Data Processing Agreement

Last updated: 2026-04-26

Effective date: 2026-04-26

1. Parties

This Data Processing Agreement ("DPA") is entered into between JCAM Global LLC dba Rystik (the "Processor"), with its registered address at 16055 Brookhurst St, Ste B, Fountain Valley, CA 92708, USA, and the customer that has executed the Rystik Terms of Service or an Order Form referencing the Service (the "Controller" or "Customer").

This DPA is incorporated into and forms part of the Customer's executed Terms of Service or Order Form (the "Agreement"), which governs the Controller's use of the Service and is the binding instrument between the parties. In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA controls.

2. Definitions

Capitalized terms not defined here have the meanings given in the Agreement. The following definitions are aligned with Article 4 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"):

Personal Data means any information relating to an identified or identifiable natural person ("Data Subject").

Processing means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, alteration, retrieval, use, disclosure, erasure, or destruction.

Data Subject means an identified or identifiable natural person to whom Personal Data relates.

Controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Processor means a natural or legal person which Processes Personal Data on behalf of the Controller.

Subprocessor means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

3. Subject Matter and Duration

The subject matter of the Processing is the provision of the Rystik Service to the Controller as described in the Agreement. Processing will continue for the duration of the Controller's active subscription. This DPA survives termination of the Agreement only for the limited deletion grace period described in Section 15 (Return or Deletion).

4. Nature and Purpose of Processing

The Processor Processes Personal Data for the purpose of operating an AI receptionist on behalf of the Controller, including: capturing inbound phone calls, transcribing calls and producing summaries, scheduling and managing appointments, sending SMS and email replies and notifications, storing customer contact records (CRM-style data), and generating analytics and reporting on call and message activity.

5. Type of Personal Data

The Personal Data Processed under this DPA includes: names, phone numbers, email addresses, voice recordings, call transcripts, appointment data, and business addresses (as supplied by the Controller's end-customers).

6. Categories of Data Subjects

The Data Subjects are the Controller's end-customers, including callers, contacts, leads, and other individuals who interact with the Controller's business through the Service.

7. Processor Obligations

The Processor agrees to:

(a) Process Personal Data only on the documented instructions of the Controller, including with regard to international transfers, unless required to do so by applicable law (in which case the Processor will inform the Controller of that legal requirement before Processing, unless that law prohibits such notice).

(b) Ensure that personnel authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) Assist the Controller, by appropriate technical and organizational measures, in responding to Data Subject rights requests within thirty (30) days of receiving a request from the Controller.

(d) Assist the Controller in meeting its obligations relating to Personal Data Breach notification, security of Processing, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of the Processing and the information available to the Processor.

8. Subprocessors

The Controller authorizes the Processor to engage Subprocessors to assist in providing the Service. The Processor will impose data protection terms on each Subprocessor that are no less protective than those set out in this DPA.

The Processor's current Subprocessors are:

  • Twilio — telephony and SMS delivery
  • Deepgram — speech-to-text transcription
  • OpenAI — AI conversation and language processing
  • ElevenLabs — text-to-speech voice synthesis
  • Stripe — payment processing
  • Clerk — authentication and identity
  • Resend — transactional and marketing email delivery
  • Vercel — application hosting and CDN
  • Railway — voice gateway hosting and Postgres database
  • Upstash — Redis-backed rate limiting
  • Sentry — error monitoring and session replay (gated by user consent — see Cookie Notice)

By executing the Agreement, the Controller is deemed to consent to the Processor's use of the Subprocessors listed above. The Processor will provide at least thirty (30) days' notice of any new Subprocessor by updating this DPA page. If the Controller objects to a new Subprocessor on reasonable data-protection grounds, the Controller may terminate the Agreement with respect to the affected Service before the new Subprocessor begins Processing.

9. International Data Transfers

Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the Processor relies on the European Commission's Standard Contractual Clauses (SCCs) (Module Two: Controller to Processor, or Module Three: Processor to Subprocessor, as applicable), the UK International Data Transfer Addendum, and the Swiss equivalents, as applicable. Subprocessors handling such transfers are bound by equivalent terms.

10. Personal Data Breach Notification

The Processor will notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. Notice will be sent to the email address on file for the Controller and will include, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it.

11. Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: encryption of Personal Data in transit (TLS), encryption at rest, role-based access controls and least-privilege provisioning, audit logging of administrative actions, and periodic vulnerability scanning. A detailed description of the Processor's technical and organizational measures is available to the Controller on request.

12. Data Subject Rights

The Processor will provide reasonable assistance to the Controller, taking into account the nature of the Processing, to enable the Controller to respond to Data Subject requests for access, correction, erasure, restriction of Processing, data portability, and objection. Where Data Subject requests are forwarded to the Processor by the Controller, the Processor will action them within the timeframe set out in Section 7(c).

13. Audit

Upon reasonable written notice, and not more than once per twelve (12) month period (unless required more frequently by a supervisory authority or following a Personal Data Breach), the Controller may either (a) request a copy of the Processor's most recent SOC 2 report or equivalent independent third-party audit, or (b) conduct a remote audit of the Processor's relevant policies and controls. Audits will be conducted during normal business hours, will not unreasonably interfere with the Processor's operations, and will be subject to confidentiality obligations.

14. Return or Deletion of Data

Upon termination or expiration of the Agreement, the Processor will, at the Controller's election, return or delete all Personal Data Processed on behalf of the Controller within thirty (30) days, except where retention is required by applicable law. This thirty-day window aligns with the Account Deletion grace period described in the Agreement.

15. Liability

Each party's liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the master Terms of Service. Nothing in this DPA limits or excludes either party's liability where it cannot be limited or excluded by applicable law.

16. Governing Terms

This DPA forms part of, and is governed by, the Agreement. Any matters not expressly addressed in this DPA are governed by the Agreement and applicable law. The Processor may update this DPA from time to time; material changes will be communicated via the notice mechanism in the Agreement and reflected in the "Last updated" date above.

17. Contact

DPO and legal questions relating to this DPA should be directed to support@rystik.com. Formal legal notices should be sent to:

JCAM Global LLC dba Rystik
16055 Brookhurst St, Ste B
Fountain Valley, CA 92708
USA
Email: support@rystik.com