Data Processing Agreement (DPA) – CallBotIA™

Last updated: November 5, 2025

1. Definition of Roles and Purpose of the Agreement

CallBotIA™ (the “Processor”) acts solely as a data processor on behalf of the client (the “Controller”), who defines the purposes and means of processing. CallBotIA™ only follows the Controller’s documented instructions and assumes no responsibility for decisions, data use, or violations resulting from such instructions or the misuse of platforms by the Controller or its users.

2. General Definitions

Includes key definitions such as personal data, processing, security breach, and supervisory authority to ensure clarity within the agreement.

3. Controller Obligations

The Controller must define purposes and means, provide documented instructions, ensure lawful processing, conduct impact assessments if applicable, respond to data subject rights, notify security incidents, evaluate third-party platforms, maintain records, and take full responsibility for platforms, systems, and decisions related to processing.

4. Processor Obligations (CallBotIA™)

CallBotIA™ commits to processing data in accordance with documented instructions, ensuring staff confidentiality, applying appropriate technical and organizational measures, assisting in fulfilling data subject rights, notifying security incidents without undue delay, and deleting or returning data upon contract termination.

5. Technical and Organizational Security Measures

CallBotIA™ implements encryption, access control, backups, monitoring, and other security measures in its internal systems. Security on integrated external platforms is the sole responsibility of the Client, who must manage access and passwords.

6. Third-Party Platforms and Limitation of Liability

CallBotIA™ uses third-party platforms (Amazon, Google, Azure, Twilio, etc.) to provide its services. It is not liable for incidents, failures, data loss, or unauthorized access on such platforms, except in cases of proven willful misconduct or gross negligence. The Controller releases CallBotIA™ from liability for processing carried out by external providers and is responsible for the use, configuration, and security of those platforms.

7. Liability and Indemnification

CallBotIA™ assumes no liability for Controller decisions, misuse of solutions, regulatory breaches by the Controller, or incidents involving external infrastructure. The Client shall indemnify and hold CallBotIA™ harmless from any claim, fine, or sanction arising from service use, Controller decisions, misuse of platforms, provided content, or actions of third parties.

8. International Data Transfers

The Client acknowledges that data may be transferred outside the European Economic Area or country of origin, including to countries without equivalent legislation. CallBotIA™ will apply appropriate safeguards (standard contractual clauses or other mechanisms). The Controller is responsible for legal compliance when integrating proprietary platforms.

9. Data Security Breaches

CallBotIA™ will notify the Client of any security breach in its systems without undue delay and will assist in managing notifications. Incident management on external platforms is the Client’s responsibility.

10. Data Subject Rights

CallBotIA™ will assist the Client in exercising data subject rights only with regard to data under its direct control.

11. Audits, Requests, and Supervision

The Client may request limited and reasonable audits of CallBotIA™’s compliance, with prior notice and under confidentiality conditions. Abusive audits or those compromising infrastructure will be denied. CallBotIA™ may offer reports or certifications as an alternative.

12. Confidentiality

CallBotIA™ will maintain the confidentiality of processed data and will require its personnel to honor this obligation, even after the agreement’s termination.

13. Termination of the Agreement and Data Deletion

This DPA shall remain in effect as long as CallBotIA™ processes data on behalf of the Client. Upon termination, CallBotIA™ will delete or return the data within a maximum of 30 business days, unless legally required to retain it. Backup data will be deleted according to established retention cycles.

14. Force Majeure

In the event of termination due to prolonged force majeure, no refund shall be due for fees already paid for the period prior to the effective termination date.

15. Governing Law and Jurisdiction

This agreement shall be governed by the laws of the Republic of Argentina, and any dispute shall be submitted to the exclusive jurisdiction of the Federal Courts of the City of Buenos Aires, with express waiver of any other jurisdiction.

16. Entire Agreement, Amendments, and Notices

This DPA constitutes the entire agreement between the parties regarding the processing of personal data, superseding any prior communication. Amendments must be in writing and signed by both parties. Notices shall be made in writing via email or certified mail to the designated addresses.