Last Updated: December 5th, 2024
(A) The Parties have entered into one or more agreements under which TitanVox either (a) supplies certain Services to Company from time to time if Company is an end customer or (b) if Company is a distributor and TitanVox has granted the distributor the right to distribute and resell TitanVox’s services to end customers (referred to collectively as the “Main Agreement”).
(B) The Parties have agreed that in order for TitanVox to perform its obligations pursuant to such Main Agreement, it will Process certain Personal Data in respect of which, Company will be a Controller, or a Processor acting on behalf of a Controller, and TitanVox will be a Processor or a sub‑processor respectively (as defined below).
(C) Now therefore, the Parties have agreed to enter into this overarching DPA relating to the Processing of Personal Data by TitanVox in its capacity as a Processor or sub‑processor.
The following expressions are used in this DPA: In the event the definitions herein differ from the Main Agreement relating to data protection, this DPA shall prevail as to the specific subject matter of such definition.
(a) “Adequate Country” means, in each relevant jurisdiction, the meaning given to it (or in the nearest equivalent term) in the Data Protection Laws, including but not limited to those published by the European Commission in the Official Journal of the European Union for which it has decided that an adequate level of protection is ensured.
(b) “Biometric Data” has, in each relevant jurisdiction, the meaning given to (or in the nearest equivalent term) in the applicable Data Protection Laws for that jurisdiction, and “biometric identifiers” and “biometric information” will be interpreted accordingly.
(c) “Company” means the entity which is a party to this DPA and to the Main Agreement.
(d) “Data Protection Laws” means all laws and regulations, and amendments thereto, applicable to the Processing of Personal Data under the Main Agreement, including but not limited to the GDPR
(e) “Data Subject Request” means a request from or on behalf of a Data Subject to exercise its rights under Data Protection Laws.
(f) “EU Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, based on the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including any subsequent amendments or replacements thereto.
(g) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (commonly referred to as the General Data Protection Regulation), as amended or replaced from time to time.
(h) “TitanVox” means the TitanVox entity which is a party to this DPA and to the Main Agreement with Company, being: (i) Corporation de Technologie TitanVox with address at 3590 av. Orient, Brossard (Québec) J4Y 2M2, Canada, or (ii) any other TitanVox entity in the United States, United Kingdom, Spain, or Italy, as identified in the Main Agreement or as otherwise notified in writing by TitanVox to the Company.
(i) “Personal Data” means any information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Laws, including but not limited to terms such as “personally identifiable information” (PII), “personal information,” or equivalent terms under such laws.
(j) “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data as defined under Applicable Data Protection Laws, which is within TitanVox’s (or its sub-processors’) scope of responsibility. This includes any such breach caused by TitanVox’s staff, sub-processors, or any other identified or unidentified third party after TitanVox becomes aware of the incident with sufficient evidence to reasonably conclude that a Personal Data Breach has occurred.
(k) “Services” refers to the application, product, or services, including but not limited to support, maintenance, professional services, or any other related activities, supplied to or performed on behalf of the Company or any Company Affiliate pursuant to the Main Agreement.
(l) “UK Addendum” means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the United Kingdom Information Commissioner’s Office for Parties making Restricted Transfers, effective as of 21 March 2022, including any subsequent amendments or replacements.
(m) “Process”, “Processing”, “Controller”, “Processor”, “Data Subject” and “Supervisory Authority” shall have the meanings assigned to them under the GDPR, and, where applicable, equivalent terms under other Data Protection Laws.
TitanVox and Company are sometimes referred to individually as a “Party” and collectively as the “Parties”.
As Controller or Processor acting on behalf of a Controller, grants TitanVox the right to Process the Personal Data for the purposes of providing the Services to Company pursuant to this DPA and in accordance with the Main Agreement.
Company is responsible for establishing the lawful basis for Processing the Personal Data, including obtaining all necessary consent where required, and will comply with all applicable Data Protection Laws with respect thereto. The Processor shall process Personal Data only as instructed by the Company and in compliance with this DPA and Applicable Data Protection Laws.
The type of Personal Data Processed pursuant to this DPA as well as the subject matter, nature and purpose of the Processing, the categories of Data Subjects involved, the location(s) of processing, and the retention period are as described in the Data Processing Details located at www.titan-vox.com/data-processing-details. The duration of Processing will be the duration of the Main Agreement, unless otherwise required to comply with Applicable Data Protection Laws, resolve disputes, enforce agreements, or address legitimate business needs as specified in the Data Processing Details.
1. Processing Instructions: TitanVox shall only process the Personal Data to provide the Services and shall act only in accordance with Company’s documented instructions. This includes the transfer of Personal Data to any country or territory as necessary for providing the Services, except where required to comply with a legal obligation to which TitanVox is subject. In such cases, TitanVox shall inform the Company of the legal requirement before Processing, unless prohibited by law on important grounds of public interest.
2. Use of Data for Service Improvement: The Company instructs TitanVox, its sub-processors, and Affiliates to use, compile (including creating statistical and other models), annotate, and analyze the Personal Data for purposes such as operating, maintaining, enhancing, improving, and providing technical support for speech recognition, natural language understanding, and other TitanVox technologies embodied in the Services. TitanVox will apply privacy safeguards, such as anonymization or pseudonymization of Personal Data, where appropriate.
3. Modifications to Instructions: Instructions for Processing may be modified, amended, or replaced through a mutually agreed amendment to this DPA via the established change control process. Instructions not covered by the Main Agreement or this DPA will be treated as requests for amendments to this DPA. Any additional or alternate instructions must be agreed upon in writing and may be subject to additional charges.
4. Company’s Responsibilities: The Company is responsible for compliance with its obligations as a Controller under Data Protection Laws, including providing notice and obtaining all necessary consents. TitanVox will, without undue delay, notify the Company if:
a. (i) TitanVox believes an instruction infringes Data Protection Laws; or
b. (ii) additional information in the Company’s possession is required by a Supervisory Authority in relation to TitanVox’s data Processing activities under this DPA.
5. Requests for Information: TitanVox may request all necessary information from the Company to demonstrate compliance with the Company’s obligations under Data Protection Laws. The Company may redact Personal Data as appropriate to preserve confidentiality.
6. Accepted Instructions: The Company confirms that the following constitute agreed Processing instructions:
(a) Processing as described in the Main Agreement and, where applicable, any order form(s) or statement(s) of work.
(b) Processing initiated by users of the Services, such as sending an output file by email.
TitanVox Processes Personal Data that may be incorporated by Company into its official records. TitanVox does not act as the Company’s system of records and does not store, maintain, or manage any official records or parts thereof for the Company. The originals of any records, including sensitive records such as medical records, are maintained solely by the Company or its designated contractors. TitanVox’s access to such records is limited to the extent necessary for the provision of the Services as outlined in the Main Agreement and occurs only via secure, remote access to the Company’s systems. TitanVox does not retain or reproduce the Company’s records outside the scope of its contractual obligations and complies with all Applicable Data Protection Laws regarding data access and processing.
Without prejudice to any existing contractual arrangements between the Parties, TitanVox shall treat all Personal Data as strictly confidential and ensure that it is protected against unauthorized access, disclosure, or use. TitanVox shall take appropriate measures to ensure that only authorized personnel, who are bound by contractual or statutory confidentiality obligations, have access to Personal Data. TitanVox shall ensure that such personnel receive adequate training on data protection and confidentiality obligations. The confidentiality obligations set forth in this clause shall survive the termination or expiration of this DPA and remain binding for as long as TitanVox retains any access to Personal Data.
TitanVox shall ensure that access to Personal Data for the performance of the Services under this DPA is restricted to personnel who are authorized and required to perform the Services as specified in the Main Agreement. TitanVox will implement and maintain appropriate access controls to enforce this limitation, ensuring that personnel access is granted on a need-to-know basis and is regularly reviewed to prevent unauthorized access.
TitanVox has appointed a data protection officer, who can be reached at: privacy@titan-vox.com or by mail (Worldwide) at:
Data Protection Officer
Corporation de Technologie TitanVox
3690 av. Orient
Brossard (Québec)
J4Y 2M2
CANADA
Any changes to this contact information will be published at https://www.titan-vox.com/trust-center.
For Personal Data provided to TitanVox by the Company under the Main Agreement, the Company is responsible for providing any notices and information required by Applicable Data Protection Laws to Data Subjects at the time of collection. These notices shall include, but are not limited to:
i) The recipients or categories of recipients of the Personal Data, as permitted by Section 5 of this DPA; and
ii) The transfer of Personal Data to third countries, as outlined in the Sub-Processors List located at www.titan-vox.com/sub-processors-list, and for the purposes described in Section 3.2 above.
The Company must ensure that these notices comply with the transparency requirements of Applicable Data Protection Laws, such as GDPR Article 13 or equivalent provisions under other relevant laws. TitanVox shall comply with the transfer requirements set forth in Section 6 of this DPA and will provide reasonable assistance to the Company, upon request, to ensure compliance with applicable notification obligations.
As between the Parties, the Company shall be responsible for addressing all Data Subject Requests. TitanVox shall promptly notify the Company upon receiving any request from a Data Subject to exercise their rights under Applicable Data Protection Laws. TitanVox shall not respond directly to any such request unless explicitly instructed in writing by the Company or required to do so by Applicable Data Protection Laws.
Taking into account the nature of the Processing and the information available to TitanVox, TitanVox shall assist the Company, where necessary and feasible, by implementing appropriate technical and organizational measures to enable the Company to fulfill its obligations to respond to Data Subject Requests in accordance with Applicable Data Protection Laws.
To the extent legally permissible, the Company shall reimburse TitanVox for any reasonable costs incurred in providing such assistance, including costs related to technical resources, personnel, or third-party tools required for compliance.
TitanVox shall maintain an incident management policy and notify the Company without undue delay after becoming aware of a Personal Data Breach involving the Company’s Personal Data. Such notification shall include the information required under Applicable Data Protection Laws, to the extent reasonably available to TitanVox at the time of notification, including but not limited to:
(i) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(ii) the likely consequences of the Personal Data Breach; and
(iii) the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
TitanVox shall promptly investigate the cause of any Personal Data Breach and take reasonable steps, in accordance with industry standards, to remediate the cause and prevent future occurrences. TitanVox shall assist the Company, as necessary, in meeting the Company’s obligations under Applicable Data Protection Laws, including the obligation to notify Supervisory Authorities and affected Data Subjects, if required.
As soon as reasonably practicable following the termination of this DPA or the Main Agreement, and in accordance with the Company’s documented instructions, TitanVox shall delete or securely anonymize all Personal Data, except to the extent that Applicable Data Protection Laws require TitanVox to retain such Personal Data. TitanVox shall provide written confirmation of deletion or anonymization upon request by the Company.
The Company acknowledges that TitanVox’s deletion or anonymization of Personal Data fulfills any legal or contractual obligation to return such Personal Data to the Company, unless otherwise required by Applicable Data Protection Laws. Where deletion is not feasible (e.g., data stored in backup systems), TitanVox shall ensure that such Personal Data is subject to continued security and confidentiality obligations and is not processed for any other purpose.
Subject to reasonable prior written notice from the Company, TitanVox shall provide the Company with reasonable evidence to demonstrate its compliance with this DPA and Applicable Data Protection Laws. TitanVox shall allow for and contribute to audits, including inspections, conducted by the Company or an auditor mandated by the Company, as follows:
(a) Provision of Audit Reports. TitanVox may satisfy the Company’s right of audit by providing an audit report, issued within the last 18 months by an independent external auditor, demonstrating that TitanVox’s technical and organizational measures, as described in the Description of Technical and Organizational Measures located at www.titan-vox.com/description-technical-organization-measures, comply with an accepted industry audit standard (e.g., SSAE 18, SOC 1, SOC 2, SOC 3, ISO 27001, ISAE 3402).
(b) Response to Supervisory Authority Requests: TitanVox shall provide additional information reasonably available in its possession or control to a Supervisory Authority if requested or required in connection with TitanVox’s data processing activities under this DPA.
(c) On-Site Audits: If the Company requests to conduct an on-site audit of TitanVox’s control practices, including at TitanVox’s facilities, the Company shall contact TitanVox in accordance with the “Notices” section of the Main Agreement. Before commencing any on-site audit, the Parties shall mutually agree upon the scope, timing, duration, and reimbursement terms. The Company shall reimburse TitanVox for any time expended in supporting such an audit at TitanVox’s then-current professional services rates, which shall be provided to the Company upon request. All reimbursement rates shall be reasonable and proportionate to the resources expended.
(d) Minimizing Business Disruption: When carrying out any audit or inspection, the Company shall take all reasonable measures to minimize disruption to TitanVox’s business operations, including by limiting the scope and duration of the audit to what is strictly necessary to evaluate compliance.
In its role as a Processor, and only to the extent required under Applicable Data Protection Laws, TitanVox shall assist the Company in fulfilling its obligations as a Controller. This assistance, taking into account the nature of the Processing and the information available to TitanVox, may include:
- Ensuring a level of security for the Personal Data appropriate to the risk, as required by Applicable Data Protection Laws;
- Providing assistance in notifying Supervisory Authorities and, where applicable, affected Data Subjects in the event of a Personal Data Breach;
- Supporting the Company with reasonable assistance in conducting data protection impact assessments (DPIAs) and consulting Supervisory Authorities prior to engaging in Processing that presents a high risk to the rights and freedoms of Data Subjects.
Any assistance provided by TitanVox shall be subject to the terms of this DPA, including reasonable reimbursement of costs where applicable, and shall not exceed the obligations explicitly required of a Processor under Applicable Data Protection Laws.
Taking into account the most recent available technology, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, TitanVox will maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as set forth in the Description of Technical and Organizational Measures, located at www.titan-vox.com/description-technical-organization-measures.
The Company grants a general authorization to TitanVox to appoint as sub‑processors to support the delivery of the Services any other entities controlling, under common ownership with, or under control of TitanVox’s parent corporation, Corporation de Technologie TitanVox, Inc. (“Affiliates”), as specified in the Sub‑Processors List located at www.titan-vox.com/sub-processors-list.
Company grants TitanVox and Affiliates a general authorization to appoint the sub‑processors listed at the Sub‑Processors List located at www.titan-vox.com/sub-processors-list.
TitanVox shall notify the Company of the names of any new or replacement Sub-processors prior to such Sub-processors beginning to process Personal Data. The Company shall have ten (10) business days from the date of such notification to object to the engagement of the Sub-processor by providing written notice to TitanVox. The objection notice must include reasonable grounds related to data protection concerns. Failure to notify TitanVox of an objection within this period shall constitute a waiver of the Company’s right to object.
If the Company provides a valid objection, TitanVox and the Company shall work together in good faith to resolve the objection. If no resolution is reached within thirty (30) days from the date of the objection notice, and if the Main Agreement cannot be performed without the use of the objected-to Sub-processor, the Company may terminate the affected Services by providing sixty (60) days’ written notice. Such termination notice must be issued no later than forty-five (45) days after the date of the initial objection notice.
The termination of affected Services due to an unresolved objection shall not result in liability for either Party, except for the Company’s obligation to pay for any Services rendered up to the effective date of termination.
TitanVox and its Affiliates shall ensure that all Sub-processors enter into a written agreement with TitanVox that imposes data protection obligations equivalent to those set forth in this DPA, including obligations to implement appropriate technical and organizational measures to protect Personal Data. TitanVox shall remain fully liable to the Company for any breach of such obligations by its Sub-processors.
TitanVox provides, operates, and maintains data hosting centers in the locations specified in the Data Processing Details, located at https://www.titan-vox.com/data-processing-details. These hosting centers are used to support the operation of the Services and ensure compliance with Applicable Data Protection Laws.
The Company acknowledges that TitanVox may Process or permit access to (“transfer”) Personal Data by Sub-processors:
(i) outside the jurisdiction(s) in which the Personal Data originated (“First Jurisdiction”); and
(ii) to a jurisdiction that is not deemed an “Adequate Country” under the laws of the First Jurisdiction.
TitanVox shall ensure that all such transfers are conducted in compliance with Applicable Data Protection Laws and are subject to mechanisms that ensure an adequate level of protection, such as:
(a) Data Privacy Frameworks. Requiring Sub-processors to self-certify under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
(b) Standard Contractual Clauses (SCCs). For Personal Data originating from the EEA, requiring:
(i) the execution of EU Standard Contractual Clauses (Module Three – Processor to Processor) between TitanVox and its Sub-processors, which will be made available to the Company upon request; and
(ii) Sub-processors to comply with onward transfer principles under the SCCs.
(c) Additional Safeguards. Adopting additional safeguards, where necessary, to ensure that Personal Data transferred remains subject to an equivalent level of protection to that of the First Jurisdiction. These safeguards may include, but are not limited to:
Anonymization or pseudonymization of Personal Data;
Encryption during transmission and storage; and
Assessment of the level of data protection in the recipient country and the nature of the Personal Data.
Further details on TitanVox’s safeguards are available in the Description of Technical and Organizational Measures, located at www.titan-vox.com/description-technical-organization-measures. The implementation of these safeguards by TitanVox does not release the Company from its own data protection obligations.
(d) Other Approved Mechanisms. Leveraging any other approved safeguard for data transfer under Applicable Data Protection Laws, such as a European Commission adequacy decision.
If Personal Data originating from the First Jurisdiction is disclosed by the Company or its Affiliates to TitanVox in:
(i) a jurisdiction outside the First Jurisdiction, and
(ii) a jurisdiction not deemed an “Adequate Country” under the laws of the First Jurisdiction:
(a) Transfers from the EEA. For Personal Data originating from a country within the EEA, the EU Standard Contractual Clauses (Module Two – Controller to Processor), located at www.titan-vox.com/standard-contractual-clauses-eu, shall apply. The Company or its Affiliate shall be deemed the “Exporter,” and the EU Standard Contractual Clauses are hereby agreed to and incorporated by reference into this DPA as an integral part. The onward transfer principles outlined in Section 6.2(a) and the obligations specified in Section 6.2(b) shall apply correspondingly.
(b) Transfers from Other Jurisdictions. For Personal Data originating from jurisdictions outside the EEA, the applicable cross-border data transfer provisions are detailed in Section 8 below.
Company hereby represents and warrants that;
(a) Where applicable, the Company’s website, services, and products comply with the General Data Protection Regulation (GDPR), the U.S. Children’s Online Privacy Protection Act of 1998 (COPPA), and other applicable Data Protection Laws protecting Personal Data of children under 16 (“Child Data”), including but not limited to compliance with consent requirements and related obligations.
(b) Company shall not use TitanVox’s Services in connection with an online site, service, or product that targets children under 16 as its primary audience (“Primarily Child‑Directed”). The determination of “Primarily Child‑Directed” shall be based on empirical evidence regarding audience composition, and evidence regarding the intended audience, such as subject matter, visual content, use of animated characters or child‑oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the web site or online service, as well as whether advertising promoting or appearing on the web site or online service is directed to children, as well as any child-targeted advertising.
(c) If the Company uses TitanVox’s licensed software for Primarily Child‑Directed online sites, services or products, websites, services, or products, the Company must not transmit to TitanVox any Child Data in connection with maintenance, support, tools, or any other purpose.
(d) For mixed or general audience websites, services, or products that may be accessed by children under 16 but are not Primarily Child-Directed, the Company shall implement verifiable parental consent mechanisms, direct notices, and web notices, as required by applicable Data Protection Laws. These notices shall adequately disclose the transfer of Child Data to TitanVox and ensure that such collection and processing is consistent with this DPA.
The Parties acknowledge and agree that TitanVox does not qualify as an “operator” as defined under COPPA.
To the extent that TitanVox receives from the Company any “personal information” of a “consumer” subject to the California Consumer Privacy Act (CCPA) for Processing on behalf of the Company pursuant to this DPA, both Parties agree to comply with all applicable provisions of the CCPA. Each Party shall, upon the other’s reasonable written request, cooperate in good faith to enter into additional or modified terms necessary to address any amendments to the CCPA or to ensure compliance with its requirements.
To the extent applicable, TitanVox shall act as a “service provider” to the Company under the CCPA and shall not:
(a) Retain, use, or disclose such personal information for any purpose other than for the specific purpose of performing the Services under this DPA or as otherwise permitted by the CCPA, including for a valid “business purpose”;
(b) Retain, use, or disclose such personal information for a “commercial purpose” other than providing the Services under this DPA;
(c) Retain, use, or disclose such personal information outside the direct business relationship between TitanVox and the Company; or
(d) “Sell” such personal information.
TitanVox certifies that it understands and will comply with these prohibitions. For the purposes of this paragraph, the terms “personal information,” “consumer,” “service provider,” “business purpose,” “commercial purpose,” and “sell” shall have the meanings set forth in the CCPA.
To the extent that TitanVox receives from the Company any “biometric identifiers” or “biometric information” (collectively, “Biometric Data”) subject to the Illinois Biometric Information Privacy Act (BIPA) for Processing on behalf of the Company pursuant to this DPA, both Parties agree to comply with all applicable provisions of BIPA. Each Party shall, upon the other’s reasonable written request, cooperate in good faith to enter into additional or modified terms necessary to address compliance with BIPA, including changes resulting from amendments to BIPA or related regulations.
To the extent applicable, TitanVox shall:
(a) Collect, capture, receive, store, and use Biometric Data solely for the purpose of providing the Services under this DPA or as otherwise required by law;
(b) Not sell, lease, trade, or otherwise profit from Biometric Data;
(c) Not disclose or disseminate Biometric Data to any third party unless required to complete the Services, with prior written consent from the Company, or as required by law;
(d) Implement and maintain a written policy governing the retention and destruction of Biometric Data that complies with BIPA’s requirements; and
(e) Ensure that Biometric Data is stored, transmitted, and processed using appropriate technical and organizational safeguards to protect its confidentiality, integrity, and availability.
TitanVox certifies that it understands and will comply with these obligations. For the purposes of this paragraph, the terms “biometric identifiers,” “biometric information,” and “Biometric Data” shall have the meanings set forth in BIPA.
7.4.1 With respect to the Personal Data defined in Section 1, Personal Data shall include biometric data to the extent that TitanVox creates or receives from Company biometric identifiers, biometric information or Personal Data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification or authentication of that natural person.
7.4.2 In addition to the requirements listed in Section 3.7, Company is responsible for providing any notices, written policy made available to the public and/or information related to Personal Data required by Data Protection Laws, including, but not limited to giving notice with respect to:
i) Recording of conversations with Company and disclosure of such recordings to TitanVox, TitanVox’s Affiliates and sub‑processors;
ii) Processing by TitanVox of physical, physiological or behavioral characteristics for the purpose of creating, collecting or storing Personal Data. Company acknowledges that such Processing is for the limited purpose of providing service and TitanVox is not buying, selling, leasing, trading, or otherwise profiting from a natural person's biometric identifier or biometric information;
iii) The retention period and guidelines for the permanent deletion of biometric data being collected, stored, and used.
7.4.3 Company shall obtain all necessary consents, releases or licenses, where required, to allow TitanVox to capture, store, process, disclose, use, and transfer internationally the Personal Data.
7.4.4 The Company shall make all necessary disclosures to, and obtain any required approvals from, Supervisory Authorities under applicable Data Protection Laws. This includes but is not limited to compliance with the Quebec Act to Establish a Legal Framework for Information Technology (R.S.Q., c. C-1.1) governing biometric data, as well as federal obligations under PIPEDA.
7.4.5 Upon unenrollment in biometric authentication, account closure, or satisfaction of the initial purpose for collecting biometric data, the Company shall provide TitanVox with written instructions for the deletion of such Personal Data as required under applicable Data Protection Laws. If the Company fails to provide instructions within [30 days], TitanVox shall delete the data in accordance with its retention and deletion policies.
7.4.6 The Company’s failure to comply with the terms of this Section 7.4 constitutes a material breach of this DPA and the Main Agreement, allowing TitanVox to suspend the Services.
Each one or more of the following additional provisions apply based on the location of the individual in the respective country whose Personal Data is being Processed.
8.1.1 Data Protection Law. With respect to the Personal Data of individuals in Argentina, the Data Protection Laws defined in Section 1 shall include the Argentinian Privacy Principles, as defined in Argentine Personal Data Protection Law 25 326.
8.1.2 General Processing Obligation. TitanVox will Process the Personal Data in a manner consistent with the provisions of the Data Protection Laws.
8.1.3 Transfer outside Argentina by Company. For Personal Data originating from Argentina, the Parties agree that the Argentina Standard Contractual Clauses executed between Company and TitanVox located at www.titan-vox.com/standard-contractual-clauses-argentina will apply.
8.1.4 Transfers outside Argentina by TitanVox. Where the transfer is to a sub‑processor which is not located in an Adequate Country, TitanVox shall ensure that a mechanism to achieve adequacy in respect to the Processing is in place, such as:
(a) The execution by TitanVox, for itself and/or on behalf of Company, of the Argentina Standard Contractual Clauses. Upon request, TitanVox will provide to Company for review such copies of agreements, subject to redaction for confidential commercial information not relevant to the requirements under this DPA. Company authorizes TitanVox and its Affiliates to enter into Argentina Standard Contractual Clauses consistent with this DPA and the Argentina Standard Contractual Clauses located at www.titan-vox.com/standard-contractual-clauses-argentina, controller‑to‑processor, on behalf of Company;
(b) The existence of any self‑regulation framework or binding corporate rules providing adequate protection to the transferred Personal Data.
8.2.1 Data Protection Law. With respect to the Personal Data of individuals in Australia, the Data Protection Laws defined in Section 1 shall include the applicable federal, state and territorial privacy legislation.
8.2.2 General Processing Obligation. TitanVox will Process the Personal Data in a manner consistent with Data Protection Laws.
8.2.3 Breach Notification Obligation. If Company is located in Australia, the definition of Personal Data Breach set forth in Section 1 shall include any “eligible data breaches” as defined under the Australian Notifiable Data Breach Scheme.
8.2.4 In addition to the requirements of Section 6.3, in the event that TitanVox transfers Personal Data outside Australia, TitanVox shall ensure that the transferees comply with contractual protections that are substantially similar to the Australian Privacy Principles (APPs) and ensure accountability for any onward transfers. TitanVox will take reasonable steps to ensure that the Personal Data transferred remains protected to the same extent required under this DPA and applicable Data Protection Laws in Australia.
8.3.1 Data Protection Law. With respect to the Personal Data of individuals in Brazil, the Data Protection Laws defined in Section 1 shall include the “LGPD” or the Brazilian General Data Protection Regulation, Law Nº 13.709/2018 which regulates the Processing of Personal Data in Brazil.
8.3.2 General Processing Obligation. TitanVox will Process the Personal Data in compliance with the Brazilian General Data Protection Regulation (LGPD), Law Nº 13.709/2018, including adhering to the principles of purpose limitation, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability.
8.3.3 Transfers outside Brazil. In addition to the requirements of Section 6.3, in the event that TitanVox transfers Personal Data to a country outside Brazil that is not deemed an Adequate Country, TitanVox will enter or have entered into agreements with the transferees that include contractual protections to secure and protect the Personal Data to the same extent as required by the obligations imposed on TitanVox by this DPA.
8.4.1 Controller. With respect to the processing of Personal Data of individuals in Canada, the term Controller defined in Section 1 shall include an organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities; or a health information custodian, custodian, public body, enterprise, trustee, or similar designation under Applicable Data Protection Law.
8.4.2 Data Protection Laws. With respect to the Personal Data of individuals in Canada, the Data Protection Laws defined in Section 1 shall include applicable federal privacy legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), and provincial privacy legislation, including but not limited to Quebec’s Act Respecting the Protection of Personal Information in the Private Sector.
8.4.3 Personal Data. Personal Data defined in Section 1 shall include personal information and personal health information as those terms are defined in applicable Data Protection Law.
8.4.4 Processor. With respect to the processing of Personal Data of individuals in Canada, the term Processor defined in Section 1 shall include an agent, a provider, service provider or similar designation under Applicable Data Protection Law.
8.4.5 General Processing Obligation. TitanVox will Process the Personal Data in a manner consistent with Data Protection Laws. This DPA applies to all Personal Data processed by TitanVox on behalf of Company, regardless of whether the Personal Data is received directly or indirectly from Company, including Company Personal Data provided to TitanVox by a distributor or reseller in the provision of support services to Company.
8.4.6 Transfers outside Canada. Company acknowledges and consents that TitanVox may, in the performance of this DPA, transfer Personal Data outside Canada, and in such event, in compliance with the accountability principle TitanVox will enter or have entered into agreements with the transferees that include contractual protections to secure and protect the Personal Data to the same extent as required by the obligations imposed on TitanVox by this DPA.
8.4.7 Governing Law. This Agreement will be governed by the laws of the Province where the Company is located (“Applicable Province”), and the federal laws of Canada applicable therein, without regard to principles of conflict of laws. The Parties hereto agree to submit all disputes related to this Agreement exclusively to the courts in the Applicable Province, to which each Party consents to the jurisdiction of such courts and waives any objection it may have with respect to venue.
8.5.1 Data Protection Law. With respect to the Personal Data of individuals in Chile, the Data Protection Laws defined in Section 1 shall include Chilean Law 19,628 on the Protection of Private Life, as well as any other applicable regulations, guidelines, or amendments governing the Processing of Personal Data in Chile.
8.6.1 Data Protection Law. With respect to the Personal Data of individuals in Colombia, the Data Protection Laws defined in Section 1 shall include Colombian Law 1581 of 2012 and Decree 1074 of 2015.
8.6.2 General Processing Obligation. TitanVox will Process the Personal Data in a manner consistent with the Colombian Privacy Principles, as defined in article 4 Law 1581 of 2012, including legality, purpose, freedom, truthfulness or quality, transparency, access and restricted circulation, security, and confidentiality.
8.6.3 Adequacy Decisions. “Adequate Country” means a country and international organization published by the Colombian Data Protection Authority (Superintendence of Industry and Commerce).
8.6.4 Transfers outside Colombia. TitanVox may transfer or transmit the Personal Data Processed under the scope of this DPA and the Main Agreement, to any country or territory, even if it is not considered as an Adequate Country under Colombian law, except in cases where Company expressly and by writing requires not to transfer or transmit to a particular country. Company guarantees that transfers or transmissions by TitanVox are allowed under the scope of the consent provided by the Data Subject.
8.6.3 Adequacy Decisions. “Adequate Country” means a country and international organization published by the Colombian Data Protection Authority (Superintendence of Industry and Commerce).
8.6.4 Transfers outside Colombia. TitanVox may transfer or transmit the Personal Data Processed under the scope of this DPA and the Main Agreement, to any country or territory, even if it is not considered as an Adequate Country under Colombian law, except in cases where Company expressly and by writing requires not to transfer or transmit to a particular country. Company guarantees that transfers or transmissions by TitanVox are allowed under the scope of the consent provided by the Data Subject.
TitanVox shall cooperate with the Company to ensure compliance with Article 26 of Law 1581 of 2012 regarding the international transfer of Personal Data.
8.6.5 Notice of Personal Data Breach. Company and TitanVox will work cooperatively to meet their mutual obligation to report to the Superintendence of Industry and Commerce any violation of the security measures and the existence of risks in the administration of the Personal Data, within 15 working days from the date in which the Personal Data Breach is detected.
8.6.6 Retention and Deletion. TitanVox shall retain Personal Data only for as long as necessary to fulfill the purposes of Processing or as required under applicable laws. Upon termination of this DPA or at the Company’s instruction, TitanVox shall delete or anonymize Personal Data in compliance with Colombian Data Protection Laws.
8.7.1 Data Protection Laws. With respect to the Personal Data of individuals in Japan, the Data Protection Laws defined in Section 1 shall include the Japanese Act on Protection of Personal Information (APPI), its amendments, and relevant guidelines or enforcement actions issued by the Personal Information Protection Commission (PPC) of Japan.
8.7.2 Transfers outside Japan. TitanVox may transfer or transmit the Personal Data Processed under the scope of this DPA and the Main Agreement, to any country or territory, even if it is not considered as an Adequate Country under Japanese law, except in cases where Company expressly and by writing requires not to transfer or transmit to a particular country, in which case TitanVox may not be able to provide the Services, which for the avoidance of doubt shall not amount to a breach of the Main Agreement. Company guarantees that transfers or transmissions by TitanVox are allowed under the scope of the consent provided by the Data Subject.
8.8.1Data Protection Law. With respect to the Personal Data of individuals in Mexico, the Data Protection Laws defined in Section 1 shall include the Mexican Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, or "LFPDPPP") and its accompanying regulations.
8.8.2 Transfers outside Mexico. In the event that TitanVox transfers Personal Data outside Mexico, TitanVox shall ensure that such transfers comply with the requirements of the LFPDPPP, including entering into agreements with transferees that contain contractual protections consistent with those required under this DPA. TitanVox will not assume additional obligations beyond those set forth in the DPA or under applicable law.
8.9.1 Data Protection Laws. With respect to the Personal Data of individuals residing in the Republic of South Africa ("South Africa"), the Data Protection Laws defined in Section 1 shall include South Africa’s Protection of Personal Information Act, 2013 ("POPIA") and any regulations or guidance issued by the Information Regulator.
8.9.2 General Processing Obligation. TitanVox shall Process Personal Data in compliance with POPIA, ensuring adherence to principles such as lawfulness, minimality, purpose specification, and security safeguards, as applicable.
8.9.3 Transfer outside South Africa. If, in connection with this DPA, any Personal Data is provided by Company to TitanVox outside of South Africa, such transfer will be governed by the Standard Contractual Clauses set out in Section 6.3, with the following amendments: (i) the competent Supervisory Authority shall be South Africa's Information Regulator; (ii) the governing law shall be the laws of South Africa; (iii) the choice of forum shall be the courts of South Africa; and (iv) the obligations under Clauses 14 and 15 of the Standard Contractual Clauses shall not apply.
TitanVox may transfer or transmit the Personal Data Processed under the scope of this DPA and the Main Agreement to any country or territory, except in cases where Company expressly and by writing requires not to transfer or transmit to a particular country, in which case TitanVox may not be able to provide the Services, which for the avoidance of doubt shall not amount to a breach of the Main Agreement. Company guarantees that transfers or transmissions by TitanVox are allowed under the scope of the consent provided by the Data Subject.
8.11.1 Data Protection Laws. With respect to the Personal Data of individuals in United Kingdom, the Data Protection Laws and GDPR defined in Section 1 shall include the Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland pursuant to and as amended by any legislation arising out of the 2018 Withdrawal Act of the United Kingdom from the European Union.
8.11.2 Transfer outside of the United Kingdom by Company. For Personal Data originating from the United Kingdom, the Parties agree that the UK International Data Transfer Addendum between Company and TitanVox Affiliate outside the United Kingdom located at www.titan-vox.com/standard-contractual-clauses-eu-uk-addendum will apply.
8.11.3 Transfers outside United Kingdom by TitanVox. Where the transfer is to a sub‑processor which is not located in an Adequate Country, TitanVox shall ensure that a mechanism to achieve adequacy in respect to the Processing is in place, such as:
(a) The execution between TitanVox and its sub‑processors outside the United Kingdom of the UK International Data Transfer Addendum, a copy of which can be made available upon request;
(b) The existence of any self‑regulation framework or binding corporate rules providing adequate protection to the transferred Personal Data.
9.1 Order of Precedence. In the event of any conflict or inconsistency between the provisions of this DPA and the Main Agreement, the provisions of this DPA shall govern with respect to the specific subject matter addressed herein. This DPA is intended to clarify the Parties’ obligations under the applicable Standard Contractual Clauses. If any provision of this DPA conflicts with the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail to the extent of the conflict.
9.2 Language. If TitanVox provides this DPA in more than one language for the country of Company’s address, and there is a discrepancy between the English text and the translated text, the English text will govern.
9.3 Updates to DPA terms. When Company renews or purchases a new subscription to Service or enters into a work order for a professional Services, the then‑current DPA terms will apply and will not change during Company’s subscription for that Service or term for that professional Service work order. Notwithstanding the aforementioned, when TitanVox introduces features, offerings, supplements or related software that are new (i.e., that were not previously included with the Services), TitanVox may provide terms or make updates to this DPA that apply to Company´s use of those new features, offerings, supplements or related software. If those terms include any material adverse changes to the DPA terms, TitanVox will provide Company a choice to use the new features, offerings, supplements, or related software, without loss of existing functionality of a generally available Service. If Company does not install or use the new features, offerings, supplements, or related software, the corresponding new terms will not apply.
9.4 Regulatory changes. Notwithstanding the terms under Section 9.3, TitanVox may modify or terminate a Service in any country or jurisdiction where there is any current or future government requirement or obligation that (1) subjects TitanVox to any regulation or requirement not generally applicable to businesses operating there, (2) presents a hardship for TitanVox to continue operating the Services without modification, and/or (3) causes TitanVox to believe the DPA terms or the Services may conflict with any such requirement or obligation.
9.5 Entire agreement. This DPA shall supersede any prior agreements, arrangements and understandings between the Parties and constitutes the entire agreement between the Parties relating to the subject matter hereof.
9.6 Validity and enforceability. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provisions shall be either (i) amended as necessary to ensure their validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
9.7 Non‑production environments may employ lesser or different privacy and security measures than those typically present in a production environment. If Company submits or allows Data Subjects to submit to a non‑production environment Personal Data or other data that is subject to legal or regulatory compliance requirements, Company acknowledges that it does so on its own responsibility. The following terms in this DPA do not apply to non‑production environments: Processing Requirements, Security, Additional Provisions for Specific Types of Personal Data, and Additional Provisions for Individuals Located in Certain Countries.
9.8 The Company is responsible for implementing and maintaining privacy protections and security measures for components that the Company provides or controls (such as Company credentials for accessing Web based reporting and self‑service tools that TitanVox makes available to Company in connection with the Services).
The following additional terms are part of this DPA and are incorporated, where applicable, as stated above.
Data Processing Details located at www.titan-vox.com/data-processing-details.
Description of Technical and Organizational Measures located at www.titan-vox.com/description-technical-organization-measures.
Sub-Processors List located at www.titan-vox.com/sub-processors-list.
EU Standard Contractual Clauses - (Module Two - Controller to Processor) located at www.titan-vox.com/standard-contractual-clauses-eu.
UK International Data Transfer Addendum located at www.titan-vox.com/standard-contractual-clauses-eu-uk-addendum.
Argentina Standard Contractual Clauses located at www.titan-vox.com/standard-contractual-clauses-argentina.
