DATA PROCESSING AGREEMENT

1. INTRODUCTION AND SCOPE

This Data Processing Agreement ("DPA") forms part of the Terms of Service between NuLink LLC ("Data Processor," "we," "us") and the Customer ("Data Controller," "you") and governs the processing of personal data in connection with NuLink's communication services.

This DPA applies where and only to the extent that NuLink processes Personal Data on behalf of the Customer in the course of providing the Services, and such Personal Data is subject to Data Protection Laws.

2. DEFINITIONS

• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data
• "Data Subject" means the individual to whom Personal Data relates
• "Data Protection Laws" means all applicable privacy and data protection laws including GDPR, CCPA, and others
• "Sub-processor" means any third party engaged by NuLink to process Personal Data
• "Security Incident" means any unauthorized access to Personal Data

3. DATA PROCESSING DETAILS

Subject Matter

Processing of Personal Data necessary to provide communication services including VoIP calling, messaging, and related features.

Duration

Processing will continue for the duration of the service agreement plus any legally required retention period.

Nature and Purpose

• Provisioning and maintaining communication services
• Call and message routing and delivery
• Billing and account management
• Customer support and troubleshooting
• Analytics and service improvement

Categories of Data

• Contact information (names, email addresses, phone numbers)
• Communication metadata (call logs, message history)
• Account and billing information
• Device and connection information
• Call recordings (if enabled by Customer)

Categories of Data Subjects

• Customer employees and authorized users
• Customer's customers and contacts
• Call and message recipients

4. OBLIGATIONS OF THE DATA PROCESSOR

NuLink agrees to:

• Process Personal Data only on documented instructions from the Customer
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Customer with Data Subject requests
• Notify the Customer of any Security Incidents without undue delay
• Delete or return Personal Data upon termination of services
• Make available information necessary to demonstrate compliance

5. SECURITY MEASURES

NuLink implements the following security measures:

• Encryption of data in transit and at rest (AES-256)
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Intrusion detection and prevention systems
• Backup and disaster recovery procedures
• Employee security training and background checks
• Physical security controls at data centers

6. SUB-PROCESSORS

Customer authorizes NuLink to engage sub-processors to process Personal Data. NuLink maintains a list of current sub-processors available upon request.

NuLink will:

• Notify Customer of any intended changes to sub-processors
• Ensure sub-processors are bound by data protection obligations
• Remain liable for sub-processor compliance

7. DATA TRANSFERS

NuLink may transfer Personal Data to countries outside the European Economic Area (EEA) or other jurisdictions. Such transfers are protected by:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by relevant authorities
• Other legally recognized transfer mechanisms

8. DATA SUBJECT RIGHTS

NuLink will assist Customer in responding to Data Subject requests to exercise their rights including:

• Right of access
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object

9. SECURITY INCIDENT RESPONSE

In the event of a Security Incident, NuLink will:

• Notify Customer without undue delay (within 72 hours)
• Provide details of the incident and its likely consequences
• Describe measures taken or proposed to address the incident
• Cooperate with Customer in any required notifications

10. AUDITS

Upon reasonable notice, NuLink will allow Customer or an appointed auditor to conduct audits to verify compliance with this DPA. NuLink will provide reasonable assistance and access to relevant information. Customer bears the costs of any audits unless they reveal material non-compliance.

11. TERMINATION

Upon termination of services, NuLink will, at Customer's choice, delete or return all Personal Data and delete existing copies unless storage is required by applicable law. Deletion will be completed within 90 days of termination.

12. CONTACT INFORMATION

For questions about this DPA or to exercise data protection rights: