Hilus Data Processing Addendum

1. Definitions

"Customer Data" means Personal Data processed by Hilus AI on Customer's behalf in connection with the Services and contained in Customer content, communications, recordings, transcripts, workflows, account-level configurations, or other materials submitted to, stored in, or otherwise processed through the Services by or on behalf of Customer. Customer Data does not include account, billing, relationship-management, telemetry, support, or similar data that Hilus AI Processes as a controller for its own business purposes as described in its Privacy Policy, nor de-identified or aggregated data that does not identify Customer or any individual.

"Data Protection Laws" means applicable laws and regulations relating to privacy, data protection, security, or the Processing of Personal Data, including, where applicable, the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, and the CCPA.

"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

"Subprocessor" means any third party authorized by Hilus AI to Process Customer Data in connection with the Services.

"Personal Data," "Process" or "Processing," "Controller," "Processor," "Business," "Service Provider," and "Contractor" have the meanings given to them under applicable Data Protection Laws.

2. Scope and Roles

Customer appoints Hilus AI as a Processor, Service Provider, or Contractor, as applicable, to Process Customer Data on Customer's behalf only for the limited and specific purposes described in the Agreement and this DPA, including providing, securing, supporting, and maintaining the Services and carrying out related processing permitted by applicable Data Protection Laws.

Customer is the Controller or Business for Customer Data, or is acting on behalf of a Controller or Business and has the authority to instruct Hilus AI regarding the Processing of Customer Data.

This DPA does not apply where Hilus AI acts as a Controller for data it Processes for its own business purposes, such as account administration, billing, fraud prevention, support operations, security, or legal compliance.

3. Customer Instructions and Customer Responsibilities

The Agreement, including any applicable order form, this DPA, the configuration of the Services, and Customer's documented written instructions consistent with the Agreement together constitute Customer's complete documented instructions for Hilus AI's Processing of Customer Data. Customer acknowledges that certain service configurations and design choices controlled by Customer, including user permissions, integrations, retention settings, deletion settings, and workflow design choices, form part of Customer's instructions.

Customer is responsible for the accuracy, quality, and legality of Customer Data and for providing all notices and obtaining and maintaining all rights, permissions, and consents required for Hilus AI to lawfully Process Customer Data, including for call recording disclosures, automated communications, AI disclosures, and customer communications where applicable. If Customer is itself a Processor, Service Provider, or Contractor, Customer represents that its instructions and appointment of Hilus AI have been authorized by the relevant Controller or Business.

Except to the extent separately agreed in writing, Customer will not intentionally submit to the Services: (i) human protected health information regulated by HIPAA; (ii) payment card numbers, card security codes, bank account credentials, or similar payment credentials except through an approved third-party payment processor flow made available for that purpose; or (iii) special-category or similarly sensitive Personal Data that would require materially different processing obligations than those described in this DPA.

4. Hilus AI Processing Obligations

Hilus AI will Process Customer Data only on Customer's documented instructions unless otherwise required by applicable law. If Hilus AI is required by applicable law to Process Customer Data other than on Customer's instructions, Hilus AI will inform Customer before doing so unless prohibited by law.

Hilus AI will promptly notify Customer if, in Hilus AI's reasonable opinion, a Customer instruction violates applicable Data Protection Laws. To the extent legally permitted, Hilus AI will also notify Customer if it receives a legally binding request from a regulator, court, or law enforcement authority for disclosure of Customer Data.

Hilus AI will ensure that persons authorized to Process Customer Data are subject to appropriate confidentiality obligations.

5. Security and Security Incidents

Hilus AI will implement and maintain reasonable and appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the nature of the Processing and the information available to Hilus AI. A summary of Hilus AI's security measures is set out in Schedule 2.

Hilus AI will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Data. To the extent reasonably available, Hilus AI's notice will describe the nature of the Security Incident, the categories of Customer Data affected, the likely consequences, and the steps taken or proposed to investigate, contain, mitigate, and remediate the Security Incident.

Hilus AI's notification of or response to a Security Incident is not an acknowledgment of fault or liability.

Hilus AI will take reasonable steps to investigate, contain, mitigate, and remediate the Security Incident.

6. Data Subject Requests and Cooperation

Taking into account the nature of the Processing, Hilus AI will provide reasonable assistance to Customer to enable Customer to respond to requests from individuals exercising rights under applicable Data Protection Laws, to the extent Customer cannot reasonably fulfill such requests through the Services.

Unless required by applicable law, Hilus AI will not respond directly to any such request relating to Customer Data without Customer's prior written authorization, except that Hilus AI may advise the requester to direct the request to Customer.

Hilus AI will provide reasonable assistance to Customer, at Customer's expense where permitted by law, with data protection impact assessments, prior consultations with regulators, or similar obligations to the extent required by applicable Data Protection Laws and reasonably related to Hilus AI's Processing of Customer Data.

7. Subprocessors

Customer provides general authorization for Hilus AI to engage Subprocessors to Process Customer Data in connection with the Services, including providers of hosting, communications, telephony, analytics, customer support, security, and AI or speech technology services.

Hilus AI will maintain a current list of material Subprocessors and will make that list available on request or, if Hilus AI elects, through a public posting or customer-facing webpage. Hilus AI will provide notice of material changes to the list by updating the posting, emailing Customer, or through another reasonable means.

Hilus AI will impose data-protection obligations on each Subprocessor that are no less protective than the obligations imposed on Hilus AI under this DPA, to the extent applicable to the services performed by that Subprocessor. Hilus AI will remain responsible for the acts and omissions of its Subprocessors to the same extent Hilus AI would be responsible if performing the services directly, subject to the liability limitations in the Agreement.

If Customer has a reasonable data-protection objection to a new Subprocessor, Customer may notify Hilus AI in writing within thirty (30) days after receiving notice of the change. The parties will work in good faith to address the objection. If the parties cannot resolve the objection within a reasonable period, Customer may terminate the affected Services on written notice.

8. Audits and Compliance Information

Upon Customer's reasonable written request, and no more than once annually unless required by applicable law or a confirmed Security Incident, Hilus AI will provide information reasonably necessary to demonstrate its compliance with this DPA, including summaries of relevant security controls or policies.

To the extent required by applicable Data Protection Laws and where the information made available by Hilus AI is insufficient, Hilus AI will allow for a reasonable audit or inspection by Customer or its independent auditor, subject to reasonable advance notice, confidentiality obligations, and measures to minimize disruption to Hilus AI's business. Any such audit will be at Customer's expense.

Hilus AI may satisfy audit obligations through existing third-party reports, certifications, penetration-test summaries, or other comparable documentation where appropriate.

9. Return and Deletion

Upon termination or expiration of the Agreement, Hilus AI will, at Customer's choice and to the extent technically feasible, return or delete Customer Data, unless retention is required by applicable law or necessary for security, dispute-resolution, backup, or compliance purposes. Any retained Customer Data will remain protected under this DPA and will be used only for the reason requiring retention.

10. International Transfers

Customer acknowledges that Hilus AI and its Subprocessors may Process Customer Data in the United States and other countries in which Hilus AI or its Subprocessors operate.

To the extent Customer Data is subject to Data Protection Laws that require a recognized transfer mechanism for international transfers, the parties will cooperate in good faith to implement an appropriate transfer mechanism, which may include adequacy decisions, the European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful safeguards reasonably required for the relevant transfer. If Hilus AI makes such transfer terms available as part of its standard DPA or Subprocessor arrangements, those terms are incorporated by reference into this DPA to the extent required for the relevant transfer.

11. U.S. State Privacy Terms

To the extent the CCPA or other U.S. state privacy laws apply to Customer Data, Hilus AI will Process Customer Data only for the limited and specific purposes described in the Agreement and this DPA; will not sell or share Customer Data; will not retain, use, or disclose Customer Data outside the direct business relationship with Customer except as permitted by applicable law; and will not combine Customer Data with personal information received from another person except as permitted by applicable law. Hilus AI's controller-side disclosures regarding personal information it collects for its own business purposes are described in its Privacy Policy and, for California residents, its California Notice at Collection; those documents do not limit or expand Hilus AI's obligations as a Processor, Service Provider, or Contractor under this DPA.

Hilus AI certifies that it understands and will comply with the restrictions applicable to Service Providers and Contractors under applicable U.S. state privacy laws.

To the extent Customer instructs Hilus AI to Process de-identified data derived from Customer Data as permitted by the Agreement and applicable law, Hilus AI will implement reasonable measures designed to maintain such data in de-identified form and will not attempt to re-identify it except as permitted by applicable law.

Customer will not instruct or permit Hilus AI to Process Customer Data in a way that would cause the disclosure of Customer Data to Hilus AI to constitute a sale or share under applicable U.S. state privacy laws, or that would prevent Hilus AI from qualifying as a Service Provider, Contractor, or Processor.

If Hilus AI determines that it can no longer meet its obligations under this Section, it will notify Customer without undue delay. Customer may take reasonable and appropriate steps to help ensure Hilus AI's use of Customer Data is consistent with applicable U.S. state privacy laws, and the parties will work together in good faith to stop and remediate any unauthorized use.

12. General

This DPA remains in effect for as long as Hilus AI Processes Customer Data on Customer's behalf under the Agreement.

Except as expressly modified by this DPA, the Agreement remains in full force and effect.

Any claims arising from or related to this DPA are subject to the liability limitations, exclusions, governing-law terms, dispute-resolution terms, and other relevant provisions of the Agreement, unless applicable Data Protection Laws require otherwise.

Schedule 1. Details of Processing

Subject matter of Processing

The provision of Hilus AI's business Services, including AI-powered voice and chat products, workflow automation, integrations, APIs, account management, support, security, and related production services.

Nature and purpose of Processing

Hosting, storing, organizing, transmitting, transcribing, routing, analyzing, retrieving, summarizing, and otherwise Processing Customer Data as necessary to provide, secure, support, and maintain the Services; troubleshooting; preventing fraud and misuse; and maintaining security and reliability.

Duration of Processing

For the term of the Agreement and any period during which Hilus AI retains Customer Data in accordance with the Agreement, this DPA, or applicable law.

Categories of data subjects

Customer personnel; Customer's end users, callers, clients, pet owners or other patient representatives; and other individuals whose Personal Data Customer or its users submit to the Services.

Categories of Personal Data

Contact details; communications content; call recordings and audio; transcripts; messages; scheduling and workflow information; account and support information; device, log, and usage data; veterinary-client communications; pet-related information associated with identified or identifiable owners, clients, or representatives; and other Personal Data submitted by or on behalf of Customer through the Services.

Schedule 2. Summary of Security Measures

• Encryption of Customer Data in transit and, where applicable, at rest.
• Access controls designed to limit access to authorized personnel on a need-to-know basis, including role-based or least-privilege access principles where appropriate.
• Logging and monitoring of production systems and administrative activity where appropriate.
• Documented security policies, incident-response procedures, and processes for vulnerability management and patching.
• Use of established infrastructure and service providers subject to contractual confidentiality and security obligations.
• Processes designed to support secure deletion or de-identification of Customer Data when no longer needed, subject to retention requirements.
• Personnel confidentiality commitments and security awareness measures appropriate to their roles.