Data Processing Agreement
Last Updated: April 16, 2026
Effective Date: April 16, 2026
This Data Processing Agreement (the "DPA") is entered into by and between Bizangle, LLC, a Florida limited liability company with its principal office at 1343 Main Street, Suite 705, Sarasota, FL 34236 ("Bizangle" or "Processor"), and the customer that has agreed to Bizangle's Terms of Service (the "Customer" or "Controller"). It forms part of, and is incorporated by reference into, the Terms of Service between the parties (the "Agreement").
This DPA applies only when and to the extent Bizangle processes Customer Personal Data (as defined below) on behalf of the Customer in the course of providing the Service. Where a conflict arises between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA controls.
This DPA becomes effective automatically upon Customer's acceptance of the Terms of Service and requires no signature to be binding. A countersigned copy is available on request by emailing support@bizangle.com with the subject "DPA signature request."
1. Definitions
Capitalized terms not defined here have the meanings given in the Agreement or in applicable data-protection law.
- "Applicable Data-Protection Law" means all laws applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other U.S. state privacy laws.
- "Customer Personal Data" means Personal Data that Customer or its end users submit to, or generate through use of, the Service, and that Bizangle processes on Customer's behalf.
- "Personal Data," "Processing," "Controller," "Processor," "Sub-processor," "Data Subject," and "Supervisory Authority" have the meanings given in the GDPR.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to European Commission Decision 2021/914 of 4 June 2021, as updated.
2. Roles and Scope
2.1 Parties. For Customer Personal Data, Customer is the Controller and Bizangle is the Processor. Each party is responsible for compliance with the Applicable Data-Protection Law that applies to it.
2.2 Customer Instructions. Bizangle will process Customer Personal Data only on documented instructions from Customer, including as set forth in the Agreement, this DPA, Customer's configuration of the Service, and any written instruction reasonably required for the Service. Bizangle will notify Customer if, in Bizangle's opinion, an instruction violates Applicable Data-Protection Law.
2.3 Subject Matter, Nature, and Purpose. The subject matter is the provision of the Service. The nature and purpose of processing is described in Annex I.
2.4 Duration. Bizangle will process Customer Personal Data for the duration of the Agreement and as described in Section 10.
3. Obligations of Bizangle
Bizangle will:
- process Customer Personal Data only on Customer's documented instructions (Section 2.2);
- ensure that persons authorized to process Customer Personal Data are under a written confidentiality obligation;
- implement the technical and organizational measures described in Annex II;
- engage Sub-processors only in accordance with Section 4;
- assist Customer, insofar as reasonably possible and at Customer's cost for anything beyond standard support, in responding to Data Subject requests (Section 6) and in fulfilling Customer's obligations under Articles 32–36 GDPR;
- notify Customer of Security Incidents in accordance with Section 7;
- at the end of the Agreement, return or delete Customer Personal Data in accordance with Section 10;
- make available to Customer the information necessary to demonstrate compliance with Article 28 GDPR and allow for audits as described in Section 8.
4. Sub-processors
4.1 General Authorization. Customer provides a general authorization for Bizangle to engage Sub-processors to process Customer Personal Data in connection with the Service, subject to the conditions below.
4.2 Current List. Bizangle maintains a list of current Sub-processors, available on request by emailing support@bizangle.com. As of the Effective Date, the Sub-processors include (non-exhaustive):
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Hosting, storage, backups | United States |
| Stripe, Inc. | Payment processing | United States |
| ElevenLabs Inc. | Voice AI pipeline | United States |
| Groq, Inc. | Alternative voice AI pipeline | United States |
| OpenAI, LLC | Background LLM processing | United States |
| VoIP.ms (7111388 Canada Inc.) | SIP trunking, DID routing | Canada |
| Google LLC | Gmail/Calendar via OAuth, Firebase Cloud Messaging | United States |
| Apple Inc. | Apple Push Notification Service | United States |
| Qdrant Solutions GmbH | Vector storage | EU/U.S. |
4.3 Terms With Sub-processors. Bizangle will enter into a written agreement with each Sub-processor imposing obligations substantially similar to those in this DPA.
4.4 Notice of New Sub-processors. Bizangle will provide at least 14 days' notice of any new Sub-processor by email to the address Customer has designated for notices or by posting to Bizangle's website.
4.5 Objection. Customer may object to a new Sub-processor on reasonable data-protection grounds within 14 days of notice. If the parties cannot agree on a resolution, Customer may terminate the Agreement as to the affected portion of the Service for convenience, subject to a pro-rata refund of any prepaid fees.
4.6 Liability. Bizangle remains liable to Customer for the acts and omissions of Sub-processors to the same extent Bizangle would be liable if performing the services directly.
5. International Data Transfers
5.1 Mechanism. Where Bizangle processes Customer Personal Data originating in the EEA, UK, or Switzerland in a country that is not deemed adequate by the European Commission (or the UK or Switzerland, as applicable), the parties agree that the Standard Contractual Clauses apply as follows:
- Module 2 (Controller-to-Processor) applies when Customer is a Controller.
- Module 3 (Processor-to-Processor) applies when Customer is acting as a Processor for its own customers.
- The optional docking clause is included; clause 7 is optional.
- Clause 9(a) Option 2: general written authorization (Section 4 above).
- Clause 11: the optional independent-dispute-resolution provision is not included.
- Clause 17: the governing law is the law of Ireland.
- Clause 18: disputes will be resolved in the courts of Ireland.
- Annex I and Annex II of the SCCs are completed by this DPA's Annex I and Annex II.
5.2 UK and Swiss Addenda. For transfers subject to the UK GDPR, the International Data Transfer Addendum issued by the UK Information Commissioner's Office applies. For transfers subject to Swiss law, references to the GDPR in the SCCs are deemed references to the Swiss FADP, and the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority.
5.3 Supplementary Measures. Bizangle will take the supplementary technical, organizational, and contractual measures described in Annex II to ensure the transferred Customer Personal Data receives an essentially equivalent level of protection.
6. Data Subject Rights
6.1 Assistance. Taking into account the nature of the processing, Bizangle will assist Customer by appropriate technical and organizational measures, insofar as reasonably possible, to fulfill Customer's obligation to respond to Data Subject requests.
6.2 Direct Requests. If Bizangle receives a request directly from a Data Subject relating to Customer Personal Data, Bizangle will promptly forward the request to Customer and will not respond substantively except on Customer's instruction or as required by law.
7. Security Incidents
7.1 Notification. Bizangle will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Customer Personal Data.
7.2 Contents of Notice. The notice will include, to the extent then known: the nature of the incident; categories and approximate number of affected Data Subjects and records; likely consequences; and measures taken or proposed to address the incident and mitigate its effects.
7.3 Cooperation. Bizangle will provide Customer reasonable cooperation and information needed for Customer to meet its own notification obligations under Applicable Data-Protection Law.
7.4 No Admission. Bizangle's notification of, or response to, a Security Incident is not an acknowledgment by Bizangle of any fault or liability.
8. Audits
8.1 Information. Bizangle will make available to Customer, on reasonable request, the information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR, including relevant third-party audit reports (e.g., SOC 2 Type II, if available) and a summary of security certifications.
8.2 On-Site Audits. If the information made available under Section 8.1 is insufficient, and only where required by Applicable Data-Protection Law, Customer may conduct an audit of Bizangle's relevant facilities at Customer's expense, subject to reasonable advance notice (not less than 30 days), during normal business hours, no more than once per 12 months (except following a Security Incident or at the direction of a Supervisory Authority), and pursuant to a mutually agreed scope that respects the confidentiality and security of other customers.
8.3 Fees. Except where an audit is required by a Supervisory Authority or follows a confirmed material breach by Bizangle, Customer will pay Bizangle's reasonable costs of cooperating with the audit at Bizangle's then-current professional-services rates.
9. Processing Details (Annex I)
A. List of Parties
- Controller: Customer (as identified in the Customer's account profile).
- Processor: Bizangle, LLC, 1343 Main Street, Suite 705, Sarasota, FL 34236. Contact: support@bizangle.com.
B. Description of Processing
Categories of Data Subjects:
- Customer's end users, employees, contractors, and agents;
- Customer's customers, leads, and other individuals who call, message, or otherwise communicate with Customer through the Service;
- Individuals whose data Customer uploads to the knowledge base.
Categories of Personal Data:
- Name, email, phone number, business role, communication preferences;
- Voice recordings, call audio, call transcripts, call metadata;
- SMS and email content;
- Calendar events and appointment details;
- Uploaded documents and business content;
- Device identifiers, IP addresses, push tokens;
- Inferences (e.g., caller sentiment) and agent-generated context.
Special Categories: Customer is responsible for ensuring that any special categories of personal data (GDPR Art. 9) are submitted only where it has a lawful basis and has implemented appropriate safeguards. Bizangle is not a HIPAA-regulated entity and does not knowingly process Protected Health Information.
Nature of Processing: storage, organization, retrieval, transmission, adaptation, AI analysis, and deletion as necessary to provide the Service.
Purpose: provision of the Service as described in the Agreement.
Duration: the term of the Agreement and for retention periods described in the Privacy Policy.
Frequency of Transfer: on a continuous basis.
C. Competent Supervisory Authority
For transfers subject to the GDPR, the competent Supervisory Authority is the Data Protection Commission of Ireland (because the law of Ireland is the governing law of the SCCs under Section 5.1).
10. Return and Deletion
Upon termination or expiration of the Agreement, Bizangle will, at Customer's choice, return or delete Customer Personal Data within a reasonable period (generally within 90 days), except to the extent Bizangle is required by applicable law to retain some or all of the data. Backups containing Customer Personal Data will be overwritten in the ordinary course within 90 days.
11. Liability
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set forth in the Agreement.
12. Governing Law
Except as provided in Section 5.1 for the SCCs, this DPA is governed by the laws of the State of Florida, United States, without regard to its conflict-of-laws rules.
13. Annex II — Technical and Organizational Measures
Bizangle has implemented, and will maintain, the following technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access:
- Access Controls: role-based access control (RBAC), least-privilege provisioning, and regular access reviews; multi-factor authentication for administrative access.
- Encryption: TLS 1.2+ for data in transit; encryption at rest using industry-standard algorithms (AES-256 or equivalent) for databases, object storage, and backups.
- Network Security: segmented networks, firewalls, intrusion detection, rate limiting, DDoS protection at the edge.
- Application Security: secure software-development lifecycle, dependency scanning, code review, periodic vulnerability testing.
- Personnel: background checks (where permitted by law), security awareness training, written confidentiality obligations.
- Incident Management: a documented incident-response plan covering detection, containment, eradication, recovery, notification, and post-incident review.
- Business Continuity: regular backups, disaster-recovery testing, geographically redundant storage for critical data.
- Logging and Monitoring: audit logs of administrative actions, authentication events, and data-access activity retained consistent with the Privacy Policy.
- Sub-processor Management: written agreements, due-diligence reviews, and ongoing monitoring.
- Physical Security: reliance on cloud providers (AWS and equivalent) with certified physical-security controls (ISO 27001, SOC 2, etc.).
These measures may evolve over time; Bizangle may substitute controls of equivalent or greater protection.
14. Contact
Bizangle, LLC — Data Protection
1343 Main Street, Suite 705
Sarasota, FL 34236
support@bizangle.com