
Official Legal Document

Master Data Processing Agreement (MDPA)

This is the official legal document published by Voice2Evolve.

Effective date

2026-02-08

Legal version

2026-02-08

Legal entity

voice2evolve UG (haftungsbeschränkt)

Registered office

Amtsgericht Stuttgart, HRB 803557


This Master Data Processing Addendum (“MDPA”) is incorporated by reference into the agreement governing the use of Voice2Evolve’s services (“Agreement”) entered by and between you, the Customer (as defined in the Agreement) (“Customer”), and Voice2Evolve UG (haftungsbeschränkt) (“Voice2Evolve”) to reflect the Parties’ agreement with regard to the processing of Personal Data by Voice2Evolve solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party.”

Unless otherwise specified in this MDPA, the terms of the Agreement shall continue in full force and effect. All capitalized terms not defined in this MDPA shall have the meanings set forth in the Agreement. Any privacy or data protection-related clauses or agreement previously entered into by Voice2Evolve and Customer shall be superseded and replaced with this MDPA.

This MDPA was originally effective as of 08.02.2026 and was last updated on March 13, 2026. It is effective between Customer and Voice2Evolve as of the Effective Date of the Agreement (the "MDPA Effective Date").

The Parties agree as follows:

1. Definitions

To achieve a level of detail comparable to leading frameworks, this section defines key terms including 'Approved Jurisdiction', 'Special Categories of Personal Data', 'Standard Contractual Clauses', and 'Supervisory Authority' to ensure clarity and comprehensive alignment with GDPR and related regulations.

Unless otherwise defined herein, capitalized terms have the meanings set forth in applicable data protection laws.

  • Affiliate: Any entity directly or indirectly controlling, controlled by, or under common control with a Party.
  • Approved Jurisdiction: Any country within the EEA or those deemed by the European Commission to ensure adequate protection.
  • Controller: The entity determining the purposes and means of processing Personal Data.
  • Processor: The entity processing Personal Data on behalf of a Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on Personal Data, such as collection, storage, alteration, transmission, or deletion.
  • Subprocessor: A third-party processor engaged by Voice2Evolve.
  • Data Subject: An identifiable natural person to whom the Personal Data relates.
  • Security Measures: The technical and organizational measures implemented by Voice2Evolve as described in Attachment A.
  • Data Breach: Any security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data.
  • Supervisory Authority: An independent public authority established pursuant to Article 51 GDPR.
  • Special Categories of Personal Data: As defined in Article 9 GDPR, including health, biometric, or criminal record data.
  • Data Protection Laws: GDPR, UK GDPR, and CPRA collectively.

2. Roles and Responsibilities

2.1 Relationship of the Parties

The Customer acts as the Controller, and Voice2Evolve acts as the Processor.

2.2 Customer Instructions

Voice2Evolve will process Personal Data only on documented instructions from the Customer. If Voice2Evolve believes an instruction infringes GDPR or applicable law, it will notify the Customer immediately.

2.3 Scope and Purpose

Processing covers voice-based AI sparring, transcription, scoring, and related analytics.

2.4 Duration

Processing continues for the term of the Agreement and ends when all data is returned or deleted in accordance with Section 15.

2.5 Special Categories and Voice Data

The Services process voice recordings for AI-powered conversational sparring, training, and analysis. Voice2Evolve does not process voice data for the purpose of uniquely identifying a natural person (biometric identification) within the meaning of GDPR Article 9(1). Accordingly, voice recordings processed under this MDPA are not treated as Special Categories of Personal Data. The Customer shall not submit Special Categories of Personal Data (Article 9 GDPR) to the Services unless expressly agreed in writing.

2.6 Automated Decision-Making

The Services generate scores, analytics, and feedback using AI models. These outputs are provided for informational and training purposes only and do not produce legal effects or similarly significant effects on Data Subjects within the meaning of GDPR Article 22(1). No decisions with legal or equivalent consequences are made solely on the basis of automated processing.

2.7 Tenant Data Isolation

Voice2Evolve contractually guarantees logical separation of each Customer's Personal Data from that of other customers. Isolation is enforced through database-level row-level security policies, tenant-scoped authentication, and application-layer access controls. No Customer's Personal Data is commingled with or accessible to another customer.

2.8 Data Protection Contact

The designated contact for all data protection matters under this MDPA is: Voice2Evolve UG (haftungsbeschränkt) — Email: privacy@voice2evolve.com


3. Controller Obligations

The Customer shall promptly notify Voice2Evolve of any Data Subject complaints, inquiries, or investigations initiated by a Supervisory Authority that relate to processing under this MDPA. Both Parties will cooperate to ensure consistent and timely communication with regulators and affected Data Subjects, maintaining transparency and compliance.

The Customer shall:

  • Ensure a lawful basis for all data provided.
  • Fulfil information and consent obligations to Data Subjects.
  • Provide accurate, minimized data.
  • Document its processing purposes and notify Voice2Evolve of any changes.

4. Processor Obligations (GDPR Art. 28(3)(a)–(h)) and Cross-Jurisdictional Compliance

Voice2Evolve also adheres to equivalent Processor obligations under U.S. state privacy laws, including the CPRA (California) and CDPA (Virginia), ensuring that the same data protection, confidentiality, and consumer rights principles are applied consistently across jurisdictions.

Voice2Evolve shall:

  1. Process Personal Data solely under the Customer’s written instructions.
  2. Ensure personnel confidentiality (Art. 28(3)(b)).
  3. Implement appropriate technical and organizational measures (Art. 28(3)(c)).
  4. Respect subprocessor authorization and maintain an up-to-date list (Art. 28(3)(d)).
  5. Assist Customer in responding to Data Subject requests (Art. 28(3)(e)).
  6. Assist Customer with DPIAs and consultations with supervisory authorities (Art. 28(3)(f)).
  7. Delete or return data after termination unless required by law (Art. 28(3)(g)).
  8. Make available all information necessary for demonstrating compliance and support verification as described in Section 10 (Art. 28(3)(h)).
  9. Cooperate with supervisory authorities.
  10. Maintain processing records as per Art. 30(2) GDPR.

5. Subprocessing

Voice2Evolve may engage subprocessors as listed in Attachment B. All subprocessors are bound by written contracts imposing data protection obligations equivalent to those set out in this MDPA. Voice2Evolve remains liable for the acts and omissions of its subprocessors.

5.1 Prior Notice of New Subprocessors

Voice2Evolve shall notify the Customer at least thirty (30) calendar days before authorizing a new subprocessor to process Personal Data. Notification shall be provided via the contact details associated with the Customer's account or through a change-notification mechanism to which the Customer may subscribe.

5.2 Right to Object

The Customer may object to a new subprocessor on reasonable data-protection grounds by notifying Voice2Evolve in writing within the thirty (30)-day notice period. Voice2Evolve shall make commercially reasonable efforts to address the objection, including by offering an alternative subprocessor or configuration. If Voice2Evolve cannot reasonably accommodate the objection within thirty (30) days of receiving it, the Customer may terminate the affected Services — or, where the subprocessor is integral to the entire Service, the Agreement — without penalty, by providing written notice before the new subprocessor begins processing.


6. Security Measures (Art. 32 GDPR)

Voice2Evolve’s security framework also includes detailed encryption key management policies, ensuring encryption keys are generated, stored, rotated, and destroyed in accordance with ISO 27001 and NIST SP 800-57 standards. Keys are never hardcoded or stored in plaintext, and access to key material is strictly restricted.

The Company maintains a formal Incident Response Policy. Voice2Evolve maintains documented incident response procedures designed to enable prompt detection, investigation, escalation, and containment of security events in accordance with applicable Data Protection Laws.

Additionally, Voice2Evolve applies pseudonymization standards for all analytical and transcript data to prevent direct identification of Data Subjects. Pseudonymized identifiers are randomly generated and separated from user account information, ensuring compliance with GDPR Article 32(1)(a) on data confidentiality and resilience.

Voice2Evolve maintains Security Measures described in Attachment A, including:

  • Encryption of data at rest and in transit.
  • Role-based and least-privilege access control.
  • Multifactor authentication.
  • Logging, monitoring, and incident management.
  • Regular vulnerability assessments and security testing, appropriate to risk.
  • Secure deletion and 30-day retention policy.

7. Data Breach Notification (Art. 33 GDPR)

Voice2Evolve shall notify the Customer of any Personal Data Breach without undue delay and no later than seventy-two (72) hours after becoming aware of it. The initial notification shall include, to the extent reasonably available at that time, the nature of the breach, the categories and approximate number of affected Data Subjects and Personal Data records, the likely consequences, and the measures taken or proposed to address the breach. Where full details are not yet available within the notification window, Voice2Evolve shall provide the remaining information in phases without further undue delay.

8. Data Subject Rights (Art. 15–22 GDPR)

Verification of Data Subject Identity

Before fulfilling any Data Subject request, Voice2Evolve verifies the requester’s identity in accordance with GDPR Article 12(6). Verification methods may include authentication through the user’s registered account credentials or other reasonable verification processes to prevent unauthorized access or disclosure of Personal Data.

Voice2Evolve shall assist the Customer in fulfilling requests for access, rectification, restriction, deletion, data portability, or objection. For data portability requests, Voice2Evolve shall make the relevant Personal Data available in a structured, commonly used, and machine-readable format (JSON or CSV). Voice2Evolve will not respond directly to Data Subjects unless authorized by the Customer.


9. International Transfers (Art. 44–49 GDPR)

In line with European Data Protection Board (EDPB) guidance, Voice2Evolve conducts Transfer Impact Assessments (TIAs) prior to any international data transfer to evaluate the legal and practical safeguards in the destination country. These assessments include consideration of surveillance laws, access by public authorities, and redress mechanisms for Data Subjects.

TIAs are documented as part of the vendor security assessment process maintained in Voice2Evolve's internal vendor register. Each relevant third-country transfer and each direct subprocessor with documented onward transfers has been assessed individually:

  • Supabase Inc. — primary project region configured in the EU (Stockholm, Sweden), with documented onward transfers to subprocessors in the United States and Singapore for support, observability, and ancillary tooling. Transfers rely on SCCs and supplementary measures documented in Supabase's DPA and TIA. TIA on file: Supabase Vendor Security Assessment (2026-03-02) and Supabase Transfer Impact Assessment (2025-03-14).

  • OpenAI, L.L.C. — SCCs (EU Commission Decision 2021/914, Module 2) + CPRA compliance + EU-US DPF participation. Voice2Evolve maintains a zero-data-retention (ZDR) API configuration and shall not downgrade or disable this setting without prior written notice to affected Customers. TIA on file: OpenAI Vendor Security Assessment (2026-03-02).

  • Anthropic PBC — SCCs + CPRA compliance. Data minimization applied; used only for quality evaluation. TIA on file: Anthropic Vendor Security Assessment (2026-03-02).

  • Stripe Payments Europe Ltd. — Primary entity is EU-based; US entity covered by SCCs + PCI DSS Level 1. TIA on file: Stripe Vendor Security Assessment (2026-03-02).

  • Vercel Inc. — SCCs; EU region deployment available and used for EEA traffic. TIA on file: Vercel Vendor Security Assessment (2026-02-10).

  • Cloudflare, Inc. — SCCs + EU-US DPF. Processing limited to DNS resolution and transient encrypted WebRTC relay (DTLS-SRTP); no application-layer content accessible. TIA on file: Cloudflare Vendor Security Assessment (2026-02-10).

  • Plus Five Five, Inc. (Resend) — SCCs + EU-US DPF. Processes email addresses only. TIA on file: Resend Vendor Security Assessment (2026-03-02).

  • Sentry, Inc. — SCCs + EU-US DPF. PII scrubbing applied before transmission. TIA on file: Sentry Vendor Risk Assessment.

  • Haufe-Lexware GmbH & Co. KG (Lexware) — EU (Germany) based entity; directly subject to GDPR and BDSG. No cross-border transfer mechanism required. Processes invoice and accounting data, which may include Customer contact name, email address, postal address, and tax identifiers. TIA on file: Lexware Vendor Security Assessment (2026-03-13).

Voice2Evolve also commits to periodically re-evaluate adequacy decisions and transfer mechanisms to ensure ongoing compliance with GDPR Article 46. Customers may request copies or summaries of relevant TIAs upon legitimate request.

Transfers outside the EEA shall rely on:

  • EU Standard Contractual Clauses (Attachment C),
  • UK Addendum (Attachment D), or
  • Adequacy decisions or other lawful safeguards.

Voice2Evolve ensures data transferred to third countries remains protected at a level equivalent to GDPR.


10. Compliance Verification and Documentation

Voice2Evolve will make available information reasonably necessary to demonstrate compliance through written documentation and remote assurance measures designed to protect security, confidentiality, and the privacy of other customers. Routine on-site inspections of private residences, home offices, or third-party data center facilities are not offered.

  • Customer may request compliance information annually or after a confirmed Personal Data Breach affecting the Customer Data.
  • Voice2Evolve may satisfy such requests through policies, security summaries, questionnaire responses, summaries of independent audit reports or certifications, and remote clarification sessions.
  • Any inspection beyond documentary or remote review requires Voice2Evolve's prior written agreement or a clear mandatory legal requirement from a competent supervisory authority.
  • All documentation necessary for compliance demonstration shall be maintained and provided upon request, subject to confidentiality, security, and proportionality safeguards.

11. Liability

Each Party’s total liability arising out of or in connection with this MDPA shall be limited to the total fees paid under the Agreement in the twelve (12) months preceding the event giving rise to the claim.

This limitation shall not apply to: (a) liability resulting from willful misconduct or fraud; (b) violations of applicable Data Protection Laws to the extent liability cannot be limited by mandatory law; (c) breaches of confidentiality obligations.

Each Party shall be solely responsible for any administrative fines, penalties, or sanctions imposed directly upon it by a Supervisory Authority as a result of its own noncompliance with applicable Data Protection Laws.


12. Complaint and Investigation Coordination

The Customer shall promptly notify Voice2Evolve of any complaint, inquiry, or investigation by a Supervisory Authority or Data Subject concerning processing activities conducted under this MDPA. Both Parties will cooperate fully and share relevant information to ensure consistent responses and compliance.

13. Swiss Data Protection (FADP) Compliance

Voice2Evolve also complies with the Swiss Federal Act on Data Protection (FADP). For data transfers from Switzerland, the same safeguards, Standard Contractual Clauses, and security measures set out in this MDPA shall apply. The competent supervisory authority for such processing is the Federal Data Protection and Information Commissioner (FDPIC).

14. Governing Law and Jurisdiction

This MDPA shall be governed by the laws of the Federal Republic of Germany. Jurisdiction for all disputes shall be Stuttgart, Germany, unless mandatory law requires otherwise.

15. Data Retention and Deletion Policy

Voice2Evolve maintains clear data retention and deletion schedules to comply with GDPR Articles 30 and 32. All Personal Data is stored only for as long as necessary to fulfil the purposes of processing or to meet legal obligations. Retention periods are defined based on the following criteria:

  • Session Transcripts: Subject to the Customer's configurable retention setting (7–365 days; default: 30 days). On expiry, the Customer may elect to anonymize transcripts in place — replacing spoken content with a redacted marker while preserving session metadata — rather than delete them outright. The anonymize-on-expiry option is enabled by default. Where no retention setting has been configured by the Customer, transcripts are anonymized or deleted within 30 days of session completion.
  • Session Analytics and Scores (non-transcript): Scores, analysis results, behavioral metrics, and other non-transcript session data are retained for the duration of the user account and deleted within 30 days of account closure, unless earlier deletion is requested by the Customer or the Data Subject.
  • Internal Quality Evaluation Reports: Reports generated by Voice2Evolve's automated internal quality evaluation system are retained for 30 days and then deleted. These reports assess Voice2Evolve's own AI system components and do not contain user evaluation data. See Section 16.1.
  • Anonymized Aggregate Data: Fully anonymized, k-anonymous behavioral aggregate data — from which no individual, session, or tenant can be re-identified — is retained indefinitely as it falls outside the definition of Personal Data under GDPR Article 4(1) and Recital 26. See Section 16.2.
  • Post-Termination Data Return: Upon termination or expiry of the Agreement, Voice2Evolve shall make the Customer's Personal Data available for export for a period of ninety (90) calendar days. After expiry of this transition period, Voice2Evolve shall securely delete or anonymize all remaining Personal Data in accordance with this Section 15, unless retention is required by applicable law.
  • User Account Data: Retained for the duration of the account and securely deleted within 30 days of closure.
  • Payment and Billing Records: Maintained for statutory tax and accounting periods (typically 6–10 years) before deletion.
  • Audit and Security Logs: Retained for 90 days unless longer retention is required for incident investigation or compliance.

Voice2Evolve ensures all deletions use secure erasure methods and that audit trails are logged to document deletion activities. The Company reviews retention policies annually and adjusts schedules to reflect current regulatory and operational requirements.


16. Voice2Evolve's Permitted Secondary Purposes

Notwithstanding Section 4.1, the following secondary uses of Customer Data are expressly authorized by the Agreement and do not constitute processing outside the Customer's documented instructions:

16.1 Internal Quality Evaluation

Voice2Evolve operates an automated quality evaluation system that processes session transcripts and analysis outputs using third-party LLM subprocessors (as listed in Attachment B) solely to evaluate the performance of Voice2Evolve's own AI system components — including the conversation planner, realtime dialogue agent, orchestrator, and post-session analyzer. This processing serves the purpose of maintaining and continuously improving the technical quality of the Services delivered to the Customer. It does not evaluate individual users, produces no user-facing output, and generates no user scores or profiles. Quality evaluation reports are internal to Voice2Evolve, are not accessible via the customer-facing application, and are deleted within 30 days.

16.2 Anonymized Aggregate Analytics

As authorized by the Agreement and this Section 16.2, Voice2Evolve derives fully anonymized, aggregated behavioral statistics from session data to improve the Services and develop product benchmarks. Prior to aggregation, all direct and indirect identifiers — including tenant_id, session_id, and user_id — are removed. Aggregation is subject to k-anonymity thresholds (minimum 50 sessions per dimension group); groups below this threshold are excluded entirely. Once anonymized to this standard, the resulting data is no longer Personal Data within the meaning of GDPR Article 4(1) and Recital 26 and is not subject to the restrictions of this MDPA.


ATTACHMENT A – SECURITY MEASURES

(Detailed expansion per GDPR Art. 32)

Technical Controls:

  • Encryption: AES-256 encryption at rest and TLS 1.3 in transit. Encryption keys are managed according to defined lifecycle policies (generation, rotation, destruction) compliant with ISO 27001 and NIST SP 800-57.
  • Access Control: Role-based access control (RBAC) enforced with multifactor authentication (MFA) for all Voice2Evolve personnel and vendor platform access. MFA is applied at the administrative and infrastructure layer; it is not required for end-user customer accounts, which are protected by Supabase Auth with secure session management. Access is granted on a least-privilege basis, reviewed quarterly, and logged.
  • Logging and Monitoring: Continuous centralized logging of all administrative and system access. Logs are tamper-evident, retained for at least 90 days, and reviewed for anomalies.
  • Network Security: Voice2Evolve operates exclusively on managed platform-as-a-service (PaaS) infrastructure. Network-level protections — including DDoS mitigation, firewall rules, traffic isolation, and intrusion detection — are provided and maintained by the respective infrastructure providers (see Attachment B). Administrative access to provider platforms is secured with multifactor authentication and restricted to authorized personnel.
  • Pseudonymization: Analytical and transcript data is pseudonymized by separating identifiers and using random tokens to minimize linkability.
  • Secure Software Development: Security integrated in SDLC through code reviews, dependency checks, and vulnerability scanning before deployment.
  • Backup and Recovery: Daily encrypted backups stored in EU data centers with 30-day retention; tested quarterly for restorability.

Organizational Controls:

  • Security Governance: Information security policy reviewed annually by management.
  • Confidentiality: All employees and contractors sign confidentiality and data protection agreements.
  • Training: Annual data protection and security training for all staff with access to Personal Data.
  • Vendor Management: Third-party subprocessors undergo risk assessment and DPA verification prior to engagement. Subprocessors are contractually required to maintain data protection training for personnel who process Personal Data.
  • Incident Response: Documented procedures for detection, escalation, mitigation, and post-incident review. Breach notifications are provided without undue delay in accordance with Article 33 GDPR.
  • Audit and Review: Internal audits conducted semi-annually; independent audit reports or certifications, where available.
  • Business Continuity: Tested plans covering disaster recovery, service redundancy, and emergency response.
  • Physical Security: Voice2Evolve does not operate its own data centers. All infrastructure is hosted by third-party providers whose facilities maintain industry-standard physical security controls, including ISO 27001 or SOC 2 certification, access controls, and environmental monitoring. Provider certifications are verified as part of the vendor management process described above.

ATTACHMENT B – SUBPROCESSORS

Voice2Evolve maintains a documented process for regular Subprocessor reviews and updates and provides Customers with general authorization to engage Subprocessors in accordance with GDPR Article 28(2). Customers may subscribe to change notifications to receive reasonable prior notice of any new Subprocessor engagements.

| Provider | Role | Location | Legal Basis / Safeguards |
|---|---|---|---|
| Supabase Inc. | Database, Authentication | EU (Stockholm, Sweden primary hosting); onward transfers to US / Singapore subprocessors | Supabase DPA + SCCs + supplementary safeguards documented in Supabase TIA |
| OpenAI, L.L.C. | AI Inference / Voice API | US | SCCs + CPRA Compliance |
| Stripe Payments Europe Ltd. | Payments | EU / US | GDPR DPA + SCCs |
| Vercel Inc. | Frontend Hosting | EU / US | SCCs |
| Railway.app | Backend Infrastructure | EU | GDPR DPA |
| Cloudflare, Inc. | DNS Resolution, WebRTC TURN Relay | EU / US | GDPR DPA + SCCs |
| Sentry, Inc. | Error Monitoring | EU / US | GDPR DPA + SCCs |
| Rybbit | Website & Product Analytics (selected app pages only; sensitive paths excluded) | EU (EEA — Hetzner) | GDPR DPA + SCCs |
| Plus Five Five, Inc. (Resend) | Transactional Email | US | GDPR DPA + SCCs + EU-US DPF |
| Anthropic PBC | AI Inference (LLM) | US | GDPR DPA + SCCs |
| Haufe-Lexware GmbH & Co. KG (Lexware) | Invoice & Accounting Synchronisation | EU (Germany) | GDPR DPA (AVV) |

ATTACHMENT C – STANDARD CONTRACTUAL CLAUSES (FULL TEXT)

Pursuant to GDPR Article 46 and EU Commission Implementing Decision (EU) 2021/914, the Standard Contractual Clauses (Module 2: Controller to Processor) are hereby incorporated by reference in their entirety and form an integral part of this Agreement. The official full text is published in the Official Journal of the European Union (OJ L 199, 7.6.2021, p. 31–61) and is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

The key provisions of the EU Standard Contractual Clauses are summarized below for convenience. In the event of any discrepancy between this summary and the official text, the official text shall prevail.


SECTION I – PURPOSE AND SCOPE

(Clauses 1–7 summarized from EU Commission Implementing Decision (EU) 2021/914)

Clause 1 – Purpose and Scope: The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 for the transfer of personal data to a third country.

Clause 2 – Effect and Invariability of the Clauses: These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies.

Clause 3 – Third-Party Beneficiaries: Data subjects may enforce these Clauses as third-party beneficiaries.

Clause 4 – Interpretation: Terms used shall have the meaning given in the GDPR.

Clause 5 – Hierarchy: In the event of a contradiction, these Clauses shall prevail.

Clause 6 – Description of the Transfer(s): The details of the transfer(s) are specified in Annex I.

Clause 7 – Docking Clause: An entity not party to these Clauses may accede to them at any time with agreement of the Parties.


SECTION II – OBLIGATIONS OF THE PARTIES

(Clauses 8–10 summarized)

Clause 8 – Data Protection Safeguards: The data importer shall process the personal data only on documented instructions from the data exporter.

Clause 9 – Use of Subprocessors: The data importer has the data exporter’s general authorization for the engagement of subprocessors as detailed in Annex III.

Clause 10 – Data Subject Rights: The data importer shall assist the data exporter in fulfilling data subject rights under GDPR Articles 15–22.


SECTION III – LOCAL LAWS AND ACCESS BY AUTHORITIES

(Clauses 14–15 summarized)

Clause 14 – Local Laws and Practices: The Parties warrant that they have no reason to believe the laws of the third country prevent the importer from fulfilling these Clauses.

Clause 15 – Obligations of the Data Importer in Case of Access by Public Authorities: The data importer agrees to notify the data exporter of any legally binding request for disclosure by a public authority.


SECTION IV – FINAL PROVISIONS

(Clauses 16–18 summarized)

Clause 16 – Non-Compliance and Termination: If the importer is in breach of these Clauses, the exporter may suspend the transfer or terminate the contract.

Clause 17 – Governing Law: These Clauses are governed by the laws of Germany, allowing for third-party beneficiary rights.

Clause 18 – Choice of Forum and Jurisdiction: Any dispute shall be resolved by the courts of Germany. Data subjects may also bring legal proceedings before their habitual residence courts within the EU.


ANNEX I – DETAILS OF THE TRANSFER

A. List of Parties

  • Data Exporter (Controller): The Customer as identified in the Agreement.
  • Data Importer (Processor): Voice2Evolve UG (haftungsbeschränkt), registered in Germany. Contact: privacy@voice2evolve.com.

B. Description of Transfer

  • Categories of Data Subjects: End users (employees, candidates, or other individuals) who use the Services on behalf of or at the direction of the Customer.
  • Categories of Personal Data: Voice recordings, session transcripts, session analytics and scores, user account data (name, email address), usage metadata, and IP addresses.
  • Special Categories of Data: None (see Section 2.5).
  • Frequency of Transfer: Continuous, for the duration of the Agreement.
  • Nature and Purpose of Processing: Provision of AI-based voice sparring, training, transcription, scoring, and analysis services as described in the Agreement and Section 2.3.
  • Retention Period: As specified in Section 15.

C. Competent Supervisory Authority

The competent supervisory authority is the data protection authority of the EU Member State in which the Data Exporter is established, or — where the Data Exporter is not established in the EU — the supervisory authority of the Member State in which the Data Exporter's EU representative is established. Where neither applies, the competent authority is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (Germany).

ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES: See Attachment A (Security Measures)

ANNEX III – SUBPROCESSORS: See Attachment B (Subprocessors)


The official text of EU Commission Implementing Decision (EU) 2021/914 (Controller → Processor, Module 2) is incorporated by reference and executed by both Parties. Annex I–III are populated as follows:

  • Annex I: See above (Details of the Transfer).
  • Annex II: Security Measures (Attachment A).
  • Annex III: Subprocessors (Attachment B).

ATTACHMENT D – UK ADDENDUM (ICO)

Applies to data transfers from the United Kingdom under the ICO-approved Addendum to the EU SCCs. The Addendum ensures lawful transfers under the UK GDPR and Data Protection Act 2018.

Key Provisions:

  • The EU Standard Contractual Clauses (Module 2) are adopted with modifications required by the UK Addendum.
  • References to the GDPR are read as references to the UK GDPR.
  • References to the European Union or Member States are interpreted to include the United Kingdom.
  • The competent supervisory authority is the Information Commissioner’s Office (ICO).
  • Governing law and jurisdiction: England and Wales.

These provisions ensure lawful data transfers between the UK and third countries in accordance with UK data protection law.

ATTACHMENT D.1 – SWISS ADDENDUM (FADP)

Applies to data transfers from Switzerland in accordance with the Swiss Federal Act on Data Protection (FADP) and the Ordinance to the FADP. The same EU Standard Contractual Clauses (Module 2) are adopted for transfers from Switzerland, with necessary adjustments:

  • References to the GDPR shall be interpreted as references to the FADP.
  • The competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC).
  • References to EU Member States shall include Switzerland.

These clauses ensure that data transfers from Switzerland to third countries maintain an adequate level of protection equivalent to that required under the FADP.


ATTACHMENT E – UNITED STATES PRIVACY ADDENDUM

This Attachment applies only where and to the extent applicable U.S. state privacy laws govern the Customer’s use of the Services.

Voice2Evolve acts as a Service Provider and Processor under applicable U.S. state privacy laws, including but not limited to:

  • California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA),
  • Virginia Consumer Data Protection Act (CDPA),
  • Colorado Privacy Act (CPA),
  • Connecticut Data Privacy Act (CTDPA),
  • and any other U.S. state privacy statute that imposes processor or service-provider obligations on Voice2Evolve in connection with the Services.

Under these laws, Voice2Evolve shall:

  1. Process Personal Data solely on documented Customer instructions and for contractual business purposes.
  2. Not sell, share, or use Personal Data for targeted advertising, profiling, or non-contracted purposes.
  3. Assist the Customer (Controller) in responding to verified consumer rights requests, including rights of access, correction, deletion, portability, and opt-out of targeted advertising.
  4. Ensure that any onward transfer of Personal Data complies with applicable state privacy requirements and contractual safeguards.
  5. Implement reasonable security practices appropriate to the sensitivity of the Personal Data.
  6. Maintain documentation of processing activities and data protection assessments when required by law.
  7. Promptly notify the Customer of any data breach, complaint, or inquiry related to CDPA or CPRA compliance.
  8. Permit the Customer to verify compliance through written documentation and remote assurance measures, subject to Section 10.
  9. Delete or return Personal Data upon request or termination of the Agreement, unless retention is required by law.

Data retention remains limited to service duration or statutory obligations. Voice2Evolve confirms compliance with all applicable U.S. state privacy regulations governing its role as a Processor/Service Provider.


This MDPA is concluded electronically and forms an integral part of the Agreement. It becomes legally binding upon the Customer’s acceptance of the Agreement by electronic means, including via checkbox or similar mechanism.

Company address

Grabenstr. 26, 71254 Ditzingen, Germany

VAT ID: DE459808424
