Data Processing Agreement

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between Telyo.ai Limited ("Telyo.ai", "we", "us", or "our") and you ("Customer", "you", or "your") for the provision of AI voice agent services ("Services").

This DPA governs the processing of personal data by Telyo.ai on behalf of Customer in connection with the Services, ensuring compliance with applicable data protection laws, including the New Zealand Privacy Act 2020 and the General Data Protection Regulation (GDPR) where applicable.

2. Definitions

For the purposes of this DPA, the following definitions apply:

• "Controller" means the Customer, who determines the purposes and means of processing personal data.
• "Processor" means Telyo.ai, who processes personal data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person processed through our Services.
• "Data Subject" means the identified or identifiable natural person whose personal data is processed.
• "Processing" means any operation performed on personal data, including collection, recording, storage, use, disclosure, or deletion.
• "Sub-processor" means any third party appointed by Telyo.ai to process personal data on behalf of the Controller.

3. Data Processing Details

Nature and Purpose of Processing

Telyo.ai processes personal data to provide AI voice agent services, including:

• Voice call handling and conversation management
• Natural language processing and voice recognition
• Customer interaction analytics and reporting
• Service optimization and AI model training
• Technical support and system maintenance

Categories of Personal Data

• Voice recordings and audio data
• Contact information (names, phone numbers, email addresses)
• Conversation transcripts and interaction logs
• Usage data and system logs
• Any other data provided through the Services

Categories of Data Subjects

• Customer's end users and customers
• Individuals calling or being called through the Services
• Customer's employees and authorized users

4. Telyo.ai's Obligations as Data Processor

Telyo.ai undertakes to:

• Process personal data only in accordance with Customer's documented instructions
• Ensure personnel processing personal data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist Customer in responding to data subject requests
• Assist Customer with data protection impact assessments where required
• Delete or return personal data upon termination of services
• Maintain records of processing activities
• Notify Customer of any personal data breaches without undue delay

5. Customer's Obligations as Data Controller

Customer undertakes to:

• Ensure it has lawful basis for processing and transferring personal data
• Provide clear and documented processing instructions to Telyo.ai
• Obtain necessary consents and provide appropriate privacy notices
• Ensure personal data transferred is accurate and up-to-date
• Respond to data subject requests in accordance with applicable laws
• Notify relevant authorities of data breaches as required by law
• Indemnify Telyo.ai against claims arising from Customer's non-compliance

6. Security Measures

Telyo.ai implements appropriate technical and organizational measures to protect personal data, including:

• Encryption of data at rest and in transit using industry-standard protocols
• Access controls and multi-factor authentication
• Regular security assessments and penetration testing
• Employee security training and background checks
• Secure data centers with physical access controls
• Regular data backups and disaster recovery procedures
• Network monitoring and intrusion detection systems
• Data minimization and pseudonymization where possible

7. Sub-processors

Customer provides general authorization for Telyo.ai to engage sub-processors for specific processing activities. Telyo.ai will:

• Maintain a list of current sub-processors available upon request
• Notify Customer of any intended changes to sub-processors
• Ensure sub-processors are bound by equivalent data protection obligations
• Remain fully liable for any sub-processor's acts or omissions

Current Sub-processors

8. International Data Transfers

Personal data may be transferred to and processed in countries outside New Zealand. Where such transfers occur, Telyo.ai ensures:

• Transfers are made only to countries with adequate data protection laws
• Appropriate safeguards are implemented, including standard contractual clauses
• Data subjects' rights remain protected during and after transfer
• Customer is informed of transfer mechanisms and safeguards

9. Data Subject Rights

Telyo.ai will assist Customer in fulfilling data subject rights requests, including:

• Right of access to personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making and profiling

Data subjects should direct requests to Customer. Telyo.ai will forward any requests received directly to Customer and provide reasonable assistance in responding within applicable timeframes.

10. Data Retention and Deletion

Personal data will be retained only as long as necessary for the purposes outlined in this DPA or as required by law. Upon termination of services, Telyo.ai will:

• Delete or return all personal data within 30 days of termination
• Provide certification of deletion upon Customer's request
• Retain data longer only if required by applicable law
• Ensure any retained data remains protected in accordance with this DPA

11. Data Breach Notification

In the event of a personal data breach, Telyo.ai will:

• Notify Customer without undue delay and within 72 hours of becoming aware
• Provide details of the nature of the breach and data involved
• Describe measures taken to address the breach and mitigate harm
• Recommend actions Customer should take
• Cooperate with Customer and authorities in breach response
• Implement measures to prevent similar breaches

12. Audits and Compliance

Telyo.ai will make available to Customer information necessary to demonstrate compliance with this DPA and allow for audits. Customer may:

• Request compliance reports and certifications
• Conduct audits with reasonable notice and during business hours
• Engage qualified third-party auditors subject to confidentiality obligations
• Receive copies of relevant third-party audit reports

Customer will bear the costs of audits unless they reveal material non-compliance.

13. Liability and Indemnification

Each party's liability under this DPA is subject to the limitation of liability provisions in the main service agreement. Additionally:

• Customer indemnifies Telyo.ai for claims arising from Customer's instructions or non-compliance
• Telyo.ai indemnifies Customer for claims arising from Telyo.ai's breach of this DPA
• Neither party excludes liability for fraud, gross negligence, or willful misconduct
• Liability caps do not apply to data protection violations where prohibited by law

14. Term and Termination

This DPA remains in effect for the duration of the main service agreement. Upon termination:

• Processing obligations cease except for data deletion/return requirements
• Confidentiality and security obligations survive termination
• Data retention obligations continue as specified in Section 10
• Either party may terminate for material breach with 30 days' notice

15. Changes to This DPA

Telyo.ai may update this DPA to reflect changes in:

• Applicable data protection laws and regulations
• Services provided or processing activities
• Industry standards and best practices
• Technical and organizational measures

Material changes will be communicated to Customer with at least 30 days' notice.

16. Governing Law and Disputes

This DPA is governed by New Zealand law. Any disputes arising from this DPA will be resolved through the dispute resolution mechanisms specified in the main service agreement.

Where Customer is subject to GDPR, data subjects may also exercise their rights under GDPR and seek remedies in EU courts.

17. Contact Information

For questions about this DPA or data processing matters, contact our Data Protection Officer: