Talkadot Data Processing Agreement
LAST UPDATED: Jan 26, 2025
How this DPA Applies
This Talkadot Data Processing Agreement (“DPA”) forms part of your Agreement with Talkadot and contains certain terms relating to data protection, privacy, and security in accordance with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 - 1798.199) (“CCPA”), where applicable. In the event (and to the extent only) that there is a conflict between the GDPR and the CCPA, the parties shall comply with the more onerous requirement or higher standard which shall, in the event of a dispute in that regard, be determined solely by Talkadot.
DATA PROCESSING TERMS
1. Interpretation
In this DPA the following expressions shall, unless the context otherwise requires, have the following meanings:
“Agreement” means any agreement between Talkadot Corp and a customer for the Services. Such an agreement may have various titles, such as “Order Form”, “Sales Order”, “Terms of Use” or “Master or Governing Services Agreement.”
“Article 28” means article 28 of GDPR.
“Customer” or “you” means the customer that is identified on, and/or is a party to, the Agreement.
“Customer Data” means all data (including but not limited to Customer Personal Data and End User data) that is provided to Talkadot by, or on behalf of, Customer through Customer’s use of the Services, and any data that third parties submit to Customer through the Services.
“Customer Personal Data” means all personal data (including that of End Users) that is submitted to the Services by or to Customer, processed by Talkadot for the purposes of delivering the Services to the Customer including but not limited to the personal data set out in Appendix 2 to this DPA.
“Data Protection Legislation” means:
(i) the GDPR and all other applicable EU, EEA or European single market Member State laws or regulations or any update, amendment or replacement of same that apply to processing of personal data under the Agreement;
(ii) all U.S. laws and regulations that apply to processing of personal data under the Agreement including but not limited to CCPA;
(iii) all laws and regulations that apply to processing of personal data under the Agreement from time to time in place in the United Kingdom and Canada.
The terms "controller", "data subject", "data protection impact assessment", "personal data", "process", "processing", "processor" and "supervisory authority" have the same meanings as in the GDPR. With respect to the CCPA (as defined above), Talkadot and Customer hereby agree that Talkadot is a "Service Provider" and Customer is the "Business", as defined under the CCPA and with respect to Personal Information (as defined under the CCPA).
“End Users” means, in the case of an Enterprise Customer under our Governing Services Agreement, Customer’s employees, agents, independent contractors and other individuals authorized by Customer to access and use the Services.
“Talkadot” or “us” means Talkadot Corp., a Delaware corporation located at 3225 McCleod Drive, Las Vegas, NV, United States.
“Talkadot Privacy Notice” means the Talkadot Privacy Notice at https://www.talkadot.com/privacy-policy
“Services” means the services ordered by Customer from Talkadot under the Agreement.
“Standard Contractual Clauses” means the “Standard Contractual Clauses” annexed to the European Commission Decision of: i) 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR; or ii) (until such time as Talkadot has entered into the Standard Contractual Clauses outlined at i)) 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC.
2. Status of Talkadot
In the provision of the Services to the Customer, Talkadot is a processor of Customer Personal Data for the purposes of GDPR.
3. Term
This DPA shall remain in force until such time as the Agreement is terminated (in accordance with its terms) or expires.
4. Customer's Obligations
Customer shall ensure and hereby warrants and represents that it is entitled to transfer the Customer Data to Talkadot so that Talkadot may lawfully process and transfer the personal data in accordance with this DPA. Customer shall ensure that any relevant data subjects have been informed of such use, processing, and transfer as required by the Data Protection Legislation and that lawful consents have been obtained (where appropriate). Customer shall ensure that any personal data processed or transferred to Talkadot will be done lawfully and properly.
5. Talkadot's Obligations
Where Talkadot is processing Customer Personal Data for Customer as a processor, Talkadot will:
(a) only do so on documented Customer instructions and in accordance with the Data Protection Legislation, including with regard to transfers of personal data to other jurisdictions or an international organization, and the parties agree that the Agreement constitutes such documented instructions of the Customer to Talkadot to process Customer Personal Data (including to locations outside of the EEA) along with other reasonable instructions provided by the Customer to Talkadot (e.g. via email) where such instructions are consistent with the Agreement;
(b) ensure that all Talkadot personnel involved in the processing of Customer Personal Data are subject to confidentiality obligations in respect of the personal data;
(c) make available information necessary for Customer to demonstrate compliance with its Article 28 obligations (if applicable to the Customer) where such information is held by Talkadot and is not otherwise available to Customer through its account and user areas or on Talkadot websites, provided that Customer provides Talkadot with at least 14 days' written notice of such an information request;
(d) co-operate as reasonably requested by Customer to enable Customer to comply with any exercise of rights by a data subject afforded to data subjects by Data Protection Legislation in respect of personal data processed by Talkadot in providing the Services;
(e) provide assistance, where necessary, with requests received directly from a Data Subject in respect of a Data Subject's Personal Data submitted through the Services;
(f) upon deletion by you, not retain Customer Personal Data from within your account other than in order to comply with applicable laws and regulations and as may otherwise be kept in routine backup copies made for disaster recovery and business continuity purposes subject to our retention policies;
(g) cooperate with any supervisory authority or any replacement or successor body from time to time (or, to the extent required by the Customer, any other data protection or privacy regulator under Data Protection Legislation) in the performance of such supervisory authority's tasks where required;
(h) assist Customer as reasonably required where Customer:
(i) conducts a data protection impact assessment involving the Services (which may include by provision of documentation to allow customer to conduct their own assessment); or
(ii) is required to notify a Security Incident (as defined below) to a supervisory authority or a relevant data subject;
(i) will not (a) sell any Personal Information (as defined under the CCPA) for a commercial purpose, or (b) collect, retain, use, disclose, or otherwise process Personal Information other than (1) to fulfill its obligations to Customer under the Agreement, (2) on the Customer's behalf, (3) for the Customer's operational purposes, (4) for Talkadot's internal use as permitted by Data Protection Legislation, (5) to detect data security incidents or protect against fraudulent or illegal activity, or (6) as otherwise permitted under Data Protection Legislation;
(j) Where required by Data Protection Legislation, Talkadot will inform Customer if it comes to its attention that any instructions received from Customer infringe the provisions of Data Protection Legislation. Notwithstanding the foregoing, Talkadot shall have no obligation to monitor or review the lawfulness of any instruction received from the Customer; and
(k) Talkadot certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
(l) Use of AI in Processing: Where Talkadot uses Customer Personal Data to develop or enhance artificial intelligence models or automated decision-making systems, Talkadot will:
- Ensure such use complies with applicable Data Protection Legislation.
- Provide transparency regarding the nature and purpose of AI processing upon Customer request.
- Allow Customers to opt out of having their Customer Personal Data used for training AI models, unless such use is integral to the provision of the Services.
- If such an opt-out materially affects Talkadot’s ability to provide the Services, Talkadot reserves the right to terminate or limit the affected Services after providing the Customer with notice and a reasonable opportunity to discuss the implications of such opt-out.
6. Subprocessors
6.1 Subprocessing. Customer provides a general authorization to Talkadot to engage onward subprocessors, subject to compliance with the requirements in this Section 6.
6.2 Subprocessor List. Talkadot will, subject to the confidentiality provisions of the Agreement or otherwise imposed by Talkadot:
(a) make available to Customer a list of the Talkadot subcontractors who are involved in processing or subprocessing Customer Personal Data in connection with the provision of the Services (“Subprocessors”), together with a description of the nature of services provided by each Subprocessor (“Subprocessor List”). A copy of this Subprocessor List may be requested here;
(b) ensure that all Subprocessors on the Subprocessor List are bound by contractual terms that are in all material respects no less onerous than those contained in this DPA; and
(c) be liable for the acts and omissions of its Subprocessors to the same extent Talkadot would be liable if performing the services of each of those Subprocessors directly under the terms of this DPA, except as otherwise set forth in the Agreement.
(d) AI Subprocessor Transparency: Talkadot will clearly identify subprocessors involved in AI or machine learning processes, including the scope of their involvement, and ensure they comply with equivalent obligations regarding Customer Personal Data as outlined in this DPA.
6.3 New / Replacement Subprocessors. Talkadot will provide Customer with written notice of the addition of any new Subprocessor or replacement of an existing Subprocessor at any time during the term of the Agreement (“New Subprocessor Notice”). The Customer will check the Subprocessor List for updates. If Customer has a reasonable basis to object to Talkadot's use of a new or replacement Subprocessor, Customer will notify Talkadot promptly in writing and in any event within 30 days after receipt of a New Subprocessor Notice. In the event of such reasonable objection, either Customer or Talkadot may terminate the portion of any Agreement relating to the Services that cannot be reasonably provided without the objected-to new Subprocessor (which may, at Talkadot's discretion and election, involve termination of the entire Agreement) with immediate effect by providing written notice to the other party. Such termination will be without a right of refund for any fees prepaid by Customer for the period following termination.
7. Security
7.1 Security Measures. Talkadot has, taking into account the state of the art, cost of implementation and the nature, scope, context and purposes of the Services and the level of risk, implemented appropriate technical and organizational measures (in accordance with Appendix 1) to ensure a level of security appropriate to the risk of unauthorized or unlawful processing, accidental loss of and/or damage to Customer Data. At reasonable intervals, Talkadot tests and evaluates the effectiveness of these technical and organizational measures for ensuring the security of the processing.
7.2 Security Incident and Breach Notification.
(a) If Talkadot becomes aware of any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of, Customer Personal Data (“Security Incident”), Talkadot will take reasonable steps to notify Customer without undue delay. A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of personal data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems. Any notification of a Security Incident to the Customer does not constitute any acceptance of liability by Talkadot.
(b) AI Incident Reporting: In the event that an issue related to AI processing (e.g., algorithmic bias, data integrity compromise) is detected, Talkadot will promptly notify the Customer and take remedial actions to address the issue.
7.3 Talkadot will also reasonably cooperate with Customer with respect to any investigations relating to a Security Incident and with preparing any required notices, and will provide any information reasonably requested by Customer in relation to any Security Incident.
8. Audits
8.1 Audits. Where Talkadot is processing Customer Personal Data for Customer as a processor (only), the Customer will provide Talkadot with at least one month's prior written notice of any audit, which may be conducted by Customer or an independent auditor appointed by Customer (provided that no person conducting the audit shall be, or shall act on behalf of, a competitor of Talkadot) (“Auditor”). The scope of an audit will be as follows:
(a) Customer will only be entitled to conduct an audit once per subscription year unless otherwise legally compelled or required by a regulator with established authority over the Customer to perform or facilitate the performance of more than 1 audit in that same year (in which circumstances Customer and Talkadot will, in advance of any such audits, agree upon a reasonable reimbursement rate for Talkadot's audit expenses).
(b) Talkadot agrees, subject to any appropriate and reasonable confidentiality restrictions, to provide evidence of any certifications and compliance standards it maintains and will, on request, make available to Customer an executive summary of Talkadot’s most recent annual penetration tests, which summary shall include remedial actions taken by Talkadot resulting from such penetration tests.
(c) The scope of an audit will be limited to Talkadot systems, processes, and documentation relevant to the processing and protection of Customer Personal Data, and Auditors will conduct audits subject to any appropriate and reasonable confidentiality restrictions requested by Talkadot.
(d) Customer will promptly notify and provide Talkadot on a confidential basis with full details regarding any perceived non-compliance or security concerns discovered during the course of an audit.
8.2 The parties agree that, except as otherwise required by order or other binding decree of a supervisory authority or regulator with authority over the Customer, this Section 8 sets out the entire scope of the Customer’s audit rights as against Talkadot.
9. International Data Transfers
9.1 To the extent applicable, for transfers of Customer Personal Data from the European Economic Area to locations outside the European Economic Area (either directly or via onward transfer) that do not have adequate standards of data protection as determined by the European Commission, Talkadot relies upon:
(a) the Standard Contractual Clauses; or
(b) such other appropriate safeguards, or derogations (to the limited extent appropriate), specified or permitted under the Data Protection Legislation.
9.2 With respect to Talkadot's reliance on the Standard Contractual Clauses for international transfers of Customer Personal Data under the Agreement, Talkadot shall act in its capacity as ‘data importer’ or 'data exporter' (as appropriate) as set out in the relevant modules of the Standard Contractual Clauses (as applicable). Upon written request and in accordance with the provisions of the Standard Contractual Clauses, Talkadot will provide copies of the Standard Contractual Clauses entered into with data importers in its capacity as processor to the Customer.
10. General Provisions
10.1 Liability for data processing. Each party's aggregate liability for any and all claims whether in contract, tort (including negligence), breach of statutory duty, or otherwise arising out of or in connection with this DPA shall be as set out in the Agreement, unless otherwise agreed in writing by the parties.
10.2 Conflict. In the case of conflict or ambiguity between: (i) the terms of this DPA and the terms of the Agreement, with respect to the subject matter of this DPA, the terms of this DPA shall prevail; (ii) the terms of any provision contained in this DPA and any provision contained in the Standard Contractual Clauses, the provision in the Standard Contractual Clauses shall prevail.
10.3 Customer remains exclusively liable for its own compliance with Data Protection Legislation with respect to any independent collection, use, or AI-based processing of personal data unrelated to the Services. This includes any use of AI-generated outputs for decision-making or recommendations not directly attributable to Talkadot’s documented processing activities. Customer hereby indemnifies Talkadot in full for any and all claims or liability arising as a result of such collection and use of personal data by it in those circumstances.
10.4 Entire Agreement. The Agreement (which incorporates this DPA) and any Order Form represent the entire agreement between the parties and it supersedes any other prior or contemporaneous agreements or terms and conditions, written or oral, concerning its subject matter. Each of the parties confirms that it has not relied upon any representations not recorded in the Agreement inducing it to enter into the Agreement.
10.5 Severance. If any provision of this DPA is determined to be unenforceable by a court of competent jurisdiction, that provision will be severed and the remainder of the terms will remain in full effect. Nothing in this DPA is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, nor authorise any party to make or enter into any commitments for or on behalf of any other party except as expressly provided herein.
10.6 Electronic Copy. The DPA is delivered as an electronic document.
10.7 Governing Law. This DPA shall be governed by the laws of the State of Delaware, United States, and the parties submit to the exclusive jurisdiction of the Delaware courts (in relation to all contractual and non-contractual disputes) unless otherwise dictated by law.
Appendix 1
Description of the technical and organizational security measures implemented by Talkadot.
Talkadot will maintain appropriate administrative, physical, and technical safeguards (“Security Safeguards”) for protection of the security, confidentiality and integrity of personal data provided to it for provision of the Services to the Customer.
The Security Safeguards include the following:
(a) Domain: Organization of Information Security.
(i) Security Roles and Responsibilities. Talkadot personnel with access to data are subject to confidentiality obligations.
(ii) Risk Management Program. Talkadot performs a risk assessment where appropriate before processing the data.
(b) Domain: Asset Management.
(i) Asset Handling.
(1) Talkadot has procedures for disposing of printed materials that contain Customer Data.
(2) Talkadot maintains an inventory of all hardware on which Customer Data is stored.
(c) Domain: Human Resources Security.
(i) Security Training.
(1) Talkadot informs its personnel about relevant security procedures and their respective roles. Talkadot also informs its personnel of possible consequences of breaching the security rules and procedures.
(d) Domain: Physical and Environmental Security.
(i) Physical Access to Facilities. Talkadot limits access to facilities where information systems that process Customer Data are located to identified authorized individuals.
(ii) Protection from Disruptions. Talkadot uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.
(iii) Component Disposal. Talkadot uses industry standard processes to delete Customer Data when it is no longer needed.
(e) Domain: Communications and Operations Management.
(i) Operational Policy. Talkadot maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.
(ii) Data Recovery Procedures.
(1) On a regular and ongoing basis, Talkadot creates backup copies of Customer Data from which Customer Data may be recovered in the event of loss of the primary copy.
(2) Talkadot stores copies of Customer Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data is located.
(3) Talkadot has specific procedures in place governing access to copies of Customer Data.
(iii) Malicious Software. Talkadot has anti-malware controls to help avoid malicious software gaining unauthorized access to Customer Data, including malicious software originating from public networks.
(iv) Data Beyond Boundaries.
(1) Talkadot encrypts Customer Data that is transmitted over public networks.
(v) Event Logging.
(1) Talkadot logs the use of its data-processing systems.
(2) Talkadot logs access and use of information systems containing Customer Data, registering the access ID, timestamp, and certain relevant activity.
(f) Domain: Information Security Incident Management.
(i) Incident Response Process.
(1) Talkadot maintains an incident response plan.
(2) Talkadot maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and remediation steps, if applicable.
(g) Domain: Business Continuity Management.
(i) Talkadot’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data in its original state from before the time it was lost or destroyed.
(h) Access Control to Processing Areas. Processes to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where the Customer Personal Data are processed or used, to include:
(i) establishing secure areas;
(ii) protection and restriction of access paths;
(iii) securing mobile/cellular telephones, data processing equipment and personal computers;
(iv) logging, monitoring and tracking all access to the data centers where Customer Personal Data are hosted;
(v) securing the data centers where Customer Personal Data are hosted by a security alarm system and other appropriate security measures; and
(vi) the facility is designed to withstand adverse weather and other reasonably predictable natural conditions, is secured by around-the-clock guards, keycard and/or biometric access (as appropriate to the level of risk), screening and escort-controlled access, and is also supported by on-site back-up generators in the event of a power failure.
(i) Access Control to Data Processing Systems. Processes to prevent data processing systems from being used by unauthorized persons, to include:
(i) identification of the terminal and/or the terminal user to the data processor systems;
(ii) automatic time-out of user terminals left idle for 30 minutes or less, with identification and password required to resume the session;
(iii) issuing and safeguarding of identification codes;
(iv) password complexity requirements (minimum length, expiry of passwords, etc.); and
(v) protection against external access by means of an industrial standard firewall.
(j) Access Control to Use Specific Areas of Data Processing Systems. Measures to ensure that persons entitled to use data processing systems are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that Customer Personal Data cannot be read, copied, modified or removed without authorization, to include by:
(i) implementing binding employee policies and providing training in respect of each employee’s access rights to the Customer Personal Data;
(ii) effective and measured disciplinary action against individuals who access Customer Personal Data without authorization;
(iii) release of data to only authorized persons;
(iv) implementing principles of least privileged access to information which contains Customer Personal Data strictly on the basis of “need to know” requirements;
(v) production network and data access management governed by VPN, two factor authentication, and role-based access controls;
(vi) application and infrastructure systems log information to centrally managed log facility for troubleshooting, security reviews, and analysis; and
(vii) policies controlling the retention of backup copies which are in accordance with applicable laws and which are appropriate to the nature of the data in question and corresponding risk.
(k) Transmission Control. Procedures to prevent Customer Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media and to ensure that it is possible to check and establish to which bodies the transfer of Customer Personal Data by means of data transmission facilities is envisaged, to include:
(i) use of firewalls and encryption technologies to protect the gateways and pipelines through which the data travels;
(ii) implementation of VPN connections to safeguard the connection to the internal corporate network;
(iii) constant monitoring of infrastructure (e.g. ICMP-Ping at network level, disk space examination at system level, successful delivery of specified test pages at application level); and
(iv) monitoring of the completeness and correctness of the transfer of data (end-to-end check).
(l) Storage Control. When storing any Customer Personal Data, it will be backed up as part of a designated backup and recovery process in encrypted form, using a commercially supported encryption solution, and all data defined as Customer Personal Data stored on any portable or laptop computing device or any portable storage medium is likewise encrypted. Encryption solutions will be deployed with no less than a 128-bit key for symmetric encryption and a 1024-bit (or larger) key length for asymmetric encryption;
(m) Input Control. Measures to ensure that it is possible to check and establish whether and by whom Customer Personal Data has been input into data processing systems or removed, to include:
(i) authentication of the authorized personnel;
(ii) protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data;
(iii) utilization of user codes (passwords);
(iv) proof established within Talkadot’s organization of the input authorization; and
(v) ensuring that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are locked.
(n) Availability Control. Measures to ensure that Customer Personal Data are protected from accidental destruction or loss, to include infrastructure redundancy and regular backups performed on database servers.
(o) Segregation of Processing. Procedures to ensure that data collected for different purposes can be processed separately, to include:
(i) separating data through application security for the appropriate users;
(ii) storing data, at the database level, in different tables, separated by the module or function they support;
(iii) designing interfaces, batch processes and reports for only specific purposes and functions, so data collected for specific purposes is processed separately; and
(iv) barring live data from being used for testing purposes as only dummy data generated for testing purposes may be used for such.
(p) Vulnerability management program. A program to ensure systems are regularly checked for vulnerabilities and that any detected are promptly remedied, to include:
(i) all networks, including test and production environments, regularly scanned; and
(ii) penetration tests are conducted regularly and vulnerabilities are remedied promptly.
(q) Data Destruction. In the event of expiration or termination of the Agreement by either side or otherwise on request from the Customer following receipt of a request from a data subject or regulatory body:
(i) all Customer data shall be securely destroyed within 3 months; and
(ii) all Customer data shall be purged from all Talkadot and/or third party storage devices including backups within 6 months of termination or receipt of a request from Customer unless Talkadot is otherwise required by law to retain a category of data for longer periods. Talkadot will ensure that all such data which is no longer required is destroyed to a level where it can be assured that it is no longer recoverable.
(r) Standards and Certifications. Data storage solutions and/or locations have at least SOC 1 (SSAE 16) or SOC 2 reports – equivalent or similar certifications or security levels will be examined on a case by case basis.