Univonix Data Processing Agreement
(Terms)
This Data Processing Agreement (“DPA”) is hereby entered into by and between Univonix and its Affiliates (“Univonix” or “Company”) and its Partners & Customers (“Partners”) (“Customers”), for the purpose of using the Service.
This DPA forms an integral part of the Software Service Agreement entered into between the parties (“Agreement”). Capitalized terms used herein but not defined herein shall have the respective meanings given to them in the Agreement.
This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data during the course of the engagement between the parties.
Background
- Univonix provides computer software as a service aiming to help with migration of PBXs and Contact Centers. In providing these Services, Univonix may process personal data (as defined below) on behalf of the Partner or Customer.
- Parties have concluded a Software Service agreement regarding these Services, which they now wish to amend in respect of their data processing obligations under Applicable Data Protection Law (as defined hereunder).
- The Parties have hereunder agreed the terms upon which Univonix will process such personal data.
2 Definitions
In this Agreement, the following terms shall have the following meanings:
- “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, as may be amended as well as all regulations promulgated thereunder from time to time.
- “Customer Data” means any and all Personal Data provided and uploaded by the Partner to the Univonix software during its use of the Service.
- “Applicable Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law and the CCPA) as may be amended or superseded from time to time.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
- "Controller", "Processor", "Data Subject", "Personal Data" and "Processing" (and "Process") shall have the meanings given in Applicable Data Protection Law.
Relationship of the parties
The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Customer Data, Univonix is acting as a Data Processor and Partner or Customer is acting as a Data Controller. For the purpose of the CCPA (and to the extent applicable), Partner or Customer is the Business and Univonix is the Service Provider. Each party shall be individually and separately responsible for complying with the obligations that apply to such party under applicable Data Protection Law.
Processing of Personal Data and Compliance with Data Protection Law
- The Partner or Customer represents and warrants that Special Categories of data shall not be Processed or shared in connection with the performance of the Services. Unless otherwise agreed to in writing by the parties, the Partner shall not share any Personal Data with Univonix that contains Personal Data relating to children under 16 years old.
- As between the parties, the Partner or Customer undertakes, accepts, and agrees that the Data Subjects do not have a direct relationship with Univonix and that Univonix relies on Partner’s and Customer’s lawful basis (as required under Data Protection Law). In the event consent is needed under Data Protection Law, the Partner or Customer shall ensure that it obtains a proper act of consent from Data Subjects and present all necessary and appropriate notices in accordance with applicable Data Protection Law and other relevant privacy requirements in order to Process the Data and enable the lawful transfer and Processing of the Data to and by Univonix, as well as where applicable, provide the Data Subjects with the ability to opt out. In the event Data Subject consent is required under Data Protection Law, Partner or Customer shall be fully responsible to support and transmit to Univonix, the parameter of consent, or opt-out, as applicable. The Partner or Customer shall maintain a record of all consents obtained from a Data Subject, including the time and date on which consent was obtained, the information presented to the Data Subject in connection with their giving consent, and details of the mechanism used to obtain consent, as well as a record of the same information in relation to all withdrawals of consent by Data Subject. Partner shall make these records available to Univonix promptly upon request.
5 Rights of Data Subjects and Parties Cooperation Obligations
- It is agreed that where Univonix receives a request from a Data Subject or an applicable authority in respect of Customer Data Processed by Univonix, where relevant, Univonix will direct the Data Subject or the applicable authority to the Partner or Customer in order to enable the Partner or Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
- Where applicable, Univonix shall assist the Partner or Customer in ensuring that Customer Data Processed is accurate and up to date, by informing the Partner or Customer without delay if the Partner or Customer becomes aware of the fact that the Customer Data it is Processing is inaccurate or has become outdated.
Company Personnel
Univonix shall take reasonable steps to ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Customer Data; (ii) that persons authorized to process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any applicable Data Protection Laws.
No Sale of Personal Information
It is hereby agreed that any sharing of Personal Data between the parties is made solely in order to fulfill a Business Purpose and Univonix does not receive or process any Personal Data in consideration for the Service. Thus, such Processing of Personal Data shall not be considered as a “Sale” of Personal Information under the CCPA.
Sub-Processor
- The Partner or Customer acknowledges that Univonix may transfer Customer Data to and otherwise interact with third party data Processors (“Sub-Processor”). The Partner or Customer hereby authorizes Univonix to engage and appoint such Sub-Processors to Process Customer Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Univonix may continue to use those Sub-Processors already engaged by Univonix, as listed in Annex III, or to engage an additional or replace an existing Sub-Processor to process Customer Data, subject to the provision of a 30-day prior notice of its intention to do so to the Partner or Customer. In case the Partner or Customer has not objected to the adding or replacing of a Sub-Processor within five (5) days of Univonix’s notice, such Sub-Processor shall be considered approved by the Partner or Customer. In the event the Partner or Customer objects to the adding or replacing of a Sub-Processor, Univonix may, under Univonix’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement.
- Univonix shall, where it engages any Sub-Processor, impose, through a legally binding contract between Univonix and the Sub-Processor, data protection obligations similar to those set out in this DPA. Univonix shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law.
- Univonix shall remain responsible to the Partner or Customer for the performance of the Sub-Processor’s obligations in accordance with this DPA. Univonix shall notify the Partner or Customer of any failure by the Sub-Processor to fulfill its contractual obligations.
Security
Univonix shall implement appropriate technical and organizational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (a "Security Incident"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Such measures shall include, as appropriate:
- encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Security Incident
- Univonix will notify the Partner or Customer upon becoming aware of any confirmed Security Incident involving the Customer Data in Univonix’ possession or control. Univonix’ notification regarding or response to a Security Incident under this Section 10 shall not be construed as an acknowledgment by Univonix of any fault or liability with respect to the Security Incident. Univonix will, in connection with any Security Incident affecting the Customer Data: (i) take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Partner or Customer and provide the Partner or Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Partner or Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Partner or Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) co-operate with the Partner or Customer and assist Partner or Customer with its obligation to notify the affected individuals in the case of a Security Incident.
- Univonix’s notification regarding or response to a Security Incident under this Section 10 shall not be construed as an acknowledgment by the Company of any fault or liability with respect to the Security Incident.
Audit Rights
- Univonix shall respond promptly and adequately with respect to any inquiries from the Partner or Customer regarding the Processing of Personal Data in accordance with this DPA. Company shall make available to the Partner or Customer all information necessary to demonstrate compliance with the obligations under the EU Data Protection Law.
- Univonix shall make available, solely upon prior reasonable written notice and no more than once per year, to a reputable auditor nominated by the Partner or Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Univonix may object to an auditor appointed by the Customer in the event Univonix reasonably believes the auditor is not suitably qualified or independent, is a competitor of Univonix or otherwise unsuitable (“Objection Notice”). The Partner or Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Univonix. Partner or Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Univonix’ premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to Univonix immediately.
Data Transfer
- The Partner or Customer acknowledges and agrees that in order to be provided with the Service, Univonix may access and Process the Customer Data from territories that are not part of the EEA. Moreover, the Customer further agrees that Company may engage a Sub-Processor which is not established in the EEA, in accordance with Section 8. In the event the Processing includes transferring of Customer Data to a country that has not received an adequacy decision from the European Commission or is not exempt under Article 49 of the GDPR (“Restricted Transfer”), the following shall apply:
- In order to maintain the integrity, security, and confidentiality of the Customer Data, a Restricted Transfer shall be subject, in addition to the terms of this DPA, to the terms and obligations of Module II of the Standard Contractual Clauses in which event Univonix shall be deemed as the Data Importer and the Customer shall be deemed as the Data Exporter.
- The purpose and description of the transfer is set forth in Annex I.
- In case Univonix engages any Sub-Processor, such Restricted Transfer shall be subject, in addition to the terms of the Contract, to the terms and obligations of Module III of the Standard Contractual Clauses in which event Univonix shall be deemed as the Data Exporter and the Sub-Processor shall be deemed as the Data Importer.
- The UK SCC shall incorporate ANNEX I, II and III herein.
- Univonix agrees to submit itself to the jurisdiction of and cooperate with the competent Supervisory Authority in any procedures aimed at ensuring compliance with these Standard Contractual Clauses. Subject to Clause 13 of the Standard Contractual Clauses the jurisdiction of the competent Supervisory Authority shall be either in the jurisdiction of the lead Supervisory Authority or the EU representative or an EU establishment. Further, subject to Clause 17 the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Customer is established (where applicable). Notwithstanding the above, subject to Clause 18 the Data Subject may also bring legal proceedings against the parties before the courts of the Member State in which he/she has his/her habitual residence. Notwithstanding the above the UK SCCs shall be governed by the laws of England and Wales.
- Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) are further detailed in ANNEX II.
Conflict
In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail.
Term & Termination
- This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates.
- Univonix shall be entitled to terminate this DPA or terminate the Processing of Customer Data in the event that Processing of Customer Data under the Partner’s or Customer’s instructions or this DPA infringe applicable legal requirements.
- Following the termination of this DPA, Univonix shall, at the choice of the Partner or Customer, delete all Customer Data processed on behalf of the Partner or Customer and certify to the Partner or Customer that it has done so, or, return all Customer Data to the Partner or Customer and delete existing copies, unless applicable law or regulatory requirements require that Univonix continue to store Customer Data. Until the Customer Data is deleted or returned, the parties shall continue to ensure compliance with this DPA.
Annex I
Details of Processing and Transferring of Customer Data
This Annex includes certain details of the Processing and transferring of Personal Data as required by Article 28(3) GDPR and the Standard Contractual Clauses.
Categories of data subjects whose personal data is processed or transferred:
Partner employees, Partner’s customers, Customer’s employees.
Categories of personal data processed and transferred:
Name, contact information (email, office address, phone numbers), title.
Sensitive data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
NA
Nature of the processing and transfer:
To provide the Service.
Purpose(s) for which the Personal Data is processed or transferred on behalf of the Customer:
To provide the Service.
Duration of the processing:
For as long as is necessary to provide the Service by the Company; provided there is no legal obligation to retain the Personal Data past termination.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
Whenever the Partner or Customer decides to upload data to the Service.
For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing:
Hosting server providers as detailed in Annex III
Annex II
Technical and Organizational Measures
Univonix’s security policy describes the technical and organizational measures implemented by it in order to ensure an appropriate level of security for its Processing of Personal Data.
Additional Safeguards
Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) have been implemented due to the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems decision (“Schrems II”). These measures include the following:
- Encryption both in transit and at rest;
- As of the date included in the “Last Updated” header above, the Company has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II decision.
- No court has found the Company to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
- The Company will not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).
- The Company will use all available legal mechanisms to challenge any demands for data access through any national security process that it receives, as well as any non-disclosure provisions attached thereto.
- The Company will notify Partner or Customer (if required and as applicable) if it can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.
Annex III
List of Sub-Processors
Name | Address | Server Location | Description of the processing |
---|---|---|---|
Microsoft | Netherlands | Netherlands | Hosting |
Microsoft | United Kingdom | United Kingdom | Hosting |
Microsoft | United States | United States | Hosting |