Data Processing Addendum (DPA)
1. Purpose and scope
This Data Processing Addendum (this Addendum) forms part of, and is incorporated into, the SmartAlex Terms of Service (the Agreement) between THERCSGROUP PTE. LTD., a private company limited by shares incorporated in the Republic of Singapore (UEN 202543608D) with its registered office at 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914 (SmartAlex, we, us or our), and the business that contracts for the Services (the Customer or you).
This Addendum governs the Processing of Personal Data that we carry out on the Customer's behalf in connection with the SmartAlex platform, websites, applications and APIs (the Services). It records the parties' respective obligations where SmartAlex acts as a Processor (or sub-processor) of Personal Data for which the Customer is a Controller (or processor), and it sets out the data-protection terms that the parties are required to put in place under Article 28 of the GDPR and the equivalent provisions of other Applicable Data Protection Law. This Addendum applies to the extent that such Processing is subject to Applicable Data Protection Law, including:
- the Personal Data Protection Act 2012 of Singapore (the PDPA);
- the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the EU GDPR) and the UK General Data Protection Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the Data Protection Act 2018 (the UK GDPR, and together with the EU GDPR, the GDPR);
- the Swiss Federal Act on Data Protection (the FADP); and
- the Protection of Personal Information Act 2013 of South Africa (POPIA).
By accepting the Agreement or by using the Services, the Customer enters into this Addendum on behalf of itself and, to the extent required, in the name and on behalf of its authorised affiliates whose Personal Data is Processed through the Customer's account. The Customer warrants that it is authorised to enter into this Addendum on behalf of those affiliates and that it will procure their compliance with the Customer obligations set out in the section Customer obligations as Controller, below.
This Addendum does not relieve either party of any obligation it owes directly to a Data Subject or a Supervisory Authority under Applicable Data Protection Law. Where the Customer is itself a processor acting on behalf of a third-party controller, references in this Addendum to the Customer as Controller are read as references to the Customer in its capacity as processor, and SmartAlex acts as a sub-processor; the parties' obligations apply on that basis, and the EU SCCs Module Three apply to any Restricted Transfer in that scenario as set out in the section International transfers, below.
2. Definitions
Capitalised terms used but not defined in this Addendum have the meaning given to them in the Agreement. In this Addendum:
- Applicable Data Protection Law means each data protection or privacy law that applies to a party's Processing of Personal Data under the Agreement, including the PDPA, the GDPR, the FADP and POPIA, together with any implementing regulation, code of practice, binding guidance or successor legislation.
- Customer Data means data that the Customer or its End Users provide, or that is generated through the Customer's use of the Services, including call audio, recordings, transcripts, derived analyses and summaries, contacts, messages, knowledge-base content and configuration data.
- Personal Data means information within Customer Data that relates to an identified or identifiable individual and that is Processed by SmartAlex on the Customer's behalf under the Agreement. References to Personal Data in this Addendum are to that data only, and do not extend to data that SmartAlex Processes as an independent Controller as described in the section Roles of the parties, below.
- Special Category Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, as listed in Article 9(1) GDPR, together with the corresponding categories of special personal data under POPIA. References to Special Category Data include personal data relating to criminal convictions and offences under Article 10 GDPR where the context requires.
- End User means an individual with whom the Customer interacts through the Services, such as a call recipient, a caller, a contact or a campaign target.
- Processing, Controller, Processor, Data Subject, personal data breach, profiling and Supervisory Authority have the meanings given in the GDPR, and equivalent terms under other Applicable Data Protection Law (such as responsible party and operator under POPIA, and organisation and data intermediary under the PDPA) are read accordingly.
- Subprocessor means a third party engaged by SmartAlex to Process Personal Data on the Customer's behalf in connection with the Services. An infrastructure, telephony, speech or language-AI provider that Processes Personal Data is a Subprocessor and is treated as such under this Addendum.
- Restricted Transfer means a transfer of Personal Data to, or access to Personal Data from, a country or territory that is not the subject of an adequacy decision or finding under the relevant Applicable Data Protection Law, where that law requires an additional safeguard for the transfer to be lawful.
- EU SCCs means the standard contractual clauses for the transfer of personal data to third countries approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time.
- UK Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the United Kingdom Information Commissioner under section 119A of the Data Protection Act 2018, Version B1.0, in force from 21 March 2022, as amended or replaced.
- Subprocessor List means the list of Subprocessors published by SmartAlex at the Subprocessor List, as updated from time to time, which forms part of this Addendum.
3. Roles of the parties
For Personal Data contained in calls, recordings, transcripts, derived analyses, contacts and messages, the Customer is the Controller and SmartAlex is the Customer's Processor. The Customer is responsible for determining the purposes and means of that Processing, for the lawfulness of the data it provides and the instructions it gives, and for the relationship with the Data Subjects whose Personal Data it Processes through the Services.
SmartAlex is an independent Controller for the limited categories of data it Processes for its own purposes, namely account administration, authentication, billing and payment, security and fraud prevention, service operation and support, and product analytics carried out on aggregated or de-identified data. That data is described in our Privacy Policy and is outside the scope of this Addendum, save where this Addendum says otherwise. The two roles are distinct: SmartAlex does not Process Personal Data that it holds as a Processor for its own independent-Controller purposes, and it does not rely on the Customer's instructions as the basis for its independent-Controller Processing.
SmartAlex will not sell or share Personal Data within the meaning of any Applicable Data Protection Law, will not retain, use or disclose Personal Data for any purpose other than the specific purpose of performing the Services, and will not combine Personal Data with personal data it receives from another source, except in each case as instructed by the Customer or as required by law. SmartAlex certifies that it understands and will comply with these restrictions.
4. Details of the Processing
The Processing carried out by SmartAlex on the Customer's behalf is as described below. These details, together with the security measures in Annex 2 and the Subprocessor List, populate Annex I and Annex II of the EU SCCs where those clauses apply.
4.1 Subject matter
The provision of the SmartAlex AI voice agent, campaign, contact-management and analytics Services to the Customer, as configured by the Customer and as more fully described in the Agreement and the documentation.
4.2 Duration
The term of the Agreement, plus the retention period set out in the section Retention, below, the corresponding entries in our Privacy Policy, and the deletion timeframe in the section Return and deletion of data, below.
4.3 Nature and purpose
The placing and receiving of telephone calls over the public telephone network; the establishment and carriage of real-time call media; the recording, transcription and analysis of call audio; the synthesis of agent speech; the management of contacts and contact lists; the delivery of outbound calling and messaging campaigns; the generation of call outcomes, summaries, qualifications and analytics; and the storage and retrieval of the foregoing, all for the purpose of operating the Services as configured by the Customer.
4.4 Types of Personal Data
The categories of Personal Data Processed are set out in the section Data categories and sources, below, and in Annex 1. They include contact details, telephone numbers, call and message audio, recordings, transcripts, derived analyses, call and message metadata, and other Personal Data that the Customer or its End Users submit to or generate through the Services. Call audio and transcripts may contain Special Category Data; see the section Special category and biometric data, below.
4.5 Categories of Data Subject
The Customer's End Users, customers, leads, prospects, contacts, callers, call recipients and staff, and other individuals whose Personal Data the Customer chooses to Process through the Services.
4.6 Documented instructions
The Customer's complete and final instructions to SmartAlex in respect of the Processing of Personal Data are: the Agreement, including this Addendum; the configuration and settings the Customer selects in the Services (including which features, campaigns, integrations and Subprocessor-enabled functions it activates); and any further written instruction the Customer gives that the parties agree in writing. SmartAlex will not Process Personal Data outside these documented instructions unless required to do so by law as described in the section Process only on instructions, below.
5. Data categories and sources
This section describes, by category, the Personal Data Processed on the Customer's behalf and the sources from which it is obtained. It supplements Annex 1 and is intended to give the Customer the granularity it needs to complete its own records of processing and impact assessments.
| Category | Examples | Source |
|---|---|---|
| Identity and contact data | Names, telephone numbers, email addresses, organisation, role, and other contact-record fields | Uploaded or entered by the Customer, synced from a Customer-connected system, or captured during a call |
| Call media | Live and recorded call audio of the End User and the agent | Generated during a call carried over the telephony layer and the real-time voice infrastructure |
| Transcripts and derived content | Speech-to-text transcripts, speaker segmentation, call summaries, qualifications, sentiment and outcome labels | Generated by the speech and language AI providers from call audio |
| Communications content | SMS and messaging content sent or received through the Services | Composed by the Customer or its agents, or received from End Users |
| Call and message metadata | Caller and called numbers, timestamps, duration, direction, call status, routing and disposition | Generated by the telephony layer and the platform during call handling |
| Configuration and knowledge data | Agent prompts, scripts, knowledge-base documents, campaign settings and contact-list structure that may contain Personal Data | Created or uploaded by the Customer |
| Special category and biometric data (incidental) | Health, beliefs or other special-category information an End User may volunteer in a call; voice characteristics where used to identify an individual | Volunteered by an End User during a call, or derived from call audio |
SmartAlex does not require, and does not encourage the Customer to provide, Special Category Data. Where such data is Processed it is Processed incidentally to the operation of the Services and only on the Customer's instructions, subject to the section Special category and biometric data, below.
6. SmartAlex obligations as Processor
SmartAlex shall comply with the following obligations in respect of Personal Data Processed on the Customer's behalf.
6.1 Process only on instructions
Process Personal Data only on the Customer's documented instructions, including the Agreement, this Addendum and the Customer's configuration of the Services, including with regard to any Restricted Transfer, unless required to do otherwise by law to which SmartAlex is subject, in which case SmartAlex will inform the Customer of that legal requirement before Processing unless that law prohibits it on important grounds of public interest. If, in SmartAlex's opinion, an instruction infringes Applicable Data Protection Law, SmartAlex will inform the Customer without undue delay and may suspend performance of the affected instruction until the Customer confirms or amends it.
6.2 Confidentiality
Ensure that personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, limit access to Personal Data to those personnel who need it to perform the Agreement, and ensure that those personnel are trained on their data-protection responsibilities. These confidentiality obligations survive the end of the individual's engagement with SmartAlex.
6.3 Security
Implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the Processing, and the risk to the rights and freedoms of Data Subjects. Those measures are described in Annex 2 (Technical and organisational measures) and include the encryption of data in transit and at rest, access controls and least-privilege, tenant isolation, network security, logging and monitoring, resilience and backups, and a secure development lifecycle. Our infrastructure Subprocessors maintain SOC 2 or ISO/IEC 27001 attestations, and SmartAlex is working towards SOC 2 readiness for its own operations. SmartAlex does not represent that it currently holds its own SOC 2 or ISO/IEC 27001 certification.
6.4 Subprocessors
Engage Subprocessors only in accordance with the section Subprocessors, below, and impose on each Subprocessor, by a written contract, data-protection and security obligations that are equivalent in substance to those in this Addendum, in particular the obligation to provide sufficient guarantees to implement appropriate technical and organisational measures.
6.5 Data Subject requests
Taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Customer's obligation to respond to requests from Data Subjects to exercise their rights of access, rectification, erasure, restriction, portability and objection, and not to be subject to a solely automated decision. Where a Data Subject makes such a request directly to SmartAlex, SmartAlex will, without undue delay, notify the Customer and direct the Data Subject to the Customer, and will not respond to the request itself except on the Customer's documented instructions or as required by law. Our process for handling these requests is described in our DSAR Procedure.
6.6 Assistance with security, breach, impact assessments and consultation
Taking into account the nature of the Processing and the information available to SmartAlex, provide reasonable assistance to the Customer in ensuring compliance with its obligations relating to the security of Processing, the notification of personal data breaches to Supervisory Authorities and Data Subjects, the carrying out of data protection impact assessments, and prior consultation with a Supervisory Authority, under Articles 32 to 36 GDPR and the equivalent provisions of other Applicable Data Protection Law. To support the Customer's impact assessments for the AI voice features, SmartAlex makes available the information about the Services, the data flows and the Subprocessors that the Customer reasonably needs, including the materials referenced in our Trust and Security overview.
6.7 Personal data breach notification
Notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Personal Data Processed on the Customer's behalf. The notification will, to the extent then known and as it becomes available, describe the nature of the personal data breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; the likely consequences of the breach; and the measures taken or proposed to be taken to address the breach and to mitigate its possible adverse effects. SmartAlex will provide further information in phases as the investigation progresses, will document the facts relating to the breach, and will reasonably cooperate with the Customer and take the steps the Customer reasonably requests so that the Customer can meet its own notification obligations to Supervisory Authorities and Data Subjects. This is the single breach-notification standard under this Addendum; no other clause sets a different trigger or timeline. SmartAlex's notification is not, and may not be construed as, an acknowledgement of fault or liability.
6.8 Records
Maintain records of the categories of Processing activities carried out on the Customer's behalf as required by Article 30(2) GDPR and the equivalent provisions of other Applicable Data Protection Law, and make those records available to the Customer and, where required, to a Supervisory Authority on reasonable request.
6.9 Audits
Make available to the Customer the information reasonably necessary to demonstrate compliance with the obligations in this Addendum and with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. SmartAlex will satisfy audit requests in the first instance by providing relevant certifications, third-party audit reports and responses to a reasonable security questionnaire. Where that information does not reasonably satisfy the Customer's audit right, the Customer may, on at least 30 days' prior written notice, conduct or mandate an on-site or remote inspection. To minimise disruption, inspections will take place during normal business hours, no more than once in any twelve-month period, and are subject to reasonable confidentiality undertakings, with each party bearing its own costs. An additional audit may be conducted where required by a Supervisory Authority, or following a confirmed personal data breach affecting Personal Data Processed on the Customer's behalf.
6.10 Return and deletion of data
On expiry or termination of the Agreement, and at the Customer's election made before or within 30 days after termination, delete or return all Personal Data Processed on the Customer's behalf and delete existing copies, within 90 days, except to the extent that retention is required by applicable law. If the Customer makes no election, SmartAlex will delete the Personal Data after the period stated in the section Retention, below. Where SmartAlex is required by law to retain Personal Data, it will isolate and protect that data, restrict its further Processing to the purpose for which retention is required, and delete it when that requirement ends. Personal Data held in routine encrypted backups is deleted in line with the backup-rotation cycle described in the section Retention, below.
7. Retention
SmartAlex retains Personal Data Processed on the Customer's behalf only for as long as necessary to provide the Services and to meet the purposes set out in this Addendum, after which it is deleted or returned in accordance with the section Return and deletion of data, above. The following periods and criteria apply to Personal Data Processed as a Processor; the retention of data that SmartAlex Processes as an independent Controller is described in our Privacy Policy.
| Data category | Retention period or criterion |
|---|---|
| Contacts and contact lists | For the term of the Agreement, or until the Customer deletes them, whichever is earlier; deleted within 90 days of termination unless returned first |
| Call recordings and audio | For the period the Customer configures in the Services, or, if no period is configured, for the term of the Agreement; deleted within 90 days of termination |
| Transcripts and derived analyses | For the term of the Agreement, retained with or independently of the underlying audio per the Customer's configuration; deleted within 90 days of termination |
| Call and message metadata | For the term of the Agreement, to support analytics, billing reconciliation and dispute resolution; deleted within 90 days of termination |
| Configuration and knowledge-base data | For the term of the Agreement, or until the Customer deletes it; deleted within 90 days of termination |
| Data retained to meet a legal obligation | For the minimum period required by the applicable law, after which it is deleted |
| Encrypted backups | Overwritten on a rolling cycle not exceeding 180 days, after which deleted data is irretrievable from backups |
Where Personal Data has been transmitted to a speech or language AI Subprocessor for transcription, synthesis or analysis, that Subprocessor does not retain the data to train its models and either does not retain it or retains it only for the limited period stated in the Subprocessor List, after which it is deleted at that Subprocessor's layer.
8. Customer obligations as Controller
The Customer shall:
- establish and maintain a lawful basis for the Processing, and obtain and maintain all consents, authorisations and permissions required for SmartAlex and its Subprocessors to Process Personal Data under the Agreement;
- give SmartAlex only lawful Processing instructions, and ensure that those instructions, and the Customer's use of the Services, comply with Applicable Data Protection Law and do not cause SmartAlex to infringe it;
- provide all notices and disclosures required to be given to End Users and other Data Subjects, including notice that calls may be recorded and that the End User is interacting with an AI system, and obtain any call, recording and marketing consents required by the section Telephony and call consents, below;
- where Special Category Data is Processed, establish a valid condition for that Processing and give any notice that the condition requires, as set out in the section Special category and biometric data, below;
- implement and maintain its own appropriate technical and organisational measures to protect the Personal Data it controls, including securing its account credentials and managing the access rights of its users;
- ensure the accuracy of the Personal Data and contact lists it uploads, and honour suppression, opt-out and do-not-contact requests it receives; and
- notify SmartAlex without undue delay of any actual or suspected breach affecting the Personal Data it controls that requires SmartAlex's involvement, and of any Data Subject or Supervisory Authority correspondence that does.
The Customer is responsible for the consequences of its instructions, including any instruction that requires SmartAlex to retain, return, delete or disclose Personal Data, and it will indemnify SmartAlex in accordance with the Agreement against claims arising from the Customer's breach of this section, subject to the limitations of liability in the Agreement.
9. Special category and biometric data
Call audio and transcripts Processed through the Services may contain Special Category Data, because an End User may volunteer information about health, beliefs or other special categories during a call. In addition, an individual's voice may constitute biometric data where it is used for the purpose of uniquely identifying that individual. The standard Services use call audio to operate the Services, to transcribe and analyse calls and to synthesise agent speech, and not to create a biometric template for identification; the Customer must not configure or use the Services to perform biometric identification of End Users unless it has first established a valid condition for that Processing and notified SmartAlex.
SmartAlex Processes Special Category Data only on the Customer's instructions and as part of operating the Services, and applies the security measures in Annex 2 to it. The Customer is responsible for establishing a valid condition for Processing Special Category Data (under Article 9(2) GDPR this is typically the Data Subject's explicit consent), for meeting the equivalent conditions under sections 26, 27 and 32 of POPIA and under the PDPA, and for giving any notice that the condition requires. The Customer must not use the Services to Process Special Category Data of, or to direct calls to, individuals for whom it has not established such a condition.
10. Telephony and call consents
Because the Services place and receive real telephone calls, send messages and record and transcribe calls, the Customer is solely responsible for obtaining and maintaining every consent, authorisation and notice that the law requires for those activities, and for using the Services lawfully. Without limiting the section Customer obligations as Controller, above, the Customer is responsible for:
- obtaining call-recording consent where the applicable jurisdiction requires the consent of one, two or all parties to the call, and giving any recording notice that the law requires;
- obtaining any prior express consent or prior express written consent required for AI, automated or prerecorded calls and messages, including under the United States Telephone Consumer Protection Act and the rulings of the Federal Communications Commission, and the equivalent rules in other jurisdictions in the European Economic Area, the United Kingdom, Australia, Canada, Singapore and South Africa;
- honouring do-not-call and do-not-contact registers and internal opt-out and suppression lists, and not transmitting misleading or inaccurate caller-identification information;
- clearly and unconditionally disclosing to the End User, where required, that the End User is interacting with an AI system, consistent with Article 50 of the EU AI Act and applicable bot-disclosure laws, and enabling that disclosure in the Services; and
- recognising that the Services are not a substitute for, and cannot reliably reach, emergency services such as 911 or 112, and not using the Services for emergency calling.
Further detail on these responsibilities is set out in our Telephony and Call Recording Notice and our Acceptable Use Policy. SmartAlex provides the technical means to obtain and record consents and to honour suppression lists, but does not obtain consents on the Customer's behalf and does not verify that the Customer has done so.
11. Automated decision-making
SmartAlex does not make decisions based solely on automated Processing, including profiling, that produce legal effects concerning End Users or similarly significantly affect them. The Services use AI to handle, route, transcribe, qualify, summarise and analyse calls under the Customer's control. The Customer is responsible for the design of its workflows, for any decision it takes on the basis of an output of the Services, and for meeting its obligations under Article 22 GDPR and the equivalent provisions of other Applicable Data Protection Law, including providing meaningful information about the logic involved and any required human review where the Customer's own use of an output would otherwise produce a legal or similarly significant effect on a Data Subject.
12. Subprocessors
The Customer gives SmartAlex general written authorisation to engage Subprocessors to Process Personal Data in connection with the Services. The current Subprocessors, the Processing each performs, the categories of Personal Data each Processes and the safeguards that apply to each are set out in our Subprocessor List, which forms part of this Addendum and which the Customer should read alongside it. The core Subprocessors engaged for every Customer include the providers identified in Annex 3, below.
SmartAlex will notify the Customer of any intended addition or replacement of a Subprocessor by updating the Subprocessor List and by email to the Customer's designated contact at least 30 days before the new Subprocessor begins Processing Personal Data, so that the Customer has a meaningful opportunity to object. The Customer is responsible for keeping its designated contact details current and for subscribing to any change-notification mechanism that SmartAlex offers.
The Customer may object to a new Subprocessor on reasonable data-protection grounds by notifying SmartAlex in writing within 30 days of the notice. The parties will work together in good faith to resolve the objection, for example by the Customer using a feature that does not require the objected-to Subprocessor. If they cannot resolve it within a reasonable period, the Customer may, as its sole and exclusive remedy, terminate the part of the Services that cannot be provided without the objected-to Subprocessor, without prejudice to fees already incurred.
SmartAlex imposes on each Subprocessor, by a written contract, data-protection obligations equivalent in substance to those in this Addendum, and remains fully responsible to the Customer for the performance of each Subprocessor's data-protection obligations. Where a Subprocessor fails to fulfil those obligations, SmartAlex remains liable to the Customer for the performance of that Subprocessor's obligations, subject to the limitations of liability in the Agreement.
Certain features rely on optional Subprocessors that are engaged only if the Customer enables the relevant feature, as identified in the Subprocessor List. By enabling such a feature, the Customer instructs SmartAlex to engage the corresponding optional Subprocessor for the Personal Data that the feature Processes.
13. International transfers
SmartAlex and its Subprocessors may Process and transfer Personal Data in countries other than the country in which it was collected, including the United States and other regions in which our Subprocessors operate, as identified in the Subprocessor List. Where a transfer is a Restricted Transfer under Applicable Data Protection Law, SmartAlex will ensure an appropriate safeguard is in place and that the data receives a level of protection essentially equivalent to that in the country of export, including the supplementary measures of encryption in transit and at rest and strict access controls described in Annex 2.
13.1 Transfers subject to the EU GDPR
Where SmartAlex acts as data importer for Restricted Transfers from the European Economic Area, the parties incorporate the EU SCCs, which are deemed entered into and completed as follows. Where the Customer is a Controller, Module Two (Controller to Processor) applies; where the Customer is itself a processor, Module Three (Processor to Processor) applies. The Customer is the data exporter and SmartAlex is the data importer. The optional docking clause in Clause 7 applies. The option in Clause 9 is Option 2 (general written authorisation), with the notice period stated in the section Subprocessors, above. The option in Clause 11(a) (independent dispute resolution) does not apply. The governing law under Clause 17 is the law of the Republic of Ireland, and the forum under Clause 18 is the courts of the Republic of Ireland, unless the law of the Customer's establishing Member State provides for and allows the EU SCCs to be governed by that law and forum, in which case that law and forum apply. The parties, the Processing and the security measures are those set out in this Addendum and its Annexes, which populate Annex I and Annex II of the EU SCCs, and the Subprocessor List satisfies Annex III. In case of conflict between the EU SCCs and this Addendum, the EU SCCs prevail.
13.2 Transfers subject to the UK GDPR
For Restricted Transfers subject to the UK GDPR, the EU SCCs as incorporated above are supplemented and varied by the UK Addendum, which is incorporated by reference and completed as follows: the EU SCCs form the Approved EU SCCs to which the UK Addendum is appended; Table 1 is completed with the parties' details in this Addendum; Tables 2 and 3 are completed with the modules, clauses and Annex information set out above; and in Table 4 neither party may end the UK Addendum when the Approved Addendum changes, except as the UK Addendum permits. Where the UK Addendum applies, it prevails over the EU SCCs to the extent of any conflict.
13.3 Transfers subject to the FADP
For Restricted Transfers subject to the FADP, the EU SCCs as incorporated above apply with the following adaptations: the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner; references to the GDPR are understood as references to the FADP insofar as the transfer is subject to the FADP; the term Member State must not be interpreted to exclude Data Subjects in Switzerland from exercising their rights at their place of habitual residence; and, until the revised FADP no longer affords protection to legal entities, the EU SCCs also protect the data of legal entities in Switzerland.
13.4 Transfers subject to the PDPA and POPIA
Transfers of Personal Data out of Singapore comply with the Transfer Limitation Obligation under section 26 of the PDPA, including by ensuring that the recipient is bound by legally enforceable obligations to provide a comparable standard of protection to that under the PDPA. Transfers of Personal Data out of South Africa comply with section 72 of POPIA, including by ensuring that the recipient is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of protection.
13.5 Adequacy and changes
Where the country of import is the subject of an adequacy decision or finding under the relevant Applicable Data Protection Law, or where SmartAlex or a Subprocessor is certified under a recognised data-transfer framework, the transfer may rely on that mechanism instead of the clauses above for as long as it remains valid. If a transfer mechanism on which a transfer relies is invalidated or ceases to provide an adequate safeguard, the parties will work together in good faith to put in place an alternative lawful mechanism without undue delay.
13.6 Copies of safeguards
A copy of the relevant transfer safeguards, with commercially sensitive terms redacted, is available on request from privacy@getsmartalex.com.
14. Liability
Each party's liability under or in connection with this Addendum is subject to, and counts towards, the exclusions and limitations of liability set out in the Agreement, and any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and this Addendum together. This applies to any liability arising under the EU SCCs, the UK Addendum or any other incorporated transfer mechanism as between the parties, except that nothing in this Addendum or the Agreement limits or excludes either party's liability to a Data Subject or a Supervisory Authority where Applicable Data Protection Law does not permit that liability to be limited, and the liability allocation between the parties under any incorporated transfer clauses applies as between them. Where SmartAlex and the Customer are both liable for the same damage to a Data Subject, each is liable to the other only for the part of the damage that corresponds to its responsibility.
15. Duration and termination
This Addendum takes effect on the effective date of the Agreement and continues for as long as SmartAlex Processes Personal Data on the Customer's behalf under the Agreement. The obligations in the section Return and deletion of data, the section Retention, the section Liability, and any other provisions that by their nature should survive, continue after termination. On termination, SmartAlex will return or delete Personal Data as set out in the section Return and deletion of data, above. Termination of this Addendum does not, by itself, terminate the Agreement; this Addendum terminates automatically on termination or expiry of the Agreement.
16. Order of precedence and general terms
16.1 Order of precedence
If there is a conflict between this Addendum and the Agreement, this Addendum prevails on matters of data protection. To the extent of any conflict on international-transfer matters, the incorporated EU SCCs and, where applicable, the UK Addendum prevail over both this Addendum and the Agreement. Annexes 1 to 3 form part of this Addendum.
16.2 Governing law and disputes
This Addendum is governed by the laws of Singapore, and disputes arising out of or in connection with it are resolved by arbitration administered by the Singapore International Arbitration Centre in accordance with its Rules, with the seat in Singapore. This clause governs commercial disputes between the parties and does not affect the statutory rights of, or the redress available to, a Data Subject or a Supervisory Authority, and does not apply to the dispute-resolution and governing-law terms of any incorporated transfer clauses, which apply on their own terms.
16.3 Amendments
SmartAlex may update this Addendum to reflect changes in Applicable Data Protection Law, in the Services, or in its Subprocessors, provided that no update will materially reduce the protection given to Personal Data under this Addendum. We will give reasonable advance notice of any material change.
16.4 Severance and counterparts
If any provision of this Addendum is held to be invalid or unenforceable, the remaining provisions continue in full force, and the parties will replace the invalid provision with a valid one that achieves its purpose as closely as possible. This Addendum may be entered into electronically and forms a binding part of the Agreement on the Customer's acceptance of the Agreement.
17. Complaints and contact
For data-protection queries, to exercise rights, or to request copies of the transfer safeguards, contact our privacy function at privacy@getsmartalex.com, or write to THERCSGROUP PTE. LTD., 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914.
A Data Subject may also lodge a complaint with a Supervisory Authority, including the Personal Data Protection Commission of Singapore, the South Africa Information Regulator (complaints.ir@inforegulator.org.za, or by post to JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001, South Africa), or the Data Subject's local data protection authority in the European Economic Area, the United Kingdom or Switzerland.
Annex 1. Description of the Processing
This Annex completes Annex I of the EU SCCs where those clauses apply.
| Item | Details |
|---|---|
| Data exporter | The Customer, acting as Controller (or, where the Customer is itself a processor, as processor) of the Personal Data it submits to or generates through the Services. Contact and role as stated in the Agreement and the Customer's account. |
| Data importer | THERCSGROUP PTE. LTD. trading as SmartAlex, 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914, acting as Processor (or sub-processor). Contact: privacy@getsmartalex.com. |
| Categories of Data Subject | The Customer's End Users, customers, leads, prospects, contacts, callers, call recipients and staff, and other individuals whose Personal Data the Customer Processes through the Services. |
| Categories of Personal Data | Identity and contact data; call and message audio and recordings; transcripts and derived analyses; communications content; call and message metadata; configuration and knowledge-base data. Further detail is in the section Data categories and sources, above. |
| Special Category Data | Call audio and transcripts may contain Special Category Data, including voice that may constitute biometric data where used for identification. Processed only on the Customer's instructions and subject to the safeguards in this Addendum and the restrictions in the section Special category and biometric data, above. |
| Frequency of transfer | Continuous, for the duration of the Agreement. |
| Nature and purpose | Provision of AI voice agent, campaign, contact-management and analytics Services, including the carriage, recording, transcription, synthesis and analysis of calls. |
| Duration of Processing | The term of the Agreement plus the retention and deletion periods set out in the section Retention and the section Return and deletion of data, above. |
| Subprocessors | As set out in the Subprocessor List and summarised in Annex 3, which together satisfy Annex III of the EU SCCs. |
| Competent Supervisory Authority | For EU transfers, the Supervisory Authority of the Customer's establishing Member State, or, where the Customer is not established in the EU, the authority of the Member State in which its EU representative is established or in which the relevant Data Subjects are located; for UK transfers, the Information Commissioner; for Swiss transfers, the Federal Data Protection and Information Commissioner. |
Annex 2. Technical and organisational measures
This Annex describes the measures SmartAlex maintains under the section Security, above, and completes Annex II of the EU SCCs where those clauses apply. The measures are reviewed and updated as the Services evolve, and SmartAlex will not reduce the overall level of protection during the term of the Agreement.
- Encryption. Personal Data is encrypted in transit using current versions of TLS, and at rest in our databases, object storage and backups using strong, industry-standard algorithms. Call media is carried over encrypted channels.
- Access control and least privilege. Access to Personal Data is restricted to authorised personnel on a need-to-know basis, governed by role-based access controls, unique credentials, the principle of least privilege, and multi-factor authentication for administrative access. Access rights are reviewed periodically and revoked promptly on a change of role or departure.
- Tenant isolation. The platform is multi-tenant and enforces logical separation of each Customer's data, including row-level security controls that scope every data access to the authorised tenant.
- Network security. Production systems are protected by network controls, firewalls and segmentation, are not directly exposed except through controlled interfaces, and are hosted on infrastructure that maintains SOC 2 or ISO/IEC 27001 attestations.
- Logging and monitoring. Access to, and changes affecting, Personal Data are logged, logs are protected against tampering, and systems are monitored for security events and anomalies.
- Resilience and backups. Personal Data is backed up to support the restoration of availability and access in a timely manner following a physical or technical incident, and restoration is tested periodically.
- Pseudonymisation and minimisation. Personal Data is minimised to what the Services require, and is pseudonymised or de-identified where practicable when used for testing, analytics or model evaluation. Production Personal Data is not used in non-production environments except where strictly necessary and protected.
- Secure development. Changes follow a secure software development lifecycle that includes code review, dependency and vulnerability management, and separation of duties between development and production.
- Vulnerability management and incident response. SmartAlex operates a vulnerability-disclosure channel and an incident-response process for detecting, assessing, containing and remediating security events, as described in our Vulnerability Disclosure policy.
- Personnel. Personnel are subject to confidentiality obligations and receive data-protection and security training appropriate to their role.
- Subprocessor assurance. Subprocessors are assessed before engagement and bound by written contract to equivalent data-protection and security obligations, as set out in the Subprocessor List.
Annex 3. Core Subprocessors
This Annex summarises the core Subprocessors engaged for every Customer and supports Annex III of the EU SCCs. The authoritative and complete list, including optional Subprocessors engaged only when a Customer enables the relevant feature, the legal entities, processing locations and per-vendor sub-processing terms, is the Subprocessor List, which prevails over this summary in case of any inconsistency.
| Subprocessor | Purpose | Personal Data categories |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage and serverless backend | All Customer Data, including contacts, recordings, transcripts and metadata |
| Amazon Web Services, Inc. | Web-application hosting and serverless compute | Application and session data, processing payloads |
| Cloudflare, Inc. | DNS, content delivery, document rendering and object storage | Network and technical data, cached content, exported documents |
| Stripe, Inc. (Stripe Payments Europe, Ltd. for the EU) | Payment processing, billing and subscriptions | Billing contact details, payment-method metadata, transaction history |
| Twilio Inc. | Telephony connectivity, phone numbers and SMS | Phone numbers, call and message metadata, SMS content, call signalling |
| LiveKit, Inc. | Real-time voice-agent media infrastructure | Live and recorded call audio, session data |
| Google LLC | Large-language-model inference for the live voice agent | Call audio and transcript content during a live call |
| Deepgram, Inc. | Speech-to-text transcription of calls | Call audio, transcripts, speaker segmentation |
| ElevenLabs Inc. | Text-to-speech synthesis of agent voices | Agent text input, synthesised audio |
| OpenAI, L.L.C. | Language-model processing and fallback transcription | Call transcripts, contact data, prompts |
| Anthropic, PBC | Language-model processing for enrichment and summaries | Contact data, transcripts |
| Resend, Inc. | Transactional email delivery | Recipient email addresses, email content |
| Fingerprint, Inc. | Device fingerprinting for signup fraud and abuse prevention | Device and browser identifiers, IP address |
Each Subprocessor Processes Personal Data only to provide the function described above, is bound by a written contract imposing data-protection obligations equivalent in substance to those in this Addendum, and, where it is located outside the country of export, is covered by the transfer safeguards described in the section International transfers, above. The speech and language AI Subprocessors do not use Customer Data transmitted through the Services to train their models.
This Data Processing Addendum is version 1.1 and is effective from 1 June 2026.