Data Processing Addendum (US Only, B2B)

This Data Processing Addendum ("DPA") forms part of the Terms of Service between OPSAVO LLC ("OpsAVO") and the customer entity agreeing to the Terms ("Customer"). This DPA applies only to the extent OpsAVO processes Customer Personal Data on behalf of Customer in connection with the Services.

This DPA applies only to U.S.-based business-to-business use of the Services. It does not adopt or incorporate GDPR, UK GDPR, SCCs, or similar international transfer terms unless OpsAVO expressly agrees in writing.

Customer acts as the business, controller, or similar decision-maker for Customer Personal Data submitted to the Services. OpsAVO acts as Customer's service provider or processor solely for the limited purpose of providing the Services to Customer.

Customer Personal Data means personal information contained in Customer Content that OpsAVO processes on behalf of Customer in connection with the Services.

Security Incident means confirmed unauthorized access to, acquisition of, or disclosure of Customer Personal Data in OpsAVO's possession or control, excluding unsuccessful attempts or events that do not compromise Customer Personal Data.

OpsAVO will process Customer Personal Data only:

1. to provide, secure, maintain, support, and improve the Services;
2. as instructed by Customer through its use and configuration of the Services; and
3. as required by applicable law.

Customer is solely responsible for:

• the lawfulness of collecting Customer Personal Data;
• providing all required notices;
• obtaining all required consents and authorizations;
• the accuracy, quality, and legality of Customer Personal Data;
• the legality of Customer's instructions, configurations, campaigns, workflows, AI prompts, and communications; and
• determining whether the Services are appropriate for Customer's regulatory environment and business use case.

Unless OpsAVO expressly agrees in writing otherwise, Customer will not submit to the Services or require OpsAVO to process:

• protected health information subject to HIPAA;
• payment card data requiring PCI-specific handling outside supported payment processor workflows;
• biometric identifiers or biometric information;
• highly sensitive government identifiers beyond ordinary business contact and payment information;
• classified, export-controlled, or similarly restricted data; or
• other regulated or highly sensitive data requiring special contractual, operational, or technical controls.

If Customer submits excluded data despite this restriction, Customer does so at its own risk and remains fully responsible.

OpsAVO will ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.

OpsAVO will maintain reasonable administrative, technical, and organizational measures designed to protect Customer Personal Data against unauthorized access, disclosure, loss, alteration, or destruction, taking into account the nature of the Services and the information processed.

OpsAVO does not guarantee that the Services are immune from every security event, vulnerability, or threat.

If OpsAVO confirms a Security Incident affecting Customer Personal Data, OpsAVO will notify Customer without undue delay. OpsAVO may provide information in phases as it becomes available. OpsAVO's obligation to notify or respond to a Security Incident is not an admission of fault or liability.

Customer authorizes OpsAVO to use subprocessors in connection with the Services. Subprocessors may include communications, hosting, AI, analytics, infrastructure, authentication, payment, support, and related providers.

OpsAVO may add, replace, or remove subprocessors at its discretion. OpsAVO may use communications, AI, hosting, infrastructure, analytics, authentication, payment, support, and related service providers to operate the Services.

OpsAVO will remain responsible for its subprocessors to the extent required by applicable law or contract.

Taking into account the nature of the Services, OpsAVO may provide reasonable assistance to Customer in responding to verified requests or legal obligations relating to Customer Personal Data, to the extent Customer cannot reasonably fulfill them through the Services. Customer will reimburse OpsAVO for any time and costs incurred in providing such assistance unless otherwise required by law.

Customer has no audit or inspection rights under this DPA unless OpsAVO expressly agrees otherwise in writing. OpsAVO may, in its sole discretion, choose to provide summaries, questionnaires, or other security information.

Upon termination or expiration of the Services, OpsAVO may delete Customer Personal Data in accordance with its retention and deletion practices, subject to backups, legal retention, fraud prevention, dispute handling, security logging, and archival systems.

Customer acknowledges and agrees that any return or export of Customer Personal Data after termination is limited to the data export functionality, if any, made available within the OpsAVO platform, subject to account status, retention limits, technical availability, backups, legal retention, fraud prevention, dispute handling, security logging, and archival systems. OpsAVO is not obligated to provide custom exports, migration services, or data return outside those platform export functions unless OpsAVO expressly agrees otherwise in writing.

For the avoidance of doubt, provider-provisioned phone numbers, messaging registrations, brand registrations, campaign registrations, sender identities, and related communications assets are not Customer Personal Data returnables under this DPA and are governed by the Terms of Service.

This DPA is subject to the liability limitations, disclaimer framework, and dispute terms in the Terms of Service.

If there is a direct conflict between this DPA and the Terms of Service on the subject of processing Customer Personal Data, this DPA controls only to the extent of that conflict.