Data Processing Agreement (DPA)

Parties to this Agreement

This Data Processing Agreement ("DPA") is entered into by and between:

DATA CONTROLLER ("Controller" or "Customer"):

The entity identified in the subscription agreement or Terms of Use that determines the purposes and means of processing Personal Data through the Rexpt Platform.

DATA PROCESSOR ("Processor" or "Rexpt"):

Rexpt Corp., a Delaware corporation with registered offices at c/o Gust Delaware, Inc., 16192 Coastal Highway, Lewes, Delaware 19958, Sussex County, United States.

Controller and Processor are each referred to as a "Party" and collectively as the "Parties."

This DPA is incorporated into and forms part of the Terms of Use or other master agreement (the "Principal Agreement") between Controller and Processor for the provision of Voice AI platform services (the "Services").

1. Definitions

In this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meanings given to them in the Principal Agreement.

"Applicable Data Protection Law"

means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to: (a) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"); (c) the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"); and (d) any other applicable privacy or data protection laws.

"Controller"

means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

"Data Subject"

means an identified or identifiable natural person whose Personal Data is Processed.

"Data Subject Request"

means a request from a Data Subject to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, or objection.

"EEA"

means the European Economic Area, comprising the member states of the European Union plus Iceland, Liechtenstein, and Norway.

"Personal Data"

means any information relating to an identified or identifiable natural person that is Processed by Processor on behalf of Controller in connection with the Services.

"Personal Data Breach"

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

"Processing" or "Process"

means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Processor"

means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.

"Standard Contractual Clauses" or "SCCs"

means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, as amended or replaced from time to time.

"Sub-processor"

means any third party engaged by Processor to Process Personal Data on behalf of Controller.

"Supervisory Authority"

means an independent public authority established by a member state pursuant to Article 51 of the GDPR, or any equivalent regulatory authority under Applicable Data Protection Law.

"Technical and Organizational Measures"

means the security measures implemented by Processor to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage.

2. Scope and Roles

2.1 Scope of Processing

This DPA applies to the Processing of Personal Data by Processor on behalf of Controller in connection with the provision of the Services under the Principal Agreement.

2.2 Roles of the Parties

The Parties acknowledge and agree that:

Controller is the Data Controller with respect to Personal Data Processed under this DPA
Processor is the Data Processor acting on behalf of Controller
Processor shall Process Personal Data only on documented instructions from Controller, unless required to do so by applicable law

2.3 Controller Responsibilities

Controller is responsible for:

Ensuring it has a lawful basis for Processing Personal Data and transferring it to Processor
Providing all necessary notices and obtaining all necessary consents from Data Subjects
Ensuring the accuracy of Personal Data provided to Processor
Complying with all Applicable Data Protection Laws in its use of the Services
Responding to Data Subject Requests (with Processor's assistance as required)

2.4 Details of Processing

The details of the Processing activities are set forth in Schedule 1 (Details of Processing) attached to this DPA.

3. Processor Obligations

3.1 Compliance with Instructions

Processor shall:

Process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country, unless required to Process by applicable law (in which case Processor shall inform Controller of that legal requirement before Processing, unless prohibited by law)
Immediately inform Controller if, in Processor's opinion, an instruction infringes Applicable Data Protection Law

3.2 Confidentiality

Processor shall:

Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
Not disclose Personal Data to any third party except as permitted by this DPA or with Controller's prior written consent

3.3 Security Measures

Processor shall implement and maintain appropriate Technical and Organizational Measures to protect Personal Data, including:

Encryption of Personal Data in transit using TLS 1.3 or equivalent
Encryption of Personal Data at rest using AES-256 or equivalent
Access controls ensuring only authorized personnel can access Personal Data
Regular testing and evaluation of the effectiveness of security measures
Measures to ensure ongoing confidentiality, integrity, availability, and resilience of Processing systems

4. Personal Data Breach

4.1 Breach Notification

Processor shall notify Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data.

4.2 Breach Information

The notification shall include, to the extent known:

A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned
The name and contact details of Processor's data protection contact
A description of the likely consequences of the Personal Data Breach
A description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate possible adverse effects

4.3 Ongoing Obligations

Processor shall:

Cooperate with Controller in investigating and remediating the Personal Data Breach
Take reasonable steps to mitigate the effects and minimize any damage
Provide additional information as it becomes available
Not notify any Supervisory Authority or Data Subject on behalf of Controller unless expressly authorized in writing

4.4 Documentation

Processor shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, and make such documentation available to Controller upon request.

5. International Data Transfers

5.1 Transfer Restrictions

Processor shall not transfer Personal Data to a country outside the EEA or the UK unless:

The transfer is to a country deemed by the European Commission or UK Government (as applicable) to provide an adequate level of data protection
Appropriate safeguards are in place, such as Standard Contractual Clauses, Binding Corporate Rules, or an approved certification mechanism
A derogation under Article 49 of the GDPR applies

5.2 Standard Contractual Clauses

To the extent that Processing involves transfers of Personal Data from the EEA or UK to countries not recognized as providing adequate protection, the Parties agree that the Standard Contractual Clauses shall apply as follows:

For transfers from the EEA: The EU SCCs (Commission Implementing Decision (EU) 2021/914) shall apply, with Processor as "data importer" and Controller as "data exporter," Module Two (Controller to Processor)
For transfers from the UK: The UK International Data Transfer Addendum to the EU SCCs shall apply
The details required by the SCCs are set forth in Schedule 4 (International Transfer Mechanisms)

5.3 Additional Safeguards

Processor shall implement supplementary measures as necessary to ensure that the level of protection of Personal Data is not undermined by the transfer, including:

Technical measures such as encryption and pseudonymization
Organizational measures such as access controls and confidentiality obligations

6. Audits and Inspections

6.1 Audit Rights

Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law, and allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller.

6.2 Audit Procedures

Audits shall be subject to the following conditions:

Controller shall provide at least thirty (30) days' prior written notice of any audit
Audits shall be conducted during Processor's normal business hours
Audits shall not unreasonably interfere with Processor's business operations
Audits shall be limited to once per twelve (12) month period, unless required by a Supervisory Authority or following a Personal Data Breach
Controller shall bear all costs associated with the audit, including Processor's reasonable costs for staff time and resources
Auditors must execute a confidentiality agreement acceptable to Processor

6.3 Third-Party Certifications

Processor may satisfy audit requirements by providing:

SOC 2 Type II reports or equivalent third-party audit reports
ISO 27001 certification or equivalent
Results of third-party penetration tests (summary form)
Completed security questionnaires

Controller agrees to accept such documentation in lieu of an on-site audit where it reasonably addresses Controller's audit requirements.

7. Data Retention and Deletion

7.1 Retention Period

Processor shall retain Personal Data only for as long as necessary to provide the Services and fulfill its obligations under the Principal Agreement, unless a longer retention period is required by applicable law.

7.2 Retention Schedule

The standard retention periods for Personal Data are:

Call recordings: Ninety (90) days from call date
Call transcripts: Ninety (90) days from call date
Call metadata: Duration of the subscription plus ninety (90) days
Account data: Duration of the subscription plus thirty (30) days

7.3 Deletion Upon Termination

Upon termination or expiration of the Principal Agreement, Processor shall, at Controller's election:

Return all Personal Data to Controller in a commonly used, machine-readable format; and/or
Delete all Personal Data and certify such deletion in writing

Controller must make its election within thirty (30) days of termination. If no election is made, Processor shall delete the Personal Data.

7.4 Exceptions to Deletion

Processor may retain Personal Data to the extent required by applicable law, provided that:

Processor informs Controller of the legal requirement (unless prohibited)

8. General Terms

8.1 Term

This DPA shall remain in effect for the duration of the Principal Agreement and for as long as Processor Processes Personal Data on behalf of Controller.

8.2 Precedence

In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the Processing of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

8.3 Liability

Each Party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Principal Agreement, except that such limitations shall not apply to:

Fines, penalties, or sanctions imposed by a Supervisory Authority directly attributable to a Party's breach of this DPA
A Party's willful misconduct or gross negligence
Claims by Data Subjects to the extent such limitation is prohibited by Applicable Data Protection Law

8.4 Indemnification

Each Party shall indemnify and hold harmless the other Party from and against any losses, damages, liabilities, costs, and expenses (including reasonable legal fees) arising from:

The indemnifying Party's breach of this DPA
The indemnifying Party's violation of Applicable Data Protection Law
Any claim by a Data Subject or Supervisory Authority resulting from the indemnifying Party's acts or omissions

8.5 Governing Law

Schedule 1: Details of Processing

Subject Matter

The provision of Voice AI platform services, including AI-powered telephone call handling, call recording, transcription, appointment booking, and related services.

Duration

For the duration of the Principal Agreement, plus any retention period required for data deletion.

Nature and Purpose

Receiving and handling inbound telephone calls via AI Agent
Recording and storing telephone conversations
Transcribing telephone conversations
Generating AI summaries and analysis of calls
Processing appointment booking requests
Sending SMS and email communications on behalf of Controller
Integrating with Controller's third-party services (calendars, CRM, etc.)
Providing analytics and reporting
Maintaining and improving the Services

Categories of Data Subjects

End Users: Individuals who call Controller's AI Agent (callers)
Controller's customers and prospective customers
Controller's employees and authorized users
Any individuals whose information is included in Controller's Knowledge Base

Categories of Personal Data

Contact information: Name, phone number, email address
Voice data: Call recordings, voiceprints

Acceptance

This Data Processing Agreement is incorporated into and forms part of the Terms of Use or other master agreement between Controller and Processor.

By using the Rexpt Platform, Controller agrees to be bound by this DPA. For customers requiring a signed copy of this DPA, please contact legal@rxpt.us.

Ability to restore availability and access to Personal Data in a timely manner following an incident

The Technical and Organizational Measures are further detailed in Schedule 2 (Security Measures) attached to this DPA.

3.4 Sub-processing

Controller provides general authorization for Processor to engage Sub-processors, subject to the following conditions:

Processor shall maintain a list of Sub-processors (set forth in Schedule 3)
Processor shall notify Controller of any intended changes to Sub-processors by updating Schedule 3 and providing at least thirty (30) days' notice before engaging a new Sub-processor
Controller may object to a new Sub-processor by providing written notice within fourteen (14) days of receiving notification. If Controller objects, the Parties shall discuss the concern in good faith. If no resolution is reached, Controller may terminate the affected Services without penalty
Processor shall ensure that Sub-processors are bound by data protection obligations no less protective than those in this DPA
Processor remains fully liable to Controller for the performance of Sub-processors' obligations

3.5 Assistance to Controller

Taking into account the nature of Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as possible, with:

Responding to Data Subject Requests within ten (10) business days of receiving Controller's request for assistance
Ensuring compliance with Controller's obligations regarding security, breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities

3.6 Data Subject Requests

If Processor receives a Data Subject Request directly, Processor shall:

Promptly notify Controller within five (5) business days
Not respond to the request directly unless authorized by Controller or required by applicable law
Provide reasonable assistance to Controller in responding to the request

Contractual measures with Sub-processors

5.4 Transfer Impact Assessment

Upon Controller's request, Processor shall provide information necessary for Controller to conduct a transfer impact assessment, including information about the laws and practices of the destination country that may affect the protection of Personal Data

6.4 Supervisory Authority Audits

If a Supervisory Authority requires an audit of Processor's Processing activities, Processor shall cooperate with such audit to the extent required by law, and Controller shall be entitled to participate to the extent the audit relates to Controller's Personal Data.

Processor limits the Processing to that required by law

Processor maintains confidentiality of the retained data

Processor deletes the data as soon as the legal obligation expires

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, except that:

For Personal Data subject to the GDPR, the governing law for data protection matters shall be the law of the EEA member state where Controller is established
For Personal Data subject to the UK GDPR, the governing law for data protection matters shall be the laws of England and Wales

8.6 Amendments

This DPA may be amended by Processor to reflect changes in Applicable Data Protection Law. Processor shall provide Controller with at least thirty (30) days' notice of material amendments. Controller's continued use of the Services after the notice period constitutes acceptance of the amended DPA.

8.7 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.

8.8 Entire Agreement

This DPA, together with the Principal Agreement and any Schedules attached hereto, constitutes the entire agreement between the Parties with respect to the Processing of Personal Data and supersedes all prior agreements and understandings.

Communication content: Transcripts, messages, inquiries

Appointment data: Scheduled times, service requests

Location data: Address, general geographic location

Device data: Caller ID, device type

Usage data: Call duration, call outcomes, interaction history

Any additional Personal Data provided by Controller in the Knowledge Base

Special Categories of Data

The Services are not intended for Processing special categories of Personal Data (sensitive data). However, such data may incidentally be captured in call recordings if disclosed by callers. Controller is responsible for implementing appropriate safeguards if special categories of data may be Processed.

Controller's Instructions

Process Personal Data only as necessary to provide the Services
Store Personal Data in accordance with the retention periods specified
Delete Personal Data upon Controller's request or upon termination
Implement the security measures specified in Schedule 2
Transfer Personal Data only in accordance with Section 5 of this DPA

Schedule 2: Technical and Organizational Security Measures

Access Control

Role-based access control (RBAC) for all systems
Unique user accounts with strong password requirements
Multi-factor authentication for administrative access
Principle of least privilege applied to all access rights
Regular access reviews and prompt deprovisioning
Maximum three (3) concurrent sessions per user account

Encryption

TLS 1.3 encryption for all data in transit
AES-256 encryption for all data at rest
Encryption key management using cloud provider key management services
Encrypted backups with separate key storage

Network Security

Firewall protection with default-deny rules
Intrusion detection and prevention systems
DDoS protection via cloud provider services
Network segmentation between production and development environments
VPN required for administrative access

Application Security

Secure software development lifecycle (SDLC)
Regular security code reviews
Input validation and output encoding
Protection against common vulnerabilities (OWASP Top 10)
Regular penetration testing by qualified third parties

Infrastructure Security

Cloud hosting with SOC 2 Type II certified providers
Automatic security patching and updates
Container isolation for application workloads
Immutable infrastructure deployments

Data Protection

Data classification and handling procedures
Automated data retention and deletion
Secure data disposal procedures
Backup and recovery procedures tested regularly

Physical Security

Data centers with physical access controls
24/7 security monitoring
Environmental controls (fire suppression, climate control)
Redundant power and connectivity

Organizational Measures

Information security policies and procedures
Employee background checks
Security awareness training for all employees
Confidentiality agreements for all personnel
Incident response plan and team

Business Continuity

Disaster recovery plan tested annually
Geographic redundancy for critical systems
Recovery time objective (RTO): Four (4) hours
Recovery point objective (RPO): One (1) hour

Monitoring and Logging

Centralized logging of security events
Real-time alerting for security incidents
Log retention for at least twelve (12) months
Regular log reviews and analysis

Schedule 3: Authorized Sub-processors

The following Sub-processors are authorized to Process Personal Data on behalf of Processor:

Cloud Infrastructure Providers

Sub-processor	Purpose	Location
Google Cloud Platform (GCP)	Cloud hosting, storage, database	USA
Amazon Web Services (AWS)	Cloud hosting, storage	USA
Microsoft Azure	Cloud hosting	USA

Telephony and Communications

Sub-processor	Purpose	Location
Telnyx	Telephony, phone numbers, SMS	USA
Twilio	Backup SMS gateway	USA
SendGrid	Email delivery services	USA

Business Services

Sub-processor	Purpose	Location
Stripe	Payment processing	USA
Google (Maps/Places API)	Business data extraction	USA

Analytics and Monitoring

Sub-processor	Purpose	Location
Mixpanel	Product analytics	USA
Google Analytics	Website analytics	USA

AI and Voice Processing Services

Rexpt engages proprietary AI voice processing providers and AI language model providers to deliver core platform functionality, including voice synthesis, speech recognition, natural language processing, and AI-powered conversation handling.

These providers process voice data, call recordings, and transcripts to enable the AI Agent functionality of the Platform. All such providers are bound by data protection obligations consistent with this DPA and maintain appropriate security certifications.

Complete Sub-processor List

A complete and detailed list of all Sub-processors, including AI and voice processing providers, is available upon written request for customers with legitimate due diligence requirements. To request the complete Sub-processor list, please contact:

Email: legal@rxpt.us

Subject: Sub-processor List Request

Please include your company name, the name of the authorized requestor, and a brief description of your due diligence requirements.

Sub-processor list last updated: January 19, 2026

Controller may object to the addition of new Sub-processors by providing written notice to legal@rxpt.us within fourteen (14) days of receiving notification of the change.

Schedule 4: International Data Transfer Mechanisms

Transfer Mechanisms

For transfers of Personal Data from the EEA or UK to countries not recognized as providing adequate protection (including the United States), the following mechanisms apply:

1.1 EU Standard Contractual Clauses

The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and shall apply to transfers from the EEA, with the following specifications:

Module: Module Two (Controller to Processor)
Clause 7 (Docking clause): Not applicable
Clause 9 (Use of sub-processors): Option 2 (General written authorization)
Clause 11 (Redress): Optional language not included
Clause 17 (Governing law): Laws of Ireland
Clause 18 (Choice of forum): Courts of Ireland

1.2 UK International Data Transfer Addendum

For transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs (issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018) shall apply in addition to the EU SCCs.

2. Annex I to Standard Contractual Clauses

2.1 List of Parties

Data Exporter:

The Customer identified in the Principal Agreement (Controller)

Address: As specified in the Principal Agreement

Contact: As specified in the Principal Agreement

Role: Controller

Data Importer:

Rexpt Corp.

Address: c/o Gust Delaware, Inc., 16192 Coastal Highway, Lewes, Delaware 19958, USA

Contact: legal@rxpt.us

Role: Processor

2.2 Description of Transfer

The details of the transfer are as described in Schedule 1 (Details of Processing) of this DPA.

2.3 Competent Supervisory Authority

The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs, being the supervisory authority of the EEA member state where the data exporter is established, or for UK transfers, the UK Information Commissioner's Office (ICO).

3. Annex II to Standard Contractual Clauses

Technical and Organizational Security Measures: As described in Schedule 2 (Security Measures) of this DPA.

4. Annex III to Standard Contractual Clauses

List of Sub-processors: As described in Schedule 3 (Authorized Sub-processors) of this DPA.

5. Supplementary Measures

Processor implements the following supplementary measures to ensure adequate protection of Personal Data transferred internationally:

End-to-end encryption of Personal Data in transit and at rest
Strict access controls limiting access to Personal Data to authorized personnel only
Regular assessment of laws in the destination country
Commitment to challenge any government access request that conflicts with the SCCs
Transparency reporting on government access requests (where legally permitted)

Data Processing Agreement (DPA)

Parties to this Agreement

DATA CONTROLLER ("Controller" or "Customer"):

DATA PROCESSOR ("Processor" or "Rexpt"):

Table of Contents

1. Definitions

2. Scope and Roles

2.1 Scope of Processing

2.2 Roles of the Parties

2.3 Controller Responsibilities

2.4 Details of Processing

3. Processor Obligations

3.1 Compliance with Instructions

3.2 Confidentiality

3.3 Security Measures

4. Personal Data Breach

4.1 Breach Notification

4.2 Breach Information

4.3 Ongoing Obligations

4.4 Documentation

5. International Data Transfers

5.1 Transfer Restrictions

5.2 Standard Contractual Clauses

5.3 Additional Safeguards

6. Audits and Inspections

6.1 Audit Rights

6.2 Audit Procedures

6.3 Third-Party Certifications

7. Data Retention and Deletion

7.1 Retention Period

7.2 Retention Schedule

7.3 Deletion Upon Termination

7.4 Exceptions to Deletion

8. General Terms

8.1 Term

8.2 Precedence

8.3 Liability

8.4 Indemnification

8.5 Governing Law

Schedule 1: Details of Processing

Subject Matter

Duration

Nature and Purpose

Categories of Data Subjects

Categories of Personal Data

Acceptance

3.4 Sub-processing

3.5 Assistance to Controller

3.6 Data Subject Requests

5.4 Transfer Impact Assessment

6.4 Supervisory Authority Audits

8.6 Amendments

8.7 Severability

8.8 Entire Agreement

Special Categories of Data

Controller's Instructions

Schedule 2: Technical and Organizational Security Measures

Access Control

Encryption

Network Security

Application Security

Infrastructure Security

Data Protection

Physical Security

Organizational Measures

Business Continuity

Monitoring and Logging

Schedule 3: Authorized Sub-processors

Cloud Infrastructure Providers

Telephony and Communications

Business Services

Analytics and Monitoring

AI and Voice Processing Services

Schedule 4: International Data Transfer Mechanisms

Transfer Mechanisms

1.1 EU Standard Contractual Clauses

1.2 UK International Data Transfer Addendum

2. Annex I to Standard Contractual Clauses

2.1 List of Parties

2.2 Description of Transfer