Data Processing Agreement (DPA)
Agreement on personal data processing under GDPR
1. Introduction and Parties
This Data Processing Agreement ("DPA") is entered into between:
Data Controller (Customer): The entity or person using Kallina AI services
Data Processor: MEGA PROMOTING S.R.L.
IDNO: 1019600021765
Address: mun. Chișinău, str. Alexandru cel Bun 51, of.51
Republic of Moldova
IT Park Moldova Resident
This DPA supplements the Terms of Service and defines the parties' obligations regarding the protection of personal data processed in the context of using Kallina AI services.
2. Definitions
For the purposes of this DPA:
"Personal Data" - any information relating to an identified or identifiable natural person (Art. 4(1) GDPR)
"Processing" - any operation performed on personal data (Art. 4(2) GDPR)
"Controller" - entity that determines purposes and means of processing (Art. 4(7) GDPR)
"Processor" - entity that processes data on behalf of the controller (Art. 4(8) GDPR)
"Sub-processor" - third party engaged by processor for processing
"Data Breach" - security incident affecting personal data
3. Subject Matter and Duration
Subject matter: Provision of Kallina AI Voice services, including:
Processing phone calls through AI receptionist
Transcription and analysis of conversations
Storage of recordings and transcriptions
Generation of reports and analytics
Duration: Processing continues for the duration of the service agreement and the retention period specified thereafter.
4. Types of Data and Data Subject Categories
Categories of personal data processed:
User identification data (name, email, phone)
Voice data (audio recordings of calls)
Text transcriptions of conversations
Call metadata (date, time, duration, caller number)
Platform usage data
Categories of data subjects:
Controller's employees and representatives
Controller's customers and potential customers
Callers (persons contacting the Controller by phone)
5. Processor Obligations
MEGA PROMOTING S.R.L., as processor, undertakes to:
Process only on instructions: Process personal data only based on Controller's documented instructions (Art. 28(3)(a) GDPR)
Confidentiality: Ensure authorized persons are bound by confidentiality (Art. 28(3)(b) GDPR)
Security: Implement technical and organizational measures per Art. 32 GDPR
Sub-processors: Not engage another processor without prior authorization
Assistance: Assist Controller in fulfilling data subject rights obligations
Deletion/Return: Delete or return all personal data at end of services
Audit: Make available all information for compliance demonstration
6. Technical and Organizational Measures
We implement the following security measures per Art. 32 GDPR:
Encryption: AES-256 at rest, TLS 1.3 in transit
Access Control: RBAC, mandatory MFA, least privilege principle
Availability: Geographic redundancy, daily backups, RTO
Monitoring: SIEM, intrusion detection, complete logging
Physical: Certified data centers (ISO 27001, SOC 2)
Organizational: Security policies, employee training, NDAs
7. Sub-processors
Controller grants general authorization for sub-processor engagement with:
30 days prior notice of any changes
Controller's right to object within 14 days
Equivalent contractual obligations for sub-processors
Processor remains liable for sub-processor actions
Complete list: /legal/subprocessors
8. International Transfers
Data transfers outside EEA only with appropriate safeguards:
Standard Contractual Clauses (SCC) - Decision (EU) 2021/914
Transfer Impact Assessments (TIA) - performed for each destination
Supplementary measures - encryption, pseudonymization, access controls
9. Breach Notification
In case of a personal data breach:
Processor notifies Controller within 48 hours of becoming aware
Notification includes all information required for authority notification (Art. 33(3) GDPR)
Processor assists Controller in investigating and remedying the incident
Processor documents all breaches in internal register
10. Data Subject Rights
Processor assists Controller in responding to data subject requests regarding access, rectification, erasure, restriction, portability, and objection rights. Requests received directly are forwarded to Controller within 5 business days.
11. Liability
Each party is liable for damages caused by processing that violates GDPR, per Art. 82 GDPR. Controller is liable for its own breaches; Processor is liable only for breaches of processor-specific obligations or actions outside Controller's lawful instructions.
12. Contact
For questions regarding this DPA:
MEGA PROMOTING S.R.L.
IDNO: 1019600021765
Email: contact@kallina.info
Phone: +373 61 066 888