Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between you and WorkDial Pvt Ltd, an Indian private limited company for the WorkDial service (the "Agreement") and applies where we process personal data on your behalf. Where this DPA conflicts with the rest of the Agreement on the processing of personal data, this DPA governs.

Terms such as "personal data", "processing", "controller", "processor", "sub-processor", and "data subject" have the meanings given in applicable data protection law, including the GDPR and UK GDPR where they apply. "Customer Personal Data" means personal data we process on your behalf under the Agreement.

For Customer Personal Data, you are the controller (or a processor acting for your own controller) and WorkDial is the processor. Each party complies with the obligations that apply to it under data protection law.

We process Customer Personal Data to provide the Service: to place and record calls, deliver WhatsApp voice where you enable it, and generate AI transcripts, sentiment, and summaries, writing the results into your Salesforce org. Processing continues for the term of the Agreement. The categories of data and data subjects are set out in Annex 1.

We process Customer Personal Data only to provide the Service and only on your documented instructions, including those in the Agreement and this DPA, unless the law requires otherwise (in which case we tell you, unless that law forbids it). We do not sell Customer Personal Data and do not use the content of your calls to train third-party AI models.

We ensure that personnel authorised to process Customer Personal Data are bound by confidentiality and access it only as needed. We maintain the technical and organisational measures set out in Annex 2.

Storage: your Salesforce org and your own Twilio

Your records, transcripts, and sentiment reside inside your Salesforce organisation as native objects throughout the term; call recordings reside in your own Twilio account or your own connected storage. WorkDial maintains no external database of your calls, recordings, transcripts, or sentiment. You control access, retention, and deletion through Salesforce and your own Twilio.

Processing: transient, written back

AI call analysis is transient: call audio and text are processed to produce a transcript, sentiment, and summary, which are written straight back into your Salesforce. WorkDial does not retain the audio or text after processing.

Telephony and bring-your-own-AI-key

Telephony runs on your own Twilio account, which carries the call and stores none of it. By default, AI analysis is processed by our AI provider (a sub-processor named in Annex 3). If you bring your own AI API key (BYOAK), analysis is processed by your own provider, which is then your vendor and not a WorkDial sub-processor.

You give general authorisation for us to engage sub-processors to process Customer Personal Data for the features you enable. We impose data protection obligations on each that are no less protective than this DPA, and we remain responsible for their performance.

Our current sub-processors are listed in Annex 3, incorporated into this DPA by reference. We give at least 30 days' notice before adding or replacing a sub-processor, and you may object on reasonable data protection grounds during that window. Your own Twilio account is your vendor, and Salesforce is not a WorkDial sub-processor because Customer Personal Data already resides in your org.

WorkDial is established in India. Where we transfer Customer Personal Data to a country without an adequacy decision, we put in place an appropriate transfer mechanism. The Standard Contractual Clauses (Module 2, controller-to-processor, and Module 3, processor-to-processor) are incorporated by reference for EEA transfers, and the UK International Data Transfer Addendum for UK transfers. Where they conflict with this DPA on transfer matters, the Clauses prevail.

We notify you without undue delay, and in any event within 72 hours where technically feasible, after becoming aware of a personal-data breach affecting Customer Personal Data, and provide the information you reasonably need to meet your own notification obligations.

We make available the information reasonably necessary to demonstrate compliance with this DPA and allow for audits, subject to reasonable notice, confidentiality, and frequency limits. Because Customer Personal Data resides in your own Salesforce org, much of the audit surface is already under your direct control.

Customer Personal Data resides in your Salesforce org throughout the term, so you can delete or export it directly at any time, and it stays with you when the Agreement ends. WorkDial retains no external copy to return or delete, beyond ceasing the transient processing described above. Transient processing data is not retained after processing completes.

Taking into account the nature of the processing, we assist you with appropriate measures to respond to data-subject requests. If we receive such a request directly, we forward it to you and do not respond ourselves except on your instruction or as required by law.

Each party's liability under this DPA is subject to the limitations of liability in the Agreement. This DPA is governed by the same law as the Agreement (India), except that the Standard Contractual Clauses are governed by their own stated law for transfer matters.

This DPA, together with the Agreement, is the entire agreement on the processing of Customer Personal Data and prevails over any conflicting term in the Agreement on that subject. We may update it to reflect changes in law or the Service, provided protection is not materially reduced.

Questions about this DPA, or to request a counter-signed copy, email legal@workdial.io.

Controller and processor

You are the controller (or a processor for your own controller). WorkDial is the processor.

Data subjects

(a) the people your team calls or messages through WorkDial; and (b) your own personnel who use the WorkDial package inside your Salesforce org.

Categories of personal data

• Contact identifiers (such as a phone number or name) of the people on a call
• Call content: recordings, transcripts, sentiment, and summaries
• Account and access data: names and work emails of your personnel

Purpose and duration

To provide the Service (calling, WhatsApp voice, and AI call analysis), for the term of the Agreement and thereafter only as the law requires.

Storage and encryption

• Customer Personal Data is stored as native Salesforce objects (Call__c, Recording__c, Transcript__c, Sentiment__c) inside your own org, encrypted inherited from Salesforce, in transit and at rest by Salesforce
• Transient AI processing uses TLS 1.2 or higher in transit, on Amazon Web Services (US East, us-east-2), with no persistent customer-data store

Access control and audit

• Access to the native records is governed by your Salesforce sharing rules, permission sets, and field-level security
• Audit runs through Salesforce field history plus login and event monitoring on the native records
• Least-privilege access for WorkDial personnel, with multi-factor authentication on internal systems

Incident response and sub-processor controls

WorkDial maintains an incident response process and notifies confirmed breaches as set out above. Each sub-processor is assessed before engagement and contracted under data protection obligations no less protective than this DPA.

We currently engage the 2 sub-processors below to process Customer Personal Data for the features you enable. Your own Twilio account is your vendor, not a sub-processor, and Salesforce is not a sub-processor.