DATA PROCESSING ADDENDUM

Effective Date: 20th October 2025

INTRODUCTION

This Data Processing Addendum ("DPA") forms part of the Master Services Agreement ("MSA") between Big Decisions and Client (each a "Party" and together the "Parties").

This DPA sets out the terms that apply when Big Decisions processes Personal Data on behalf of Client in connection with the Services provided under the MSA.

1. DEFINITIONS AND INTERPRETATION

1.1 Definitions

"Controller" means the entity which determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, Client is the Controller.

"Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including but not limited to: (i) the GDPR; (ii) the UK GDPR and Data Protection Act 2018; (iii) the Swiss Federal Act on Data Protection (FADP); (iv) the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA); and (v) any other applicable national, state or provincial data protection laws.

"Data Subject" means an identified or identifiable natural person whose Personal Data is Processed under this DPA.

"GDPR" means the General Data Protection Regulation (EU) 2016/679.

"Personal Data" means any information relating to an identified or identifiable natural person that is Processed by Big Decisions on behalf of Client under the MSA.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

"Processing" (and "Process", "Processes", "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Processor" means the entity which Processes Personal Data on behalf of the Controller. For the purposes of this DPA, Big Decisions is the Processor.

"Services" means the services provided by Big Decisions to Client as described in the MSA, including but not limited to Forecast (NLP and predictive analytics), On the Call (real-time AI guidance), Train-AI (AI-based training), Insights (analytics and reporting), and any other services as may be agreed between the Parties.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

"Sub-processor" means any third party appointed by Big Decisions to Process Personal Data on behalf of Client.

"Supervisory Authority" means an independent public authority established by a Member State pursuant to Article 51 GDPR or equivalent authority under other Data Protection Laws.

1.2 Order of Precedence

In the event of any conflict or inconsistency between the provisions of this DPA and the MSA, the following order of precedence shall apply with respect to the Processing of Personal Data and compliance with Data Protection Laws:

  1. This Data Processing Addendum (DPA)
  2. Standard Contractual Clauses (if applicable)
  3. The Master Services Agreement (MSA)

For all matters not related to Personal Data Processing or Data Protection Laws, the MSA shall prevail.

2. SCOPE AND ROLES

2.1 Scope of DPA

This DPA applies to all Processing of Personal Data by Big Decisions on behalf of Client in connection with the Services provided under the MSA.

2.2 Client as Controller

Client is the Controller of the Personal Data and is responsible for:

  • Determining the purposes and means of Processing Personal Data
  • Ensuring that it has a lawful basis for Processing under applicable Data Protection Laws
  • Providing any required notices to Data Subjects
  • Obtaining any required consents from Data Subjects
  • Ensuring that instructions to Big Decisions comply with Data Protection Laws

2.3 Big Decisions as Processor

Big Decisions is the Processor and shall:

  • Process Personal Data only on documented instructions from Client
  • Comply with all applicable Data Protection Laws in its role as Processor
  • Assist Client in meeting its obligations under Data Protection Laws

2.4 Details of Processing

Subject Matter: Processing of Personal Data in connection with the provision of AI-powered communication intelligence, analytics, and coaching services.

Duration: For the duration of the MSA, unless terminated earlier in accordance with this DPA.

Nature and Purpose: To enable Big Decisions to provide the Services, including analysis and insights, real-time guidance, training and development, reporting and analytics, service delivery, customer support, and service improvement (only with Client's consent).

Categories of Data Subjects:

  • Client's employees, contractors, and personnel
  • Client's customers and prospective customers
  • Client's suppliers and business partners
  • Third parties who communicate with Client's personnel
  • Any other individuals whose Personal Data is submitted to the Services by Client

Types of Personal Data:

  • Identity data (names, job titles, company name, employee ID)
  • Contact data (email addresses, telephone numbers, business addresses)
  • Communication data (voice recordings, call transcripts, email content and metadata, chat messages, video recordings, meeting notes)
  • Behavioural and performance data (communication patterns, performance metrics, training progress, user interactions, usage statistics)
  • Technical data (IP addresses, device identifiers, browser type, login credentials)
  • Derived data (AI-generated insights, sentiment analysis, topic classifications, performance scores)

Special Categories of Personal Data: Client warrants that it shall not submit Special Categories of Personal Data (as defined in Article 9 GDPR) or Personal Data relating to criminal convictions and offences without Big Decisions' prior written consent and implementation of additional safeguards.

3. PROCESSOR'S OBLIGATIONS

3.1 Processing Instructions

Big Decisions shall Process Personal Data only on documented instructions from Client, unless required to do so by applicable law. If Big Decisions believes that any instruction violates Data Protection Laws, it shall immediately inform Client and may suspend performance until Client confirms or modifies the instruction.

3.2 Confidentiality

Big Decisions shall ensure that all persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require such access to perform the Services.

3.3 Records of Processing Activities

Big Decisions shall maintain written records of all categories of Processing activities carried out on behalf of Client as required by Article 30(2) GDPR.

4. DATA SUBJECT RIGHTS AND ASSISTANCE

4.1 Assistance with Data Subject Rights

Big Decisions shall assist Client by implementing appropriate technical and organisational measures to enable Client to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, data portability, objection, and rights related to automated decision-making.

If Big Decisions receives a request directly from a Data Subject, it shall forward the request to Client without undue delay and shall not respond except on Client's documented instructions or as required by law.

Big Decisions shall provide Client with commercially reasonable assistance in responding to Data Subject requests within thirty (30) calendar days of Client's written request, or such shorter period as required by applicable Data Protection Laws.

4.2 Assistance with Compliance

Big Decisions shall provide reasonable assistance to Client in:

  • Conducting data protection impact assessments (DPIAs) where required under Article 35 GDPR
  • Prior consultation with Supervisory Authorities where required under Article 36 GDPR
  • Responding to enquiries from Supervisory Authorities
  • Investigating Personal Data Breaches
  • Demonstrating compliance with Data Protection Laws

4.3 Demonstration of Compliance

Big Decisions shall make available to Client all information necessary to demonstrate compliance with the obligations laid down in this DPA and Data Protection Laws.

5. DATA BREACH NOTIFICATION

5.1 Notification to Client

In the event of a Personal Data Breach, Big Decisions shall notify Client without undue delay and in any event within forty-eight (48) hours of becoming aware of the breach.

5.2 Breach Information

The notification shall include, to the extent possible:

  • A description of the nature of the Personal Data Breach including the categories and approximate number of Data Subjects and Personal Data records concerned
  • The name and contact details of Big Decisions' data protection officer or other contact point
  • A description of the likely consequences of the Personal Data Breach
  • A description of the measures taken or proposed to address the breach and mitigate its adverse effects

5.3 Cooperation

Big Decisions shall cooperate with Client and provide such further information and assistance as reasonably required to enable Client to comply with its obligations under Data Protection Laws, including notification to Supervisory Authorities and Data Subjects where required.

5.4 Documentation

Big Decisions shall document all Personal Data Breaches and make such documentation available to Client upon request.

6. DATA SECURITY

6.1 Security Measures

Big Decisions shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

6.2 Security Standards

Such measures shall include, at a minimum:

Encryption:

  • Encryption of Personal Data at rest using AES-256 or equivalent
  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • End-to-end encryption for communication data where technically feasible
  • Secure key management with regular key rotation

Access Controls:

  • Role-based access control (RBAC) on a need-to-know basis
  • Multi-factor authentication (MFA) for all systems Processing Personal Data
  • Regular reviews of user access rights (at least quarterly)
  • Immediate revocation of access upon termination of employment
  • Comprehensive logging and monitoring of all access

Network Security:

  • Firewalls and intrusion detection/prevention systems
  • Network segmentation
  • Regular security patching and updates
  • Anti-malware and anti-virus solutions

Data Integrity:

  • Data validation controls
  • Change management procedures
  • Audit trails for changes to Personal Data
  • Version control

Availability and Resilience:

  • Regular automated backups (encrypted and geographically separate)
  • Business continuity and disaster recovery plans (tested annually)
  • Redundant systems and automatic failover
  • Hosting on Microsoft Azure or equivalent Tier 1 cloud infrastructure with 99.9%+ uptime SLA

Testing and Evaluation:

  • Regular vulnerability scanning (at least monthly)
  • Annual penetration testing by independent third parties
  • Annual independent security audits
  • Regular testing of incident response procedures

Physical Security:

  • Tier III or higher certified data centres
  • 24/7 physical security and surveillance
  • Biometric access controls
  • Environmental controls (fire suppression, climate control, UPS, backup generators)

Organisational Measures:

  • Data Protection Officer or designated privacy lead
  • Mandatory annual data protection and security training for all personnel
  • Comprehensive information security policies and procedures
  • Documented incident response plan
  • Vendor management and due diligence for Sub-processors

6.3 Artificial Intelligence Processing

AI Services: Client acknowledges that certain Services incorporate artificial intelligence and machine learning technologies, including Forecast (NLP), On the Call (real-time AI guidance), and Train-AI (AI-based training).

Transparency: Big Decisions shall provide Client with reasonable information about the logic involved in AI-based Processing, the significance and consequences for Data Subjects, and measures to ensure accuracy and prevent bias.

Automated Decision-Making: Where Services involve automated decision-making that produces legal effects or similarly significantly affects Data Subjects (Article 22 GDPR):

  • Big Decisions shall only perform such Processing upon explicit written instruction from Client
  • Client remains responsible for ensuring compliance with Article 22 GDPR
  • Big Decisions shall provide information necessary to enable human intervention and the right to contest decisions

AI Training Data: Where Personal Data is used to train, test or improve AI models:

  • Such use shall only occur with Client's prior written consent
  • Personal Data shall be pseudonymised or anonymised where technically feasible
  • Big Decisions shall implement measures to prevent AI models from memorising or reproducing Personal Data
  • Client may request deletion of Personal Data used in AI training, subject to technical limitations

AI Security Measures:

  • Access controls and encryption for AI models
  • Secure training environments with restricted access
  • Output filtering to prevent disclosure of Personal Data
  • Regular testing for bias and fairness
  • Adversarial testing to identify vulnerabilities

7. AUDITS AND INSPECTIONS

7.1 Audit Rights

Client shall have the right, upon reasonable written notice (not less than thirty (30) calendar days) and during normal business hours, to audit Big Decisions' compliance with its obligations under this DPA.

7.2 Audit Frequency

Client may conduct or commission audits no more than once per calendar year, unless:

  • Required by a Supervisory Authority
  • Following a Personal Data Breach affecting Client's Personal Data
  • Where Client has reasonable grounds to believe Big Decisions is not complying with this DPA

7.3 Audit Procedure

Audits shall be conducted in a manner that does not unreasonably interfere with Big Decisions' business operations. Any auditor appointed by Client must execute a confidentiality agreement, be independent and not a competitor of Big Decisions, and conduct the audit in accordance with industry-standard practices.

7.4 Audit Costs

Client shall bear all costs associated with audits, including reasonable costs incurred by Big Decisions in facilitating the audit.

7.5 Remediation

If an audit reveals non-compliance, Big Decisions shall take prompt action to remedy such non-compliance within a timeframe agreed with Client, taking into account the nature and severity of the non-compliance.

8. SUB-PROCESSORS

8.1 General Authorisation

Client provides general authorisation for Big Decisions to engage Sub-processors to Process Personal Data, subject to the requirements of this Section 8.

8.2 Current Sub-processors

Current Sub-processors include:

  • Claude
  • Assembly AI
  • ElevenLabs
  • Rime
  • LiveKit
  • OpenAI
  • ChatGPT API
  • Whisper for transcriptions
  • Google
  • Gemini API
  • Azure
  • Virtual machines
  • Databases

8.3 New Sub-processors

Big Decisions shall inform Client of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) calendar days prior to authorisation. Notification shall include the Sub-processor's name, location, description of Processing activities, and transfer mechanism if located outside the EEA.

8.4 Objection Rights

Client may object to Big Decisions' use of a new Sub-processor on reasonable grounds relating to data protection by notifying Big Decisions in writing within fifteen (15) calendar days. If the Parties cannot reach a resolution within thirty (30) calendar days, Client may terminate the affected Services without penalty.

8.5 Sub-processor Obligations

Big Decisions shall enter into a written agreement with each Sub-processor imposing data protection obligations substantially equivalent to those in this DPA. Big Decisions remains fully liable to Client for the performance of any Sub-processor's obligations.

9. DATA LOCATION AND INTERNATIONAL TRANSFERS

9.1 Data Location

Personal Data shall be Processed and stored primarily within the European Economic Area (EEA) or in countries recognised by the European Commission as providing an adequate level of data protection.

9.2 Transfers Outside the EEA

Client acknowledges that the provision of the Services may require the transfer of Personal Data to countries outside the EEA. Any such transfers shall be made in accordance with applicable Data Protection Laws and subject to appropriate safeguards.

9.3 Transfer Mechanisms

Where Personal Data is transferred to countries not recognised as providing adequate protection, Big Decisions shall implement appropriate safeguards, including:

Standard Contractual Clauses: The Standard Contractual Clauses adopted by European Commission Decision 2021/914 (Module Two: Controller to Processor) shall apply to such transfers. For UK transfers, the UK International Data Transfer Addendum applies. For Swiss transfers, the Swiss FDPIC-approved modifications apply.

Data Privacy Framework: Where Big Decisions or Sub-processors are certified under the EU-U.S. Data Privacy Framework, UK Extension, or Swiss-U.S. DPF, such certification may serve as an additional transfer mechanism.

9.4 Supplementary Measures

In addition to SCCs, Big Decisions implements supplementary measures including:

  • Encryption of all Personal Data at rest and in transit
  • Strict access controls with multi-factor authentication
  • Contractual commitments from Sub-processors to challenge disproportionate government access requests
  • Regular audits and assessments
  • Transparency reporting regarding government requests (where legally permitted)

9.5 Government Access Requests

Big Decisions shall:

  • Immediately notify Client of any legally binding request for disclosure of Personal Data by law enforcement or government agencies (unless prohibited by law)
  • Challenge any request that appears unlawful, excessive or disproportionate
  • Provide the minimum information permissible when responding to such requests
  • Document all requests and responses for audit purposes

9.6 Transfer Destinations

Personal Data may be transferred to:

  • United States: Via SCCs and supplementary measures / EU-U.S. Data Privacy Framework
  • United Kingdom: Via UK Adequacy Decision and SCCs
  • Switzerland: Via Swiss Adequacy Decision and SCCs
  • Other countries: As specified in the Sub-processor list, with appropriate transfer mechanisms

10. DATA RETENTION AND DELETION

10.1 Retention Period

Big Decisions shall retain Personal Data only for as long as necessary to provide the Services or as required by applicable law.

10.2 Deletion or Return Upon Termination

Upon termination or expiry of the MSA, or upon Client's written request, Big Decisions shall, at Client's election:

  • Delete all Personal Data in its possession or control; or
  • Return all Personal Data to Client in a commonly used, machine-readable format

Client must notify Big Decisions of its election within thirty (30) calendar days of termination. If Client fails to provide such notification, Big Decisions shall delete all Personal Data.

Big Decisions shall complete the deletion or return within sixty (60) calendar days.

10.3 Certification of Deletion

Upon completion of deletion, Big Decisions shall provide Client with written certification that all Personal Data has been deleted.

10.4 Legal Retention

Big Decisions may retain Personal Data to the extent required by applicable law. Any such retained data shall continue to be subject to the confidentiality and security obligations of this DPA and shall be deleted as soon as the legal requirement no longer applies.

10.5 Backup Copies

Personal Data in backup systems shall be deleted in accordance with Big Decisions' standard backup retention procedures, which shall not exceed ninety (90) calendar days from the date of deletion of primary data.

11. DATA PORTABILITY

11.1 Data Export

Upon Client's request, Big Decisions shall provide Personal Data in a structured, commonly used and machine-readable format (JSON, CSV, XML, or other format as reasonably requested and technically feasible).

11.2 Timeframe

Big Decisions shall provide exported data within thirty (30) calendar days of receiving Client's written request, or such shorter timeframe as required by Data Protection Laws.

11.3 Secure Transfer

Exported data shall be transferred securely using encryption and secure file transfer protocols.

11.4 Fees

Data portability requests made in connection with termination of the MSA or as required by Data Protection Laws shall be provided at no additional cost. Additional or frequent requests may be subject to reasonable fees.

12. PROCESSING OF CHILDREN'S DATA

12.1 Age Restrictions

Client represents and warrants that:

  • It shall not submit Personal Data of children under sixteen (16) years of age (or such lower age as permitted by Member State law) without verifiable parental or guardian consent
  • It has implemented appropriate mechanisms to verify the age of Data Subjects where required
  • It has obtained any necessary parental consent where required by Data Protection Laws

12.2 Processor's Obligations

If Big Decisions becomes aware that it is Processing Personal Data of a child without appropriate consent, it shall notify Client immediately and shall delete such data upon Client's instruction.

12.3 Enhanced Protection

Big Decisions shall implement appropriate additional safeguards when Processing children's Personal Data, including stricter access controls, enhanced security measures, and limitations on profiling and automated decision-making.

13. LIABILITY AND INDEMNIFICATION

13.1 Processor's Liability

Big Decisions shall be liable for any damage caused by Processing where it has not complied with obligations specifically directed to Processors under applicable Data Protection Laws or where it has acted outside or contrary to lawful instructions of Client.

13.2 Indemnification

Big Decisions shall indemnify and hold harmless Client from and against all claims, losses, damages, liabilities, costs and expenses (including reasonable legal fees) arising from any breach by Big Decisions of its obligations under this DPA or applicable Data Protection Laws, except to the extent such claims arise from Client's instructions or Client's breach of its obligations.

13.3 Limitation

Any limitation of liability provisions in the MSA shall apply to this DPA, except where such limitations are prohibited by applicable Data Protection Laws. Nothing in this DPA shall limit or exclude either Party's liability for fraud, gross negligence, wilful misconduct, breach of confidentiality, or matters for which liability cannot be limited under applicable law.

14. TERMINATION

14.1 Duration

This DPA shall remain in effect for as long as Big Decisions Processes Personal Data on behalf of Client under the MSA.

14.2 Effect of Termination

Upon termination:

  • Big Decisions shall cease all Processing of Personal Data (except as required for legal retention)
  • The provisions of Section 10 (Data Retention and Deletion) shall apply
  • Sections that by their nature should survive shall continue in effect

14.3 Termination for Breach

Either Party may terminate this DPA (and, at its option, the MSA) with immediate effect by written notice if the other Party commits a material breach and fails to remedy such breach within thirty (30) calendar days of receiving written notice.

Client may terminate immediately if a Supervisory Authority orders suspension of transfers or if Big Decisions is unable to provide appropriate safeguards for international data transfers.

15. GENERAL PROVISIONS

15.1 Governing Law

This DPA shall be governed by and construed in accordance with the laws of Spain without regard to conflict of law provisions.

15.2 Jurisdiction

The courts of Madrid shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.

15.3 Amendments

No amendment or modification to this DPA shall be valid unless made in writing and signed by authorised representatives of both Parties.

15.4 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

15.5 Entire Agreement

This DPA, together with the MSA, constitutes the entire agreement between the Parties regarding the Processing of Personal Data and supersedes all prior agreements relating to such subject matter.

15.6 Notices

All notices under this DPA shall be in writing and delivered by email or registered post to the addresses set out in the MSA. Notices by email are deemed received upon transmission; notices by post are deemed received five (5) business days after posting.

15.7 Third Party Rights

No person who is not a party to this DPA shall have any right to enforce any term, except that Data Subjects shall be third-party beneficiaries of Sections 4, 5, 6, and 9.

15.8 Contact Information

For questions or concerns regarding this DPA or data protection matters, please contact:

Big Decisions Data Protection Officer
Email: privacy@the297.com
Address: Calle Arroyo del Soto, 2, 28914 Leganés, Madrid

Last Updated: 20th October 2025