
Data Processing Addendum
This Data Processing Addendum ("DPA") applies to any Client ("Client" or "Controller") that has agreed to the Call Flows AI Terms of Service ("Agreement"), and is entered into by and between such Client and Call Flows AI Ltd., a company incorporated in Bulgaria with registered number BG207810941 and registered address at Bulgaria, Sofia, blvd Vitosha 1A ("Call Flows AI" or "Processor").
This DPA is incorporated into and forms an integral part of the Agreement between Call Flows AI and the Client for the provision of Call Flows AI's Services.
1. Definitions
For the purposes of this DPA:
- "Agreement" refers to the Call Flows AI Terms of Service agreed to by the Client.
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including but not limited to the GDPR, the UK GDPR, the CCPA/CPRA, and any other national, state, or local data protection laws.
- "Client Personal Data" means any Personal Data Processed by Processor on behalf of Controller in connection with the provision of the Services under the Agreement. This primarily includes data originating from the Client's Shopify store and interactions of End-Users with the Services.
- "Controller" means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, Client is the Controller of Client Personal Data.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates. This includes End-Users of the Client's Shopify store.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- "Personal Data" means any information relating to a Data Subject which is subject to Applicable Data Protection Law.
- "Processing" (and its cognates like "Process") means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Processor" means the entity which Processes Personal Data on behalf of the Controller. For the purposes of this DPA, Call Flows AI is the Processor.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data transmitted, stored or otherwise Processed by Processor or its Sub-processors.
- "Services" means the AI-powered voice assistant services and related functionalities provided by Call Flows AI to Client through its Shopify Application, as further described in the Agreement.
- "Sub-processor" means any third-party data processor engaged by Processor to Process Client Personal Data.
- "UK GDPR" means the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018.
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2. Scope and Purpose of Processing
2.1. This DPA applies when Client Personal Data is Processed by Call Flows AI as part of its provision of the Services to the Client.
2.2. Nature and Purpose of Processing: Call Flows AI will Process Client Personal Data for the purpose of providing the Services as described in the Agreement and this DPA. This includes, but is not limited to: enabling AI-powered voice assistant interactions with Client's End-Users, processing and managing orders, providing product information, offering shipping and delivery support, integrating with Client's Shopify store, analyzing service usage to improve the Services for the Client, and fulfilling other instructions from the Client in accordance with the Agreement.
2.3. Duration of Processing: Call Flows AI will Process Client Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing or as required by Applicable Data Protection Law.
2.4. Categories of Data Subjects: The categories of Data Subjects whose Personal Data may be Processed include, but are not limited to:
- End-Users of the Client's Shopify store and the Services (e.g., customers making inquiries or purchases).
- Client's employees or representatives who interact with or administer the Services.
2.5. Types of Personal Data: The types of Client Personal Data that may be Processed include, but are not limited to:
- Shopify Store Data: Information accessed via the Shopify API as authorized by the Client, such as product details, order information (including items, value, status), customer contact information (name, email, phone, shipping/billing address), and customer purchase history.
- End-User Interaction Data: Voice recordings and transcripts of interactions between End-Users and the AI voice assistant, chat logs, AI-generated summaries, End-User inquiries, and session identifiers.
- Technical Data: IP addresses, device information, browser type, and usage logs related to interactions with the Services.
3. Obligations of the Processor (Call Flows AI)
3.1. Instructions: Call Flows AI shall only Process Client Personal Data on behalf of and in accordance with Client's documented instructions, including with regard to transfers of Client Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Call Flows AI is subject; in such a case, Call Flows AI shall inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Agreement (including this DPA) constitutes Client's complete and final instructions to Call Flows AI for the Processing of Client Personal Data. Any additional or alternate instructions must be agreed upon in writing by both parties.
3.2. Confidentiality: Call Flows AI shall ensure that its personnel authorized to Process Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3. Security: Call Flows AI shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures are further detailed in Annex 2 (Technical and Organizational Security Measures) to this DPA. Call Flows AI may update these measures from time to time, provided such updates do not materially decrease the overall security of the Services.
3.4. Sub-processing:
3.4.1. Client provides a general written authorization for Call Flows AI to engage Sub-processors to Process Client Personal Data. Call Flows AI shall make available to Client a current list of Sub-processors. Such list is provided in Annex 3 to this DPA and will be updated by Call Flows AI providing notice to the Client of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving Client the opportunity to object to such changes in accordance with the terms of this DPA.
3.4.2. Where Call Flows AI engages a Sub-processor, it shall do so by way of a written contract which imposes on the Sub-processor data protection obligations that are at least as protective as those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Applicable Data Protection Law.
3.4.3. Call Flows AI shall remain fully liable to Client for the performance of that Sub-processor's data protection obligations. A current list of Call Flows AI's Sub-processors and their locations is available in Annex 3 and will be maintained by Call Flows AI at callflows.ai/subprocessors.
3.5. Data Subject Rights: Taking into account the nature of the Processing, Call Flows AI shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client's obligation to respond to requests for exercising Data Subject rights laid down in Applicable Data Protection Law. If Call Flows AI receives a request directly from a Data Subject, Call Flows AI will promptly notify Client and will not respond to the request itself, except to inform the Data Subject that the request should be directed to Client.
3.6. Assistance to Controller: Taking into account the nature of Processing and the information available to Call Flows AI, Call Flows AI shall assist Client in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR (Security of Processing, Notification of a Personal Data Breach to the supervisory authority, Communication of a Personal Data Breach to the Data Subject, Data Protection Impact Assessment, and Prior Consultation), where applicable.
3.7. Deletion or Return of Client Personal Data: Upon termination of the Agreement or at Client's request, Call Flows AI shall, at Client's choice, delete or return all Client Personal Data to Client, and delete existing copies unless Union or Member State law requires storage of the Personal Data. The specific terms for data deletion or return may be further detailed in the Agreement.
3.8. Audits and Inspections: Call Flows AI shall make available to Client all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client, upon reasonable prior notice and subject to appropriate confidentiality obligations. Such audits shall be conducted no more than once annually, during Call Flows AI's normal business hours, and in a manner that does not unreasonably interfere with Call Flows AI's business operations.
4. Obligations of the Controller (Client)
4.1. Lawful Basis: Client warrants that it has a lawful basis for the Processing of all Client Personal Data transferred to or accessed by Call Flows AI under the Agreement and this DPA (e.g., consent, performance of a contract, legitimate interest).
4.2. Instructions: Client shall ensure that its instructions to Call Flows AI for the Processing of Client Personal Data comply with Applicable Data Protection Law. Client is responsible for the accuracy, quality, and legality of Client Personal Data and the means by which Client acquired it.
4.3. Data Subject Notifications and Consents: Client is responsible for providing all necessary privacy notices to Data Subjects and obtaining any required consents from Data Subjects regarding the Processing of their Personal Data by Call Flows AI as contemplated by the Agreement and this DPA.
5. Data Transfers
5.1. Client Personal Data may be Processed by Call Flows AI and its authorized Sub-processors in various locations globally, including the European Union (EU), the European Economic Area (EEA), the United Kingdom (UK), and the United States (US). Call Flows AI's primary data storage and processing locations for Client Personal Data include servers in the EU (Frankfurt, Germany) and the US (Ohio and Oregon). All transfers of Client Personal Data will be made in compliance with Applicable Data Protection Law.
5.2. For transfers of Client Personal Data from the EEA, UK, or Switzerland to countries not deemed to provide an adequate level of data protection by the European Commission or relevant UK/Swiss authorities (such as the United States), Call Flows AI shall ensure such transfers are safeguarded by appropriate transfer mechanisms. This primarily includes reliance on the Standard Contractual Clauses (SCCs) as approved by the European Commission (and the UK Addendum thereto, where applicable). By entering into this DPA, Client and Call Flows AI are deemed to have executed the applicable SCCs, which are incorporated herein by reference. The relevant modules of the SCCs will apply as determined by legal counsel to be appropriate for the transfers contemplated herein. Further details regarding the SCCs, including the selection of optional clauses and relevant annexes, will be completed as required and made available to the Client upon request.
5.3. Where Call Flows AI or its Sub-processors rely on the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF for transfers to the United States, Call Flows AI shall ensure that such entities maintain their DPF certification.
6. Security Incident Notification
In the event of a Security Incident, Call Flows AI shall notify Client without undue delay after becoming aware of the Security Incident. The notification shall, as far as possible, describe the nature of the Security Incident, the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences of the Security Incident, and the measures taken or proposed to be taken by Call Flows AI to address the Security Incident and mitigate its possible adverse effects. Call Flows AI shall provide reasonable cooperation to Client in dealing with the Security Incident and in complying with Client's notification obligations under Applicable Data Protection Law.
7. Liability
The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall limit a party's liability towards Data Subjects under Applicable Data Protection Law.
8. General Provisions
8.1. Precedence: In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail with regard to the Processing of Client Personal Data.
8.2. Amendments: This DPA may only be amended by a written agreement signed by both parties, or as otherwise permitted for updates to the Agreement.
8.3. Governing Law and Jurisdiction: This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless otherwise required by Applicable Data Protection Law.
(Acceptance of this DPA is made through acceptance of the Call Flows AI Terms of Service, into which this DPA is incorporated.)
Annex 1: Details of Processing (as required by Article 28(3) GDPR)
This Annex forms part of the DPA and describes the Processing of Client Personal Data.
A. List of Parties
Data exporter (Controller):
- Name: The Client, as defined in the Call Flows AI Terms of Service.
- Address: As provided by Client during account registration or Shopify store integration.
- Contact person's name, title and contact details: As provided by Client via their account information.
- Activities relevant to the data transferred under these Clauses: Using Call Flows AI's Services to manage customer interactions, orders, and support for their Shopify store.
- Role (controller/processor): Controller
Data importer (Processor):
- Name: Call Flows AI Ltd.
- Address: Bulgaria, Sofia, blvd Vitosha 1A
- Contact person's name, title and contact details: For DPA queries, please contact: privacy@callflows.ai
- Activities relevant to the data transferred under these Clauses: Provision of AI-powered voice assistant services, including processing data via the Shopify App integration as per the Agreement.
- Role (controller/processor): Processor
B. Description of Transfer
- Categories of data subjects whose personal data is transferred: As described in Section 2.4 of this DPA (End-Users of Client's Shopify store, Client's employees/representatives).
- Categories of personal data transferred: As described in Section 2.5 of this DPA (Shopify Store Data including customer details and order information, End-User Interaction Data including voice recordings and transcripts, Technical Data).
- Sensitive data transferred (if applicable) and applied restrictions or safeguards: Call Flows AI does not intend to Process sensitive data as defined by GDPR Article 9 unless explicitly agreed with the Client and subject to appropriate safeguards. Voice recordings are Processed for the purpose of service provision; Clients are responsible for ensuring they have a lawful basis for the recording and Processing of such voice data, including obtaining End-User consent where required.
- The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis, as End-Users interact with the Services and as data is synchronized with the Client's Shopify store.
- Nature of the processing: As described in Section 2.2 of this DPA.
- Purpose(s) of the data transfer and further processing: Provision, maintenance, and improvement of the Services as per the Agreement.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: For the duration of the Agreement, or as per Client's instructions for deletion, or as required by law. Specific retention periods for certain data types (e.g., voice recordings) may be configurable by the Client where such functionality is provided by the Services, or otherwise will be retained as per Call Flows AI service policies, which will be designed to retain data no longer than necessary for the provision of Services or as required by law.
- For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing: To be detailed in the list of Sub-processors maintained by Call Flows AI (see Annex 3 and the link provided therein, e.g., at callflows.ai/subprocessors). Sub-processors are engaged for purposes such as hosting, AI model provision (e.g., OpenAI for voice transcription and AI response generation), communication services (e.g. Voip.ms for voice call handling), and analytics. Duration is typically for as long as Call Flows AI uses their services for the provision of Services to the Client, or as per the Sub-processor agreement.
C. Competent Supervisory Authority
In accordance with Clause 13 of the Standard Contractual Clauses (where applicable), the competent supervisory authority will be: For matters related to the processing of personal data of individuals in the European Union, and where the Client is established in the EU, the supervisory authority of the EU Member State in which the Client is established. Where the Client is not established in the EU but is subject to GDPR, the supervisory authority will be determined as per GDPR Article 27 or by mutual agreement. For Call Flows AI Ltd., as a Bulgarian entity, the primary supervisory authority is the Commission for Personal Data Protection, Bulgaria. For data subjects in the UK, the competent supervisory authority is the Information Commissioner's Office (ICO).
Annex 2: Technical and Organizational Security Measures
This Annex forms part of the DPA and describes the technical and organizational security measures implemented by Call Flows AI. Call Flows AI commits to maintaining robust security measures, recognizing its responsibilities even when utilizing third-party infrastructure like AWS.
- 1. Infrastructure and Network Security:
- Services are hosted on Amazon Web Services (AWS) infrastructure. Call Flows AI leverages AWS security features for the underlying infrastructure, including but not limited to:
  - Use of Virtual Private Clouds (VPCs) for network isolation of processing environments.
  - Implementation of Security Groups and Network Access Control Lists (ACLs) to act as firewalls, restricting traffic to and from servers to only necessary ports and protocols.
  - Leveraging AWS Shield or similar services for Distributed Denial of Service (DDoS) mitigation.
- Firewalls are implemented at network and host levels as appropriate.
- 2. Data Encryption:
- All Client Personal Data is encrypted in transit using industry-standard protocols such as SSL/TLS (HTTPS) for web application traffic, REST APIs, and WebSocket communications. Voice call signaling (e.g., SIP over TLS) and media (e.g., SRTP) are encrypted.
- Client Personal Data is encrypted at rest using industry-standard encryption algorithms (e.g., AES-256). This is applied to data stored in databases (e.g., AWS RDS encryption), object storage (e.g., AWS S3 server-side encryption), and on server volumes (e.g., AWS EBS volume encryption).
- Encryption key management is handled via AWS Key Management Service (KMS) or an equivalent robust key management system.
- 3. Access Control:
- Role-Based Access Control (RBAC) is implemented for Call Flows AI personnel (e.g., distinct roles for support, sales, administration) to ensure access to Client Personal Data is strictly limited to those who require it for their job functions, adhering to the principle of least privilege.
- Multi-Factor Authentication (MFA) is enforced for all Call Flows AI administrative access to production systems, sensitive data, and underlying AWS accounts.
- AWS Identity and Access Management (IAM) is utilized to manage and control access to AWS resources, enforcing the principle of least privilege for users and services.
- Strong password policies (complexity, length, rotation where appropriate) are enforced for all accounts with access to systems processing Client Personal Data.
- Access to production environments, applications, and data is logged and monitored for unauthorized attempts or suspicious activity.
- Client access to the Services is authenticated via Shopify OAuth and their own secure credentials managed within Shopify.
- Physical access to Call Flows AI offices is controlled. No Client Personal Data is stored at physical office locations; all processing occurs within secure cloud environments (AWS data centers). AWS maintains robust and certified physical security for their data centers.
- 4. Application Security:
- Secure software development lifecycle (SSDLC) practices are integrated into the development process. This includes following secure coding guidelines (e.g., based on OWASP recommendations) and conducting security-focused code reviews.
- Regular automated vulnerability scanning of applications is performed.
- Periodic penetration testing by independent third parties is conducted to identify and remediate potential vulnerabilities.
- The application is designed to protect against common web vulnerabilities, including those listed in the OWASP Top 10.
- 5. Logging and Monitoring:
- Comprehensive logging of system activity, application events, access attempts, and security events is implemented (e.g., using AWS CloudTrail for API activity and AWS CloudWatch for application logs and performance metrics).
- Logs are securely stored and regularly reviewed. Automated alerting mechanisms are in place for suspicious activity and critical security events.
- 6. Availability and Resilience (Business Continuity & Disaster Recovery):
- Use of multiple AWS Availability Zones (AZs) within primary regions (EU Frankfurt, US Ohio, US Oregon) for high availability and fault tolerance of critical service components.
- Regular automated backups of critical Client Personal Data are performed. Backup procedures include encryption of backup data and secure storage in a separate AWS region from the primary processing region.
- Backup and restoration procedures are periodically tested to ensure their effectiveness and timeliness.
- A disaster recovery (DR) plan is maintained and periodically reviewed and tested. The DR plan outlines procedures for recovering services and data in the event of a major outage or disaster affecting a primary processing region.
- 7. Data Minimization and Separation:
- Call Flows AI processes only the Client Personal Data necessary to provide and improve the Services as described in the Agreement and this DPA.
- Client data is logically separated within multi-tenant systems to prevent unauthorized access or disclosure between different clients.
- 8. Incident Management:
- A documented incident response plan is in place to address Security Incidents. This plan includes procedures for:
  - Detection and Reporting: Systems and processes for identifying, monitoring, and reporting potential security incidents.
  - Containment: Actions to limit the scope and impact of an ongoing incident.
  - Investigation and Analysis: Determining the root cause, nature, and extent of an incident.
  - Eradication and Recovery: Removing the cause of the incident and restoring affected systems and data securely.
  - Notification: Complying with notification obligations to Clients (as per Section 6 of this DPA) and relevant data protection authorities, where required by Applicable Data Protection Law.
  - Post-Incident Review (Lessons Learned): Analyzing the incident handling process to identify areas for improvement in security measures and incident response procedures.
- 9. Personnel Security:
- Employees and contractors with access to Client Personal Data are subject to confidentiality obligations.
- Regular security awareness training is provided to personnel.
- 10. Sub-processor Management:
- Due diligence is performed on Sub-processors to assess their security and data protection practices before engagement.
- DPAs are in place with Sub-processors imposing data protection obligations consistent with this DPA.
Call Flows AI may update these security measures from time to time, provided that such updates do not materially decrease the overall security of the Services. Client acknowledges that security requires a shared responsibility, and Client is responsible for configuring and using the Services securely, including managing its own user access credentials and ensuring the security of its Shopify store integration.
Annex 3: List of Sub-processors
This Annex forms part of the DPA. Call Flows AI is authorized to engage the following Sub-processors (this list is illustrative and the authoritative list will be maintained by Call Flows AI at callflows.ai/subprocessors):
Sub-processor Name | Service Provided | Location of Processing (Primary) |
---|---|---|
OpenAI, L.L.C. | AI model provider (for voice transcription, natural language understanding, response generation) | United States (and other locations as per OpenAI policy) |
Amazon Web Services (AWS) | Cloud hosting, infrastructure, database, storage, and network services | EU (Frankfurt, Germany), US (Ohio), US (Oregon) |
Voip.ms (a service of FNOBOX Inc.) | Telecommunications carrier for VoIP services (voice traffic is encrypted in transit to/from Call Flows AI servers). | France (Paris), United States (San Jose) (Points of Presence used by Call Flows AI). |