Data Processing Addendum

Effective: March 16, 2026

This Data Processing Addendum (“DPA”) supplements and is incorporated into Carbon Voice’s Workspace Terms of Service or other agreement between the Workspace Owner and Carbon Voice governing Carbon Voice’s use of and access to the Carbon Voice Services (“Agreement”). Capitalized terms used below that are not otherwise defined have the meanings given to them in the Agreement.

1. Scope

1.1 Scope of DPA. This DPA applies to Carbon Voice’s processing of Personal Data on behalf of Workspace Owner in connection with the provision of the Services to Workspace Owner and any Authorized Workspace Users pursuant to the Agreement. Processing of Personal Data outside the Workspace Services is governed by Carbon Voice’s Privacy Policy and the Agreement. This DPA is incorporated into and forms part of the Agreement.

1.2 Processor. The parties agree that, with respect to Personal Data processed under this DPA, Carbon Voice acts as a processor under Data Protection Law and/or service provider under CCPA for Workspace Owner in providing Services to Workspace Owner.

1.3 Processing Activities. The subject matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, and categories of data subjects are described in Exhibit A. The parties agree that Exhibit A reflects the processing of Personal Data by Carbon Voice on behalf of Workspace Owner in connection with the Services.

2. Processing of Personal Data

2.1 Carbon Voice Obligations. Carbon Voice will:

2.1.1. Process Personal Data only on documented instructions from Workspace Owner, including transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which Carbon Voice is subject, in which case Carbon Voice will inform Workspace Owner of the legal requirement before processing, unless prohibited by law; and Carbon Voice shall not process Personal Data for its own purposes except as expressly permitted under the Agreement or this DPA;

2.1.2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

2.1.3. Implement appropriate technical and organizational measures, designed to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed and to ensure a level of security appropriate to the risk; including, as applicable, encryption of Personal Data in transit and at rest, access controls based on least privilege principles, and regular testing and evaluation of security measures.

2.1.4. Respect the conditions for engaging other processors as required by applicable Data Protection Law and set forth in Section 4 below;

2.1.5. Taking into account the nature of the processing, assist Workspace Owner by appropriate technical and organizational measures, to the extent possible, to enable Workspace Owner to fulfill its legal obligations as a controller to respond to requests for exercising data subject rights pursuant to applicable Data Protection Law;

2.1.6. Taking into account the nature of processing and the information available to Carbon Voice, assist Workspace Owner in ensuring compliance with its legal obligations pursuant to applicable Data Protection Law regarding (i) security of processing, (ii) notification of and communication of Security Incidents, (iii) data protection impact assessments, and (iv) prior consultation with the applicable supervisory authority;

2.1.7. At Workspace Owner’s choice, delete or return all Personal Data to Workspace Owner after the end of the provision of the Services, and delete existing copies unless applicable law requires storage of Personal Data; provided that Carbon Voice may retain Personal Data in backup systems for a limited period consistent with its standard backup retention policies, after which such data will be securely deleted.

2.1.8. Make available to Workspace Owner all information necessary to demonstrate compliance with its obligations under applicable Data Protection Law and allow for and assist with audits in accordance with Section 6 below, in each case at Workspace Owner’s expense; and

2.1.9. Inform Workspace Owner if, in its opinion, an instruction infringes applicable Data Protection Law.

2.1.10. Carbon Voice will not use Personal Data processed on behalf of Workspace Owner to train, retrain, or improve any general-purpose machine learning or artificial intelligence models, except where (a) such use is expressly authorized by Workspace Owner, or (b) the data has been aggregated and de-identified such that it no longer constitutes Personal Data. Carbon Voice will ensure that any Subprocessors providing machine learning or AI-related services process Personal Data solely for the purpose of providing the Services and not for their own independent purposes.

2.2. Workspace Owner Instructions. Workspace Owner instructs Carbon Voice to process Personal Data as documented in this DPA and the Agreement, and as otherwise necessary to provide the Services to Workspace Owner. Workspace Owner’s instructions to Carbon Voice for the processing of Personal Data will comply with all applicable laws, including Data Protection Laws. The parties agree that Workspace Owner’s instructions include the use of Subprocessors in accordance with Section 4, and the performance of processing necessary to operate, maintain, and improve the Services in accordance with the Agreement.

2.3. Controller Authorization. If Workspace Owner is a processor, Workspace Owner warrants to Carbon Voice that Workspace Owner’s instructions and actions with respect to Personal Data, including its appointment of Carbon Voice as a subprocessor, have been authorized by the relevant controller.

3. Data Transfers

3.1. Workspace Owner Authorization. Workspace Owner authorizes Carbon Voice to perform Data Transfers of Personal Data processed under this DPA to:

(a) any country subject to an adequacy determination by the European Commission;

(b) recipients that have implemented appropriate safeguards for Data Transfers in accordance with applicable Data Protection Law, including the Standard Contractual Clauses; or

3.2 Standard Contractual Clauses. To the extent that Carbon Voice processes Personal Data subject to the GDPR and such processing involves Data Transfers, the Standard Contractual Clauses adopted by the European Commission under Decision 2021/914, as may be amended or replaced from time to time (“SCCs”), are incorporated by reference into this DPA.

The SCCs will apply in a manner consistent with the roles of the parties under this DPA. Where Workspace Owner acts as a controller and Carbon Voice acts as a processor, Module 2 (Controller-to-Processor) will apply. Where Workspace Owner acts as a processor and Carbon Voice acts as a subprocessor, Module 3 (Processor-to-Processor) will apply.

In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.

3.3 UK Transfers. To the extent that any Data Transfer is subject to the UK GDPR, the SCCs shall apply as supplemented by the UK International Data Transfer Addendum (version B1.0, in force as of 21 March 2022), which is incorporated by reference, as applicable. In the event of any conflict between the SCCs and the UK Addendum, the UK Addendum shall prevail in respect of such transfers.

3.4 Swiss Transfers. To the extent that any Data Transfer is subject to the Swiss Federal Act on Data Protection, the SCCs shall apply with the following modifications:

(a) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection;

(b) references to “EU”, “Union”, and “Member State” shall be interpreted as references to Switzerland; and

4. Subprocessors

4.1. General Authorization. Workspace Owner hereby grants Carbon Voice general authorization to engage Subprocessors, subject to the terms of this DPA and the Agreement. Carbon Voice will maintain an up-to-date list of its Subprocessors at a publicly available URL (currently https://www.getcarbon.app/subprocessors). Carbon Voice will notify Workspace Owner, including via updates to such list or via email of any intended changes concerning the addition or replacement of a Subprocessor at least 15 days before it is used on any Workspace Data. If Workspace Owner provides a reasonable written objection to a new Subprocessor within 10 days of receiving notice, and Carbon Voice chooses not to suggest an alternative, Workspace Owner may terminate the Agreement after 30 days’ notice to Carbon Voice.

4.2. Subprocessor Requirements. Prior to the engagement of a Subprocessor, Carbon Voice will enter into a written agreement with the Subprocessor containing at least the same data protection obligations as those set out in this DPA, including providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of applicable Data Protection Law, taking into account the nature of the services provided by the Subprocessor. If a Subprocessor fails to fulfill its data protection obligations, Carbon Voice will be liable to Workspace Owner for the performance of that Subprocessor’s obligations.

4.3. Carbon Voice uses Subprocessors to provide the Services, including those listed at the URL referenced in Section 4.1.

4.4. Subprocessor Roles. Carbon Voice will ensure that each Subprocessor processes Personal Data for the purpose of providing the Services and in accordance with Carbon Voice’s obligations under this DPA. Carbon Voice will remain responsible for the performance of each Subprocessor’s obligations under this DPA.

5. Security Incidents

5.1. Security Incident Notification. Upon becoming aware of a Security Incident, Carbon Voice will notify Workspace Owner without undue delay and, where feasible, within 72 hours of becoming aware of such Security Incident, and will promptly take reasonable steps to minimize harm and secure Personal Data.

5.2. Notification Description. To the extent possible, notification to Workspace Owner will describe the nature of the Security Incident, the likely consequences of the Security Incident, and the measures taken or proposed to be taken to address the Security Incident. Carbon Voice may provide such information in phases as it becomes available. Carbon Voice’s notification of or response to a Security Incident will not be construed as an acknowledgement by Carbon Voice of any fault or liability with respect to the incident.

5.3. Cooperation. Carbon Voice will reasonably cooperate with Workspace Owner in connection with any Security Incident, including by providing information reasonably requested to enable Workspace Owner to comply with its obligations under applicable Data Protection Laws.

6. Audits

6.1. Workspace Owner Audit. Upon Workspace Owner’s prior written request and subject to the confidentiality obligations, Carbon Voice will allow Workspace Owner or an independent third-party auditor that is not a competitor of Carbon Voice to access information including by providing relevant summaries of independent third-party audit reports or certifications, where available, or inspect Carbon Voice’s procedures relevant to the protection of Workspace Data in order to audit Carbon Voice’s compliance with this DPA.

6.2. Process for Inspections. Inspections may be conducted no more than once per year and only in a manner that does not interfere with Carbon Voice’s normal business operations and only upon at least 30 days’ prior written notice, unless required by applicable law or a competent authority. Workspace Owner and Carbon Voice will mutually agree upon the scope, timing, and duration, which shall be reasonable and limited to information necessary to demonstrate compliance with this DPA of the inspection, and Workspace Owner will reimburse Carbon Voice for all reasonable costs and expenses incurred in connection with such inspection. Any deficiencies or reports created based on such access or inspection must be promptly shared with Carbon Voice and will be Carbon Voice’s Confidential Information.

6.3. Limitations. Nothing in this Section will require Carbon Voice to disclose information or grant access to the extent doing so would (a) compromise the security of Carbon Voice’s systems or data, (b) disclose confidential information of other customers, or (c) violate applicable law or contractual obligations.

7. CCPA Certification. Carbon Voice will not:

7.1.1. Sell or share personal information provided by Workspace Owner;

7.1.2. Retain, use, or disclose any Workspace Owner or Authorized Workspace User personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing such personal information for a commercial purpose other than providing the Services; or

7.1.3. Retain, use, or disclose Workspace Owner or Authorized Workspace User personal information outside of the direct business relationship between Workspace Owner and Carbon Voice, except as permitted by applicable Data Protection Laws.

7.2. Service Provider Status. The parties acknowledge and agree that Carbon Voice is a “service provider” or “contractor” (as applicable) under the CCPA with respect to the processing of personal information under this DPA.

7.3. No Combining of Personal Information. Carbon Voice will not combine personal information received from Workspace Owner with personal information received from other sources, except as permitted under the CCPA.

8. General

8.1. This DPA is subject to the terms of the Agreement, including without limitation, those regarding dispute resolution, limitation of liability, and termination. If any of the provisions of this DPA conflict with the provisions of the Agreement, the provisions of this DPA will prevail.

8.2. Incorporation and Acceptance. This DPA is incorporated into the Agreement and becomes effective upon Customer’s acceptance of the Agreement.

9. Definitions

9.1. “CCPA” means the California Consumer Privacy Act of 2018 and any legislation or regulation that amends, replaces, or re-enacts it.

9.2. “Data Protection Law” means (a) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data effective 25 May 2018 (the General Data Protection Regulation) and any legislation or regulation that amends, replaces, or re-enacts it; and (b) any other applicable data protection law or regulation of the European Union or the European Economic Area and their member states, Switzerland, and the United Kingdom.

9.3. “Data Transfer” means any transfer or onward transfer of Workspace Owner Personal Data out of the European Economic Area, Switzerland, or the United Kingdom to another country.

9.4. “Personal Data” means personal data contained in Workspace Data that is subject to applicable Data Protection Law or the CCPA.

9.5. “Security Incident” means a breach of security measures causing the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Carbon Voice.

9.6. “Standard Contractual Clauses” or "SCCs" means the standard contractual clauses adopted by the European Commission under Decision 2021/914 of 4 June 2021, as may be amended or replaced from time to time.

9.7. “Subprocessor” means a third party engaged by Carbon Voice to process Personal Data in order to provide parts of the Services under the Agreement.

9.8. The terms “controller”, “processor”, “data subject”, “personal data,” “processing" and “appropriate technical and organizational measures” have the meanings provided in applicable Data Protection Laws.

9.9. The terms “business”, “commercial purpose”, “service provider”, “sell” and “personal information” have the meanings provided in the CCPA.

Exhibit A

Subject Matter of Processing

The subject matter of the processing is the Personal Data submitted to the Services by Workspace Owner pursuant to the Agreement.

Duration of Processing

The processing will continue until the expiration or termination of the Agreement, or as otherwise determined by Workspace Owner by deleting Personal Data from its account.

Nature and Purpose of Processing

Processing by Carbon Voice to provide the Services to Workspace Owner pursuant to the Agreement.

Types of Personal Data

Personal Data provided to Carbon Voice by Workspace Owner or Authorized Workspace Users, including:

Name, email and other Account Data
Audio, transcript data, and other message content containing Personal Data
Information about the hardware and software used to access the Service;
Information and analytics about use of the Service;
Employee authentication information, such as user ID and department information;
Cookies and Usage Data and Log Data
Contacts Data
Other Personal Data uploaded or submitted by Authorized Workspace Users or Workspace Owners to the Services.

Categories of Data Subjects

Employees and other Authorized Workspace Users of Workspace Owner and any other individual whose Personal Data is uploaded or submitted by Workspace Owner or Authorized Workspace Users to the Services.

Competent Supervisory Authority

The competent supervisory authority shall be determined in accordance with applicable Data Protection Law.

Exhibit B - Technical and Organizational Measures

Carbon Voice implements the following technical and organizational measures to ensure an appropriate level of security:

- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)

- Access controls based on least-privilege principles with role-based

access management

- Role-based permissions with logging for internal systems access

- Regular security testing and vulnerability assessments

- Incident detection and response procedures

- Employee security training and confidentiality obligations

- Sub-processor due diligence

- Data minimization and retention controls