Data Processing Addendum
Data Processing Agreement
SALESCALING, in its capacity as Data Processor (hereinafter the “PROCESSOR”) will process the personal data it receives from the CLIENT, as Data Controller (hereinafter the “CONTROLLER”), in relation to the performance of the Agreement for the provision of the Services following the instructions and purposes determined by the CONTROLLER.
For the purposes of this Agreement, “CLIENT” refers to any natural or legal person or affiliated entity of the Client that has entered into a service provision agreement with SALESCALING and processes personal data for which it is responsible to ensure the provision of the services under the agreement between them.
Both parties, in the exercise of their respective powers, agree to enter into this Data Processing Agreement (hereinafter, the “Agreement”), in compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter “GDPR”) and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”), in accordance with the following,
Clauses
1. Object
1.1. The PROCESSOR, within the framework of this Agreement, will process personal data on behalf of the CONTROLLER in accordance with the terms and conditions set forth in this document.
1.2. The purpose of the processing is the provision of the Services specified in the service provision agreement that covers this Agreement.
1.3. The processing engagement will last for as long as the contractual relationship between the parties is maintained and until the personal data are deleted in accordance with the provisions of this Agreement.
1.4. In relation to the Agreement, the CONTROLLER is the person who determines the purposes and means for which the Controller's Data are processed by the processor (as defined below).
1.5. The personal data provided by the CONTROLLER to the PROCESSOR refer to the categories of data and data subjects indicated in Appendix I.
2. Obligations of the Data Processor
The PROCESSOR and all its personnel commit to the following obligations:
2.1. Use the personal data subject to processing, or those it collects for inclusion, only for the purpose of this engagement. Under no circumstances may it use the data for its own purposes.
2.2. Process the data in accordance with the documented instructions of the CONTROLLER.
2.3. If the PROCESSOR considers that any of the instructions infringe the GDPR, LOPDGDD or any other data protection provision of the European Union or Member States, the PROCESSOR will inform the CONTROLLER immediately.
2.4. Not disclose the data to third parties, unless it has the prior express written authorization of the CONTROLLER, in the legally established and admissible cases.
2.5. The PROCESSOR may disclose the data to other processors of the same controller, in accordance with the instructions of the CONTROLLER. In this case, the CONTROLLER will identify, beforehand and in writing, the entity to which the data must be disclosed, the data to be disclosed and the security measures to be applied to proceed with the disclosure.
2.6. The PROCESSOR will make transfers of personal data to a third country or to an organization only under the documented instructions of the CONTROLLER. If the PROCESSOR must transfer such personal data to a third country or international organization by virtue of European Union or Member State law applicable to it, it will inform the CONTROLLER of that legal requirement in advance, unless such law prohibits it on important public interest grounds.
2.7. Likewise, the PROCESSOR undertakes to return to the CONTROLLER the medium or media containing the personal data, or to destroy them, at the latter's request, once the provision of services has concluded, without retaining any copy thereof, unless the CONTROLLER so provides.
2.8. Subcontracting.
a. The PROCESSOR may subcontract to third parties the performance of data processing activities required for the proper provision of the services covered by this Agreement, including certain necessary technical and IT services and necessary auxiliary services.
b. Pursuant to the GDPR and LOPDGDD, any subcontracting of the service that is carried out for the fulfillment of the contract that the PROCESSOR wishes to perform must be communicated to the CONTROLLER at the e-mail address indicated in the Specific Conditions, indicating the processing activities intended to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. Subcontracting may proceed if the CONTROLLER does not express its opposition within 5 days of the communication.
c. The list of Authorized Subprocessors or providers is found in Appendix I.
d. The subcontractor, who will also have the status of data processor, is likewise obliged to comply with the obligations established in this document for the PROCESSOR and the instructions issued by the CONTROLLER.
e. It is the PROCESSOR's responsibility to enter into a new contract with the new processor so that it is subject to the same conditions and with the same formal requirements as it, regarding the proper processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the subprocessor, the PROCESSOR will remain fully liable to the CONTROLLER with respect to compliance with the obligations.
2.9. The PROCESSOR may share the CONTROLLER's personal data with those service providers or third companies, including artificial intelligence service providers, under the CONTROLLER's instruction. In such case, given that the PROCESSOR acts following the CONTROLLER's instructions it shall not be required to notify the CONTROLLER in advance, and it will be the CONTROLLER who will ensure that such provider complies with the guarantees regarding personal data protection and its compliance with applicable regulations.
2.10. Maintain the duty of secrecy with respect to personal data to which the PROCESSOR has had access by virtue of the services provided to the CONTROLLER, even after the relationship between them has ended.
2.11. Ensure that the persons authorized to process personal data expressly and in writing commit to respecting confidentiality and to complying with the corresponding security measures, of which they must be appropriately informed.
2.12. Keep available to the CONTROLLER the documentation proving compliance with the obligation established in the previous section.
2.13. Ensure the necessary training in personal data protection for the persons authorized to process such data.
2.14. Assist the CONTROLLER, taking into account the nature of the processing, through appropriate technical and organizational measures, insofar as possible, so that it can comply with its obligation to respond to requests aimed at the exercise of data subject rights.
2.15. When data subjects exercise the rights of access, rectification, erasure and objection, restriction of processing, data portability and not to be subject to automated individual decisions before the PROCESSOR, the PROCESSOR must notify the CONTROLLER by email at the address indicated by the CONTROLLER. The communication must be made as soon as possible, with the PROCESSOR making its best efforts to ensure it occurs within 3 working days from receipt of the request, and will include, where appropriate, other information that may be relevant to resolve the request.
2.16. Right to information. It is the CONTROLLER's responsibility to provide the right to information at the time of data collection.
2.17. Notification of personal data security breaches
a. The PROCESSOR will notify the CONTROLLER, without undue delay, and in any case within a maximum period of 36 hours, and through a simple communication, of security breaches concerning the data under its charge of which it becomes aware, together with all relevant information and documentation about the incident.
b. Notification will not be necessary when it is unlikely that such security breach will result in a risk to the rights and freedoms of natural persons.
c. The notification will include at least the following information:
2.18. Support the CONTROLLER in carrying out data protection impact assessments, where appropriate.
2.19. Support the CONTROLLER in carrying out prior consultations with the supervisory authority, where appropriate.
2.20. Make available to the CONTROLLER all information necessary to demonstrate compliance with its obligations, as well as for the carrying out of audits or inspections conducted by the controller or another auditor authorized by it, when requested.
2.21. Security Measures. The PROCESSOR undertakes to apply the necessary security measures to the personal data to prevent its alteration, loss, processing or unauthorized access, taking into account the state of technology, the nature of the data stored and the risks to which they are exposed, whether arising from human action or the physical or natural environment. In this sense, in accordance with the provisions of Articles 24 and 32 of the GDPR, the PROCESSOR is obliged to have implemented appropriate technical and organizational security measures.
2.22. Specifically, the PROCESSOR will adopt the security measures set out in Appendix I.
2.23. Data destination. The PROCESSOR undertakes to destroy the data once the provision has been fulfilled. However, the PROCESSOR may retain a copy, with the data duly blocked, while liabilities may arise from the execution of the provision.
3. Obligations of the Data Controller
The CONTROLLER agrees to:
3.1. Be responsible for the personal data subject to processing.
3.2. Conduct a data protection impact assessment of the processing operations to be carried out by the processor when appropriate.
3.3. Guarantee the duty to inform data subjects in accordance with arts. 13 and 14 GDPR.
3.4. Carry out the prior consultations that correspond.
3.5. Ensure, prior to and during the entire processing, compliance with the GDPR and LOPDGDD by the PROCESSOR.
3.6. Communicate changes to the basic structure of the data that imply or may imply a change in the application of security measures.
3.7. Provide the PROCESSOR access only to those data that are adequate, pertinent and not excessive, by reason of the purpose of the contracted service.
3.8. The CONTROLLER must guarantee to the holder of the personal data, according to the nature, scope, context and purposes of the processing, based on the provisions of Article 24 of the GDPR, that it has adopted appropriate technical and organizational measures to maintain the security of the personal data provided.
3.9. It is the CONTROLLER's responsibility to communicate to data subjects as soon as possible any personal data security breaches when it is likely that the breach will result in a high risk to the rights and freedoms of natural persons.
The communication must be made in clear and simple language and must, at a minimum:
a. Explain the nature of the data breach.
b. Indicate the name and contact details of the data protection officer or another point of contact where more information can be obtained.
c. Describe the possible consequences of the personal data security breach.
d. Describe the measures adopted or proposed by the controller to remedy the personal data security breach, including, where appropriate, the measures taken to mitigate possible adverse effects.
3.10. The CONTROLLER will ensure that the service providers or third companies to which the PROCESSOR communicates personal data under the CONTROLLER's instruction comply with the guarantees in data protection and other applicable legislation and is responsible to the PROCESSOR.
Appendix I to the Data Processing Agreement on the details of the processing
1. Purpose(s) of the processing:
Ensure the provision of the service(s) contracted by the CONTROLLER, in accordance with the service provision Agreement. Such processing may include different technological services, such as recording and transcribing calls and meetings, as well as the use of SDRs through AI Agents between the CONTROLLER and its employees or end customers.
2. Types of personal data provided by the CONTROLLER to the PROCESSOR:
Identification data (e.g.: first and last name, phone number, email, etc.)
Professional and company data (e.g.: position, company, industry sector, professional contact details, user identifier in internal systems)
System access and usage data (e.g.: user identifiers, access logs, IP addresses, cookies, logs)
Technical and operational data.
Audio and video recordings of calls.
The Parties will not intentionally collect or process any special categories of data. The PROCESSOR will immediately report any inadvertent receipt of special categories of data.
3. Categories of data subjects processed by the PROCESSOR:
Employees of the CONTROLLER.
Customers, potential customers, their employees, contacts or end users of the CONTROLLER.
4. Types of processing carried out
The engagement will involve the following processing operations of personal data:
Storage and retention of data, recording, retrieval and input of data.
Access and query of information
Voice recording.
Processing of information using AI.
Audio transcription using AI.
Semantic text analysis.
Data analysis and processing
Integration with AI platforms or third-party systems
Anonymization or pseudonymization of data.
Data deletion or destruction.
Updating of data, including its correction, adaptation, alteration, alignment and combination.
5. Security measures
Category | Implemented security measure
Organizational measures | Periodic security assessments.
Organizational measures | Secure and automated processes (CI/CD).
Technical measures | Encryption of data at rest and in transit.
Technical measures | Session tokens.
Technical measures | Antivirus scanning.
Technical measures | Protection against attacks (injection, XSS, SSRF).
Access control measures | Authentication by trusted providers and OTP.
Access control measures | Role-based authorization (OpenFGA).
Access control measures | 2FA on administrative interfaces.
Continuity and recovery measures | Automated deployments with recovery <10 min.
Continuity and recovery measures | Monitoring and verification of configurations.
Continuity and recovery measures | Periodic backups.
6. Authorized subprocessors
Bunny.net | CDN and video storage | EU | N/A
Google Cloud | Cloud infrastructure / AI | EU | N/A
Vercel | Hosting and deployment | EU | N/A
Hyperdoc | Meeting recording | EU | N/A
Crisp | Live chat | EU | N/A
Nylas | Email and calendar API | EU | N/A
Hookdeck | Webhook management | EU | N/A
Supabase | Database | EU | N/A
AWS | Backup and additional infrastructure | EU | N/A
Auth0 | Authentication and authorization | EU | N/A
Stripe | Payment processing | EU | N/A
Resend | Email sending | EU | N/A
DigitalOcean | Cloud infrastructure | EU | N/A
Posthog | Usage analytics | EU | N/A
Datadog | Monitoring and logs | EU | N/A
Assembly AI | Audio transcription using AI | EU | N/A
Elevenlabs | Conversational AI models | EU | N/A
