Data Protection Agreement

[Need a signed copy (including the full text of the SCCs, UK Addendum, and Sub-Processors)? Send a message to your CSM or legal@consio.ai]

DATA PROCESSING AGREEMENT

CCPA / CPRA 2026 Compliant

Effective Date: May 15, 2026


1.  Recitals

WHEREAS, Business has engaged Consio to provide certain AI-powered voice agent and telephony services (the "Services") pursuant to a Master Subscription Agreement or equivalent order form (the "MSA");

WHEREAS, in providing the Services, Consio will process Personal Information on behalf of Business, and Business and Consio wish to set forth the terms governing such processing to ensure compliance with applicable privacy law, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA") and the revised regulations promulgated thereunder effective January 1, 2026;

NOW, THEREFORE, in consideration of the mutual covenants contained herein and for other good and valuable consideration, the parties agree as follows:

2.  Definitions

The following definitions apply throughout this Agreement. Terms not defined here have the meanings given in the CCPA or the MSA, as applicable.

"ADMT" (Automated Decision-Making Technology) means any system that processes Personal Information using computation to execute a decision, replace human decision-making, or substantially facilitate human decision-making where the outcome produces a significant effect concerning a Consumer, including but not limited to call routing decisions, eligibility determinations, or personalized service responses generated by Consio AI.

"Business Purpose" means the specific, enumerated purpose(s) for which Business discloses Personal Information to Consio, as set forth in Schedule A of this Agreement, consistent with Cal. Civ. Code Section 1798.140(e) and Cal. Code Regs. Tit. 11, Section 7051(a)(2).

"Consumer" means a California natural person as defined in Cal. Civ. Code Section 1798.140(i).

"CPPA" means the California Privacy Protection Agency.

"Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household, as defined in Cal. Civ. Code Section 1798.140(v), and as further described in Schedule A.

"Privacy Risk Assessment" means the formal assessment required under Cal. Civ. Code Section 1798.185(a)(15) and Cal. Code Regs. Tit. 11, Section 7150 et seq.

"Sell" and "Share" have the meanings given in Cal. Civ. Code Sections 1798.140(ad) and (ah), respectively.

"Significant Decision" means a decision that produces a legal or similarly significant effect concerning a Consumer, including decisions related to the provision or denial of services, pricing, eligibility, credit, insurance, or employment.

"Sub-processor" means any third party engaged by Consio to process Personal Information on behalf of Business in connection with the Services.

3.  Roles of the Parties

The parties acknowledge that, with respect to the processing of Personal Information described in this Agreement:

  • Business is the "business" as defined in Cal. Civ. Code Section 1798.140(d), and determines the purposes and means of processing Personal Information that it discloses to Consio;

  • Consio is a "service provider" as defined in Cal. Civ. Code Section 1798.140(ag), and processes Personal Information solely on behalf of Business and in accordance with Business's instructions and the terms of this Agreement;

  • Nothing in this Agreement shall be construed to make Consio a "business" with respect to the Personal Information it processes under this Agreement, except to the extent Consio independently determines the purposes and means of processing for its own purposes outside the scope of this Agreement.

4.  Nature, Purpose, and Scope of Processing

Consio shall process Personal Information solely as instructed by Business, solely for the Business Purposes enumerated in Schedule A, and solely for so long as the MSA remains in effect or as otherwise required by applicable law. Consio shall not:

  • Sell or Share Personal Information;

  • Retain, use, or disclose Personal Information for any commercial purpose other than the Business Purposes specified in Schedule A;

  • Retain, use, or disclose Personal Information outside the direct business relationship between the parties;

  • Combine Personal Information received from Business with Personal Information received from, or collected in connection with, any other source, except as permitted by the CCPA or as expressly authorized in writing by Business.

Consio shall promptly notify Business if, in Consio's reasonable determination, an instruction from Business violates the CCPA or applicable regulations.

5.  Specification of Business Purposes

In accordance with Cal. Code Regs. Tit. 11, Section 7051(a)(2), the parties agree that Business Purposes shall be described with specificity and not in generic terms. The specific Business Purposes and associated categories of Personal Information are set forth in Schedule A. Business Purposes shall not be amended or expanded except by written amendment signed by both parties.

Consio acknowledges that describing Business Purposes solely by reference to the MSA or in terms such as "as needed to provide services" does not satisfy the specificity requirement of Section 7051(a)(2) and that the Schedule A enumeration controls.

6.  Consumer Rights Assistance

6.1  General Obligation

Consio shall implement and maintain technical and organizational measures sufficient to enable Business to fulfill Consumer rights requests under the CCPA, including the right to know (access), the right to delete, the right to correct, the right to opt out of sale/sharing, and the right to opt out of ADMT. Consio shall provide such assistance without undue delay and within the timelines specified in Section 6.2 below.

6.2  Response Timelines

| Consumer Right | Consio Response SLA | Consio Obligation |
|---|---|---|
| Right to Know / Access | 10 business days | Provide data export to Business |
| Right to Delete | 15 business days | Delete + confirm + notify Sub-processors |
| Right to Correct | 10 business days | Correct record + confirm in writing |
| Opt-Out (Sale / Share / ADMT) | 5 business days | Apply flag + propagate to Sub-processors |

7.  Automated Decision-Making Technology (ADMT)

7.1  Acknowledgment

The parties acknowledge that the Services include Automated Decision-Making Technology as defined herein, including AI models that process Consumer voice data to generate call routing decisions, automated responses, and service outcomes. Consio shall comply with all obligations applicable to service providers under Cal. Code Regs. Tit. 11, Sections 7025 and 7085 et seq.

7.2  Pre-Use Notice Documentation

Consio shall maintain and provide Business with current documentation sufficient to enable Business to satisfy its Consumer Pre-Use Notice obligations, including:

  • A plain-language description of the ADMT logic used in the Services;

  • The categories of Personal Information inputs and the types of outputs or decisions produced;

  • Any profiling or behavioral inference carried out in connection with the Services;

  • The specific contexts in which ADMT may produce or substantially facilitate a Significant Decision.

Consio shall update such documentation within thirty (30) days of any material change to its ADMT functionality.

7.3  Opt-Out Mechanics

Upon Business's written instruction, Consio shall:

  • Implement technically feasible mechanisms to honor Consumer opt-out signals from ADMT processing in connection with Significant Decisions;

  • Route opted-out Consumers to non-ADMT handling flows where feasible, or flag the interaction for human review;

  • Transmit opt-out signals to Business's designated systems within five (5) business days and ensure all applicable Sub-processors honor such signals.

7.4  Consumer Appeal Process

Where ADMT produces or substantially facilitates a Significant Decision affecting a Consumer, Consio shall provide Business with the technical capabilities necessary to implement a Consumer appeal process that enables:

  • A request for human review of the outcome;

  • A meaningful explanation of the key factors and logic that influenced the decision;

  • Reconsideration of the decision based on information provided by the Consumer.

Consio shall respond to Business's escalated appeal requests within five (5) business days.

7.5  ADMT Access Requests

In response to a verified Consumer access request relayed by Business, Consio shall provide, within ten (10) business days, the following information to the extent technically feasible:

  • Categories of Personal Information processed by the ADMT in connection with the requesting Consumer;

  • A description of the likely outputs or outcomes produced by the ADMT;

  • The key inputs or features that most significantly influenced those outcomes;

  • Applicable retention periods for the Consumer's processed data.

8.  Sub-processors

8.1  Approved Sub-processors

The Sub-processors approved by Business as of the Effective Date are listed in Schedule B. Business hereby authorizes Consio to engage those Sub-processors for the purposes described therein.

8.2  New and Changed Sub-processors

Prior to engaging any new Sub-processor or materially changing an existing Sub-processor's role with respect to Business's Personal Information, Consio shall provide Business with no less than thirty (30) days prior written notice, including the Sub-processor's name, country of establishment, and the nature of the processing to be performed. Consio shall update Schedule B accordingly.

8.3  Business Right to Object

Business may object to a proposed new Sub-processor by providing written notice to Consio within twenty (20) days of receiving the Sub-processor notice. Objections must be based on documented, reasonable privacy or security concerns. The parties shall negotiate in good faith for thirty (30) days. If unresolved, Business may terminate the affected Services on ninety (90) days written notice without penalty.

8.4  Sub-processor Obligations

Consio shall bind each Sub-processor to written data protection obligations no less protective than those in this Agreement, including all applicable CCPA requirements. Consio remains fully liable to Business for each Sub-processor's acts and omissions to the same extent as if Consio had performed the processing directly.

9.  Security Measures

9.1  Technical and Organizational Measures

Consio shall implement and maintain reasonable and appropriate technical and organizational security measures designed to protect Personal Information against unauthorized access, destruction, use, modification, or disclosure. Such measures shall include, at a minimum:

  • Encryption of Personal Information at rest and in transit using industry-standard protocols;

  • Access controls limiting access to Personal Information to personnel on a need-to-know basis;

  • Regular vulnerability assessments and penetration testing of systems processing Personal Information;

  • Incident response and business continuity procedures covering Personal Information;

  • Employee training on data protection and security obligations.

9.2  Cybersecurity Audit

No less than once per calendar year, Consio shall conduct or commission a cybersecurity audit of its systems, controls, and practices as they relate to Business's Personal Information. Upon Business's written request, Consio shall provide:

  • An executive summary of the most recent audit findings, or a confirmation letter from an independent auditor;

  • A description of any material vulnerabilities identified and the remediation actions taken or planned.

9.3  Business-Initiated Security Assessments

Business may, no more than once per calendar year and upon thirty (30) days prior written notice, conduct or commission an independent security assessment of Consio's systems directly relevant to the processing of Business's Personal Information, at Business's expense. Consio shall cooperate reasonably and respond to written findings within twenty (20) business days.

10.  Data Breach Notification

In the event of an actual or reasonably suspected breach of security involving Business's Personal Information, Consio shall:

  1. Notify Business in writing within seventy-two (72) hours of discovery;

  2. Include in such notice: a description of the nature of the incident, the categories and approximate number of Consumers and records affected, the likely consequences, the measures taken or proposed to address the incident, and Consio's designated contact for follow-up;

  3. Cooperate fully with Business's investigation and response efforts, including providing access to relevant logs, records, and personnel;

  4. Not notify any regulatory authority, Consumer, or third party about the incident in a manner that identifies Business without Business's prior written consent, except as required by applicable law;

  5. Remediate the cause of the breach and provide Business with written confirmation of remediation steps taken.

11.  Privacy Risk Assessment Cooperation

Consio shall provide reasonable cooperation to Business in connection with any Privacy Risk Assessment, including:

  • Providing a current data flow map and processing inventory upon reasonable prior written notice;

  • Disclosing the identities and roles of all Sub-processors with access to Personal Information;

  • Responding to a written questionnaire or RFI from Business within fifteen (15) business days of receipt;

  • Providing thirty (30) days advance written notice before introducing any new processing activity that may present a significant risk to Consumer privacy, including new ADMT use cases, new Personal Information categories, or new Sub-processors.

12.  Remediation Rights

12.1  Business Right to Direct Remediation

Upon Business's reasonable written determination that Consio has used or is using Personal Information outside the scope of this Agreement, Business may direct Consio to:

  1. Immediately cease the non-compliant processing;

  2. Delete or return the affected Personal Information within fifteen (15) business days;

  3. Provide written confirmation that non-compliant processing has ceased and affected data has been deleted or returned;

  4. Implement technical or organizational measures reasonably specified by Business to prevent recurrence.

12.2  Dispute Resolution

If Consio disputes Business's determination of non-compliance, the parties shall escalate to senior legal and compliance representatives within five (5) business days and use commercially reasonable efforts to resolve the dispute within thirty (30) days. Consio's obligation to cease the disputed processing shall remain in effect during this period, unless Consio obtains a written legal opinion from independent qualified counsel confirming the processing is compliant.

13.  Data Retention and Deletion

Consio shall retain Personal Information only for the periods specified in Schedule A, and for no longer than is necessary for the applicable Business Purpose or as required by applicable law. Upon expiration of the applicable retention period, or upon termination of the MSA, Consio shall:

  • Securely delete or destroy all Personal Information in Consio's possession or control within thirty (30) days, including copies held by Sub-processors;

  • Provide Business with written certification of deletion within fifteen (15) business days of completion;

  • Retain only such data as is strictly required by applicable law, notifying Business of the legal basis and expected duration for any such retention.

15.  Confidentiality

Consio shall ensure that all personnel authorized to process Personal Information under this Agreement are subject to binding confidentiality obligations. Consio shall not disclose Personal Information to any third party except: (a) to Sub-processors in accordance with Section 8; (b) as required by applicable law, in which case Consio shall provide Business with advance written notice to the extent permitted by law; or (c) as expressly authorized in writing by Business.

16.  General Provisions

16.1  Relationship to MSA

This Agreement is incorporated into and forms part of the MSA. In the event of any conflict between this Agreement and the MSA with respect to the processing of Personal Information subject to the CCPA, this Agreement shall control.

16.2  Amendments

The parties agree to negotiate in good faith any amendments to this Agreement required by future changes to the CCPA or applicable regulations. Either party may request renegotiation upon thirty (30) days written notice following a material change in applicable law.

16.3  Audit and Records

Consio shall maintain complete and accurate records of its processing activities under this Agreement for a minimum of three (3) years and shall make such records available to Business and to the CPPA upon request.

16.4  Governing Law and Jurisdiction

This Agreement is governed by the laws of the State of California. Any dispute arising under this Agreement shall be subject to the exclusive jurisdiction of the courts specified in the MSA, or if none is specified, the state and federal courts located in San Diego County, California.

16.5  Severability

If any provision of this Agreement is found to be unenforceable, the remaining provisions shall remain in full force and effect, and the parties shall negotiate a replacement provision that achieves, to the extent possible, the original purpose.

16.6  Entire Agreement

This Agreement, together with the MSA and all Schedules attached hereto, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior data processing terms and agreements relating to Personal Information subject to the CCPA.


SCHEDULE A

Specific Business Purposes, Personal Information Categories, and Retention Periods

This Schedule is required by Cal. Code Regs. Tit. 11, Section 7051(a)(2) and must be completed by the parties prior to execution.

A.1  Enumerated Business Purposes

Consio is authorized to process Personal Information solely for the following specific purposes:

  • Operating and delivering AI-powered inbound and outbound voice agent services on behalf of Business;

  • Automated call routing, triage, and response generation;

  • Generating and delivering call summaries and transcripts;

  • Retaining call recordings for quality assurance review by Business personnel;

  • Service performance analytics and reporting to Business;

  • Fraud detection and abuse prevention;

  • Compliance with applicable legal obligations.


A.2  Categories of Personal Information

| Category | Examples |
|---|---|
| Voice recordings / audio | Call audio files |
| Call transcripts | AI-generated speech-to-text |
| Identifiers | Name, phone number, account and order ID |
| Call metadata | Timestamp, duration, disposition |
| Sensitive personal information | Financial, health data shared on call |
| Behavioral / inferential data | AI summaries, sentiment scores |

A.3  Data Retention Periods

| Data Type | Retention Period |
|---|---|
| Call recordings | 180 days from call date |
| Call transcripts | 360 days from call date |
| Call metadata | Duration of Business account |
| Opt-out / preference signals | Duration of Business account |
| Backup / DR copies | Duration of Business account |

SCHEDULE B

Approved Sub-processors

The following Sub-processors are approved by Business as of the Effective Date. Consio shall update this Schedule and notify Business in accordance with Section 8.2 before engaging any new Sub-processor. Each Sub-processor is bound by written data protection obligations no less protective than those in this Agreement.


| Sub-processor | Country | Service Type |
|---|---|---|
| Google | United States | Cloud Services |
| Twilio | United States | Telephony Services |
| ElevenLabs | United States | AI TTS and STT services |
| Datadog | United States | Observability |

Schedule B shall be updated via written notice from Consio pursuant to Section 8.2 and does not require re-execution of the Agreement upon each update, provided that Business has not exercised its right to object under Section 8.3.
