This Data Processing Addendum ("DPA") supplements and forms part of the Master Services Agreement ("MSA") between Norsha Dynamics LLC d/b/a Brensa Systems ("Processor" or "Brensa") and the client identified in the MSA ("Controller" or "Client"). This DPA governs Brensa's processing of personal information on Client's behalf when Brensa provides any of the Services.
1. Definitions
Capitalized terms not defined here have the meanings given in the MSA or the applicable Privacy Law.
- Privacy Law means all data-protection laws and regulations applicable to a Party's processing of Personal Data under this DPA, including the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code ch. 541), the California Consumer Privacy Act / California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.), the HIPAA Privacy, Security, and Breach Notification Rules (45 C.F.R. Parts 160, 162, 164) where applicable and where a separate Business Associate Agreement is executed, the EU/UK General Data Protection Regulation (Regulation (EU) 2016/679) where applicable, the Telephone Consumer Protection Act (47 U.S.C. § 227 and 47 C.F.R. § 64.1200), the Texas Telemarketing laws (Tex. Bus. & Com. Code chs. 301–305 as amended by S.B. 140), federal and state wiretap and call-recording laws, CAN-SPAM (15 U.S.C. §§ 7701–7713; 16 C.F.R. Part 316), and applicable state AI-disclosure laws.
- Personal Data means any information processed by Brensa on behalf of Client that identifies or is reasonably linkable to an identified or identifiable natural person, including "personal data" under the TDPSA and GDPR and "personal information" under the CCPA. Personal Data includes End-Customer Data.
- End-Customer Data means Personal Data of Client's customers, prospects, leads, or contacts that flows through the Services.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Brensa on Client's behalf. The term does not include unsuccessful login attempts, port scans, denial-of-service attempts, or other events that do not result in unauthorized access to or acquisition of Personal Data.
- Processing, Controller, Processor, Service Provider, Contractor, Sale, Share, and Sensitive Personal Information have the meanings given in the applicable Privacy Law.
- Subprocessor means any third party engaged by Brensa to process Personal Data on Client's behalf in connection with the Services.
2. Roles of the Parties
For all Personal Data processed by Brensa on Client's behalf in connection with the Services:
- Controller / Business / Data Exporter: Client.
- Processor / Service Provider or Contractor / Data Importer: Brensa.
Brensa qualifies as a Service Provider under Cal. Civ. Code § 1798.140(ag) and a Contractor under Cal. Civ. Code § 1798.140(j), and as a Processor under Tex. Bus. & Com. Code § 541.001(20) and GDPR Art. 4(8). Where a separate Business Associate Agreement is executed under Section 13, Brensa will also act as a "Business Associate" as defined at 45 C.F.R. § 160.103.
3. Subject Matter, Duration, Nature, Purpose, and Categories — Service-by-Service
The subject matter of the processing is Brensa's provision of the Services. The duration is the term of the MSA plus any return/deletion period in Section 12. The nature and purpose, the data subjects, and the data types vary by service and are described below. Sensitive Personal Information is not processed by default; Client must not configure the Services to ingest sensitive data without Brensa's prior written agreement.
3.1 AI Phone Receptionist
- Purpose: answer inbound calls; perform BANT qualification; book via Cal.com; route hot leads via SMS; write to CRM (HubSpot, Salesforce, JobNimbus, ServiceTitan, Mindbody, Clio, Lawmatics, Airtable, or any webhook/REST endpoint).
- Data subjects: inbound callers (typically prospects, customers).
- Data types: caller phone number, name (if given), call audio, AI transcript, BANT scoring outputs, disposition, appointment data.
- Special: AI self-disclosure within 15 seconds; recording disclosure on every call.
3.2 AI DM Responder (Instagram, Facebook, web chat)
- Purpose: respond to direct messages within ~60 seconds; operate inside Meta's 24-hour standard messaging window via the Meta Graph API.
- Data subjects: users who message Client's social accounts.
- Data types: Meta-platform user ID, display name, message content, conversation state, timestamps.
3.3 AI Outbound Sales Caller
- Purpose: dial dormant leads and customer base for re-engagement and upsells; throughput 200–500 dials per agent per day.
- Data subjects: persons on Client's outbound list.
- Data types: phone number, name, list metadata, call audio, transcript, disposition, suppression flags.
- Special: Client warrants TCPA-compliant prior express written consent for marketing AI-voice calls and prior express consent for non-marketing AI-voice calls; AI self-discloses; calls are recorded and dispositioned.
3.4 Lead Reactivation Engine
- Purpose: voice + SMS + email sequences against dormant leads only.
- Data subjects: dormant leads (6–12 months dormant; never older than 24 months; never on a suppression list).
- Data types: contact data, prior interaction history, sequence engagement events.
- Special: Client warrants the suppression list excludes opt-outs and DNC entries.
3.5 AI Lead Qualification (BANT)
- Purpose: score every inbound lead within 60 seconds.
- Data subjects: inbound leads.
- Data types: lead identifiers, BANT scoring features.
3.6 Cal.com Booking Integration
- Purpose: schedule appointments.
- Data subjects: persons booking with Client.
- Data types: name, email, phone, time slot, notes.
3.7 Hot-Lead SMS Routing
- Purpose: alert Client owner/manager via SMS within ~1.2 seconds with one-tap callback.
- Data subjects: Client personnel; the underlying lead.
- Data types: owner phone, lead summary, callback link.
3.8 Custom Call Flows
- Purpose: state-machine call logic, A/B tested and quarterly tuned.
- Data subjects: callers.
- Data types: flow-state telemetry, branch outcomes, anonymized A/B metrics.
3.9 Failed Payment Recovery
- Purpose: detect failed Stripe charges via webhook; retry intelligently; send AI-personalized email sequences; place escalation calls; run card-update flows.
- Data subjects: Client's paying customers.
- Data types: customer email, name, last-four card digits, card brand, retry status, decline reasons, message content. Brensa does not store full card numbers; PAN data remains within Stripe.
3.10 Churn Save Automation
- Purpose: detect cancellation intent; run save sequences with discount or pause logic.
- Data subjects: Client's paying customers.
- Data types: subscription state, churn signals, save-flow interactions.
3.11 Review and Testimonial Automation
- Purpose: request reviews at optimal lifecycle moments; route across Google, Yelp, BBB, and industry-specific platforms; intercept negative feedback before public posting.
- Data subjects: Client's customers.
- Data types: customer name, contact channel, transaction data, review responses.
- Special: No incentivized or fake reviews; aligned with 16 C.F.R. Part 465 and FTC Act § 5.
3.12 AI Tier-1 Customer Support
- Purpose: handle 60–80% of routine support questions via AI trained on Client's knowledge base; escalate with full context.
- Data subjects: Client's customers.
- Data types: ticket text, chat transcript, knowledge-base content, escalation context.
4. Brensa's Processing Obligations
Brensa will:
- process Personal Data only on Client's documented instructions, including the MSA, SOWs, and Brensa's standard configuration (with Client-approved deviations);
- not sell or share Personal Data as those terms are defined under the CCPA/CPRA, not retain, use, or disclose Personal Data outside the direct business relationship between the Parties, and not combine Personal Data received from Client with personal information from any other source other than as permitted by Cal. Civ. Code § 1798.140(e) (operational business purposes);
- not use Personal Data to train any general-purpose AI model; Brensa configures Anthropic and OpenAI API access so that API traffic is excluded from model training under those providers' standard API terms;
- promptly notify Client if Brensa, in its opinion, receives an instruction that violates Privacy Law;
- ensure that personnel authorized to process Personal Data are bound by confidentiality (Section 5);
- implement and maintain the security measures in Section 6;
- assist Client with data-subject requests (Section 8) and with breach notification (Section 9);
- engage Subprocessors only as set out in Section 7;
- cooperate with audits as set out in Section 10; and
- on termination, return or delete Personal Data per Section 12.
5. Personnel Confidentiality
Brensa will ensure that any individual authorized to process Personal Data on Client's behalf is subject to a written confidentiality obligation no less protective than the MSA's confidentiality clause and is trained on Brensa's privacy and security program. Today, the founder is the sole operator; this commitment binds all future personnel and contractors.
6. Security Measures
Brensa implements and maintains administrative, technical, and physical safeguards designed to protect Personal Data, including:
- Encryption in transit: TLS 1.2 or higher for all network connections.
- Encryption at rest: AES-256 for managed databases, object storage, and recording archives.
- Access controls: role-based access with least-privilege; revocation on personnel change.
- MFA: mandatory multi-factor authentication for all administrative access.
- Logging and monitoring: centralized logs for authentication, configuration changes, and data access; alerting on anomalous patterns.
- Secret management: API keys, tokens, and credentials stored in a managed secrets vault; never committed to source.
- Environment isolation: logical separation of production from development/testing.
- Vendor due diligence: documented security assessment before Subprocessor engagement; written contractual privacy/security terms with each Subprocessor.
- Incident response: documented internal incident-response plan with defined roles, notification trees, and post-mortem requirements.
- Backup and recovery: encrypted backups with retention up to 35 days; tested recovery procedures.
- Patch and vulnerability management: routine dependency updates and monitoring.
These measures are intended to satisfy GDPR Art. 32 ("appropriate technical and organizational measures") and the CCPA's "reasonable security" standard (see Cal. Civ. Code § 1798.81.5). Brensa will update the measures as the threat landscape evolves and will not materially decrease its security posture during the Term.
7. Subprocessors
7.1 Approved Subprocessors
Client authorizes the following Subprocessors as of the DPA's effective date:
| Subprocessor | Service | Function |
|---|---|---|
| Vercel | Hosting | Application hosting and edge networking |
| Twilio | Telephony / SMS | Voice transport, SMS delivery |
| Vapi | Voice agents | Voice agent orchestration |
| Anthropic | LLM | Claude-family inference (API-tier; not used for training) |
| OpenAI | LLM | GPT-family inference (API-tier; not used for training) |
| Cal.com | Booking | Appointment booking |
| Stripe | Payments | Brensa billing; failed-payment-recovery integration with Client |
| Meta (Graph API) | Messaging | Instagram and Facebook DM ingestion/outbound |
| Google Workspace | Email & docs | Brensa internal email and document storage |
| Notion | Internal docs | Brensa internal documentation |
| Linear | Project tracking | Brensa internal task tracking |
Client-controlled integrations (not Brensa Subprocessors in the strict sense): HubSpot, Salesforce, JobNimbus, ServiceTitan, Mindbody, Clio, Lawmatics, Airtable, and any webhook/REST endpoint Client designates. Client is the customer of record and controller for each of these and Brensa transmits data to them on Client's instructions.
7.2 Change-Notification Process
Brensa maintains the current Subprocessor list and provides it to Client on request by email to legal@brensasystems.com. Brensa will give Client at least thirty (30) days' advance written notice before adding or replacing a Subprocessor that processes End-Customer Data. Within that window, Client may object on reasonable grounds related to data protection. The Parties will work in good faith to resolve the objection; if unresolved, Client may terminate the affected Service line on reasonable notice without penalty for the unused portion of any prepaid period.
7.3 Subprocessor Obligations
Brensa imposes on each Subprocessor written terms substantially equivalent to those in this DPA. Brensa remains liable to Client for the acts and omissions of its Subprocessors as if Brensa had performed the acts and omissions itself.
8. Data Subject Rights Assistance
Brensa will, taking into account the nature of the processing, assist Client by appropriate technical and organizational measures, insofar as possible, in fulfilling Client's obligations to respond to requests by data subjects to exercise their rights under Privacy Law, including rights of:
- access (TDPSA § 541.051(a)(1); CCPA § 1798.110; GDPR Art. 15);
- correction (TDPSA § 541.051(a)(2); CCPA § 1798.106; GDPR Art. 16);
- deletion (TDPSA § 541.051(a)(3); CCPA § 1798.105; GDPR Art. 17);
- portability (TDPSA § 541.051(a)(4); CCPA § 1798.130; GDPR Art. 20);
- opt-out of targeted advertising, sale, or profiling (TDPSA § 541.051(a)(5); CCPA §§ 1798.120, 1798.121; GDPR Arts. 21–22).
Brensa will forward any data-subject request received directly by Brensa to Client within five (5) business days and will not respond to the data subject directly except to confirm receipt and route the request to Client.
9. Personal Data Breach Notification
Brensa will notify Client of a Personal Data Breach without undue delay and in any event within seventy-two (72) hours of becoming aware of the Personal Data Breach. The notification will include, to the extent then known:
- the nature of the Personal Data Breach, including categories and approximate number of data subjects and records affected;
- the likely consequences;
- the measures Brensa has taken or proposes to take to address the breach and mitigate its possible adverse effects;
- a Brensa point of contact.
Brensa will provide updates as additional information becomes available and will reasonably assist Client in fulfilling Client's notification obligations to data subjects, regulators, and other persons under Privacy Law (including Tex. Bus. & Com. Code § 521.053, GDPR Arts. 33–34, HIPAA Breach Notification Rule at 45 C.F.R. §§ 164.400–164.414 where applicable, and analogous state laws).
10. Audit Rights
Brensa will make available to Client, on reasonable written request and not more than once per twelve-month period (except following a Personal Data Breach or as required by a regulator), information reasonably necessary to demonstrate compliance with this DPA. Where Client reasonably requires further verification, Client may, at Client's cost and on at least thirty (30) days' written notice, conduct (or have a mutually agreed independent auditor conduct under NDA) an audit of Brensa's relevant controls. Audits will be scheduled to minimize disruption, must respect Brensa's confidentiality and security obligations to other clients, and will not access raw data or systems containing other clients' data.
11. International Transfers
Brensa is U.S.-based and processes Personal Data primarily in the United States. To the extent Personal Data is subject to GDPR or UK GDPR and is transferred to the United States or another third country lacking an adequacy decision, the Parties agree:
- the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), Module Two (controller-to-processor), are deemed incorporated by reference, with Client as data exporter and Brensa as data importer; the optional docking clause is included; Clause 9 Option 2 (general written authorization for sub-processors with 30-day notice) applies; Clause 17 governing law is Ireland; Clause 18 disputes before the courts of Ireland; Annexes I, II, and III are populated by the descriptions in Sections 3, 6, and 7 of this DPA respectively;
- the UK International Data Transfer Addendum to the EU SCCs is deemed incorporated for transfers subject to the UK GDPR;
- the Parties will implement supplementary measures consistent with the European Data Protection Board's June 18, 2021 Recommendations 01/2020.
Today no EU/UK clients are engaged. This Section is included to make this DPA portable.
12. Return or Deletion of Personal Data
On termination or expiration of the MSA, or on Client's written instruction, Brensa will, at Client's election, return or delete all Personal Data in Brensa's possession or control within thirty (30) days, except for: (a) backup copies that will be deleted in the ordinary backup-rotation cycle, not to exceed thirty-five (35) days from primary deletion; (b) Personal Data Brensa is required by law to retain (with the retention duration limited to that legal requirement); and (c) aggregated, de-identified data that no longer constitutes Personal Data. Brensa will provide written certification of deletion on request.
13. HIPAA-Readiness Clause
Brensa is not a Business Associate by default. The Services are not configured to process Protected Health Information ("PHI") as defined at 45 C.F.R. § 160.103. If Client is a HIPAA Covered Entity or Business Associate and reasonably anticipates that PHI will pass through the Services, the Parties will execute a separate Business Associate Agreement containing the terms required by 45 C.F.R. § 164.504(e), and the BAA will control over this DPA on HIPAA matters. Until such a BAA is executed, Client warrants it will not provide PHI to Brensa or configure the Services to ingest PHI.
14. TCPA, SB 140, and Telemarketing Pass-Through Warranties
Client warrants and covenants that, with respect to any outbound voice, SMS, or messaging campaign Brensa operates on Client's behalf:
- Client has obtained, and continues to maintain, all consents required by 47 U.S.C. § 227 and 47 C.F.R. § 64.1200, including prior express written consent for marketing autodialed/AI-voice/prerecorded calls and texts to wireless numbers and prior express consent for non-marketing autodialed/AI-voice calls;
- Client maintains current internal do-not-call lists and scrubs against the National Do Not Call Registry and any applicable state DNC lists, including the Texas No-Call List under Tex. Bus. & Com. Code § 304.052;
- Client honors revocation of consent in any reasonable manner consistent with 47 C.F.R. § 64.1200(a)(9)(i)(F), (a)(10), (a)(11), and (d)(3);
- Client complies with quiet-hour restrictions, including 47 C.F.R. § 64.1200(c)(1) (8 a.m. – 9 p.m. local time at the called party's location) and Tex. Bus. & Com. Code ch. 301;
- Client has obtained any seller registration required under Tex. Bus. & Com. Code § 302.101 (as amended by S.B. 140 to include text/graphic transmissions);
- Client complies with CAN-SPAM (15 U.S.C. §§ 7701–7713; 16 C.F.R. Part 316) for any commercial email; and
- Client has not provided Brensa with any contact data unlawfully obtained.
Client indemnifies Brensa against claims arising from breach of these warranties (cross-reference to MSA Section on indemnification).
15. Call-Recording Two-Party Consent Pass-Through (Belt-and-Suspenders)
The Parties acknowledge that Brensa records and transcribes voice calls operated through the Services. Two layers of protection apply:
- Brensa universal recording disclosure. Brensa's voice agent plays a recording disclosure at the start of every call, regardless of jurisdiction. This is intended to satisfy the strictest U.S. all-party-consent recording laws.
- Client warranty. Client separately warrants that, for Client's outbound list and inbound caller base, Client has any consent required to record calls under the laws of the called party's or caller's jurisdiction, including the all-party-consent state statutes listed in the Privacy Policy Section 9 (Cal. Penal Code §§ 631, 632, 632.7; Conn. Gen. Stat. §§ 52-570d, 53a-187; 11 Del. Code § 1335; Fla. Stat. § 934.03; 720 ILCS 5/14-1 et seq.; Md. Code Ann., Cts. & Jud. Proc. § 10-402; Mass. Gen. Laws ch. 272, § 99; Mont. Code Ann. § 45-8-213; N.H. Rev. Stat. Ann. § 570-A:2; Or. Rev. Stat. § 165.540; 18 Pa. Cons. Stat. §§ 5703–5704; Wash. Rev. Code § 9.73.030; and Nevada and Michigan as interpreted by their courts).
Both layers operate independently. Failure of either does not excuse the other.
16. Liability Allocation
The MSA's limitation of liability and indemnification provisions apply to claims arising under this DPA, except that the cap will not apply to (a) Brensa's breach of its security obligations resulting in a Personal Data Breach caused by Brensa's gross negligence or willful misconduct, (b) Client's breach of the TCPA/recording warranties in Sections 14 and 15, or (c) liabilities that cannot be limited as a matter of law. Each Party's aggregate liability under this DPA is otherwise subject to the 12-Month Fees Paid Cap in the MSA.
17. Order of Precedence
In case of conflict, the following order of precedence governs, from highest to lowest: (1) any executed Business Associate Agreement (HIPAA matters only); (2) the SCCs and UK Addendum if and to the extent applicable; (3) this DPA; (4) the MSA; (5) the SOW; (6) the Site Terms of Service.
18. Term and Survival
This DPA takes effect when the MSA takes effect and continues for the term of the MSA. Sections 12 (return/deletion), 14 (TCPA pass-through), 15 (recording pass-through), 16 (liability), and 17 (precedence) survive termination.
19. Miscellaneous
This DPA is governed by the law of the State of Texas (subject to the SCC governing-law provision for transfers in scope of GDPR). Any disputes are subject to the dispute-resolution provisions in the MSA and Site Terms (AAA Commercial Arbitration in Dallas County, Texas, one arbitrator, with the IP/confidentiality emergency-injunctive carve-out). The Parties may execute this DPA in counterparts, including by electronic signature.