Data Processing Addendum

Document version: dpa-v1-2026-05-07

Last updated: May 7, 2026 — Effective Date: TBD (upon counsel review and launch)

1. The Addendum

This Data Processing Addendum (this “DPA”) is entered into between Vaxio Inc. (“Frontbell”) and the Tenant identified in the Order Form (“Tenant” or “Customer”) and forms part of the Master Subscription Agreement (“MSA”). In the event of any conflict between this DPA and the MSA, this DPA governs with respect to the processing of Personal Information.

This DPA is structured to satisfy both:

• the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), as amended by the California Privacy Rights Act (collectively “CCPA”); and
• Articles 28 and 32 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the UK GDPR, to the extent the Service is used in the processing of personal data of EU/UK data subjects.

2. Definitions

Capitalized terms not defined here have the meanings given in the MSA.

• “Business” has the meaning given in CCPA §1798.140(d).
• “Controller” has the meaning given in GDPR Art. 4(7).
• “Data Subject” means an identified or identifiable natural person.
• “DSAR” means a verifiable consumer request or data-subject request to exercise rights of access, deletion, correction, portability, opt-out, or limitation under applicable law.
• “Personal Information” or “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject — as defined under CCPA §1798.140(v) and GDPR Art. 4(1).
• “Processing” has the meaning given in GDPR Art. 4(2) and includes any operation performed on Personal Information.
• “Processor” has the meaning given in GDPR Art. 4(8).
• “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored, or otherwise processed.
• “Service Provider” has the meaning given in CCPA §1798.140(ag).
• “Sub-processor” means any processor engaged by Frontbell to process Personal Information on behalf of Tenant.

3. Roles of the Parties

For the purposes of this DPA:

• Tenant is the Business (CCPA §1798.140(d)) and the Controller (GDPR Art. 4(7)). Tenant determines the purposes and means of processing Personal Information of its end-customers (homeowners and other individuals who contact Tenant via the Service).
• Vaxio Inc. (“Frontbell”) is the Service Provider (CCPA §1798.140(ag)) and the Processor (GDPR Art. 4(8)). Frontbell processes Personal Information solely on Tenant's behalf and documented instructions, provides the technology infrastructure, and does not determine the purposes or means of processing.

Tenant is the recording party for all inbound calls placed to Tenant's designated phone number(s) on the Service. Frontbell acts as the technology intermediary on Tenant's behalf. Tenant warrants that it will comply with all applicable federal and state wiretapping, recording-consent, and consumer-privacy laws with respect to calls processed via the Service. Frontbell does not provide legal, tax, or compliance advice; templates and tools are illustrative. Tenant warrants jurisdictional fitness before use.

4. Subject Matter, Duration, Nature, Purpose, and Categories

4.1 Subject matter

The processing of Personal Information by Frontbell on behalf of Tenant in connection with Tenant's use of the Service.

4.2 Duration

For the term of the MSA and any post-termination period required to return or delete Personal Information.

4.3 Nature of processing

Hosting, storage, transmission, transcription, AI inference (intent classification, summarization, response drafting), text-to-speech synthesis, telephony origination/termination, SMS origination/termination, payment metadata exchange, analytics, support, and security operations.

4.4 Purpose of processing

To provide and operate the Service, in accordance with Tenant's documented instructions (the MSA, this DPA, and Tenant's configuration of the Service).

4.5 Categories of Data Subjects

• End-Customers of Tenant (typically homeowners)
• Authorized Users of Tenant (employees, contractors)
• Other individuals whose Personal Information Tenant submits to or generates within the Service

4.6 Categories of Personal Data

• Identifiers (name, email, phone, account ID)
• Postal address (service address, billing address)
• Audio recordings of calls and synthesized voice output
• Transcripts and AI-generated summaries
• SMS message content and metadata
• Photographs of property (with EXIF metadata stripped on ingest where feasible)
• Payment metadata (last-four card digits, payment status — card PAN remains with Stripe)
• Service appointments, estimates, invoices, work orders
• Authentication and access logs

4.7 Sensitive Categories

• Account credentials (hashed) — CCPA Sensitive PI
• Voice recordings — CCPA Sensitive PI (CCPA §1798.140(ae)(1)(F))
• Voice biometrics — NOT processed: Frontbell does not extract or store speaker embeddings or voiceprints for identification purposes at this time. Speaker diarization is architecturally disabled on all surfaces.
• Precise geolocation — NOT collected intentionally; Tenant is responsible for ensuring any photos uploaded do not contain unwanted GPS EXIF data (Frontbell strips EXIF on ingest where feasible).
• Health, racial/ethnic, religious, biometric, or government-ID data — NOT requested by the Service; Tenant warrants it will not submit such data. Frontbell does not sign HIPAA Business Associate Agreements.

4.8 Call Recording Retention

Frontbell records inbound PSTN calls on behalf of Tenant in accordance with the disclosure architecture described in Section 5. The default retention window for call audio recordings is 395 days from the date of the call. Tenants may configure a shorter or longer retention window via the DataRetentionPolicy configuration available in the Service settings.

Consumer deletion-on-request (CCPA §1798.105 / GDPR Art. 17) for call recordings is processed via Frontbell's customer-hard-delete workflow, which permanently deletes audio, transcripts, and associated AI metadata within 45 days of a verified deletion request. Tax-retention carve-outs (billing metadata required by law) are not deleted; audio and PII are deleted. See Section 13 (Return and Deletion) for termination-triggered deletion.

5. Frontbell Service-Provider Obligations (CCPA)

Frontbell shall:

1. Process only for permitted business purposes. Process Personal Information only to perform the Services as specified in the MSA, this DPA, and Tenant's documented instructions.
2. No sale. Not sell or share Personal Information (as those terms are defined in CCPA §§1798.140(ad), (ah)).
3. No retention/use/disclosure outside the contract. Not retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the MSA and this DPA.
4. No combining. Not combine Personal Information received from Tenant with Personal Information received from any other Tenant or source, except as permitted by 11 CCR §7050(b).
5. Comply with applicable law. Comply with all applicable obligations under the CCPA, and provide the same level of privacy protection required by the CCPA.
6. Notify on inability to comply. Promptly notify Tenant if Frontbell determines it can no longer meet its obligations under the CCPA.
7. Permit reasonable steps to remediate. Grant Tenant the right to take reasonable and appropriate steps to ensure Frontbell uses Personal Information in a manner consistent with Tenant's CCPA obligations.
8. Permit audits. Make available to Tenant such information as is reasonably necessary to demonstrate compliance, and allow for and contribute to audits as set out in Section 11.
9. Engage sub-processors only under written contract with terms that are at least as protective as those in this DPA.
10. Assist with DSARs and impact assessments as set out in Sections 9 and 10.
11. Delete or return Personal Information at the end of the provision of services as set out in Section 13.

6. Frontbell Processor Obligations (GDPR Art. 28)

To the extent the GDPR or UK GDPR applies, Frontbell shall:

1. Process Personal Data only on documented instructions from Tenant, including with regard to transfers, unless required to do so by law.
2. Ensure that persons authorised to process Personal Data are committed to confidentiality.
3. Take all measures required pursuant to Article 32 (security of processing).
4. Engage Sub-processors only with the prior general written authorization granted in Section 7 and subject to flow-down terms that are at least as protective as this DPA.
5. Taking into account the nature of the processing, assist Tenant for the fulfilment of Tenant's obligation to respond to requests for exercising Data Subject rights.
6. Assist Tenant in ensuring compliance with Articles 32 to 36 (security, breach notification, DPIAs, prior consultation).
7. At Tenant's choice, delete or return all Personal Data after the end of the provision of services.
8. Make available to Tenant all information necessary to demonstrate compliance with Article 28 obligations, and allow for and contribute to audits.

7. Sub-Processors

7.1 General authorization

Tenant grants Frontbell a general written authorization to engage Sub-processors, subject to this Section 7.

7.2 Current Sub-processor List

The following Sub-processors are authorized as of the document version date noted above. The live list is maintained at frontbell.ai/legal/subprocessors.

7.3 New Sub-processors

Frontbell will provide Tenant with at least thirty (30) days' prior notice (by email or in-Service notice) before authorizing a new Sub-processor to process Personal Information.

7.4 Right to object

Tenant may object on reasonable grounds within fifteen (15) days of notice. If Frontbell cannot accommodate the objection, Tenant's exclusive remedy is to terminate the affected portion of the Service for convenience without penalty and receive a pro-rated refund of pre-paid, unused fees.

7.5 Flow-down

Frontbell will impose data-protection obligations on each Sub-processor that are at least as protective as those in this DPA, and remains liable to Tenant for the acts and omissions of its Sub-processors as if they were its own.

8. Security

Frontbell implements and maintains the following technical and organisational measures:

• Encryption in transit: TLS 1.2 or higher for all data in transit.
• Encryption at rest: AES-256 (or equivalent) for data at rest in production databases and object storage; encrypted backups with keys managed via cloud KMS.
• Access controls: Role-based access control (RBAC) enforced at the application layer; MFA required for all administrative access; just-in-time elevation for production-database administrative actions; quarterly access reviews.
• Network security: Production network segmented from corporate network; WAF at the edge; DDoS protection; default-deny ingress rules; least-privilege egress.
• BIPA / voice biometric shield: Speaker diarization disabled on all surfaces (architectural invariant); Deepgram MIPP opt-out active on every STT request; no voiceprint extraction or storage at any pipeline layer.
• Application security: Code review required for all production changes; automated static analysis; dependency vulnerability scanning (daily); secrets management via cloud secret manager.
• Logging and monitoring: Centralized logs with at least 12-month retention for security events; real-time alerting on anomalous authentication and data-egress events.
• Incident response: Documented incident-response runbook; post-incident review for any P1 / Security Incident.
• Business continuity: Daily automated backups (encrypted at rest); RTO target: 24 hours; RPO target: 24 hours.

9. Data-Subject Requests

9.1 Routing

Frontbell will not respond to a DSAR received directly from a Data Subject except as required by law. Instead, Frontbell will route the request to Tenant within five (5) business days of receipt.

9.2 Assistance to Tenant

Frontbell will provide Tenant with reasonable assistance to enable Tenant to fulfil its obligations to respond to DSARs, including providing self-service tools where available and responding to reasonable assistance requests within fifteen (15) business days.

Tenant is responsible for verifying the Data Subject's identity, evaluating the request, and determining the appropriate response.

9.3 Costs

Reasonable assistance up to two (2) DSARs per calendar quarter is included in Tenant's subscription. Additional volume or expedited assistance may be subject to professional-services fees disclosed in advance.

9.4 Deletion-on-Request (CCPA §1798.105 / GDPR Art. 17)

When Tenant receives and verifies a consumer deletion request, Frontbell will execute deletion of the consumer's Personal Information — including call audio, transcripts, AI-generated summaries, and identifiers — within 45 days of a verified deletion request submitted by Tenant via the platform's DSAR workflow. Billing metadata required by law (tax-retention carve-out) is not deleted. Audio and PII are deleted regardless of the configured recording retention window.

10. Security Incident Notification

10.1 Notice to Tenant

Frontbell will notify Tenant of a confirmed Security Incident affecting Personal Information without undue delay and in any event within seventy-two (72) hours of confirmation.

10.2 Contents of notice

The notice will include, to the extent then known: the nature of the Security Incident, likely consequences, measures taken or proposed, and contact information for further inquiries. If full information is not yet available, Frontbell will provide updates as the investigation progresses.

10.3 Cooperation

Frontbell will reasonably cooperate with Tenant's investigation and any required notifications to regulators or Data Subjects. Frontbell's notice is not an admission of fault or liability.

11. Audits

11.1 Documentation

On request (no more than once per year, except where required by a regulator or following a Security Incident), Frontbell will make available the most recent third-party audit reports (e.g., SOC 2 Type II once available), penetration-test summaries, and policy summaries reasonably necessary to demonstrate compliance.

11.2 On-site / supplemental audit

If documentation is insufficient and Tenant has reasonable grounds, Tenant may request a supplemental audit by an independent third-party auditor reasonably acceptable to Frontbell, subject to: thirty (30) days' prior written notice; mutually agreed scope and timing; a written NDA; conduct during normal business hours; and Tenant bearing its own costs.

12. International Transfers

At launch, Frontbell processes Personal Information only in the United States. Frontbell does not market the Service in the EU/EEA/UK. If, during the term of the MSA, processing involves the transfer of Personal Data of EU/EEA/UK Data Subjects, Standard Contractual Clauses (Module Two, Controller-to-Processor, Commission Implementing Decision (EU) 2021/914) will apply automatically, with Tenant as data exporter and Frontbell as data importer. The UK ICO International Data Transfer Addendum (version B1.0) is incorporated by reference for UK transfers.

13. Return and Deletion of Personal Information

13.1 Export window

For thirty (30) days following termination of the MSA or the relevant Subscription, Tenant may export Personal Information through the Service or by written request to Frontbell.

13.2 Deletion

After the export window expires, Frontbell will delete Personal Information from production systems within ninety (90) days, except for data retained in routine backups (deleted in the ordinary backup cycle, typically within thirty-five (35) days), and except where retention is required by law. Personal Information retained in backups remains subject to this DPA until deleted.

13.3 Certification

On Tenant's written request, Frontbell will provide written confirmation of deletion.

14. Liability

The liability provisions of the MSA apply to claims arising under this DPA, except as required by applicable law (e.g., GDPR Art. 82's joint and several liability among controllers and processors for the same processing activity, which cannot be contractually excluded as to Data Subjects).

15. Order of Precedence

In the event of conflict: (a) this DPA prevails over the MSA with respect to processing of Personal Information; and (b) any applicable Standard Contractual Clauses prevail over this DPA.

16. Term

This DPA takes effect on the Effective Date of the MSA and remains in effect for so long as Frontbell processes Personal Information for Tenant.

Contact

Document version: dpa-v1-2026-05-07 — Last updated: 2026-05-07 — Status: DRAFT (pending lawyer review) — Vaxio Inc.