2025 Rev 2 - May 2025

1. Background

1.1 In the course of performance of the Services, Natterbox will process Relevant Personal Data and the Parties agree that the terms of this Addendum shall govern such Processing.

1.2 This Addendum forms part of and is incorporated into the Master Agreement (as defined below) entered into between Natterbox and the Client on the Effective Date.

1.3 The terms of the Master Agreement apply in full to this Addendum, however in case of any conflict or inconsistency between the terms of this Addendum and the Master Agreement, the terms of this Addendum shall take precedence.

2. Definitions

2.1 In this Addendum, unless the context otherwise requires, the following terms shall have the following meanings:

AI Data	means data processed by AI Services, which may include input data provided by the Client and output data generated by the AI Model.
AI Model	means specific algorithm or set of algorithms used in providing AI Services.
AI Output	results, responses, or insights generated by the AI Services.
AI Services	means artificial intelligence-based services provided by Natterbox as part of the Natterbox Services, which may include AI Agents, AI Assistants, and other AI-powered features or functionalities;
Call Logs	means any data using the services that constitutes traffic data as defined in the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Client Personal Data	personal data for which Client is the Data Controller and which Natterbox Processes on Client's behalf as a Data Processor to provide the Services to Client.
Data Protection Laws	means any applicable laws and regulations in any applicable jurisdiction from which the Services are provided relating to the Processing of Personal Data including: (i) the EU GDPR; (ii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR (including, in the UK, the UK GDPR and Data Protection Act 2018 ("DPA"); (iii) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC) (including, in the United Kingdom, the Privacy and Electronic Communications (EC Directive) Regulations 2003), in each case, as updated, amended or replaced from time to time; (iv) any relevant data privacy laws or regulations affecting jurisdictions where the service is being used.
Enquiry	means any request, complaint, investigation, notice or communication from a Data Subject or a Supervisory Authority.
Logs	means any and all data systematically recorded, generated, processed, or stored by the Processor's systems, applications, or infrastructure in connection with the provision, operation, maintenance, monitoring, security, or troubleshooting of the Services provided under this Agreement.
Master Agreement	means the Master Services Agreement or Subscription Services Agreement (as applicable) entered into by Natterbox and Client for the provision of the Services.
Derived Data	means data derived or generated by Natterbox as part of the Services that is not information directly supplied or provided by the Client (such as call statistics, call metadata analytics, call quality metrics, etc).
Relevant Personal Data	means Personal Data that Client or a User discloses to Natterbox or which may be accessed or generated by Natterbox in the course of performance of the Services including Client Personal Data and, to the extent they are Personal Data, Call Logs and Natterbox Derived Data.
Sub-Processor(s)	a sub-contractor or supplier of Natterbox which Processes Client Personal Data on Natterbox's behalf in performance of the Services.
Home Region	a designated geographical location utilising AWS infrastructure where Natterbox stores and processes the data of customers using the services.

2.2 Any other capitalised terms used in this Addendum shall have the same meaning as defined in the Master Agreement.

3. General

3.1 In respect of Relevant Personal Data, each Party shall (and shall ensure that their personnel shall) cooperate with the other Party and provide such information and assistance as the other Party may reasonably require to enable that Party:

3.1.1 to comply with their obligations under Data Protection Laws;

3.1.2 to deal with and respond to any Enquiry; and

3.1.3 to demonstrate the Party's compliance with this Addendum and clause 7 of the Master Agreement.

3.2 If a Party receives an Enquiry which relates directly to its sharing of Relevant Personal Data pursuant to this Agreement, or to the other Party’s compliance with any Data Protection Laws, it shall notify the other Party if legally permissible as soon as reasonably practicable.

3.3 Subject to paragraph 3.2, no Party shall take any action in relation to any Enquiry where it relates to the other Party’s Processing of Relevant Personal Data as a Data Controller without prior written notice to the other Party and providing the other Party with a reasonable opportunity to contribute to the response to mitigate the impact of the action on the other Party.

3.4 Except as provided otherwise in this Addendum, any request to Natterbox under this Addendum shall be made to privacy@natterbox.com.

4. Data Processor obligations

4.1 To the extent that Natterbox Processes any Client Personal Data on behalf of Client, each Party shall comply with its respective obligations set out in this paragraph 4.

4.2 Natterbox shall process Client Personal Data only upon Client’s lawful written instructions exclusively set out in the Master Agreement unless it is otherwise required by applicable law (in which case, unless such law prohibits such notification on important grounds of public interest, Natterbox shall notify Client of the relevant legal requirement before processing the relevant Client Personal Data). Such Processing shall be in respect of the types of Personal Data, categories of Data Subjects, nature and purposes and durations set out in Annex A of this Addendum.

4.3 Client provides Natterbox general authorisation for the engagement of sub-processors from an agreed list. Sub-processors perform the Services as defined in Annex A to this Addendum including any suppliers, advisors, contractors and auditors. Natterbox shall maintain a list of all current Sub-processors at https://docs.natterbox.com/docs/natterbox-sub-processors. If Client supplies a relevant nominated email address, Natterbox will also notify Client of proposed changes by email to the Client-nominated email address twenty-one (21) days prior to the engagement of a new or replacement Sub-processor. Client can inform Natterbox of such email addresses to compliance@natterbox.com. If a change of Sub-processor is likely to cause material detriment to Client, Client may object (in writing to the relevant address for notices set out in the Master Agreement or email to legal@natterbox.com) within ten (10) business days with documented reasons, provided that such objection must be on reasonable, substantial grounds, directly related to such new Sub-Processor's ability to comply with substantially similar obligations to those set out in this Addendum. If the Parties are unable to come to a resolution within thirty (30) days after such notice of objection, then Client may, by thirty (30) days' notice in writing to Natterbox, terminate those Services which cannot be provided by Natterbox without the use of the new or replacement Sub-processor in accordance with the Master Agreement. If Client does not so object, the engagement of the new Sub-Processor shall be deemed accepted by Client.

4.4 Natterbox shall only share Client Personal Data with Sub-processors or transfer Client Personal Data to any country outside the European Economic Area and/or the United Kingdom, provided that:

4.4.1 Natterbox procures that GDPR requirements applicable in respect of any such transfer are complied with including, where applicable, that such transfer is subject to International Data Transfer Agreements approved by the UK Information Commissioner's Office, and EU Standard Contractual Clauses, for the transfer of Personal Data to Data Processors established in third countries; and

4.4.2 Natterbox ensures that any Sub-processor is under substantially similar data protection obligations as between Natterbox and Client as set out in this Addendum.

4.5 Client acknowledges and agrees that for compliance with paragraph 4.4.1, Natterbox will enter into UK Information Commissioner's Office International Data Transfer Agreements and EU Standard Contractual Clauses with sub-processors when required.

4.6 Appointment of any Sub-processor by Natterbox shall not relieve Natterbox of any of its liabilities, responsibilities or obligations to Client under this Addendum and Natterbox shall remain liable for the acts and omissions of its Sub-processors.

4.7 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, Natterbox shall implement technical and organisational measures and procedures to ensure a level of security for Client Personal Data appropriate to the risk as required by the GDPR, in particular to safeguard Client Personal Data against any unlawful or unauthorised: access, loss, destruction, theft, use or disclosure.

4.8 Natterbox shall take reasonable steps to ensure that its employees who are authorised to have access to Client Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality when Processing Client Personal Data.

4.9 Natterbox shall make available to Client information necessary to demonstrate compliance with its obligations under this Addendum, and allow Client to conduct an audit of Natterbox's compliance with its obligations under this Addendum, subject to the following requirements:

4.9.1 Client may perform such audits once per year, or more frequently if required by the Data Protection Laws applicable to the Client;

4.9.2 Client may use a third party to perform the audit on its behalf, provided that such third party executes a confidentiality agreement acceptable to Natterbox before the audit;

4.9.3 audits must be conducted during regular business hours, subject to Natterbox's policies, and may not unreasonably interfere with Natterbox's business activities;

4.9.4 Client must provide Natterbox with any audit reports generated in connection with any audit at no charge unless prohibited by law. Client may use the audit reports only for the purposes of meeting its audit requirements under applicable Data Protection Laws and/or confirming compliance with the requirements of this Addendum. The audit reports shall be confidential;

4.9.5 to request an audit, Client must first submit a detailed audit plan to Natterbox at least 6 weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, requirements, form and start date of the audit. Natterbox will review the audit plan and inform Client of any concerns or questions (for example, any request for information that could compromise Natterbox's confidentiality obligations or its security, privacy, employment or other relevant policies). Natterbox will work cooperatively with Client to agree a final audit plan;

4.9.6 nothing in this clause 4.9 shall require Natterbox to breach any duties of confidentiality owed to any of its clients or employees; and

4.9.7 all audits are at Client's sole cost and expense.

4.10 Natterbox shall inform Client without undue delay upon becoming aware of any Personal Data Breach in respect of Client Personal Data whilst within Natterbox’s or any of its Sub-processors' possession or control.

4.11 Subject to paragraph 4.12, and except as required by applicable law or in order to defend any actual or possible legal claims, on termination of the Master Agreement, Natterbox shall, as Client so directs, either return to Client all Client Personal Data and copies thereof in its possession; or delete applicable Client Personal Data as soon as practicable.

4.12 Natterbox will cooperate with all valid and lawful requests by a Data Subject to exercise its rights as detailed in the GDPR or other applicable Data Protection Laws in respect of Client Personal Data and where such requests are sent directly to Natterbox rather than Client, Natterbox shall redirect the Data Subject to submit their request to Client as soon as reasonably practicable.

4.13 Notwithstanding any other provision of the Master Agreement or this Addendum, Client acknowledges and agrees that: (a) as a registered telecommunications operator, Natterbox is subject to national and international telecommunications laws and regulations that require certain Relevant Personal Data such as Client records and Call Logs to be maintained for security and regulatory purposes; and (b) accordingly Natterbox shall not be obliged to comply with Client or Data Subject deletion requests in these circumstances.

5. Artificial Intelligence

5.1 Natterbox processes AI Data to provide AI Services as described in the Master Agreement or any applicable service-specific terms.

5.2 Client grants Natterbox the right to process AI Data for the purpose of providing AI Services.

5.3 Responses, feedback and data derived from the use of the AI Services is used to reinforce and enhance Natterbox’s AI models and technologies, provided such data is anonymised, aggregated and unidentifiable.

5.4 Natterbox will design products to comply with the EU AI Act and other AI Regulations where applicable.

5.4.1 Applicability of the AI Act depends on the use case and the geographical location of the Client's users.

5.4.2 Natterbox will take reasonable steps to ensure that AI Services comply with the AI Act when used in the European Union.

5.4.3 Client agrees that their use of Natterbox AI products must be in line with applicable AI Regulations, depending on geographical locations of use and data types processed across the platform.

5.5 Client is responsible for ensuring that it has the right to provide AI Data to Natterbox.

5.6 AI Output is provided "as is" and that Natterbox does not guarantee the accuracy, completeness, or suitability of AI Output for any particular purpose.

5.7 Due to the nature of AI technology, AI Services may generate unexpected or inaccurate results, Client is responsible for verifying the accuracy of AI Output before relying on it.

5.8 For further details on data processing and storage locations, and use of AI Data please see here:

h ttps://docs.natterbox.com/docs/international-data-flows-and-transfers

Annex A - Data Processing Details

In this addendum, "Operational Call Logs" and "Client Call Logs" mean call data records containing the information referred to against each name in the "Types of Personal Data" section below.

SCOPE OF PROCESSING	Natterbox provides global AI-powered communications (product depending) and data services to route and connect inbound and outbound communications and to transfer recordings and information about those communications into the Customer’s CRM systems and other storage services.
NATURE OF PROCESSING	General: The provision of marketing, sales, support, operational and managerial information to support business activities. Platform: Configuration and storage of call and communications routing and management policies to facilitate call routing between global telecoms carriers. Using information from the caller and the Client’s CRM to route and manage calls in real time. Communications connection and termination. Facilitating two-way audio and media for communications. Gathering and processing Operational Call Logs to produce Client Call Logs containing call meta-data and information about calls and communications. Transferring Client Call Logs to Client’s CRM system. Gathering, processing and storing voicemails. Gathering, processing and storing call data and metrics from Operational Call Logs for, billing, system analytics, regulatory retention and system management. Diagnosing communications connection issues on notification to customers using network traces at an audio and signalling level. Feature dependent based on product options: When using Natterbox’s recording and transcription services - gathering, processing and storing call recordings within AWS storage. When using Natterbox’s SMS, MMS and WhatsApp services - gathering, sending, processing and storing messages and associated data. When using Natterbox’s call analytics and AI services - call transcription and post-processing of communications to create business intelligence and insights for Client. When using Natterbox’s PCI payment service module - diverting call flows to PCI Compliant Service Providers. When using Natterbox's video calling service - video recordings or snapshots of the video during the recording.
PURPOSE OF PROCESSING	To provide business services and facilitate advanced communications and data services with integration into CRM and other third-party systems.
LOCATION OF PROCESSING	Natterbox maintains a list of Sub-processors and their processing locations at https://docs.natterbox.com/docs/natterbox-sub-processors To provide a secure and reliable telephone service where calls can be routed with minimum latency between callers in any global location, Natterbox infrastructure is distributed across multiple AWS locations. Operational Call Logs are transferred from the regional AWS locations where the calls were facilitated to the customer’s Home Region or Natterbox’s own UK data centres in real time for processing. Once processed, call information is pushed into the customer's own CRM instances for storage and retention to facilitate reporting and business intelligence. Natterbox retains basic call log information for billing and regulatory requirements within our own datacentres in the UK or within AWS. If utilising Natterbox’s call recording solution, encrypted recordings are stored using Amazon Web Services. Unless specifically agreed, these will either be stored in the EU, the customer's Home Region, or (if requested) in the customer’s own AWS storage instance. For further details on data processing and storage locations and information about Client- designated Home Regions please see here: https://docs.natterbox.com/docs/international-data-flows-and-transfers
DURATION OF PROCESSING	Platform: During and after communications: Operational Logs are retained for the minimum time required for processing and purged automatically and permanently periodically in line with defined retention periods. Client Logs (including Call Logs) are stored by Natterbox for billing and regulatory purposes according to national and international communications laws and Regulations dependent on operating territory. Call recordings are retained for 12 months unless otherwise agreed and/or further storage is purchased. Further details can be found here:https://docs.natterbox.com/docs/international-data-flows-and-transfers
TYPES OF PERSONAL DATA	Contact Data: Client’s business names, address and location details, staff names, staff email addresses, staff contact mobile and DDI numbers, staff roles and titles, staff contact preferences, marketing preferences, web-site activity history, communication history, business relationships, customer history. Contract Data: Client’s business details, tax ID, statutory registration information, credit information, billing information, contract terms, contractual agreements, sales agreements, non-disclosure agreements. Client Business and Operational Data: Details of telephony configuration and requirements, network infrastructure, organisational structure and communications relationships, telecoms policies and processes. Details of CRM configuration and setup. Diagnostic information and logs provided for support purposes. Product and Service Data: Data stored in Operational Databases: Client’s business name, staff names, staff email addresses, staff mobile and DDI numbers, agent (staff) skills (optional), numbers and custom messages. These are used for IVRs, call announcements, personalisation and intelligent and skills-based call routing. Data stored in Operational Logs: Client’s staff business phone numbers, names, business email addresses. Meta-data about communications such as time, duration, telephony device’s IP address, location. Any data required by the Client and provided to the Natterbox’s systems from Client’s CRM to facilitate intelligent call routing, enhanced call experience and call management. This may include but is not limited to the calling customer’s preferred language, location, time zone, business name, account executive, music preferences, staff skills etc. Such data is unstructured, optional and under control of the Client. Data stored in Client Call Logs: Phone numbers of anyone that calls to or receives calls from Client’s customers or staff. Meta-data about the call such as country, date and time, duration, ring time etc. No other personal information (personal names, IP addresses etc) is stored in Client Call Logs. Other: Diagnostic data in the form of network and packet traces captured to debug call issues which may include unstructured data in the form of call meta-data, media content, call quality information, signalling traces and call information (IP, Phone Number, Date/Time). When using Natterbox’s recording service - voice recordings of calls. When using Natterbox’s SMS, MMS and WhatsApp services - message content and associated files. When using Natterbox’s AI Services - potentially personally identifiable information gathered from call analytics, sentiment analysis, content transcription etc. When using Natterbox's video calling service - video recordings or snapshots of video.
CATEGORIES OF DATA SUBJECT	Clients’ staff using the communications services Clients’ customers and members of the general public who may be customers of or in communications contact with the data controller (Client), including: Customers Potential Customers Subscribers Employees Suppliers Authorised Agents Contact Persons
SPECIAL CATEGORIES OF PERSONAL DATA	No Special Categories of data are stored as structured data. However, there may be instances of Special Categories of data stored in call recordings and transcriptions of conversations if those services are used.
THIRD-PARTY PROCESSORS	All Processors are selected according to Natterbox’s Supplier Review and adhere to Natterbox’s data processing standards. The full supplier list is published at https://docs.natterbox.com/docs/natterbox-sub-processors Selection categories and criteria for key suppliers: International Telecoms carriers and Internet Service Providers – Services providing connectivity, call routing and termination services, and other data across the Internet. Telecoms Number providers – Organisations that provide numbers in different global markets. Client details are sometimes required to be shared for regulatory purposes when acquiring numbers. Hosted Web Services - Suppliers that host Natterbox’s voice and communications platform and services to enable call & comms routing, call management, processing and storage. Cloud Databases – Processing and storage of call information. CRM and Associated Tools - CRM providers and the business services that the Natterbox platform interacts with and pushes Client Call Logs to. Data Centre Hosting Providers – Natterbox's private cloud servers and infrastructure that is used for data processing. Call Transcription and Analytics services – Call processing and data analytics. Service Provider Partners – Partners providing additional AI, voice, telecoms and system services. Administrative Suppliers - Suppliers that provide administration, management, security and other business services.

Annex B – Optional

Agreement for Platform Integrations and the third party use of Natterbox-derived data

Natterbox Derived Data may be transferred by Client out of the Natterbox platform to other platforms for Processing by or on behalf of Client for use in operational metrics, machine learning or statistical call analysis.

Derived Data by definition does not normally contain Personal Information. Parties acknowledge and agree that Natterbox is the Data Controller of Natterbox Derived Data and Client is the Data Controller of any Personal Data.

This Annex to the Data Processing Addendum outlines Client’s responsibilities when it transfers, integrates or stores (i.e. Processes). Natterbox Derived Data with their own or third-party systems where such derived data includes Personal Data.

1. General Terms

1.1 To the extent that Client Processes Natterbox Derived Data that contains Personal Data (or provides Natterbox Derived Data that contains Personal Data to third parties) it shall do so as a Data Controller.

1.2 The right to re-Process specific Natterbox Derived Data by third parties must be agreed and approved in writing by Natterbox. The Client's request for such approval shall set out details of the specific Natterbox Derived Data requested ("Specific Data") together with the information in paragraph 2.

1.3 Subject to paragraph 1.2, where explicit authorisation and instructions are provided by Client, Natterbox will facilitate integration or transfer of Specific Data to specified third parties.

1.4 Natterbox may charge fees for:

1.4.1 technical assistance and costs implementing, managing and facilitating such integrations referred to in paragraph 1.3; and

1.4.2 integration or transfers of Natterbox Derived Data to Client where Natterbox reasonably considers such assistance to be onerous.

1.5 Client must apply or ensure it has and at all times maintains in place technical and organisational measures and procedures to ensure an appropriate level of security for Natterbox Derived Data in its possession or control (including any Natterbox Derived Data shared by or on behalf of Client with third parties) appropriate to the risk, including protecting such Natterbox Derived Data against the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access.

1.6 By transferring Natterbox Derived Data out of Natterbox’s platform to Client's own or third-party systems, to the extent permitted by law, Natterbox is no longer responsible (and hereby excludes any and all liability) for the security and integrity of such Natterbox Derived Data including any compliance with the GDPR and Client shall be wholly responsible for all GDPR and other statutory regulations governing the usage, security and retention of such Natterbox Derived Data.

2. Requirements:

In any request for access to Natterbox Derived Data, Client must inform Natterbox of:

2.1 The Natterbox Derived Data to be transferred

2.2 The means of Natterbox Derived Data transfer

2.3 The nature of the processing of the Natterbox Derived Data

2.4 The purpose of the processing of the Natterbox Derived Data

2.5 The name of the processor(s) of the Natterbox Derived Data

2.6 The location of the processing of the Natterbox Derived Data

2.7 The duration of the processing of the Natterbox Derived Data

3. Termination:

3.1 Natterbox reserves the right to modify or terminate this Annex and the permission for Client and third parties to use the Natterbox Derived Data with immediate effect by notice in writing to the Client in the event of misuse of Natterbox Derived Data by or on behalf of Client or any third party to which Client provides the Natterbox Derived Data, unreliability, performance impact, excessive communications load, insufficient data security or any data breach (including a Personal Data Breach) or otherwise if Natterbox receives notification in accordance with paragraph 3.2.

3.2 Client must inform Natterbox as soon as practicable when the integration or transfer of Natterbox Derived Data is no longer required, the Natterbox Derived Data is no longer being Processed by or on behalf of Client or any third party to which Client provides the Natterbox Derived Data or if Client wishes to terminate this Annex.

4. Communication

4.1 Authorisation requests and communication regarding transfers of Natterbox Derived Data should be sent to privacy@natterbox.com

Annex C - EU to UK Data Transfer Safeguards

As Natterbox is based in a country with an adequacy decision by the European Commission, it is not required to conclude Standard Contractual Clauses (‘SCCs’) for the transfer of Personal Data to the UK. However, Natterbox will duly observe all its respective obligations under this Agreement and the applicable Data Protection Laws. In addition, in connection with the processing of Personal Data, Natterbox shall:

1. ensure that any Subcontractor and/or Affiliate will be subject to a written agreement with Natterbox requiring the Subcontractor to comply with the same data protection obligations as set out in this Agreement; and

2. include in its agreement with its Subcontractor(s) and/or Affiliate(s) any additional contractual obligations for the Subcontractor(s) and/or Affiliate(s) resulting from the outcome of a Transfer Impact Assessment to be performed by Natterbox; and

3. enter into International Data Transfer Agreements, or any other model contract that provide adequate safeguards and is issued by Natterbox’s competent data protection authority, with its Subcontractor and/or Affiliate, if Personal Data is processed outside the European Economic Area (EEA) without an adequate level of protection as determined by the European Commission. With regard to transfer of Personal Data between Natterbox and its Affiliate(s) Binding Corporate Rules can serve as such model contract, if available; and

4. grant the right to audit Natterbox’s compliance with above mentioned obligations and applicable Data Protection Laws in accordance with clause 4.9 (Audit Rights) of this Data Processing Agreement.

Data Processing Agreement