Data Processing Agreement

1. Introduction and Parties

This Data Processing Agreement ("DPA") is entered into between:

• Data Controller ("Customer") — the organization that has agreed to the Call Coach IQ Terms of Service and is using the platform to process call recordings and agent data.
• Data Processor ("Call Coach IQ", "we", "us") — Call Coach IQ, operated in the United States, providing AI-powered call coaching software as a service.

This DPA applies where Call Coach IQ processes personal data that is subject to applicable data protection laws, including but not limited to the California Consumer Privacy Act (CCPA/CPRA), the EU General Data Protection Regulation (GDPR), the UK GDPR, or any similar applicable legislation.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data.

2. Definitions

• Customer Data— personal data that the Customer submits to, or that Call Coach IQ collects on the Customer's behalf through, the platform. This includes call recordings, PII-redacted transcripts, agent profiles, and performance data.
• Personal Data — any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
• Processing — any operation performed on personal data, including collection, storage, use, disclosure, deletion, or destruction.
• Sub-processor— any third-party service provider engaged by Call Coach IQ to process Customer Data on Call Coach IQ's behalf.
• Data Subject — any living individual whose personal data is processed under this DPA, including call center agents and their end customers whose calls are uploaded to the platform.
• Security Incident — any breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Data.
• Services — the Call Coach IQ platform, including call transcription, AI scoring, coaching hub, business analytics, and all related features as described at https://callcoachiq.com.

3. Scope and Nature of Processing

Call Coach IQ processes Customer Data solely to provide the Services described in the Terms of Service and as instructed by the Customer. The nature and purpose of processing are:

• Receiving call audio via API or direct upload
• Passing audio transiently to Google Gemini AI for transcription and analysis
• Automatically redacting PII from transcripts before storage
• Storing redacted transcripts, scores, summaries, and coaching data in Firestore
• Generating reports, dashboards, and coaching content accessible to the Customer
• Sending transactional email notifications relating to the Customer's account

Categories of personal data processed: name, email address, job role, call audio (transiently, not stored), PII-redacted call transcripts, performance scores, and sentiment and behavioral analysis derived from call content.

Categories of data subjects:the Customer's employees and agents who use the platform, and end customers of the Customer whose voice calls are processed through the platform.

Call Coach IQ will process Customer Data only for the duration of the active service subscription and will not process Customer Data for any purpose other than performing the Services, unless required by applicable law.

4. Call Coach IQ Obligations as Processor

Call Coach IQ agrees to:

• Process Customer Data only on documented instructions from the Customer as set out in this DPA and the Terms of Service, unless required to do so by applicable law.
• Ensure that personnel authorized to process Customer Data are subject to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
• Implement and maintain the technical and organizational security measures described in Section 8 of this DPA.
• Assist the Customer in responding to data subject requests to exercise their rights under applicable data protection law, to the extent possible given the nature of the processing.
• Assist the Customer in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
• At the Customer's choice, delete or return all Customer Data upon termination of the Services, and delete existing copies unless retention is required by applicable law.
• Make available to the Customer all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice and confidentiality obligations.
• Notify the Customer promptly if Call Coach IQ receives an instruction that, in its opinion, violates applicable data protection law.

5. Customer Obligations as Controller

The Customer represents and warrants that:

• It has a valid legal basis under applicable law for processing the personal data it submits to the platform, including call recordings that contain data about end customers.
• It has provided all required notices to, and obtained all required consents from, data subjects (including call center agents and end customers) before submitting their personal data to the platform. This includes any consent or notice required for call recording under applicable wiretapping, telecommunications, or privacy law.
• It is responsible for the accuracy, quality, and lawfulness of the personal data submitted to the Services.
• It will comply with all applicable data protection laws in its use of the Services and its role as Data Controller.

6. Sub-processors

The Customer grants Call Coach IQ general authorization to engage the following sub-processors to process Customer Data:

Call Coach IQ will notify account administrators by email at least 30 days before engaging any new sub-processor that will process Customer Data, or before making material changes to existing sub-processor arrangements. The Customer may object in writing within 14 days of notification. If the Customer objects and Call Coach IQ cannot accommodate the objection, the Customer may terminate the Services with a pro-rated refund of any prepaid fees.

Call Coach IQ will impose data protection obligations on each sub-processor that are substantially equivalent to those in this DPA, and remains liable to the Customer for the performance of sub-processors.

7. Data Subject Rights

Where Call Coach IQ receives a request from a data subject seeking to exercise their rights (access, correction, deletion, portability, objection), Call Coach IQ will:

• Promptly forward the request to the Customer where it relates to Customer Data, as the Customer is the Data Controller responsible for responding.
• Not respond directly to the data subject about Customer Data without the Customer's prior authorization, except as required by applicable law.
• Provide commercially reasonable assistance to help the Customer fulfil its obligations to respond to data subject requests within the legally required timeframes.

8. Security Measures

Call Coach IQ implements and maintains the following technical and organizational security measures to protect Customer Data:

• Encryption — All Customer Data is encrypted at rest (AES-256 via Google Cloud infrastructure) and in transit (TLS 1.2+). API credentials and sensitive configuration values are stored using server-side encryption and are never exposed in client-facing responses.
• Access controls — Role-based access control (RBAC) is enforced at the database level. Agents access only their own records; managers access their team; admins access company-wide data. Super-admin access is restricted to Call Coach IQ personnel for platform operation.
• Authentication — Platform access requires authenticated sessions via Firebase Authentication. Multi-factor authentication (TOTP) is available and recommended. Brute-force lockout protection is active on all login endpoints.
• IP allowlisting — Access to the platform is restricted by IP address. Only traffic originating from approved IP addresses is permitted to reach the application, providing an additional network-level barrier against unauthorized access.
• Audit logging — Administrative actions (user creation, deletion, data reprocessing) are written to a tamper-evident audit log accessible to Customer admins.
• Audio and transcript storage — Call audio recordings are stored in Firebase Storage. Transcripts are stored in Firestore. All stored data is encrypted at rest. Access is restricted by role-based security rules enforced at the database level.
• PII redaction — Sensitive personal data categories (card numbers, SSNs, PINs, dates of birth, security answers) are automatically detected and redacted from transcripts during processing — before any text is written to the database — so stored transcripts never contain raw sensitive values.
• Sub-processor security— Google Cloud infrastructure (where all data is stored) maintains SOC 2 Type II and ISO 27001:2013 certifications. These are Google's own certifications; they do not represent independent certification of Call Coach IQ.
• Internal security reviews — We conduct periodic internal reviews of our security configuration, access controls, and Firestore security rules.

9. Security Incident Notification

In the event that Call Coach IQ becomes aware of a Security Incident involving Customer Data, Call Coach IQ will:

• Notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the incident, by email to the account's primary administrator address.
• Provide, to the extent known, the nature of the incident, the categories and approximate number of data subjects affected, the categories and approximate volume of Customer Data records affected, the likely consequences of the incident, and the measures taken or proposed to address the incident.
• Cooperate with the Customer and take such reasonable steps as are necessary to remediate the incident and limit its effects.

Notification by Call Coach IQ of a Security Incident is not an acknowledgement of fault or liability. The Customer is responsible for notifying its own end customers, employees, and regulatory authorities as required by applicable law.

10. Data Deletion and Return

Upon termination or expiry of the Customer's subscription, Call Coach IQ will:

• Provide the Customer with a 30-day window after termination to export Customer Data from the platform in machine-readable format (JSON or CSV where available).
• Securely delete all Customer Data from active systems within 90 days of account termination, unless a longer retention period is required by applicable law.
• Upon written request, provide the Customer with written confirmation that deletion has been completed.

Call Coach IQ may retain Customer Data beyond this period only to the extent required by applicable law, and will limit processing of such data to what is required by that law.

11. Audit Rights

Upon reasonable written request (with at least 30 days' notice), Call Coach IQ will make available to the Customer — or an independent auditor appointed by the Customer — information reasonably necessary to demonstrate compliance with this DPA.

Audit activities must be conducted during normal business hours, must not unreasonably disrupt Call Coach IQ's operations, and must be subject to confidentiality obligations at least as protective as those in the Terms of Service. Customers may conduct no more than one audit per 12-month period unless a Security Incident has occurred.

The Customer will bear all costs associated with any audit it requests, unless the audit reveals a material breach of this DPA by Call Coach IQ, in which case Call Coach IQ will bear its own reasonable costs.

12. International Data Transfers

Call Coach IQ is based in the United States and processes all Customer Data within Google Cloud infrastructure located primarily in the United States.

For Customers who are subject to GDPR or UK GDPR and whose Customer Data includes personal data of data subjects located in the EEA or United Kingdom, the following applies:

• Google Cloud (our primary infrastructure provider) has executed Standard Contractual Clauses (SCCs) with EU data protection authorities and maintains an adequacy mechanism for data transfers from the EEA to the US. By using Call Coach IQ, the Customer acknowledges that personal data may be transferred to and processed in the United States under these SCC arrangements.
• Enterprise Customers who require execution of supplementary SCCs directly with Call Coach IQ should contact us at support@callcoachiq.com to arrange a bespoke data transfer agreement.

13. Liability

Each party's liability under this DPA is subject to and governed by the limitations on liability set out in the Terms of Service. Nothing in this DPA limits liability that cannot be excluded under applicable data protection law.

Call Coach IQ will be liable for any breach of this DPA caused by the acts or omissions of its sub-processors to the same extent as if Call Coach IQ had committed those acts or omissions directly, except where the sub-processor has its own independent Data Controller obligations under applicable law.

14. Duration and Termination

This DPA takes effect upon the Customer's acceptance of the Terms of Service and remains in force for the duration of the Customer's subscription. It terminates automatically upon termination or expiry of the subscription, subject to the survival of provisions relating to data deletion (Section 10), security incident notification (Section 9), and governing law (Section 15).

15. Governing Law and Jurisdiction

This DPA is governed by the laws of the United States and the state specified in the Terms of Service, without regard to conflict of law principles. Where GDPR or UK GDPR apply, this DPA is supplemented by the applicable EU or UK Standard Contractual Clauses as required.

16. Accepting This DPA

This DPA forms part of the Call Coach IQ Terms of Service. By using the Call Coach IQ platform, the Customer acknowledges that it has read, understood, and agrees to be bound by this DPA.

Enterprise customers who require a countersigned DPA for procurement purposes — for example, for GDPR compliance or vendor due diligence — should contact us at support@callcoachiq.com with the subject line "DPA Countersignature Request". We will provide a PDF version for execution within 5 business days.