Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between ValidPixel LLC ("Ringzy," "Data Processor," "we") and the customer ("Business," "Data Controller," "you") who uses the Ringzy Service under the Terms of Service.

This DPA governs the processing of personal data by Ringzy on behalf of the Business in connection with providing the AI call answering Service. It supplements and is incorporated into the Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA takes precedence with respect to data processing matters.

This DPA is designed to satisfy the requirements of the GDPR, CCPA, and other applicable data protection laws to the extent they apply to your use of the Service.

In this DPA:

• "Data Controller" means the Business, who determines the purposes and means of processing personal data.
• "Data Processor" means Ringzy, who processes personal data on behalf of the Data Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on personal data, including collection, recording, storage, use, transmission, and deletion.
• "Data Subject" means a natural person whose personal data is processed under this DPA (e.g., your callers).

Ringzy processes personal data solely to provide the AI call answering Service to the Business. Processing activities include:

• Receiving and routing inbound phone calls
• Recording and transcribing phone conversations
• Generating AI summaries of call content
• Booking appointments on behalf of the Business
• Sending call summaries and notifications to Business users
• Storing call logs and transcripts in the Business's dashboard

In providing the Service, Ringzy may process the following categories of personal data relating to callers:

• Caller names (when provided during the call)
• Caller phone numbers (from caller ID)
• Conversation content (full audio recording and transcript)
• Appointment details (date, time, service requested)
• Any other personal information voluntarily shared by the caller during the call

The Business, as Data Controller, represents and warrants that:

• It has a lawful basis for processing personal data under applicable data protection law
• It has provided callers with adequate notice that their calls may be recorded and handled by AI
• Its instructions to Ringzy comply with all applicable laws and regulations
• It is solely responsible for determining the retention period and any downstream use of call data

Ringzy, as Data Processor, agrees to:

• Process personal data only on documented instructions from the Business, and for no other purpose
• Ensure that persons authorized to process personal data are subject to appropriate confidentiality obligations
• Implement appropriate technical and organizational security measures (see Section 8)
• Not engage sub-processors without informing the Business (see Section 7)
• Assist the Business in fulfilling Data Subject rights requests
• Delete or return all personal data upon termination of the Service, as chosen by the Business
• Make available to the Business all information necessary to demonstrate compliance with this DPA

The Business authorizes Ringzy to engage the following sub-processors to deliver the Service:

Ringzy will provide at least 14 days' notice before adding new sub-processors that process personal data. The Business may object in writing within that period.

Ringzy implements and maintains the following technical and organizational security measures:

• Encryption of personal data in transit (TLS 1.2 or higher)
• Encryption of personal data at rest (AES-256)
• Role-based access controls limiting data access to authorized personnel
• Regular security assessments and vulnerability testing
• Incident response procedures and breach notification processes
• Secure data deletion practices upon contract termination

If Ringzy receives a request directly from a Data Subject to exercise their rights (access, rectification, erasure, portability, objection), Ringzy will promptly forward the request to the Business and will provide reasonable assistance in fulfilling it.

The Business, as Data Controller, is responsible for responding to Data Subject rights requests within the timeframes required by applicable law.

Ringzy's sub-processors are located in the United States. Where personal data is transferred from the European Economic Area (EEA) or United Kingdom to the United States, such transfers are made pursuant to Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

By using the Service, you acknowledge that personal data may be processed in the United States and other countries where our sub-processors operate.

Ringzy will notify the Business without undue delay, and in any event within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to Data Subjects' rights and freedoms.

The notification will include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences of the breach, and measures taken or proposed to address it.

Call recordings and transcripts are retained for 90 days by default. The Business may configure shorter retention periods from the dashboard. Upon account termination, Ringzy will delete all personal data within 30 days, unless a longer retention period is required by law.

The Business may request immediate deletion of specific call records via the dashboard or by contacting privacy@ringzy.ai.

For DPA-related inquiries, contact: privacy@ringzy.ai

ValidPixel LLC, operating as Ringzy.ai