Data Processing Addendum

Last updated: February 21, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Talkom Ltd. ("Talkom", "Processor", or "Service Provider") and the customer ("Customer", "Controller", or "Business") and applies to the extent Talkom processes Personal Data on Customer's behalf in connection with the Talkom AI services (the "Services").

This DPA is intended to satisfy the requirements of:

• Article 28 of the EU General Data Protection Regulation (GDPR)
• The UK GDPR and Data Protection Act 2018
• Applicable U.S. state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the CPRA

1. Definitions

Personal Data / Personal Information

Any information relating to an identified or identifiable natural person that is processed by Talkom on behalf of Customer.

Processing

Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, transmission, or deletion.

Controller / Business

The entity that determines the purposes and means of processing Personal Data. In this context, the Customer.

Processor / Service Provider

The entity that processes Personal Data on behalf of the Controller. In this context, Talkom Ltd.

Sub-processor

Any third party engaged by Talkom to assist in providing the Services and processing Personal Data on Customer's behalf.

Applicable Data Protection Laws

All laws and regulations applicable to the processing of Personal Data under this DPA, including GDPR, UK GDPR, and applicable U.S. state privacy laws.

2. Roles and Scope of Processing

2.1 Relationship of the Parties

As between the parties:

• Customer acts as Controller (or Business under U.S. law).
• Talkom acts as Processor (or Service Provider under U.S. law).

Customer is responsible for:

• Determining the lawful basis for processing
• Providing required privacy notices
• Obtaining any required consents

Talkom processes Personal Data only on documented instructions from Customer.

2.2 Subject Matter and Duration

The subject matter of processing is the provision of the Talkom AI conversational assistant service.

Processing continues for the duration of the parties' service agreement.

Upon termination, Personal Data will be deleted in accordance with Section 7 of this DPA.

2.3 Nature and Purpose of Processing

Talkom processes Personal Data solely to:

• Provide AI-driven conversational responses
• Retrieve relevant order and product information
• Maintain session continuity
• Ensure service functionality and reliability
• Improve service performance and response quality

Talkom does not:

• Sell Personal Data
• Share Personal Data for cross-context behavioral advertising
• Use Personal Data for advertising targeting

3. Categories of Data

3.1 Categories of Data Subjects

• Customer's end users and customers
• Customer's employees or agents (if applicable)

3.2 Types of Personal Data

Personal Data processed may include:

• Names
• Email addresses
• Order numbers
• Shipping or delivery details
• Transaction information
• Conversation content voluntarily submitted by users
• Technical information such as IP addresses or device data necessary for system operation

The Services are not intended to process special categories of data (such as health, biometric, or religious data). Customer agrees not to use the Services for such data unless separately agreed in writing.

4. Processing Instructions

Talkom processes Personal Data only:

• In accordance with the parties' service agreement
• As configured or instructed by Customer
• As necessary to provide the Services

Customer authorizes Talkom to use aggregated and anonymized data to improve overall service performance, provided no Personal Data is disclosed.

If Talkom believes a Customer instruction violates applicable law, Talkom will inform Customer.

5. Processor Obligations

Talkom agrees to:

5.1 Confidentiality

Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.

5.2 Security Measures

Implement appropriate technical and organizational measures, including:

• Encryption of data in transit (TLS/HTTPS)
• Secure cloud infrastructure
• Role-based access controls
• Monitoring and logging systems
• Vulnerability management practices

The Services are hosted using Microsoft cloud infrastructure.

5.3 Assistance with Data Subject Requests

Upon Customer's documented instruction, Talkom will:

• Delete specific conversation data
• Export relevant data
• Restrict processing where required

If Talkom receives a request directly from a data subject, it will redirect the individual to Customer unless legally required to respond.

5.4 Assistance with Compliance

Taking into account the nature of processing, Talkom will assist Customer with:

• Security documentation
• Data Protection Impact Assessments (reasonable scope)
• Information required for breach reporting

6. Sub-processors

Customer provides general authorization for Talkom to engage Sub-processors.

Categories of Sub-processors include:

• Microsoft (cloud infrastructure and AI services)
• Shopify (platform integration)
• Google (analytics services, where applicable)

Talkom ensures that Sub-processors are subject to data protection obligations consistent with this DPA.

Talkom remains responsible for the performance of its Sub-processors.

Customer will be notified of material changes to Sub-processors and may object on reasonable grounds.

7. Data Retention and Deletion

Conversation data is retained while Customer actively uses the Services.

Upon termination of the service agreement:

• Personal Data will be deleted following a defined cleanup process.
• Data may remain temporarily in secure backup systems before automatic deletion in accordance with backup rotation policies.

During the service term, Talkom will delete specific Personal Data upon Customer's documented instruction.

Talkom may retain Personal Data only where required by applicable law.

8. Personal Data Breach

In the event of a confirmed Personal Data Breach affecting Customer data, Talkom will notify Customer without undue delay and provide:

• A description of the nature of the breach
• Categories of data involved
• Remedial measures taken

Customer is responsible for regulatory notifications unless otherwise required by law.

9. International Data Transfers

Talkom is established in the United Kingdom.

Where Personal Data is transferred outside the EEA or UK, Talkom ensures appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (where required)
• UK International Data Transfer Addendum
• Equivalent lawful transfer mechanisms

10. U.S. Service Provider Commitments

To the extent U.S. state privacy laws apply, Talkom:

• Processes Personal Information solely to provide the Services
• Does not sell Personal Information
• Does not share Personal Information for cross-context behavioral advertising
• Does not retain, use, or disclose Personal Information outside the direct business relationship
• Does not combine Personal Information from multiple customers except as permitted by law

These commitments are intended to satisfy the definition of a "Service Provider" under applicable U.S. privacy laws.

11. Audits

Talkom will provide information reasonably necessary to demonstrate compliance.

Customer audits:

• Must be reasonable in scope
• Limited to once annually unless legally required otherwise
• Subject to confidentiality obligations

Talkom may satisfy audit requirements through existing security documentation or certifications where appropriate.

12. Liability

Liability under this DPA is subject to the limitations of liability set forth in the parties' service agreement.

13. Governing Law

This DPA is governed by the same law and jurisdiction as the parties' service agreement, unless required otherwise by applicable data protection law.