Official Legal Document
Master Data Processing Agreement (MDPA)
This is the official legal document published by Voice2Evolve.
Effective date: 2026-02-08
Legal version: 2026-02-08
Legal entity: voice2evolve UG (haftungsbeschränkt)
Registered office: Amtsgericht Stuttgart, HRB 803557
This Master Data Processing Addendum (“MDPA”) is incorporated by reference into the agreement governing the use of Voice2Evolve’s services (“Agreement”) entered into by and between you, the Customer (as defined in the Agreement) (“Customer”), and Voice2Evolve UG (haftungsbeschränkt) (“Voice2Evolve”) to reflect the Parties’ agreement with regard to the processing of Personal Data by Voice2Evolve solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party.”
Unless otherwise specified in this MDPA, the terms of the Agreement shall continue in full force and effect. All capitalized terms not defined in this MDPA shall have the meanings set forth in the Agreement. Any privacy or data protection-related clauses or agreement previously entered into by Voice2Evolve and Customer shall be superseded and replaced with this MDPA.
This MDPA was originally effective as of 08.02.2026 and was last updated on April 27, 2026. It is effective between Customer and Voice2Evolve as of the Effective Date of the Agreement (the "MDPA Effective Date").
The Parties agree as follows:
1. Definitions
Unless otherwise defined herein, capitalized terms have the meanings set forth in applicable data protection laws.
- Affiliate: Any entity directly or indirectly controlling, controlled by, or under common control with a Party.
- Approved Jurisdiction: Any country within the EEA or those deemed by the European Commission to ensure adequate protection.
- Controller: The entity determining the purposes and means of processing Personal Data.
- Processor: The entity processing Personal Data on behalf of a Controller.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on Personal Data, such as collection, storage, alteration, transmission, or deletion.
- Subprocessor: A third-party processor engaged by Voice2Evolve.
- Data Subject: An identifiable natural person to whom the Personal Data relates.
- Security Measures: The technical and organizational measures implemented by Voice2Evolve as described in Attachment A.
- Data Breach: Any security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data.
- Supervisory Authority: An independent public authority established pursuant to Article 51 GDPR.
- Special Categories of Personal Data: As defined in Article 9 GDPR, including health, biometric, or criminal record data.
- Data Protection Laws: GDPR, UK GDPR, CPRA, and, where applicable, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Act respecting the protection of personal information in the private sector (as amended by Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25, "Law 25"), collectively.
2. Roles and Responsibilities
2.1 Relationship of the Parties
The Customer acts as the Controller, and Voice2Evolve acts as the Processor.
2.2 Customer Instructions
Voice2Evolve will process Personal Data only on documented instructions from the Customer. If Voice2Evolve believes an instruction infringes GDPR or applicable law, it will notify the Customer immediately.
2.3 Scope and Purpose
Processing covers voice-based AI sparring, transcription, scoring, and related analytics.
2.4 Duration
Processing continues for the term of the Agreement and ends when all data is returned or deleted in accordance with Section 14.
2.5 Special Categories and Voice Data
The Services process voice recordings for AI-powered conversational sparring, training, and analysis. Voice2Evolve does not process voice data for the purpose of uniquely identifying a natural person (biometric identification) within the meaning of GDPR Article 9(1). Accordingly, voice recordings processed under this MDPA are not treated as Special Categories of Personal Data. The Customer shall not submit Special Categories of Personal Data (Article 9 GDPR) to the Services unless expressly agreed in writing.
2.6 Automated Decision-Making
The Services generate scores, analytics, and feedback using AI models. These outputs are provided for informational and training purposes only and do not produce legal effects or similarly significant effects on Data Subjects within the meaning of GDPR Article 22(1). No decisions with legal or equivalent consequences are made solely on the basis of automated processing.
2.7 Tenant Data Isolation
Voice2Evolve contractually guarantees logical separation of each Customer's Personal Data from that of other customers. Isolation is enforced through database-level row-level security policies, tenant-scoped authentication, and application-layer access controls. No Customer's Personal Data is commingled with or accessible to another customer.
2.8 Data Protection Contact
The designated contact for all data protection matters under this MDPA is: Voice2Evolve UG (haftungsbeschränkt) — Email: help@voice2evolve.com
3. Controller Obligations
The Customer shall promptly notify Voice2Evolve of any Data Subject complaints, inquiries, or investigations initiated by a Supervisory Authority that relate to processing under this MDPA. Both Parties will cooperate to ensure consistent and timely communication with regulators and affected Data Subjects, maintaining transparency and compliance.
The Customer shall:
- Ensure a lawful basis for all data provided.
- Fulfil information and consent obligations to Data Subjects.
- Provide accurate, minimized data.
- Document its processing purposes and notify Voice2Evolve of any changes.
4. Processor Obligations (GDPR Art. 28(3)(a)–(h)) and Cross-Jurisdictional Compliance
Voice2Evolve also adheres to equivalent Processor obligations under U.S. state privacy laws, including the CPRA (California) and CDPA (Virginia), and under Canadian privacy laws, including PIPEDA and Quebec Law 25, ensuring that the same data protection, confidentiality, and consumer rights principles are applied consistently across jurisdictions.
Voice2Evolve shall:
- Process Personal Data solely under the Customer’s written instructions.
- Ensure personnel confidentiality (Art. 28(3)(b)).
- Implement appropriate technical and organizational measures (Art. 28(3)(c)).
- Respect subprocessor authorization and maintain an up-to-date list (Art. 28(3)(d)).
- Assist Customer in responding to Data Subject requests (Art. 28(3)(e)).
- Assist Customer with DPIAs and consultations with supervisory authorities (Art. 28(3)(f)).
- Delete or return data after termination unless required by law (Art. 28(3)(g)).
- Make available all information necessary for demonstrating compliance and support verification as described in Section 10 (Art. 28(3)(h)).
- Cooperate with supervisory authorities.
- Maintain processing records as per Art. 30(2) GDPR.
5. Subprocessing
Voice2Evolve may engage subprocessors as listed in Attachment B. All subprocessors are bound by written contracts imposing data protection obligations equivalent to those set out in this MDPA. Voice2Evolve remains liable for the acts and omissions of its subprocessors.
5.1 Prior Notice of New Subprocessors
Voice2Evolve shall notify the Customer at least thirty (30) calendar days before authorizing a new subprocessor to process Personal Data. Notification shall be provided via the contact details associated with the Customer's account or through a change-notification mechanism to which the Customer may subscribe.
5.2 Right to Object
The Customer may object to a new subprocessor on reasonable data-protection grounds by notifying Voice2Evolve in writing within the thirty (30)-day notice period. Voice2Evolve shall make commercially reasonable efforts to address the objection, including by offering an alternative subprocessor or configuration. If Voice2Evolve cannot reasonably accommodate the objection within thirty (30) days of receiving it, the Customer may terminate the affected Services — or, where the subprocessor is integral to the entire Service, the Agreement — without penalty, by providing written notice before the new subprocessor begins processing.
6. Security Measures (Art. 32 GDPR)
Voice2Evolve maintains Security Measures described in Attachment A, including:
- Encryption of data at rest and in transit.
- Role-based and least-privilege access control.
- Multifactor authentication.
- Logging, monitoring, and incident management.
- Regular vulnerability assessments and security testing, appropriate to risk.
- Secure deletion and 30-day retention policy.
7. Data Breach Notification (Art. 33 GDPR)
Voice2Evolve shall notify the Customer of any Personal Data Breach without undue delay and no later than seventy-two (72) hours after becoming aware of it. The initial notification shall include, to the extent reasonably available at that time, the nature of the breach, the categories and approximate number of affected Data Subjects and Personal Data records, the likely consequences, and the measures taken or proposed to address the breach. Where full details are not yet available within the notification window, Voice2Evolve shall provide the remaining information in phases without further undue delay.
8. Data Subject Rights (Art. 15–22 GDPR)
Verification of Data Subject Identity
Before fulfilling any Data Subject request, Voice2Evolve verifies the requester’s identity in accordance with GDPR Article 12(6). Verification methods may include authentication through the user’s registered account credentials or other reasonable verification processes to prevent unauthorized access or disclosure of Personal Data.
Voice2Evolve shall assist the Customer in fulfilling requests for access, rectification, restriction, deletion, data portability, or objection. For data portability requests, Voice2Evolve shall make the relevant Personal Data available in a structured, commonly used, and machine-readable format (JSON or CSV). Voice2Evolve will not respond directly to Data Subjects unless authorized by the Customer.
9. International Transfers (Art. 44–49 GDPR)
Voice2Evolve conducts Transfer Impact Assessments (TIAs) prior to any international data transfer in line with EDPB guidance, considering surveillance laws, public authority access, and redress mechanisms. TIAs are maintained in Voice2Evolve's internal vendor register and are available to Customers upon legitimate request.
Transfers outside the EEA shall rely on:
- EU Standard Contractual Clauses (Attachment C),
- UK Addendum (Attachment D), or
- Adequacy decisions or other lawful safeguards.
Voice2Evolve ensures data transferred to third countries remains protected at a level equivalent to GDPR.
10. Compliance Verification and Documentation
Voice2Evolve will make available information reasonably necessary to demonstrate compliance through written documentation and remote assurance measures designed to protect security, confidentiality, and the privacy of other customers. Routine on-site inspections of private residences, home offices, or third-party data center facilities are not offered.
- Customer may request compliance information annually or after a confirmed Personal Data Breach affecting the Customer Data.
- Voice2Evolve may satisfy such requests through policies, security summaries, questionnaire responses, summaries of independent audit reports or certifications, and remote clarification sessions.
- Any inspection beyond documentary or remote review requires Voice2Evolve's prior written agreement or a clear mandatory legal requirement from a competent supervisory authority.
- All documentation necessary for compliance demonstration shall be maintained and provided upon request, subject to confidentiality, security, and proportionality safeguards.
11. Liability
Each Party’s total liability arising out of or in connection with this MDPA shall be limited to the total fees paid under the Agreement in the twelve (12) months preceding the event giving rise to the claim.
This limitation shall not apply to: (a) liability resulting from willful misconduct or fraud; (b) violations of applicable Data Protection Laws to the extent liability cannot be limited by mandatory law; (c) breaches of confidentiality obligations.
Each Party shall be solely responsible for any administrative fines, penalties, or sanctions imposed directly upon it by a Supervisory Authority as a result of its own noncompliance with applicable Data Protection Laws.
12. Swiss Data Protection (FADP) Compliance
Voice2Evolve also complies with the Swiss Federal Act on Data Protection (FADP). For data transfers from Switzerland, the same safeguards, Standard Contractual Clauses, and security measures set out in this MDPA shall apply. The competent supervisory authority for such processing is the Federal Data Protection and Information Commissioner (FDPIC).
13. Governing Law and Jurisdiction
This MDPA shall be governed by the laws of the Federal Republic of Germany. Jurisdiction for all disputes shall be Stuttgart, Germany, unless mandatory law requires otherwise.
14. Data Retention and Deletion Policy
Voice2Evolve maintains clear data retention and deletion schedules to comply with GDPR Articles 30 and 32. All Personal Data is stored only for as long as necessary to fulfil the purposes of processing or to meet legal obligations. Retention periods are defined based on the following criteria:
- Session Transcripts: Subject to the Customer's configurable retention setting (7–365 days; default: 30 days). On expiry, the Customer may elect to anonymize transcripts in place — replacing spoken content with a redacted marker while preserving session metadata — rather than delete them outright. The anonymize-on-expiry option is enabled by default. Where no retention setting has been configured by the Customer, transcripts are anonymized or deleted within 30 days of session completion.
- Session Analytics and Scores (non-transcript): Scores, analysis results, behavioral metrics, and other non-transcript session data are retained for the duration of the user account and deleted within 30 days of account closure, unless earlier deletion is requested by the Customer or the Data Subject.
- Internal Quality Evaluation Reports: Reports generated by Voice2Evolve's automated internal quality evaluation system are retained for 30 days and then deleted. These reports assess Voice2Evolve's own AI system components and do not contain user evaluation data. See Section 15.1.
- Anonymized Aggregate Data: Fully anonymized, k-anonymous behavioral aggregate data — from which no individual, session, or tenant can be re-identified — is retained indefinitely as it falls outside the definition of Personal Data under GDPR Article 4(1) and Recital 26. See Section 15.2.
- Post-Termination Data Return: Upon termination or expiry of the Agreement, Voice2Evolve shall make the Customer's Personal Data available for export for a period of ninety (90) calendar days. After expiry of this transition period, Voice2Evolve shall securely delete or anonymize all remaining Personal Data in accordance with this Section 14, unless retention is required by applicable law.
- User Account Data: Retained for the duration of the account and securely deleted within 30 days of closure.
- Payment and Billing Records: Maintained for statutory tax and accounting periods (typically 6–10 years) before deletion.
- Audit and Security Logs: Retained for 90 days unless longer retention is required for incident investigation or compliance.
Voice2Evolve ensures all deletions use secure erasure methods and that audit trails are logged to document deletion activities. The Company reviews retention policies annually and adjusts schedules to reflect current regulatory and operational requirements.
15. Voice2Evolve's Permitted Secondary Purposes
Notwithstanding Section 4.1, the following secondary uses of Customer Data are expressly authorized by the Agreement and do not constitute processing outside the Customer's documented instructions:
15.1 Internal Quality Evaluation
Voice2Evolve operates an automated quality evaluation system that processes session transcripts and analysis outputs using third-party LLM subprocessors (as listed in Attachment B) solely to evaluate the performance of Voice2Evolve's own AI system components — including the conversation planner, realtime dialogue agent, orchestrator, and post-session analyzer. This processing serves the purpose of maintaining and continuously improving the technical quality of the Services delivered to the Customer. It does not evaluate individual users, produces no user-facing output, and generates no user scores or profiles. Quality evaluation reports are internal to Voice2Evolve, are not accessible via the customer-facing application, and are deleted within 30 days.
15.2 Anonymized Aggregate Analytics
As authorized by the Agreement and this Section 15.2, Voice2Evolve derives fully anonymized, aggregated behavioral statistics from session data to improve the Services and develop product benchmarks. Prior to aggregation, all direct and indirect identifiers — including tenant_id, session_id, and user_id — are removed. Aggregation is subject to k-anonymity thresholds (minimum 50 sessions per dimension group); groups below this threshold are excluded entirely. Once anonymized to this standard, the resulting data is no longer Personal Data within the meaning of GDPR Article 4(1) and Recital 26 and is not subject to the restrictions of this MDPA.
ATTACHMENT A – SECURITY MEASURES
(Detailed expansion per GDPR Art. 32)
Technical Controls:
- Encryption: AES-256 encryption at rest and TLS 1.3 in transit. Encryption keys are managed according to defined lifecycle policies (generation, rotation, destruction) compliant with ISO 27001 and NIST SP 800-57.
- Access Control: Role-based access control (RBAC) enforced with multifactor authentication (MFA) for all Voice2Evolve personnel and vendor platform access. MFA is applied at the administrative and infrastructure layer; it is not required for end-user customer accounts, which are protected by Supabase Auth with secure session management. Access is granted on a least-privilege basis, reviewed quarterly, and logged.
- Logging and Monitoring: Continuous centralized logging of all administrative and system access. Logs are tamper-evident, retained for at least 90 days, and reviewed for anomalies.
- Network Security: Voice2Evolve operates exclusively on managed platform-as-a-service (PaaS) infrastructure. Network-level protections — including DDoS mitigation, firewall rules, traffic isolation, and intrusion detection — are provided and maintained by the respective infrastructure providers (see Attachment B). Administrative access to provider platforms is secured with multifactor authentication and restricted to authorized personnel.
- Pseudonymization: Analytical and transcript data is pseudonymized by separating identifiers and using random tokens to minimize linkability.
- Secure Software Development: Security integrated in SDLC through code reviews, dependency checks, and vulnerability scanning before deployment.
- Backup and Recovery: Daily encrypted backups stored in EU data centers with 30-day retention; tested quarterly for restorability.
Organizational Controls:
- Security Governance: Information security policy reviewed annually by management.
- Confidentiality: All employees and contractors sign confidentiality and data protection agreements.
- Training: Annual data protection and security training for all staff with access to Personal Data.
- Vendor Management: Third-party subprocessors undergo risk assessment and DPA verification prior to engagement. Subprocessors are contractually required to maintain data protection training for personnel who process Personal Data.
- Incident Response: Documented procedures for detection, escalation, mitigation, and post-incident review. Breach notifications are provided without undue delay in accordance with Article 33 GDPR.
- Audit and Review: Internal audits conducted semi-annually; independent audit reports or certifications, where available.
- Business Continuity: Tested plans covering disaster recovery, service redundancy, and emergency response.
- Physical Security: Voice2Evolve does not operate its own data centers. All infrastructure is hosted by third-party providers whose facilities maintain industry-standard physical security controls, including ISO 27001 or SOC 2 certification, access controls, and environmental monitoring. Provider certifications are verified as part of the vendor management process described above.
ATTACHMENT B – SUBPROCESSORS
Voice2Evolve maintains a documented process for regular Subprocessor reviews and updates and provides Customers with general authorization to engage Subprocessors in accordance with GDPR Article 28(2). Customers may subscribe to change notifications to receive reasonable prior notice of any new Subprocessor engagements.
| Provider | Role | Location | Legal Basis / Safeguards |
|---|---|---|---|
| Supabase Inc. | Database, Authentication | EU (Stockholm, Sweden primary hosting); onward transfers to US / Singapore subprocessors | Supabase DPA + SCCs + supplementary safeguards documented in Supabase TIA |
| OpenAI, L.L.C. | AI Inference / Voice API | US | SCCs + CPRA Compliance |
| Stripe Payments Europe Ltd. | Payments | EU / US | GDPR DPA + SCCs |
| Vercel Inc. | Frontend Hosting (CDN) | EU / US (AWS + Microsoft Azure + GCP; EU edge regions: Paris, Frankfurt, Sweden) | SCCs (Module 2, C2P) + UK IDTA |
| Railway Corp. (railway.com) | Backend Infrastructure | US / EU-region deployment (underlying infrastructure: GCP) | Executed DPA + EU SCCs (Module 2, C2P) + DPF |
| Cloudflare, Inc. | DNS Resolution, WebRTC TURN Relay | EU / US | GDPR DPA + SCCs |
| Sentry, Inc. | Error Monitoring | EU / US | GDPR DPA + SCCs |
| Rybbit | Website & Product Analytics (selected app pages only; sensitive paths excluded; session replay not enabled) | EU (EEA — Hetzner; Cloudflare Object Storage) | GDPR DPA (accepted by use) + SCCs |
| Plus Five Five, Inc. (Resend) | Transactional Email | US | GDPR DPA + SCCs + EU-US DPF |
| Anthropic PBC | AI Inference (LLM) | US | GDPR DPA + SCCs |
| Haufe-Lexware GmbH & Co. KG (Lexware) | Invoice & Accounting Synchronisation | EU (Germany) | GDPR DPA (AVV) |
ATTACHMENT C – STANDARD CONTRACTUAL CLAUSES (FULL TEXT)
Pursuant to GDPR Article 46 and EU Commission Implementing Decision (EU) 2021/914, the Standard Contractual Clauses (Module 2: Controller to Processor) are hereby incorporated by reference in their entirety and form an integral part of this Agreement. The official full text is published in the Official Journal of the European Union (OJ L 199, 7.6.2021, p. 31–61) and is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
ANNEX I – DETAILS OF THE TRANSFER
A. List of Parties
- Data Exporter (Controller): The Customer as identified in the Agreement.
- Data Importer (Processor): Voice2Evolve UG (haftungsbeschränkt), registered in Germany. Contact: help@voice2evolve.com.
B. Description of Transfer
- Categories of Data Subjects: End users (employees, candidates, or other individuals) who use the Services on behalf of or at the direction of the Customer.
- Categories of Personal Data: Voice recordings, session transcripts, session analytics and scores, user account data (name, email address), usage metadata, and IP addresses.
- Special Categories of Data: None (see Section 2.5).
- Frequency of Transfer: Continuous, for the duration of the Agreement.
- Nature and Purpose of Processing: Provision of AI-based voice sparring, training, transcription, scoring, and analysis services as described in the Agreement and Section 2.3.
- Retention Period: As specified in Section 14.
C. Competent Supervisory Authority
The competent supervisory authority is the data protection authority of the EU Member State in which the Data Exporter is established, or — where the Data Exporter is not established in the EU — the supervisory authority of the Member State in which the Data Exporter's EU representative is established. Where neither applies, the competent authority is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (Germany).
For Customer Data subject to Canadian law: the competent authority is the Office of the Privacy Commissioner of Canada (OPC) (www.priv.gc.ca). For processing involving Quebec residents, the additional competent authority is the Commission d'accès à l'information du Québec (CAI) (www.cai.quebec.ca).
ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES
See Attachment A (Security Measures).
ANNEX III – SUBPROCESSORS
See Attachment B (Subprocessors).
ATTACHMENT D – UK ADDENDUM (ICO)
Applies to data transfers from the United Kingdom under the ICO-approved Addendum to the EU SCCs. The Addendum ensures lawful transfers under the UK GDPR and Data Protection Act 2018.
Key Provisions:
- The EU Standard Contractual Clauses (Module 2) are adopted with modifications required by the UK Addendum.
- References to the GDPR are read as references to the UK GDPR.
- References to the European Union or Member States are interpreted to include the United Kingdom.
- The competent supervisory authority is the Information Commissioner’s Office (ICO).
- Governing law and jurisdiction: England and Wales.
These provisions ensure lawful data transfers between the UK and third countries in accordance with UK data protection law.
ATTACHMENT D.1 – SWISS ADDENDUM (FADP)
Applies to data transfers from Switzerland in accordance with the Swiss Federal Act on Data Protection (FADP) and the Ordinance to the FADP. The same EU Standard Contractual Clauses (Module 2) are adopted for transfers from Switzerland, with necessary adjustments:
- References to the GDPR shall be interpreted as references to the FADP.
- The competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC).
- References to EU Member States shall include Switzerland.
These clauses ensure that data transfers from Switzerland to third countries maintain an adequate level of protection equivalent to that required under the FADP.
ATTACHMENT E – UNITED STATES PRIVACY ADDENDUM
This Attachment applies only where and to the extent applicable U.S. state privacy laws govern the Customer’s use of the Services.
Voice2Evolve acts as a Service Provider and Processor under applicable U.S. state privacy laws, including but not limited to:
- California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA),
- Virginia Consumer Data Protection Act (CDPA),
- Colorado Privacy Act (CPA),
- Connecticut Data Privacy Act (CTDPA),
- and any other U.S. state privacy statute that imposes processor or service-provider obligations on Voice2Evolve in connection with the Services.
Under these laws, Voice2Evolve shall:
- Process Personal Data solely on documented Customer instructions and for contractual business purposes.
- Not sell, share, or use Personal Data for targeted advertising, profiling, or non-contracted purposes.
- Assist the Customer (Controller) in responding to verified consumer rights requests, including rights of access, correction, deletion, portability, and opt-out of targeted advertising.
- Ensure that any onward transfer of Personal Data complies with applicable state privacy requirements and contractual safeguards.
- Implement reasonable security practices appropriate to the sensitivity of the Personal Data.
- Maintain documentation of processing activities and data protection assessments when required by law.
- Promptly notify the Customer of any data breach, complaint, or inquiry related to CDPA or CPRA compliance.
- Permit the Customer to verify compliance through written documentation and remote assurance measures, subject to Section 10.
- Delete or return Personal Data upon request or termination of the Agreement, unless retention is required by law.
Data retention remains limited to service duration or statutory obligations. Voice2Evolve confirms compliance with all applicable U.S. state privacy regulations governing its role as a Processor/Service Provider.
Illinois Biometric Information Privacy Act (BIPA) — Scope Note: Voice2Evolve's use of the OpenAI Realtime API is limited to conversational AI and speech-to-text processing in one-on-one sessions between a user and an AI persona. Voice2Evolve does not perform speaker diarization, speaker identification, or any processing of voice data for the purpose of uniquely identifying a natural person. Voice audio transmitted to the Realtime API endpoint is subject to Zero Data Retention (ZDR), meaning no voice data persists at OpenAI after real-time inference is complete. Because Voice2Evolve does not collect voiceprints as defined under 740 ILCS 14 (data extracted and processed for the purpose of identifying an individual), BIPA's collection and consent obligations are not triggered by the Services as designed. Voice2Evolve obtains explicit user consent before each voice session begins; this consent encompasses the recording and AI processing of voice during the session. Customers whose users include Illinois residents should ensure their session-start consent clearly discloses voice processing.
ATTACHMENT F – CANADIAN PRIVACY ADDENDUM
This Attachment applies where and to the extent that Canadian federal or provincial privacy law governs the Customer's use of the Services or Voice2Evolve's processing of Personal Data on behalf of the Customer.
F.1 Applicable Laws
This Addendum addresses obligations under:
- PIPEDA — Canada's Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), as amended;
- Quebec Law 25 — Quebec's Act respecting the protection of personal information in the private sector (CQLR c P-39.1), as amended by S.Q. 2021, c. 25;
- Alberta's Personal Information Protection Act (PIPA, SA 2003, c P-6.5) and British Columbia's Personal Information Protection Act (PIPA, SBC 2003, c 63), to the extent applicable.
F.2 Roles
Voice2Evolve acts as an organization processing Personal Data on behalf of the Customer (as Controller) in accordance with the Customer's documented instructions, consistent with the roles set out in Section 2 of this MDPA.
F.3 PIPEDA Obligations
Voice2Evolve shall, in relation to Personal Data of Canadian residents:
- Collect, use, and disclose Personal Data only for the purposes identified to the Customer and only with the Customer's authorization, consistent with PIPEDA's principle of identifying purposes and limiting collection.
- Implement appropriate technical and organizational safeguards commensurate with the sensitivity of the Personal Data, consistent with PIPEDA's safeguards principle and the measures set out in Attachment A.
- Retain Personal Data only as long as necessary to fulfil the purposes for which it was collected, consistent with PIPEDA's limiting use, disclosure, and retention principle and the retention schedule in Section 14.
- Assist the Customer in fulfilling individual access and correction requests from Canadian residents within a reasonable time, consistent with PIPEDA Principles 9 and 10.
- Notify the Customer as soon as feasible following discovery of a breach of security safeguards involving Personal Data where it is reasonable to believe the breach creates a real risk of significant harm to an individual, consistent with PIPEDA's breach notification requirements (ss. 10.1–10.3 PIPEDA). Voice2Evolve shall maintain records of all such breaches for a minimum of two (2) years.
- Ensure that any onward transfer of Personal Data of Canadian residents to subprocessors is subject to contractual protections equivalent to those in this MDPA.
F.4 Quebec Law 25 Additional Obligations
In addition to the obligations in F.3, for Personal Data of Quebec residents, Voice2Evolve shall:
- Process Personal Data only for the specific purposes communicated to the Customer, consistent with Law 25's purpose-limitation requirements.
- Cooperate with the Customer in responding to requests for de-indexing (right to have information made less accessible) and data portability (delivery of Personal Data in a structured, commonly used technological format) from Quebec residents, to the extent technically feasible.
- Notify the Customer of any confidentiality incident (breach of security safeguards) involving Personal Data of Quebec residents without undue delay, enabling the Customer to fulfill its own notification obligations to the Commission d'accès à l'information (CAI) and affected individuals where required by Law 25.
- Apply data minimization and purpose limitation consistently with Law 25's requirements for any automated processing of Personal Data of Quebec residents.
F.5 Subprocessors
Subprocessors listed in Attachment B that process Personal Data of Canadian residents do so under contractual terms that impose data protection obligations materially equivalent to those set out in this Addendum. Voice2Evolve remains liable for the acts and omissions of its subprocessors with respect to such processing.
F.6 Governing Authority
Disputes or complaints relating to processing of Personal Data of Canadian residents under this Addendum may be directed to the Office of the Privacy Commissioner of Canada (OPC) (www.priv.gc.ca) or, for Quebec residents, to the Commission d'accès à l'information du Québec (CAI) (www.cai.quebec.ca), in addition to any rights under the main body of this MDPA.
This MDPA is concluded electronically and forms an integral part of the Agreement. It becomes legally binding upon the Customer’s acceptance of the Agreement by electronic means, including via checkbox or similar mechanism.