Skip to content

Data Protection Addendum

Effective Date - November 2022

This Whispir Data Protection Addendum (“DPA”) forms part of all written agreements (“Agreement”) by and between the customer specified in an Application Form (as defined in the Terms of Service available at www.whispir.com/terms-of-service ("Terms")) or other document in which the Terms are referenced or attached (“Customer”) and the entity defined in the Terms as “Whispir” (“Whispir”).  Unless otherwise agreed in writing by the parties, this DPA is effective on the earlier of the date the Customer first accesses the Services following publication of this DPA on Whispir's website at www.whispir.com or the date of execution of this DPA(“DPA Effective Date”). By executing this DPA, or by executing an Application Form or other document to which this DPA is referenced or attached, Whispir and Customer agree that they are bound by and will comply with the terms of this DPA.

1. Defined Terms.  In this DPA, the following capitalized terms have the following meanings:

  • (i) “Affiliate” means an entity that controls, is controlled by or is under common control with Customer or Whispir (as applicable). For the purposes of this defined term “control” means ownership of more than fifty (50%) percent of the voting stock or other ownership interest in an entity. An Affiliate of Customer is a “Customer Affiliate” and an Affiliate of Whispir is an “Whispir Affiliate”.

  • (ii) “Applicable Data Protection Laws” means all laws relating to privacy and data protection and applicable to Processing of Customer Personal Information pursuant to the Agreement, including, where applicable, EU/UK Data Protection Law, each as amended, or superseded from time to time.

  • (iii) “Customer Personal Information” means the Personal Information submitted by, on behalf of or for Customer as Controller through use of the Services and described in Attachment 1.

  • (iv) “Controller” means the person or entity who or that that is responsible under Applicable Data Protection Laws for the Processing of Personal Data and who or that determines the purposes and means of Processing Personal Information under Applicable Data Protection Laws.

  • (v)“Data Subject” means a natural person to whom Customer Personal Information relates.

  • (vi) “EU/UK Data Protection Law” means (i) the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data and the implementing laws in the Member States ("EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 ("UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under or pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.

  • (vii) “Personal Information” has the meaning given to "personal information", "personal data" or any similar terms under Applicable Data Protection Laws, and includes any information relating to an identified or identifiable natural person (where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier).

  • (viii) “Personal Information Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of or access to Personal Information that requires notification to third parties pursuant to Applicable Data Protection Laws.

  • (ix) “Process” or “Processing” means any operation or set of operations performed on Personal Information, whether or not by automated means.

  • (x) “Personnel” means the employees, contractors, sub-contractors and agents of a party to the Agreement.

  • (xi) “Processor” means any person or entity who or that Processes (directly or indirectly) Customer Personal Information for or on behalf of Customer.

  • (xii) “Services” means the "Whispir Services" as defined in the Agreement or, if not defined, the products and/or services provided by Whispir to Customer.

  • (xiii) “Standard Contractual Clauses” means except as set forth in Section B of Attachment 3 (i) where the EU GDPR applies, the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"); (ii) where the UK GDPR applies, the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner under s.119A(1) of the UK Data Protection Act 2018 ("UK Addendum").

  • (xiv) “Sub-Processor” means a Processor that is engaged by Whispir to Process Customer Personal Information, which may include a Whispir Affiliate.

  • (xv) “Restricted Disclosure” means a disclosure of Customer Personal Information that is restricted by Applicable Data Protection Laws because the disclosure is made to a person or entity located in a jurisdiction with laws that do not require the same level of protection for Customer Personal Information as the jurisdiction from which the Customer Personal Information originates.

Any other capitalized term used but not defined in this DPA has the meaning given in the Agreement.

2. Description of Processing.  This DPA applies to Whispir’s Processing of Customer Personal Information pursuant to the Agreement.  The categories of Data Subjects, categories of Customer Personal Information, subject matter, nature, purposes, duration and locations of Processing and other Processing details are described in Attachment 1.

3. Processing of Customer Personal Information

a. Except as set forth in Section 3b,

  • i. Whispir acknowledges and agrees that Customer is the Controller of Customer Personal Information (or where Customer is acting on behalf of a third party Controller, a Processor) and Whispir is a Processor of Customer Personal Information (or where Customer is a Processor, a (sub)processor).

  • ii. Whispir agrees to Process Personal Information for the purposes set forth in the Agreement, as instructed by Customer in writing (which instructions, where Customer is a Processor, shall reflect the instructions of its Controller) and as required or permitted by applicable law (“Processing Instructions”). If applicable law requires Whispir to conduct Processing that is inconsistent with the Processing Instructions, then Whispir shall notify Customer prior to commencing the Processing, unless applicable law prohibits such notification. Whispir also shall notify Customer if Whispir believes that Processing Instructions violate Applicable Data Protection Laws.

  • iii. Customer hereby represents, on a continuous basis throughout the Term, that all Customer Personal Information provided or made available by Customer to Whispir for Processing in connection with the Agreement was collected by Customer and transmitted to Whispir in accordance with Applicable Data Protection Laws and Customer obtained all necessary consents, authorizations and licenses from and provided all necessary notifications to Data Subjects required under Applicable Data Protection Laws to enable Whispir to Process Customer Personal Information pursuant to the Agreement and to exercise its rights and fulfil its obligations under the Agreement.

  • iv. Whispir will not: (i) sell, rent, release, disclose, disseminate, make available, transfer or otherwise communicate Customer Personal Information to a third party for monetary or other valuable consideration; (ii) retain, use or disclose Customer Personal Information outside of the direct business relationship between Customer and Whispir; or (iii) share, rent, release, disclose, disseminate, make available, transfer or otherwise communicate orally, in writing or by electronic or other means, Customer Personal Information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. By execution of this DPA, Whispir certifies that it understands the specific restrictions contained in this sub-Section 3a.iv.

b. To the extent Whispir or a Whispir Affiliate Processes Customer Personal Information for Service Management, Customer hereby agrees that Whispir and each relevant Whispir Affiliate is a separate and independent Controller and such processing shall be in accordance with the Whispir Privacy Policy. In this DPA, “Service Management” means the processing of business contact information of Customer for the purpose of managing the customer relationship and fulfilment of the services including for billing and account management purposes.

c. The parties agree that Whispir may process anonymous and aggregated data for internal business purposes, including analytics and product improvements.

4. Confidentiality and Security Measures.

  • a. Whispir will impose confidentiality and non-disclosure obligations on all of its Personnel that Process Customer Personal Information and require that its Personnel comply with the relevant requirements of this DPA.

  • b. Whispir will implement and maintain reasonable and appropriate technical, physical and organizational security measures, including the measures set forth in Attachment 2 (collectively, “Technical and Organizational Security Measures”) to protect Customer Personal Information against unauthorized or unlawful Processing and to ensure a level of security appropriate to the risk. Customer agrees to promptly notify Whispir if Customer becomes aware of any actual or likely misuse of Customer’s accounts or account authentication credentials.

5. Personal Information Breaches.

  • a. Whispir will provide notification (“Personal Information Breach Notification”) to Customer without undue delay (and within no more than forty-eight (48) hours) after Whispir has a reasonable degree of certainty that a Personal Information Breach has occurred. Whispir shall deliver the Personal Information Breach Notification to the email address set forth in the Application Form or such other means as Whispir determines appropriate. Customer is responsible for ensuring that Whispir has Customer’s up-to-date contact information.

  • b. After delivering the Personal Information Breach Notification, Whispir will take all necessary steps to document, remediate and minimize the effects of the Personal Information Breach with respect to Customer Personal Information and to prevent recurrence. Customer is solely responsible for complying with its obligations under Applicable Data Protection Laws with respect to a Personal Information Breach but Whispir shall provide Customer timely assistance and cooperation as reasonably requested by Customer in order for Customer (or where Customer is a Processor, its Controller) to fulfil those obligations.

  • c. Customer understands and agrees that Whispir may make public or notify a third party of any Personal Information Breach as Whispir determines in its discretion is required by law or other binding obligation applicable to Whispir.

6. Sub-Processing.

  • a. The Sub-Processors and their respective Processing details as of the DPA Effective Date are available upon request (“Whispir Sub-Processor List”).

  • b. Customer hereby provides its general authorization to the Whispir Sub-Processor List and to the appointment of new or replacement Sub-Processors. At least fifteen (15) business days prior to any disclosure of Customer Personal Information to a new or replacement Sub-Processor, Whispir shall update Whispir Sub-Processor List to include the new or replacement Sub-Processor. Customer agrees that Whispir will provide notification of any change to the Whispir Sub-Processor List by email to the email address associated with Customer’s account (“Sub-Processor Notification”).

  • c. Customer may object in writing to a new or replacement Sub-Processor that Customer detects or reasonably suspects has violated Applicable Data Protection Laws or provides products or services to a direct competitor of Customer. If Customer objects to a Sub-Processor, Customer and Whispir will use good-faith efforts to agree on a replacement for the objected-to Sub-Processor. If the parties are unable to agree on the new or replacement Sub-Processor within fifteen (15) business days after the date of the applicable Sub-Processor Notification, Customer or Whispir may, upon written notice to the other party, terminate that part of the Agreement that relates to the Services provided by the objected-to Sub-Processor without penalty of any kind.

  • d. Prior to any disclosure of Customer Personal Information to a Sub-Processor, Whispir shall ensure that all Sub-Processors on the Whispir Sub-Processor List are contractually obligated to protect Customer Personal Information in compliance with Applicable Data Protection Laws and consistent with the obligations imposed on Whispir in this DPA.

  • e. Whispir is and will remain liable for the acts and omissions of its Sub-Processors to the same extent Whispir would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.

7. Cross-Border Transfers.  The parties agree that where there is a Restricted Disclosure, Attachment 3 shall apply as applicable. With respect to onward transfers, Whispir shall not participate in (nor permit any Sub-Processor to participate in) any other Restricted Disclosure (whether as an exporter or an importer) unless the Restricted Disclosure is made in full compliance with Applicable Data Protection Laws.

8. Cooperation.

  • a. Whispir will provide to Customer timely assistance and cooperation as reasonably requested by Customer (at Customer's reasonable cost) for Customer to demonstrate its compliance with Applicable Data Protection Laws, including data protection impact assessments and consultations with government authorities.

  • b. Unless prohibited by applicable law, Whispir will notify Customer when Whispir (who, where Customer is a Processor, shall in turn inform its Controller) receives a valid request, complaint, demand, legal process or order related to Customer Personal Information received from a Data Subject, government authority or other third party (“

    Request”).

  • c. Whispir represents that it has and will maintain appropriate measures to assist Customer in responding to Requests, including processes to authenticate, record, investigate and resolve Requests. Whispir will not respond to any such Request unless authorized to do so in writing by Customer or if Whispir believes a response is required by applicable law.

  • d. Whispir will use its reasonable efforts to limit disclosure of Customer Personal Information in response to a Request and to cooperate with Customer with respect to any action taken with respect to a Request, such as a Customer’s efforts to obtain a protective order.

  • e. Whispir will promptly notify Customer in writing if Whispir: (i) believes that it is unable to comply with its obligations under this DPA or Applicable Data Protection Laws or cannot comply within a reasonable timeframe; or (ii) becomes aware of any circumstance or change in applicable law that may prevent Whispir from complying with this DPA.

9. Audits.

  • a. Whispir makes available audit reports, documentation and other compliance information (“Documentation”) for its customers upon request.

  • b. If the Documentation does not meet the audit requirements for Processing of Customer Personal Information under Applicable Data Protection Laws, then Whispir will allow for and contribute to any audit or inspection relating to Whispir’ Processing of Customer Personal Information (each, an “Audit”), whether conducted by Customer or a qualified third party mandated by Customer. If an Audit reveals material non-compliance with this DPA or Applicable Data Protection Laws, then Whispir will undertake all reasonably necessary corrective actions in a timely manner, provide periodic written updates to Customer and notify Customer when corrective actions are complete. Customer shall pay Whispir’s reasonable costs for any assistance in connection with an Audit unless such costs are incurred due to Whispir’ breach of Applicable Data Protection Laws.

  • c. Unless otherwise required by a government authority, Customer will use best efforts to ensure that an Audit is conducted during normal business hours in a manner that will result in minimal disruption to Whispir’s business and that Customer’s third-party auditor is not a competitor of Whispir. Customer acknowledges and agrees that an Audit shall not oblige Whispir to provide or permit access to information concerning Whispir’ internal pricing information or relating to other recipients of products or services from Whispir shall be subject to Whispir’ reasonable policies, procedures or instructions for the purposes of preserving security and confidentiality. Customer acknowledges that an Audit involving Sub-Processors (other than Whispir Affiliates) is subject to the relevant agreement between Whispir and the Sub-Processor.

  • d. Prior to an Audit conducted by a third party on Customer’s behalf, Customer shall require that all of the third party’s personnel execute a confidentiality agreement with Whispir that requires the third party’s personnel to (i) use information accessed during the Audit solely for purposes of performing the Audit and (ii) handle that information in accordance with the same procedures that apply to Whispir’s handling of its own confidential information, including as described in any applicable provision of the Agreement.

10. Personal Information Return or Destruction.

  • a. Customer understands and agrees that the functionality of the Services allows Customer to download and access its Customer Personal Information, and if it wishes to delete any Customer Personal Information, it may do so by sending a request to Whispir at privacy@whispir.com.

  • b. After the end of the performance of its obligations under the Agreement, Whispir, when acting as a Processor and to the extent that Customer is unable to delete Customer Personal Information using the functionality of the Services, will permanently delete all Customer Personal Information in Whispir’s possession or control unless otherwise specified in the Agreement and, if Customer requests, provide a written certification upon completion of deletion.

  • c. If law applicable to Whispir, when acting as Processor, requires storage of Customer Personal Information in Whispir’s possession or control after Whispir has performed its obligations under the Agreement, Whispir will store Customer Personal Information in compliance with the relevant terms of this DPA until such time as Whispir can anonymize or destroy the Customer Personal Information.

  • d. Whispir, acting as a Controller pursuant to Section 3.b, may continue to Process Customer Personal Information after the end of the performance of its obligations under the Agreement provided that such Processing complies with Applicable Data Protection Law.

11. General Terms.

a. Order of Precedence. If a term of this DPA (including all addenda, annexes and attachments incorporated herein) and any term of the Agreement conflict, the terms of this DPA will prevail with respect to the Processing of Customer Personal Information.

If requirements set forth in Attachment 3 for a Restricted Disclosure apply in connection with any Restricted Disclosure and any term of this DPA conflict with requirements in Attachment 3, then the applicable requirements in Attachment 3 will prevail.

b. Survival. Notwithstanding any contrary provision of the Agreement, the obligations of Whispir under this DPA shall survive for as long as Whispir has access to Customer Personal Information, even if all agreements between Whispir and Customer are expired or terminated.

c. Additional Terms.

  • (i) This DPA will inure to the benefit of and will be binding upon Whispir and Customer and their respective successors and assigns. Customer may not assign or transfer any right or obligation under this DPA as a whole or in part without the prior written consent of Whispir.

  • (ii) The parties agree to treat the terms of this DPA as confidential information.

  • (iii) If any provision of this DPA is determined invalid or unenforceable by a court of competent jurisdiction, the remaining provisions will continue in full force.  In place of the invalid or unenforceable provision, a provision shall be deemed to be agreed which comes closest to the economic meaning and purpose of the invalid or unenforceable provision.

  • (iv) This DPA may be executed in any number of counterparts (including delivery via facsimile or electronic mail), all of which will be deemed to be an original but all of which together will constitute one and the same instrument.  Each party agrees that electronic signatures of the parties are intended to authenticate this writing and to have the same force and effect as manual signatures. Electronic signature means any electronic sound, symbol or process attached to or logically associated with a record and executed and adopted by a party with the intent to sign such record or, if different, as defined in Laws of the Governing Location.

  • (v) Except as amended hereby, the Agreement remains in full force and effect in accordance with its terms.

  • (vi) To the maximum extent permitted by applicable law, any claim arising from or related to this DPA is subject to the exclusions and limitations in the Agreement.

Attachment 1

PROCESSING DESCRIPTION

Last updated: DPA Effective Date

This Attachment 1 forms part of this DPA and describes the processing that Whispir as Processor (or subprocessor (as applicable)) will perform on behalf of Customer as Controller or, where acting on behalf of its Controller, as Processor.

A. LIST OF PARTIES

Data exporter(s): Customer (as defined in this DPA)

Data importer(s): Whispir (as defined in this DPA)

В. DESCRIPTION OF TRANSFER

Data Subjects

Customer determines in its sole discretion the Customer Personal Information relating to Data Subjects that is Processed via the Services.

Typically, the Personal Information made available by Customer in connection with the Services will relate to one of the following categories of Data Subjects:

(a) internal Customer users - that is, the Personnel and other representatives authorized by Customer to access and use the Services, including use of Whispir’s customer support services; and

(b) the Customer's end users - that is, Data Subjects that receive communications through Whispir's communications channels, including SMS, email, voice, social media, and push notifications through the Services from the Customer (such as the Customer's end customers) but who do not have a direct relationship with Whispir.

Categories of Personal Information

Customer determines the Customer Data it uploads and makes available to Whisipir in its sole discretion, including the categories of Customer Personal Information that is Processed via the Services, including but not limited to name, title, contact information (email, phone, physical business address) of Data Subjects authorized by Customer to access and use the Services, including use of Whispir’ customer support services.

Whispir's privacy policy outlines further details of the types of Personal Information that is Processed in connection with the Data Subject categories outlined above.

Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous.

Nature of the Processing

The nature of Processing of the Customer Personal Information is the performance of the Services pursuant to the Agreement.

Purpose(s) of Processing

Customer Personal Information is Processed by Whispir for the purpose of providing the products and services specified in the Agreement and otherwise performing the Agreement.

Location(s) of the Processing

Whispir will store the Customer Personal Information in the region / country specified in the Application Form (home region). Processing of Customer Personal Information occurs in the home region, as well as in Australia, Singapore and the Philippines. .

Duration of the Processing

The duration of the Processing is the term of the Agreement unless agreed in writing by the parties.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

As permitted by the Agreement. In particular, transfers to data hosting Sub-Processors for storage and remote data processing, credit card Sub-Processors for payment collections and telecommunications network access providers to facilitate communications such as email and SMS, and shall be for a nature and duration as permitted by the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority will be in accordance with clause 13 of SCCs.

Attachment 2

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

The following Technical and Organizational Security Measures apply to Customer Personal Information Processed by Whispir pursuant to the Agreement.

Description of TOM

Customer Minimum Requirement(s), if any

Measures of pseudonymisation and encryption of Personal Information

Whispir:

Stores Customer Personal Information (archives and disk and data system backups) using strong encryption techniques with a minimum of Advanced Encryption Standard with a 256-bit key size (AES-256);

Encrypts Customer Personal Information and Confidential Information prior to moving and/or using encrypted connections (HTTPS, TLS, FTPS, etc.) to protect the information in transit;

Does not use Customer Personal Information in development or test environments unless no alternative exists, in which case Customer Personal Information is anonymized.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Whispir implements and maintains a comprehensive written information security and compliance program that includes administrative, physical, and technical controls based on ongoing risk assessment (the “Information Security Program”). Whispir’ Information Security Program is aligned to recognized international security standards such as ISO 27001 and the National Institute of Standards and Technology (NIST).

Whispir conducts periodic risk assessments and reviews at least annually its Information Security Program or whenever a material change in Whispir’s business practices may affect the security, confidentiality or integrity of Customer Personal Information. Whispir adjust controls and revises its Information Security Program to address risks identified.

Whispir employ high-availability and redundant infrastructure which is designed to minimize associated risks and eliminate single points of failure. Whispir follows the approach of need plus one (N+1) for greater redundancy across all hardware layers of its infrastructure. This helps to ensures that a failure in a hardware-layer component does not affect Whispir’ critical infrastructure or Whispir customers.

Whispir stores Customer Personal Information though its own software-defined storage solution, using proprietary Whispir CloudRAID technology, which provides additional data redundancy.

Measures for ensuring the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident

Whispir implements appropriate back-up, disaster recovery and business resumption plans to enable recovery from events that impact Whispir’s ability to perform in accordance with the Agreement. These plans include defined criteria to determine if a system is critical to the operation of Whispir’s business and its prioritization for recovery. Whispir regularly (and no less than annually) tests these plans and makes changes as needed based on its risk assessments and testing to ensure that they are up to date and effective.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Whispir undertakes and documents network assessments, change logs and scan results.

Whispir performs at least annual penetration tests on Whispir’ systems and infrastructure and facilities in accordance with Whispir’ policies and industry best practices.

Whispir performs periodic scanning of operating systems, databases, server applications and network devices for vulnerability and configuration compliance.

Whispir reviews the security of applications processing Customer Personal Information including automated and manual testing for common vulnerabilities.

Whispir maintains a policy for its mobile devices containing Customer Personal Information that, at a minimum, enforces device encryption and prohibits use of blacklisted applications.

Measures for user identification and authorisation

Whispir has strict and granular access control, identification and lockout procedures.

Whispir has an established process to review user access to Customer Personal Information, including clearly defined user roles and procedures to approve and justify roles. Whispir enforces access and confidentiality restrictions through disciplinary measures.

Whispir has documented password management practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed; monitor repeated attempts to gain access to its information systems using an invalid password; deactivate authentication credentials upon notification that access is no longer needed (e.g. employee termination, project reassignment, etc.); deactivate passwords that are corrupted or inadvertently disclosed; ensure that de-activated or expired identifiers and/or passwords are not granted to other individuals; deactivate authentication credentials when not used; and ensure that where more than one individual has access to its systems containing Customer Personal Information, the individuals have unique identifiers/log-ins (i.e. no shared IDs).

Whispir enforces “least privilege” by restricting access to Customer Personal Information to those individuals who require access to perform their job functions and supporting segregation of duties between its environments so that no individual person has access to perform tasks that create a security conflict of interest (e.g. developer/ reviewer, developer/tester).

Measures for the protection of data during transmission

Whispir transmits Customer Personal Information using the following secure protocols and methods: SFTP, TLS, SSH, Site-to-Site VPN with IPSec.

Measures for the protection of data during storage

Whispir stores Customer Personal Information using strong encryption techniqueswith a minimum of Advanced Encryption Standard with a 256-bit key size (AES-256).

Whispir provides its Customers additional encryption capabilities to protect and restrict access to the data.

Measures for ensuring physical security of locations at which Personal Information are processed

Whispir maintains commercially-reasonable security systems and processes at all Whispir facilities at which information systems that use or store Customer Personal Information are located, such as allowing only authorized individuals to access its facilities.

Measures for ensuring events logging

Whispir maintains appropriate logs and records of processing of Customer Personal Information and records user activity and actions to Customer Personal Information.

Measures for ensuring system configuration, including default configuration

Whispir ensures that, for as long as Whispir holds Customer Personal Information, Whispir does not and will not purposefully create any process (e.g. “back doors” or similar programming) that does or could permit or facilitate unauthorized access to Customer Personal Information.

Whispir does not use software or hardware that is past its ‘End of Life’ in connection with the Services without a mutually agreed risk management process.

Measures for internal IT and IT security governance and management

Whispir identifies dedicated security officer who is responsible for coordinating and monitoring the Information Security Program.

Whispir incorporates (and ensures its sub-contractors incorporate) security-by-design principles in software development.

Whispir has a risk management program in place to identify, assess and take appropriate actions with respect to risks related to the processing of Customer Personal Information in connection with the Agreement.

Whispir promptly take actions to mitigate any actual or potential harm caused by a unauthorized or unlawful Processing of Customer Personal Information.

Whispir maintains (and requires Sub-Processors and sub-contractors each maintain) a record of actual and suspected security incidents (including Personal Information Breaches), which contains at least a description of the incident, the time period, the consequences of the incident, the name of the reporter and to whom the incident was reported, and the process for recovering data, and otherwise complies with the requirements of the Agreement.

Measures for certification/assurance of processes and products

If Customer requests, Whispir provides to Customer no less than annually valid ISO 27001 or SOC 2 reports and those of its Sub-Processors, if available, provided Whispir has the necessary rights and consents from the Sub-Processor to disclose such reports to Customer.

If Whispir or a Sub-Processor does not have a valid ISO 27001 or SOC 2 report, Whispir provides to Customer documentation that demonstrates that Whispir or the applicable Sub-Processors conform to an industry-recognized cybersecurity framework.

Measures for ensuring data minimisation

Whispir limits access to Customer Personal Information in its systems to only that data minimally necessary to perform the services.

Whispir conducts data protection impact assessments to ensure that the Customer Personal Information collected by or on behalf of Customer is limited to what is necessary in relation to the purposes for Processing. Whispir’ data minimization measures are accompanied by technical measures to ensure that Customer Personal Information is not subject to unauthorized access.

Whispir conducts regular audits and strong disciplinary measures to monitor and enforce compliance with the data minimization measures, including for cross-border transfers.

Measures for ensuring data quality

Whispir uses up-to-date security controls to protect against SQL injection, cross-site scripting, unauthorized resource access, remote file inclusion, and other Open Web Application Security (OWASP) threats.

Whispir system interfaces go through input validation testing which prevents improperly formed data from entering an information system.

Measures for ensuring accountability

Whispir compiles and maintains all Processing Instructions and ensures that they are accessible to all Personnel, including Sub-Processors.

Whispir trains its personnel about privacy and security principles, policies and procedures and their respective roles and possible consequences of breaching the principles, policies and procedures and applicable laws. Whispir maintains records of training attendance.

Measures for allowing for data portability, processing restrictions, erasure and consent

Whispir maintains commercially reasonable and documented procedures for complying with Data Subjects’ exercise of their privacy rights, including ensuring that privacy rights requests are timely and effectively addressed.

Whispir maintains records of the date and time of requests, involvement of Sub-Processors (if applicable), Whispir’ response to the request (whether requests are denied) and evidence of when Customer was informed and Customer’s review and approval.

Whispir posts the complete and current Whispir Privacy Statement as appropriate when Whispir collects Customer Personal information from Data Subjects.

Attachment 3

ADDITIONAL TERMS APPLICABLE TO RESTRICTED DISCLOSURES

Whispir agrees to the following contractual clauses and other requirements with respect to Restricted Disclosures. By executing this DPA, or by executing an Application Form or other document to which this DPA is referenced or attached, Customer shall be deemed to have signed and accepted the relevant contractual terms set forth below which are incorporated into this DPA and the Agreement.

A. FOR RESTRICTED DISCLOSURES SUBJECT TO EU GDPR

When Customer or a Customer Affiliate as a Controller (“data exporter”) makes a Restricted Disclosure of Customer Personal Information subject to EU GDPR to Whispir or a Whispir Affiliate as a Processor (each, a “data importer”) who or that is located in a non-EEA jurisdiction which is not covered by an adequacy decision by the EU Commission , then such disclosure shall be subject to the EU SCCs (Module 2 – Controller to Processor) as completed below.

When Customer or a Customer Affiliate as a Processor (“data exporter”) makes a Restricted Transfer of Customer Personal Information subject to EU GDPR to Whispir or an Whispir Affiliate as a Processor (each, a “data importer”) who or that is located in a non-EEA jurisdiction which is not covered by an adequacy decision by the EU Commission, then such disclosure shall be subject to the EU SCCs (Module 3 – Processor to Processor) as completed below.

The parties agree to complete the EU SCCs as follows:

1) Clause 7 (Docking Clause) of the EU SCCs (Module Two and Module Three) does not apply.

2) Before disclosing a copy of the EU SCCs (Module Two and Module Three) per Clause 8.3, the disclosing party must use commercially-reasonable efforts to redact all commercial terms but will provide a meaningful summary if the data subject would otherwise not be able to understand the content or exercise his/her rights as a result of the redaction.

3) Per Clause 9(a) of the EU SCCs (Module Two and Module Three), the data exporter hereby provides a general authorization (Option 2) for the Processing of Customer Personal Information as set forth in the Addendum. The data importer shall specifically inform the data exporter in writing of any intended change to Sub-Processors as set forth in the Addendum.

4) The optional provision in Clause 11(a) (Redress) of the EU SCCs (Module Two and Module Three) does not apply.

5) The parties choose Option 1 of Clause 17 of the EU SCCs (Module Two and Module Three), and agree that the law of the EU Member State in which the data exporter is established will govern and per Clause 18(b) disputes arising under the EU SCCs (Module Two and Module Three)shall be resolved in the courts of the same EU Member State.

6) Attachment 2 to this Addendum shall serve as ANNEX II to the EU SCCs (Module Two and Module Three).

7) The Whispir Sub-Processor List described in Section 6a of the Addendum shall serve as the list of Sub-Processors for ANNEX III to the EU SCCs (Module Two and Module Three).

8) Attachment 1 to this Addendum includes the description of Processing for ANNEX 1 and ANNEX III to the EU SCCs(Module Two and Module Three).

9) Nothing in the EU SCCs shall make data importer responsible for the implementation and maintenance of any security controls relating to the equipment or information systems of data exporter. All such controls shall be the responsibility of data exporter except as otherwise expressly agreed in the Agreement.

10) All audits by data exporter specified in the EU SCCs (Module Two and Module Three) shall be carried out in accordance with the terms of the Addendum unless otherwise expressly required by Data Protection Laws.

11) Any limitations of liability, including limitations on indemnities, set forth in the Agreement apply with respect to liability arising under the EU SCCs.

B. FOR RESTRICTED DISCLOSURES OF CUSTOMER PERSONAL INFORMATION SUBJECT TO THE PRIVACY LAWS OF ARGENTINA

For a Restricted Disclosure subject to the Applicable Data Protection Laws of Argentina, Customer and Whispir hereby agree to the model contract set forth in the Annexes to Regulation No. 60-E/2016.

Jurisdictions considered to provide an adequate level of data protection under the Applicable Data Protection Laws of Argentina are set forth at http://servicios.infoleg.gob.ar/infolegInternet/anexos/265000-269999/267922/norma.ht and include the EU Member States and members of the European Economic Area, Switzerland, Guernsey, Jersey, the Isle of Man, the Faroe Islands, Canada (only for the private sector), the Principality of Andorra, New Zealand, the Republic of Uruguay, the State of Israel (only for data that is automated processing), and the United Kingdom of Great Britain and Northern Ireland. An international transfer of personal information to any other jurisdiction requires use of the model contract set forth in the Annexes to Regulation No. 60-E/2016.

C. FOR RESTRICTED DISCLOSURES OF CUSTOMER PERSONAL INFORMATION SUBJECT TO THE PRIVACY LAWS OF SWITZERLAND

For Restricted Disclosures subject exclusively to the Applicable Data Protection Laws of Switzerland (“Swiss Data Protection Law”), the standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner shall apply as follows: (i) The EU SCCs, completed as set out above at Section A shall apply to transfers of personal data subject to the modifications and amendments prescribed by the Swiss Federal Data Protection and Information Commissioner.

D. FOR RESTRICTED DISCLOSURES OF CUSTOMER PERSONAL INFORMATION SUBJECT TO THE PRIVACY LAWS OF UNITED KINGDOM

When Customer or a Customer Affiliate as a Controller (or Processor, as applicable) (“data exporter”) makes a Restricted Disclosure of Customer Personal Information subject to UK GDPR to Whispir or a Whispir Affiliate as a Processor (each, a “data importer”) who or that is located outside the UK in a country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018, then such disclosure shall be subject to the UK Addendum and will apply completed as follows:

1) The EU SCCs, completed as set out above in Section A, shall also apply to transfers of such Personal Data subject to sub-paragraph 2 below;

2) Tables 1 to 3 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs, completed as set out above in Section A, and the options "neither party" shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this DPA).