Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between the Client ("Data Controller") and PremiumClients.ai ("Data Processor") pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Aria AI voice agent platform and related services.

"Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR. "Processing" means any operation performed on personal data as defined in Article 4(2) GDPR. "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

All terms not defined herein shall have the meanings ascribed to them in the GDPR.

Data Subjects include: callers and prospective clients of the Controller; existing customers of the Controller; appointment requestors and contacts.

Categories of Personal Data processed: phone numbers and caller identification; voice recordings and call transcripts; names and contact details shared during calls; appointment scheduling preferences; call metadata (duration, timestamps, outcomes).

The Processor shall process personal data solely for: operating the AI voice agent on behalf of the Controller; generating call transcripts and summaries; scheduling appointments as directed by callers; providing analytics and reporting to the Controller; maintaining and improving service quality.

The Processor shall not process personal data for any other purpose without prior written authorization from the Controller.

The Processor shall: process personal data only on documented instructions from the Controller; ensure persons authorized to process data are bound by confidentiality obligations; implement appropriate technical and organizational security measures as described in Section 7; engage sub-processors only with prior authorization and equivalent contractual obligations.

The Processor shall assist the Controller in: responding to data subject requests (access, rectification, erasure, restriction, portability, objection); conducting data protection impact assessments where required; consulting with supervisory authorities where required.

The Processor shall not transfer personal data outside the EEA without appropriate safeguards, including EU Standard Contractual Clauses (SCCs) or an adequacy decision.

The Controller provides general authorization for the Processor to engage sub-processors. Current sub-processors include: LiveKit Inc. (voice infrastructure, WebRTC); Stripe Inc. (payment processing); SendGrid/Twilio (transactional email delivery).

The Processor shall: inform the Controller of any intended changes to sub-processors at least 30 days in advance; ensure all sub-processors are bound by equivalent data protection obligations; remain liable for the acts and omissions of its sub-processors.

The Processor implements the following technical and organizational measures: encryption of data in transit (TLS 1.3) and at rest (AES-256); strict role-based access controls and multi-factor authentication; regular security assessments and vulnerability scanning; audit logging of all data access and processing activities; network segmentation and intrusion detection systems.

Security measures are reviewed and updated regularly to address evolving threats and maintain compliance with Article 32 GDPR.

The Processor shall notify the Controller of any personal data breach without undue delay and no later than 48 hours after becoming aware of the breach.

Notification shall include: the nature of the breach including data categories and approximate number of data subjects affected; the name and contact details of the data protection officer; the likely consequences of the breach; measures taken or proposed to address the breach and mitigate its effects.

The Processor shall assist the Controller in fulfilling data subject rights requests under Articles 15-22 GDPR, including: access to personal data (Art. 15); rectification of inaccurate data (Art. 16); erasure of personal data (Art. 17); restriction of processing (Art. 18); data portability (Art. 20); objection to processing (Art. 21).

The Processor shall respond to the Controller's requests regarding data subject rights within 10 business days.

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance and allow for audits by the Controller or an independent auditor.

Audits shall be conducted with reasonable notice (at least 30 days), during business hours, and without disrupting the Processor's operations. The Processor may provide SOC 2 Type II reports or equivalent certifications as an alternative to on-site audits.

Upon termination of the service agreement or upon the Controller's request, the Processor shall: return all personal data to the Controller in a commonly used, machine-readable format within 30 days; securely delete all remaining copies of personal data within 60 days, unless retention is required by EU or member state law.

This DPA is governed by the laws of the Republic of Cyprus and applicable EU data protection law. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution mechanisms set forth in the main Terms of Service.