DATA PROCESSING AGREEMENT

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, and deletion. "Data Subject" means an individual whose Personal Data is processed. "Services" means the SalesEcho platform and related services as described in our Terms of Service.

2. Roles & Responsibilities

You (the Customer) act as the Data Controller, determining the purposes and means of processing Personal Data through the Services.

SalesEcho acts as the Data Processor, processing Personal Data on your behalf according to your instructions and this DPA.

We will process Personal Data only in accordance with your documented instructions, which include providing the Services as described in our Terms of Service, unless required by applicable law to process data for other purposes.

3. Categories of Data Processed

When you use SalesEcho, we process the following categories of Personal Data on your behalf:

• Audio recordings of sales conversations you choose to record
• Transcripts generated from recorded audio
• Contact information you provide about prospects (names, emails, job titles, companies)
• Publicly available information about meeting attendees
• Company materials and sales context you upload
• Usage data and interaction logs from your use of the Services

4. Security Measures

We implement appropriate technical and organizational measures to protect Personal Data, including:

• Encryption in transit using TLS for all data transmissions
• Row-level security policies ensuring users can only access their own data
• Secure authentication through industry-standard OAuth and magic link protocols
• Infrastructure hosted by Supabase, which maintains SOC 2 Type II certification
• Regular monitoring and logging of system access

While we implement industry-standard security practices, no method of transmission or storage is 100% secure. We leverage certified infrastructure providers but do not independently hold SOC 2 or ISO 27001 certifications.

5. Sub-processors

We use the following categories of sub-processors to provide the Services:

• Infrastructure & Hosting: Cloud database and storage providers
• Speech Processing: Real-time audio transcription services
• AI Processing: Large language model inference providers
• Payments: Payment processing services
• Analytics: Usage analytics and monitoring services

We may update our sub-processors from time to time. Material changes will be reflected in updates to our Privacy Policy.

6. Data Subject Rights

We will assist you in responding to requests from Data Subjects exercising their rights under applicable data protection laws. If we receive a request directly from a Data Subject, we will promptly notify you unless prohibited by law. You may fulfill Data Subject deletion requests through the Account settings in the Services or by contacting ben@sales-echo.com.

7. Data Retention & Deletion

We retain Personal Data for as long as your account is active and as needed to provide the Services. Audio recordings and transcripts are retained until you request deletion. Upon termination of the Services or upon your written request, we will delete or return all Personal Data in our possession, except where retention is required by applicable law or for legitimate business purposes such as resolving disputes.

8. Data Breach Notification

In the event of a Personal Data breach affecting your data, we will notify you without undue delay after becoming aware of the breach. We will provide you with sufficient information to enable you to meet any obligations to report the breach to supervisory authorities or Data Subjects, to the extent such information is reasonably available to us.

9. International Data Transfers

Personal Data is processed and stored in the United States. By using the Services, you acknowledge and consent to this transfer. We do not currently offer Standard Contractual Clauses (SCCs) or region-specific data residency. If you require GDPR-compliant data transfers with SCCs, please contact us to discuss your requirements.

10. Audits & Compliance

Upon reasonable request and subject to confidentiality obligations, we will provide you with information necessary to demonstrate our compliance with this DPA. We may satisfy audit requests through provision of relevant documentation, certifications from our infrastructure providers, or other reasonable means.

11. Liability

Our liability under this DPA is subject to the limitations set forth in our Terms of Service. Each party is liable for damages caused by its processing of Personal Data in violation of applicable data protection laws.

12. Term & Termination

This DPA remains in effect for as long as we process Personal Data on your behalf. Upon termination of the Services, we will cease processing and delete Personal Data as described in Section 7, unless retention is required by law.

13. Contact

For questions about this DPA or to exercise your rights, contact us at ben@sales-echo.com. For formal data processing inquiries, please include "DPA Inquiry" in the subject line.

14. Legal Entity

This DPA is entered into by SalesEcho, based in New York, United States.