Last Updated: August 27, 2025
This Data Processing Agreement (“DPA”) forms part of the Terms of Use between Botmedica Ltd, trading as NovaVoiceRealty (“Processor”) and the client (“Controller”) and governs the Processor’s processing of Personal Data on behalf of the Controller.
1. Roles and Scope
1.1 Parties
Controller: The entity that determines the purposes and means of processing Personal Data.
Processor: Botmedica Ltd, trading as NovaVoiceRealty, which processes Personal Data on behalf of the Controller.
1.2 Purpose
Processor will process Personal Data solely for the purposes described in the Terms of Use and this DPA, including:
- a) AI voice agent call handling (inbound/outbound)
- b) Call recording, transcription, and storage
- c) CRM/calendar integration
- d) Customer service and account management
- e) Service improvement (if permitted)
1.3 Applicability
This DPA applies to processing subject to UK GDPR, EU GDPR, and all applicable US state privacy laws (including CCPA/CPRA, Colorado Privacy Act, Virginia CDPA, Connecticut, Utah, and others as may come into effect).
2. Definitions
- a) Personal Data means any information relating to an identified or identifiable natural person.
- b) Processing means any operation performed on Personal Data, automated or otherwise.
- c) Subprocessor means any third party engaged by Processor to process Personal Data on behalf of Controller.
3. Controller Instructions
Processor will process Personal Data only:
- a) On documented instructions from Controller (including those in the Terms of Use)
- b) To comply with legal obligations
- c) If Processor believes an instruction violates applicable law, it will promptly notify Controller.
4. Categories of Data & Subjects
4.1 Categories of Data
- a) Contact details (names, phone numbers, emails)
- b) Audio data (call recordings, transcripts)
- c) CRM and calendar integration data
- d) Metadata (call logs, device/browser information)
4.2 Data Subjects
Controller’s customers, prospects, leads, and employees
5. Security Measures
Processor will implement appropriate technical and organizational measures, including:
- a) Encryption of data in transit and at rest
- b) Access controls and authentication
- c) Logging and monitoring
- d) Regular vulnerability assessments
- e) A description of these measures is available upon request.
- f) Minimum technical and organizational measures are set out in Appendix I (Security Standards).
6. Subprocessors
6.1 Authorized Subprocessors
Controller authorizes the use of Subprocessors by the Processor to support the delivery of the Services. These include CRM/calendar providers as configured by Controller. The current list of authorized Subprocessors, including their purposes of processing, is maintained and publicly available here.
6.2 Subprocessor Obligations
Processor will:
- a) Ensure subprocessors are bound by equivalent data protection obligations
- b) Maintain a public list of subprocessors
- c) Provide notice before adding or replacing subprocessors. Controller may object to a new Subprocessor by providing written notice within 30 days. If the Controller objects, its sole remedy shall be to terminate the Service without penalty.
7. International Transfers
- a) For EU/EEA data: Processor will use the European Commission Standard Contractual Clauses (SCCs) (Module 2 Controller to Processor).
- b) For UK data: Processor will use the UK Addendum to the EU SCCs.
- c) For US state law compliance: Processor will not “sell” Personal Data as defined by the CCPA/CPRA.
- d) Such transfers are carried out subject to appropriate safeguards as required under GDPR and UK GDPR.
8. Assistance to Controller
Processor will assist Controller in:
- a) Responding to data subject requests (access, deletion, portability, etc.)
- b) Conducting data protection impact assessments
- c) Meeting breach notification obligations
9. Data Breach Notification
Processor will notify Controller without undue delay, and no later than 72 hours after becoming aware of a Personal Data Breach with respect to EU/UK data, and without unreasonable delay where required by applicable US state laws. The notification will include:
- a) Description of the breach
- b) Categories and approximate number of data subjects affected
- c) Measures taken to address the breach
10. Deletion or Return of Data
Upon termination of the Service, Processor will, at Controller’s choice:
- a) Delete all Personal Data, or
- b) Return all Personal Data to Controller
- c) Unless retention is required by law, deletion will occur within 60 days of termination.
- d) Secure backup or archival copies may be retained beyond 60 days where required by law or for limited technical reasons, but will remain subject to appropriate protections and will not be actively processed.
11. Audits
- a) Controller may request audit information once per year.
- b) Processor will provide relevant documentation to demonstrate compliance with this DPA.
- c) On-site audits must be scheduled in advance, at Controller’s expense, and conducted without disrupting Processor’s operations.
- d) The above limitation shall not restrict audits required by applicable law, supervisory authorities, or regulators.
12. Liability
- a) Liability under this DPA is governed by the limitations set out in the Terms of Use.
- b) Processor shall not be liable for Controller’s failure to obtain a lawful basis for processing or for Controller’s misuse of Personal Data. Nothing in this DPA limits Processor’s liability for breaches of data security, confidentiality obligations, or any other liability that cannot be limited under applicable law.
13. General
- a) This DPA prevails in case of conflict with the Terms of Use regarding data processing.
- b) Changes to this DPA require written agreement.
NovaVoiceRealty
Email: solutions@novavoicerealty.co