent alignment with the GDPR and related regulations.
Unless otherwise defined herein, capitalized terms have the meanings set forth in applicable data protection laws.
- Affiliate: Any entity directly or indirectly controlling, controlled by, or under common control with a Party.
- Approved Jurisdiction: Any country within the EEA or those deemed by the European Commission to ensure adequate protection.
- Controller: The entity determining the purposes and means of processing Personal Data.
- Processor: The entity processing Personal Data on behalf of a Controller.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on Personal Data, such as collection, storage, alteration, transmission, or deletion.
- Subprocessor: A third-party processor engaged by Voice2Evolve.
- Data Subject: An identifiable natural person to whom the Personal Data relates.
- Security Measures: The technical and organizational measures implemented by Voice2Evolve as described in Attachment A.
- Data Breach: Any security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data.
- Supervisory Authority: An independent public authority established pursuant to Article 51 GDPR.
- Special Categories of Personal Data: As defined in Article 9 GDPR, including health, biometric, or criminal record data.
- Data Protection Laws: GDPR, UK GDPR, and CPRA collectively.
2. Roles and Responsibilities
2.1 Relationship of the Parties
The Customer acts as the Controller, and Voice2Evolve acts as the Processor.
2.2 Customer Instructions
Voice2Evolve will process Personal Data only on documented instructions from the Customer. If Voice2Evolve believes an instruction infringes GDPR or applicable law, it will notify the Customer immediately.
2.3 Scope and Purpose
Processing covers voice-based AI sparring, transcription, scoring, and related analytics.
2.4 Duration
Processing continues for the term of the Agreement and ends when all data is returned or deleted.
3. Controller Obligations
The Customer shall promptly notify Voice2Evolve of any Data Subject complaints, inquiries, or investigations initiated by a Supervisory Authority that relate to processing under this MDPA. Both Parties will cooperate to ensure consistent and timely communication with regulators and affected Data Subjects, maintaining transparency and compliance.
The Customer shall:
- Ensure a lawful basis for all data provided.
- Fulfil information and consent obligations to Data Subjects.
- Provide accurate, minimized data.
- Document its processing purposes and notify Voice2Evolve of any changes.
4. Processor Obligations (GDPR Art. 28(3)(a)–(h)) and Cross-Jurisdictional Compliance
Voice2Evolve also adheres to equivalent Processor obligations under U.S. state privacy laws, including the CPRA (California) and CDPA (Virginia), ensuring that the same data protection, confidentiality, and consumer rights principles are applied consistently across jurisdictions.
Voice2Evolve shall:
- Process Personal Data solely under the Customer’s written instructions.
- Ensure personnel confidentiality (Art. 28(3)(b)).
- Implement appropriate technical and organizational measures (Art. 28(3)(c)).
- Respect subprocessor authorization and maintain an up-to-date list (Art. 28(3)(d)).
- Assist Customer in responding to Data Subject requests (Art. 28(3)(e)).
- Assist Customer with DPIAs and consultations with supervisory authorities (Art. 28(3)(f)).
- Delete or return data after termination unless required by law (Art. 28(3)(g)).
- Make available all information necessary for demonstrating compliance and allow audits (Art. 28(3)(h)).
- Cooperate with supervisory authorities.
- Maintain processing records as per Art. 30(2) GDPR.
5. Subprocessing
Voice2Evolve may engage subprocessors as listed in Attachment B. All subprocessors are bound by written contracts with obligations equivalent to this MDPA. Voice2Evolve remains liable for their actions and provides reasonable prior notice, where practicable, of any new subprocessors. Customers may object on justified grounds.
6. Security Measures (Art. 32 GDPR)
Voice2Evolve’s security framework also includes detailed encryption key management policies, ensuring encryption keys are generated, stored, rotated, and destroyed in accordance with ISO 27001 and NIST SP 800-57 standards. Keys are never hardcoded or stored in plaintext, and access to key material is strictly restricted.
Voice2Evolve maintains a formal Incident Response Policy and documented incident response procedures designed to enable prompt detection, investigation, escalation, and containment of security events in accordance with applicable Data Protection Laws.
Additionally, Voice2Evolve applies pseudonymization standards for all analytical and transcript data to prevent direct identification of Data Subjects. Pseudonymized identifiers are randomly generated and separated from user account information, ensuring compliance with GDPR Article 32(1)(a) on data confidentiality and resilience.
Voice2Evolve maintains Security Measures described in Attachment A, including:
- Encryption of data at rest and in transit.
- Role-based and least-privilege access control.
- Multifactor authentication.
- Logging, monitoring, and incident management.
- Regular vulnerability assessments and security testing, appropriate to risk.
- Secure deletion and 30-day retention policy.
7. Data Breach Notification (Art. 33 GDPR)
Voice2Evolve shall notify the Customer of a confirmed Personal Data Breach without undue delay and in accordance with Article 33 GDPR. Such notification shall include information reasonably available to Voice2Evolve regarding the nature of the breach, the categories and approximate number of affected Data Subjects, and the measures taken or proposed to address the breach.
8. Data Subject Rights (Art. 15–22 GDPR)
Verification of Data Subject Identity
Before fulfilling any Data Subject request, Voice2Evolve verifies the requester’s identity in accordance with GDPR Article 12(6). Verification methods may include authentication through the user’s registered account credentials or other reasonable verification processes to prevent unauthorized access or disclosure of Personal Data.
Voice2Evolve shall assist the Customer in fulfilling requests for access, rectification, restriction, deletion, data portability, or objection. Voice2Evolve will not respond directly to Data Subjects unless authorized.
9. International Transfers (Art. 44–49 GDPR)
In line with European Data Protection Board (EDPB) guidance, Voice2Evolve conducts Transfer Impact Assessments (TIAs) prior to any international data transfer to evaluate the legal and practical safeguards in the destination country. These assessments include consideration of surveillance laws, access by public authorities, and redress mechanisms for Data Subjects.
TIAs are documented as part of the vendor security assessment process maintained in Voice2Evolve's internal vendor register. Each US-based subprocessor has been assessed individually:
- OpenAI, L.L.C. — SCCs (EU Commission Decision 2021/914, Module 2) + CPRA compliance + EU-US DPF participation. Zero-data-retention (ZDR) configuration applied. TIA on file: OpenAI Vendor Security Assessment (2026-03-02).
- Anthropic PBC — SCCs + CPRA compliance. Data minimization applied; used only for quality evaluation. TIA on file: Anthropic Vendor Security Assessment (2026-03-02).
- Stripe Payments Europe Ltd. — Primary entity is EU-based; US entity covered by SCCs + PCI DSS Level 1. TIA on file: Stripe Vendor Security Assessment (2026-03-02).
- Vercel Inc. — SCCs; EU region deployment available and used for EEA traffic. TIA on file: Vercel Vendor Security Assessment (2026-02-10).
- Cloudflare, Inc. — SCCs + EU-US DPF. Processing limited to DNS resolution and transient encrypted WebRTC relay (DTLS-SRTP); no application-layer content accessible. TIA on file: Cloudflare Vendor Security Assessment (2026-02-10).
- Plus Five Five, Inc. (Resend) — SCCs + EU-US DPF. Processes email addresses only. TIA on file: Resend Vendor Security Assessment (2026-03-02).
- Sentry, Inc. — SCCs + EU-US DPF. PII scrubbing applied before transmission. TIA on file: Sentry Vendor Risk Assessment.
Voice2Evolve also commits to periodically re-evaluate adequacy decisions and transfer mechanisms to ensure ongoing compliance with GDPR Article 46. Customers may request copies or summaries of relevant TIAs upon legitimate request.
Transfers outside the EEA shall rely on:
- EU Standard Contractual Clauses (Attachment C),
- UK Addendum (Attachment D), or
- Adequacy decisions or other lawful safeguards.
Voice2Evolve ensures data transferred to third countries remains protected at a level equivalent to GDPR.
10. Audit and Documentation
Audits shall be conducted upon at least ten (10) business days’ written notice and during normal business hours to minimize operational disruption. Both Parties shall cooperate to define the scope, timing, and duration of the audit in advance, ensuring efficiency and data security.
- Customer may audit compliance annually or after incidents.
- Voice2Evolve may provide independent audit reports or certifications, where available, as an alternative to on-site audits.
- All documentation necessary for compliance demonstration shall be maintained and provided upon request.
11. Liability
Each Party’s total liability arising out of or in connection with this MDPA shall be limited to the total fees paid under the Agreement in the twelve (12) months preceding the event giving rise to the claim.
This limitation shall not apply to: (a) liability resulting from willful misconduct or fraud; (b) violations of applicable Data Protection Laws to the extent liability cannot be limited by mandatory law; (c) breaches of confidentiality obligations.
Each Party shall be solely responsible for any administrative fines, penalties, or sanctions imposed directly upon it by a Supervisory Authority as a result of its own noncompliance with applicable Data Protection Laws.
12. Complaint and Investigation Coordination
The Customer shall promptly notify Voice2Evolve of any complaint, inquiry, or investigation by a Supervisory Authority or Data Subject concerning processing activities conducted under this MDPA. Both Parties will cooperate fully and share relevant information to ensure consistent responses and compliance.
13. Swiss Data Protection (FADP) Compliance
Voice2Evolve also complies with the Swiss Federal Act on Data Protection (FADP). For data transfers from Switzerland, the same safeguards, Standard Contractual Clauses, and security measures set out in this MDPA shall apply. The competent supervisory authority for such processing is the Federal Data Protection and Information Commissioner (FDPIC).
14. Governing Law and Jurisdiction
This MDPA shall be governed by the laws of the Federal Republic of Germany. Jurisdiction for all disputes shall be Stuttgart, Germany, unless mandatory law requires otherwise.
15. Data Retention and Deletion Policy
Voice2Evolve maintains clear data retention and deletion schedules to comply with GDPR Articles 30 and 32. All Personal Data is stored only for as long as necessary to fulfil the purposes of processing or to meet legal obligations. Retention periods are defined based on the following criteria:
- Operational Data: Session transcripts and analytics are automatically deleted within 30 days after processing.
- User Account Data: Retained for the duration of the account and securely deleted within 30 days of closure.
- Payment and Billing Records: Maintained for statutory tax and accounting periods (typically 6–10 years) before deletion.
- Audit and Security Logs: Retained for 90 days unless longer retention is required for incident investigation or compliance.
Voice2Evolve ensures all deletions use secure erasure methods and that audit trails are logged to document deletion activities. The Company reviews retention policies annually and adjusts schedules to reflect current regulatory and operational requirements.
ATTACHMENT A – SECURITY MEASURES
(Detailed expansion per GDPR Art. 32)
Technical Controls:
- Encryption: AES-256 encryption at rest and TLS 1.3 in transit. Encryption keys are managed according to defined lifecycle policies (generation, rotation, destruction) compliant with ISO 27001 and NIST SP 800-57.
- Access Control: Role-based access control (RBAC) enforced with multifactor authentication (MFA) for all Voice2Evolve personnel and vendor platform access. MFA is applied at the administrative and infrastructure layer; it is not required for end-user customer accounts, which are protected by Supabase Auth with secure session management. Access is granted on a least-privilege basis, reviewed quarterly, and logged.
- Logging and Monitoring: Continuous centralized logging of all administrative and system access. Logs are tamper-evident, retained for at least 90 days, and reviewed for anomalies.
- Network Security: Segregated network zones with firewalls, intrusion detection, and DDoS protection. Remote administrative access restricted via VPN.
- Pseudonymization: Analytical and transcript data is pseudonymized by separating identifiers and using random tokens to minimize linkability.
- Secure Software Development: Security integrated in SDLC through code reviews, dependency checks, and vulnerability scanning before deployment.
- Backup and Recovery: Daily encrypted backups stored in EU data centers with 30-day retention; tested quarterly for restorability.
Organizational Controls:
- Security Governance: Information security policy reviewed annually by management.
- Confidentiality: All employees and contractors sign confidentiality and data protection agreements.
- Training: Annual data protection and security training for all staff with access to Personal Data.
- Vendor Management: Third-party subprocessors undergo risk assessment and DPA verification prior to engagement.
- Incident Response: Documented procedures for detection, escalation, mitigation, and post-incident review. Breach notifications are provided without undue delay in accordance with Article 33 GDPR.
- Audit and Review: Internal audits conducted semi-annually; independent audit reports or certifications, where available.
- Business Continuity: Tested plans covering disaster recovery, service redundancy, and emergency response.
- Physical Security: Data centers certified to ISO 27001 with 24/7 monitoring, biometric access controls, and surveillance.
ATTACHMENT B – SUBPROCESSORS
Voice2Evolve maintains a documented process for regular Subprocessor reviews and updates and provides Customers with general authorization to engage Subprocessors in accordance with GDPR Article 28(2). Customers may subscribe to change notifications to receive reasonable prior notice of any new Subprocessor engagements.
| Provider | Role | Location | Legal Basis / Safeguards |
|---|---|---|---|
| Supabase Inc. | Database, Authentication | EU (Frankfurt) | GDPR DPA + SCCs |
| OpenAI, L.L.C. | AI Inference / Voice API | US | SCCs + CPRA Compliance |
| Stripe Payments Europe Ltd. | Payments | EU / US | GDPR DPA + SCCs |
| Vercel Inc. | Frontend Hosting | EU / US | SCCs |
| Railway.app | Backend Infrastructure | EU | GDPR DPA |
| Cloudflare, Inc. | DNS Resolution, WebRTC TURN Relay | EU / US | GDPR DPA + SCCs |
| Sentry, Inc. | Error Monitoring | EU / US | GDPR DPA + SCCs |
| Rybbit | Website & Product Analytics (selected app pages only; sensitive paths excluded) | EU (EEA — Hetzner) | GDPR DPA + SCCs |
| Plus Five Five, Inc. (Resend) | Transactional Email | US | GDPR DPA + SCCs + EU-US DPF |
| Anthropic PBC | AI Inference (LLM) | US | GDPR DPA + SCCs |
ATTACHMENT C – STANDARD CONTRACTUAL CLAUSES (FULL TEXT)
Pursuant to GDPR Article 46 and EU Commission Implementing Decision (EU) 2021/914, the following Standard Contractual Clauses (Module 2: Controller to Processor) are hereby incorporated verbatim and form an integral part of this Agreement.
The full text of the EU Standard Contractual Clauses—including Sections I–IV, Clauses 1–18, and Annexes 1–3—is reproduced in its entirety below to guarantee compliance for international data transfers.
SECTION I – PURPOSE AND SCOPE
(Clauses 1–7 reproduced verbatim from EU Commission Implementing Decision (EU) 2021/914)
Clause 1 – Purpose and Scope
The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 for the transfer of personal data to a third country.
Clause 2 – Effect and Invariability of the Clauses
These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies.
Clause 3 – Third-Party Beneficiaries
Data subjects may enforce these Clauses as third-party beneficiaries.
Clause 4 – Interpretation
Terms used shall have the meaning given in the GDPR.
Clause 5 – Hierarchy
In the event of a contradiction, these Clauses shall prevail.
Clause 6 – Description of the Transfer(s)
The details of the transfer(s) are specified in Annex I.
Clause 7 – Docking Clause
An entity not party to these Clauses may accede to them at any time with agreement of the Parties.
SECTION II – OBLIGATIONS OF THE PARTIES
(Clauses 8–10 reproduced verbatim)
Clause 8 – Data Protection Safeguards
The data importer shall process the personal data only on documented instructions from the data exporter.
Clause 9 – Use of Subprocessors
The data importer has the data exporter’s general authorization for the engagement of subprocessors as detailed in Annex III.
Clause 10 – Data Subject Rights
The data importer shall assist the data exporter in fulfilling data subject rights under GDPR Articles 15–22.
SECTION III – LOCAL LAWS AND ACCESS BY AUTHORITIES
(Clauses 14–15 reproduced verbatim)
Clause 14 – Local Laws and Practices
The Parties warrant that they have no reason to believe the laws of the third country prevent the importer from fulfilling these Clauses.
Clause 15 – Obligations of the Data Importer in Case of Access by Public Authorities
The data importer agrees to notify the data exporter of any legally binding request for disclosure by a public authority.
SECTION IV – FINAL PROVISIONS
(Clauses 16–18 reproduced verbatim)
Clause 16 – Non-Compliance and Termination
If the importer is in breach of these Clauses, the exporter may suspend the transfer or terminate the contract.
Clause 17 – Governing Law
These Clauses are governed by the laws of Germany, allowing for third-party beneficiary rights.
Clause 18 – Choice of Forum and Jurisdiction
Any dispute shall be resolved by the courts of Germany. Data subjects may also bring legal proceedings before the courts of their habitual residence within the EU.
ANNEX I – DETAILS OF THE TRANSFER
- Data Exporter: Customer (Controller)
- Data Importer: Voice2Evolve UG (Processor)
- Categories of Data: End-user voice, transcript, and session analytics
- Purpose: Provision of AI-based voice training and analysis services
ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES
See Attachment A (Security Measures).
ANNEX III – SUBPROCESSORS
See Attachment B (Subprocessors).
The full text of EU Commission Decision 2021/914 (Controller → Processor, Module 2) is attached and executed by both Parties. Annexes I–III are defined as:
- Annex I: Exporter = Customer, Importer = Voice2Evolve UG.
- Annex II: Security Measures (Attachment A).
- Annex III: Subprocessors (Attachment B).
ATTACHMENT D – UK ADDENDUM (ICO)
Applies to data transfers from the United Kingdom under the ICO-approved Addendum to the EU SCCs. The Addendum ensures lawful transfers under the UK GDPR and Data Protection Act 2018.
Key Provisions:
- The EU Standard Contractual Clauses (Module 2) are adopted with modifications required by the UK Addendum.
- References to the GDPR are read as references to the UK GDPR.
- References to the European Union or Member States are interpreted to include the United Kingdom.
- The competent supervisory authority is the Information Commissioner’s Office (ICO).
- Governing law and jurisdiction: England and Wales.
These provisions ensure lawful data transfers between the UK and third countries in accordance with UK data protection law.
ATTACHMENT D.1 – SWISS ADDENDUM (FADP)
Applies to data transfers from Switzerland in accordance with the Swiss Federal Act on Data Protection (FADP) and the Ordinance to the FADP. The same EU Standard Contractual Clauses (Module 2) are adopted for transfers from Switzerland, with necessary adjustments:
- References to the GDPR shall be interpreted as references to the FADP.
- The competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC).
- References to EU Member States shall include Switzerland.
These clauses ensure that data transfers from Switzerland to third countries maintain an adequate level of protection equivalent to that required under the FADP.
ATTACHMENT E – UNITED STATES PRIVACY ADDENDUM (CPRA & CDPA)
This Attachment applies only where and to the extent U.S. state privacy laws are applicable to the Customer’s use of the Services.
Voice2Evolve acts as a Service Provider and Processor under U.S. state privacy laws, including:
- California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and
- Virginia Consumer Data Protection Act (CDPA).
Under these laws, Voice2Evolve shall:
- Process Personal Data solely on documented Customer instructions and for contractual business purposes.
- Not sell, share, or use Personal Data for targeted advertising, profiling, or non-contracted purposes.
- Assist the Customer (Controller) in responding to verified consumer rights requests, including rights of access, correction, deletion, portability, and opt-out of targeted advertising.
- Ensure that any onward transfer of Personal Data complies with applicable state privacy requirements and contractual safeguards.
- Implement reasonable security practices appropriate to the sensitivity of the Personal Data.
- Maintain documentation of processing activities and data protection assessments when required by law.
- Promptly notify the Customer of any data breach, complaint, or inquiry related to CDPA or CPRA compliance.
- Permit the Customer to verify compliance through written documentation or audit rights.
- Delete or return Personal Data upon request or termination of the Agreement, unless retention is required by law.
Data retention remains limited to service duration or statutory obligations. Voice2Evolve confirms compliance with all applicable U.S. state privacy regulations governing its role as a Processor/Service Provider.
This MDPA is concluded electronically and forms an integral part of the Agreement. It becomes legally binding upon the Customer’s acceptance of the Agreement by electronic means, including via checkbox or similar mechanism.