EngageCloud

Data Processing Agreement

Effective Date: May 2026

This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Master Services Agreement (MSA) between engagecloud.ai (“Data Processor” or “Company”) and the customer entity identified in the applicable Order Form (“Data Controller” or “Customer”). This DPA governs the processing of Personal Data by ENGAGECLOUD AI INC on behalf of Customer in connection with the Service.

1. Definitions

For the purposes of this DPA:

  • “Applicable Data Protection Law” means any data protection, privacy, or similar law applicable to the processing of Personal Data under this DPA, including but not limited to the GDPR, UK GDPR, CCPA/CPRA, and applicable U.S. state privacy laws.
  • “Customer Data” means any Personal Data that engagecloud.ai processes on behalf of Customer as a data processor, including End-User data and Customer Content submitted to the Service.
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
  • “GDPR” means the EU General Data Protection Regulation 2016/679, and “UK GDPR” means the GDPR as retained in UK law.
  • “Personal Data” has the meaning given in Applicable Data Protection Law.
  • “Processing” means any operation or set of operations performed on Personal Data.
  • “Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission.
  • “Subprocessor” means any third party engaged by engagecloud.ai to process Personal Data on behalf of Customer.

2. Scope and Role of the Parties

Customer is the Data Controller of Customer Data. engagecloud.ai is the Data Processor, processing Customer Data only on behalf of and under the instructions of Customer. Customer acknowledges that engagecloud.ai is also a Data Controller of certain data for its own purposes (e.g., account, billing, and marketing data), which is governed by the Privacy Policy, not this DPA.

3. Processing Instructions

engagecloud.ai will process Customer Data only on documented instructions from Customer, including as set out in the Terms of Service and any Order Forms. Customer’s use of and configuration of the Service constitutes its instructions. engagecloud.ai will inform Customer if it believes an instruction violates Applicable Data Protection Law.

Customer warrants that it has all necessary rights, consents, and legal bases to provide Customer Data to engagecloud.ai for processing under this DPA.

4. Nature, Purpose, and Categories of Processing

Subject Matter

Processing of Customer Data to provide, operate, support, and improve the engagecloud.ai AI-enabled communication and engagement platform.

Duration

For the term of the Customer’s subscription, plus any applicable retention period, or until Customer requests deletion — whichever is earlier.

Nature of Processing

  • Hosting and storage of Customer Data on cloud infrastructure.
  • AI-powered processing of messages, voice, and interactions.
  • Transmission of communications (SMS, voice, email) on behalf of Customer.
  • Analytics, reporting, and performance monitoring.
  • Backup, archiving, and recovery.

Categories of Personal Data

  • Identifiers: names, email addresses, phone numbers, account IDs.
  • Communication content: SMS, voice call recordings, transcripts, chat messages.
  • Contact and lead records: CRM data submitted by Customer.
  • Usage metadata: timestamps, interaction logs, device identifiers.
  • Billing data: name, billing address, payment method reference (tokenized).

Categories of Data Subjects

  • Customer’s employees, administrators, and authorized users of the platform.
  • End-users and prospects contacted by Customer through the Service.

5. Confidentiality

engagecloud.ai will ensure that personnel authorized to process Customer Data are subject to binding confidentiality obligations and have received appropriate data protection training. Personnel will process Customer Data only as needed to provide the Service.

6. Security Measures

engagecloud.ai will implement and maintain appropriate technical and organizational measures to protect Customer Data. These measures will be consistent with Provider’s security policy under MSA Article V, including but not limited to:

  • Encryption of data in transit and at rest
  • Role-based access controls
  • Multi-factor authentication
  • Logging and monitoring
  • Vulnerability scans and penetration testing

7. Subprocessors

Customer authorizes engagecloud.ai to engage Subprocessors per MSA Section 2.6. A current list will be maintained for transparency, but Customer’s prior approval is not required.

    8. Security Incident Notification

    engagecloud.ai will notify Customer of a confirmed Security Incident without undue delay and in any event within 72 hours of becoming aware of it. Notification will be sent to the Customer’s designated contact email. Each notification will include:

    • A description of the nature of the Security Incident.
    • Categories and approximate number of Data Subjects and Personal Data records affected.
    • Contact details of the engagecloud.ai data protection point of contact.
    • Likely consequences of the Security Incident.
    • Measures taken or proposed to address the Security Incident.

    engagecloud.ai will cooperate with Customer’s reasonable requests for information to assist in regulatory notifications or communications with affected Data Subjects. Notification of a Security Incident does not constitute an admission of fault or liability.

    9. Data Subject Rights

    To the extent Customer is required by Applicable Data Protection Law to respond to requests from Data Subjects exercising their rights (e.g., access, deletion, portability, correction), engagecloud.ai will provide reasonable assistance to Customer in responding to such requests, taking into account the nature of processing and information available. Customer is the primary point of contact for Data Subject requests relating to Customer Data.

    10. Data Retention and Deletion

    Upon expiry or termination of the Service, or upon Customer’s written request, engagecloud.ai will, at Customer’s election, delete or return Customer Data and delete existing copies, unless applicable law requires retention. Retention periods apply as follows, but restoration follows MSA Backup Policy (Article VI).

    Default retention periods are:

    • Call recordings: 90 days.
    • Transcripts: 180 days.
    • Interaction logs: 365 days.
    • Account and billing data: retained while account is active, plus 90-day backup.
    • Billing and invoicing records: 7 years (regulatory requirement).

    Customer may request custom retention periods or data export via the platform settings or by contacting support@engagecloud.ai. Upon request, engagecloud.ai will provide written certification of deletion.

    11. International Transfers

    Customer Data is primarily hosted in the United States. Where engagecloud.ai transfers Customer Data to countries that do not provide an adequate level of data protection under Applicable Data Protection Law, the transfer will be made pursuant to appropriate safeguards, including:

    • Standard Contractual Clauses (SCCs) as approved by the European Commission.
    • The UK International Data Transfer Addendum (UK IDTA) for UK transfers.
    • Adequacy decisions where applicable.

    By entering into this DPA, Customer agrees to the applicable SCCs as set out in Schedule 1 to this DPA, which are incorporated herein by reference. Customer may request a copy of the applicable SCCs at legal@engagecloud.ai.

    12. Audit Rights

    Audit rights are limited to documentation review only, consistent with MSA confidentiality obligations.

    13. Data Protection Impact Assessments

    Where required by Applicable Data Protection Law, engagecloud.ai will provide reasonable assistance to Customer in conducting Data Protection Impact Assessments (DPIAs) and in prior consultations with supervisory authorities, taking into account the nature of processing and the information available to engagecloud.ai.

    14. CCPA Provisions

    To the extent engagecloud.ai processes Personal Data on behalf of Customer that is subject to the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), engagecloud.ai agrees that:

    • It acts as a “Service Provider” (as defined in the CCPA) and will not sell or share Customer Data.
    • It will not retain, use, or disclose Customer Data for any purpose other than providing the Service.
    • It will not combine Customer Data with Personal Data received from other sources, except as permitted by the CCPA.
    • It will cooperate with Customer in responding to Consumer rights requests under the CCPA.
    • It will delete or return Customer’s Personal Data upon request and at the end of the Service relationship.

    15. Governing Law and Dispute Resolution

    This DPA is governed by Delaware law and disputes will be resolved in accordance with the MSA.

    16. Service Levels

    The Service will be available 99.25% of the time per calendar month, excluding exceptions defined in the MSA.

    • Service credits capped at 5% of monthly fees.
    • Credits applied against future invoices or refunded if no invoices remain.

    17. Precedence

    In the event of any conflict between the terms of this DPA and the Terms of Service, the terms of this DPA will prevail with respect to the subject matter of data protection and processing. In all other respects, the Terms of Service govern.

    18. Contact

    For data protection inquiries, Data Subject requests, or DPA-related matters: