Data Processing Agreement

1. Definitions

For the purposes of this Data Processing Agreement (“DPA”), the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meaning given to them in the Agreement.

"Agreement" means the Order Form together with the applicable Terms and Conditions of Sale and the relevant Service Agreement(s) executed between Imagicle and the Customer.

"Customer" means the final customer authorized to use the Offerings.

"Data Controller" has the meaning given in Article 4(7) GDPR. For the purposes of this DPA, the Customer acts as Data Controller with respect to the Personal Data of its End Users, unless otherwise specified in the Agreement.

"Data Processor" has the meaning given in Article 4(8) GDPR. For the purposes of this DPA, Imagicle acts as Data Processor on behalf of the Customer.

"Data Subject" has the meaning given in Article 4(1) GDPR.

"End User" means any natural person who uses the Offerings under the Customer's account or license.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended or supplemented from time to time.

"Offerings" means the software products, cloud services, and related support services provided by Imagicle under the Agreement, as further specified in the applicable Order Form and Service Agreement(s).

"Personal Data" has the meaning given in Article 4(1) GDPR.

"Processing" and "Process" have the meaning given in Article 4(2) GDPR.

"Special Categories of Personal Data" has the meaning given in Article 9(1) GDPR.

"Sub-Processor" means any third party engaged by Imagicle to Process Personal Data on behalf of the Customer in connection with the Offerings, as listed in the Sub-Processor Register maintained at https://www.imagicle.com/legal-terms/sub-processors.

2. Purpose of the document

This DPA sets forth the terms under which Imagicle S.p.A. ("Processor" or "Sub-Processor", as applicable) Processes Personal Data on behalf of the Customer ("Controller" or "Processor", as applicable) in connection with the Offerings.

It is intended to comply with the requirements of Article 28 of Regulation (EU) 2016/679 ("GDPR") and any applicable national data protection legislation.

This DPA forms an integral part of the Agreement and is legally binding upon the Parties.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

Where Imagicle acts as Sub-Processor (i.e., where the Customer itself acts as Data Processor on behalf of a third-party Data Controller), the obligations set forth herein apply mutatis mutandis, and the Customer warrants that it has obtained all necessary authorizations from the upstream Data Controller to engage Imagicle as Sub-Processor.

3. Obligations

In accordance with Article 28(3) GDPR, Imagicle, acting as Data Processor, undertakes to:

(a) Process on documented instructions only. Process Personal Data solely on the documented instructions of the Customer, including with regard to transfers of Personal Data to third countries or international organizations, unless required to do so by Union or Member State law; in such case, Imagicle shall inform the Customer of that legal requirement before Processing, unless prohibited on important grounds of public interest.

(b) Ensure confidentiality. Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) Implement security measures. Implement all measures required pursuant to Article 32 GDPR, including appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, as well as the risks to the rights and freedoms of natural persons.

(d) Respect conditions for sub-processing. Not engage another processor without prior specific or general written authorization of the Customer. The Sub-Processors currently authorized by the Customer are listed in the Sub-Processor Register maintained at https://www.imagicle.com/legal-terms/sub-processors.

Imagicle shall inform the Controller and/or the Processor of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Customer the opportunity to object to such changes.

Imagicle shall provide such notice at least 30 days prior to the new or replacement Sub-Processor commencing processing. The Controller and/or the Processor may object to such changes within 14 days of receipt of the notice by notifying Imagicle in writing. If the Controller and/or the Processor objects and the parties cannot resolve the objection within 30 days, may terminate the affected service upon written notice, without penalty.
Where Imagicle engages a Sub-Processor, it shall impose on that Sub-Processor the same data protection obligations as those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.

By signing the Order Form incorporating this DPA by reference, the Customer grants general written authorization for Imagicle to engage the Sub-Processors listed in the Sub-Processor Register maintained at https://www.imagicle.com/legal-terms/sub-processors for the purposes stated therein.

(e) Assist with data subjects' rights. Taking into account the nature of the Processing, assist the Customer through appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests from Data Subjects exercising their rights under Articles 15–22 GDPR.

(f) Assist with security and compliance obligations. Assist the Customer in ensuring compliance with the obligations pursuant to Articles 32–36 GDPR (security of processing, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the Data Subject, data protection impact assessment, prior consultation), taking into account the nature of Processing and the information available to Imagicle.
In particular, Imagicle shall notify the Customer without undue delay, and in any event within 48 hours of becoming aware of a Personal Data breach, to enable the Customer to fulfil its own notification obligation to the competent supervisory authority within the 72-hour deadline established by Article 33(1) GDPR. Such notification shall include the information required under Article 33(3) GDPR to the extent available at the time.

(g) Delete or return data upon termination. At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data. Imagicle's data retention and deletion timelines are detailed in the section "What are the data retention and deletion policies?" of this DPA.

(h) Provide information and allow audits. Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Article, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, provided that: (i) the Customer gives Imagicle reasonable prior written notice of no less than 30 days; (ii) the audit does not unreasonably interfere with Imagicle's business operations; and (iii) the Customer bears the costs of any such audit. Imagicle may satisfy this obligation in part by providing up-to-date third-party audit certifications (e.g., ISO 27001, SOC 2) where applicable.

4. What categories of data does Imagicle process?

For the definition of Personal Data, see the Definitions section of this DPA.

The Controller and/or the Processor, by accepting this DPA, instructs Imagicle to Process Personal Data for the following purposes, which constitute the documented instructions of the Customer for the purposes of Article 28(3)(a) GDPR:

accessing data stored on the Customer's server/cloud with exclusive reference to the specific product activated for possible access during service and support
proceeding to the creation of statistics and archives of resolved cases for analysis aimed at improving services (regarding user contact information only)
providing, operating, and securing the Offerings activated under the Agreement, including processing necessary for service delivery, troubleshooting, monitoring, and compliance, and accessing data stored on the Customer’s server/cloud where required for service and support

The categories of Personal Data processed by Imagicle depend on the specific Offerings activated, as detailed in the table below:

LIST OF PERSONAL DATA PROCESSED FOR THE SPECIFIC IMAGICLE PRODUCT
Contact Center/Attendant Console	internal user information (Name, User, Password, First name, Last name, E-mail, Mobile number, Address, Office phone number) internal user password only if local authentication is used call-related data (Internal User's first and last name, Office phone number, external caller/caller number and related data loaded to the company address book, Area of origin, call duration data, call entry time and call transfers, user status and availability)
Advanced Queueing and Auto Attendant	internal user information (Name, User, Password, First name, Last name, E-mail, Mobile number, Address, Office phone number) internal user password only if local authentication is used call-related data (Internal User's first and last name, Office phone number, external caller/caller number, and related data loaded to the company address book, Area of origin, call duration data, call entry time, and call transfers, user status, and availability)
Call Recording	internal user information (Name, User, Password, First name, Last name, E-mail, Mobile number, Address, Office phone number) internal user password only if local authentication is used call-related data (Internal User's first and last name, Office phone number, external caller/caller number, and related data loaded to the company address book, Area of origin, call duration data) call content (the content of the recorded calls can be about anything, also including health information and sensitive data)
Contact Manager	internal user information (Name, User, Password, First name, Last name, E-mail, Mobile number, Address, Office phone number) internal user password only if local authentication is used external user information (First name, Last name, E-mail, Office extension number and/or cell phone number, Company)
Call Analytics	internal user information (Name, User, Password, First name, Last name, E-mail, Mobile number, Address, Office phone number) internal user password only if local authentication is used data on incoming and outgoing telephone traffic (Internal User's first and last name, Office phone number, external caller/caller number, and related data loaded to the company address book, Area of origin, call duration data)
Digital Fax	internal user information (Name, User, Password, First name, Last name, E-mail, Mobile number, Address, Office phone number) internal user password only if local authentication is used fax related information (external number, Recipient name, Recipient number, time, date, source area) content of faxes (The content of faxes can be about anything also including health information and sensitive data)
Hotel Services	internal user information (Name, User, Password, First name, Last name, E-mail, Mobile number, Address, Office phone number) internal user password only if local authentication is used information regarding the guest (First Name, Last Name) call-related information (Guest's full name, Room number, Caller/caller number, area of origin) contents of voicemail (Guest's first and last name. The contents of voicemail can, by its nature, be about anything, so it is possible that sensitive information may be in it)
Manager Assistant	internal user information (Name, User, Password, First name, Last name, E-mail, Mobile number, Address, Office phone number) internal user password only if local authentication is used call-related data (Internal User's first and last name, Office phone number, caller/caller number and related data loaded to the personal address book, Area of origin, call duration data, call entry time, and call transfers, user status, and availability)
Screen Recording	internal user information (Name, User, Password, First name, Last name, E-mail, Mobile number, Address, Office phone number) internal user password only if local authentication is used screen recorded content (the content recorded on the screen can be about anything happened during the agent conversation, also including health information and sensitive data treated during the call & screen recording session)
Voice Analytics	internal user information (Name, User, Password, First name, Last name, E-mail, Mobile number, Address, Office phone number) internal user password only if local authentication is used call-related data (Internal User's first and last name, Office phone number, external caller/caller number and related data loaded to the company address book, Area of origin, call duration data) call content (the content of the recorded calls can be about anything, also including health information and sensitive data)
Virtual Receptionist	internal user information (Name, User, Password, First name, Last name, E-mail, Mobile number, Address, Office phone number) internal user password only if local authentication is used call-related data (Internal User's first and last name, Office phone number, external caller/caller number and related data loaded to the company address book, Area of origin, call duration data) call content (the content of the transcribed and analyzed calls can be about anything, also including health information and sensitive data)
Smartflows Virtual Agents	internal user information (Name, User, Password, First name, Last name, E-mail, Mobile number, Address, Office phone number) internal user password only if local authentication is used st name, Office phone number, caller/caller number and related data loaded to the company address book, Area of origin, call duration data, call entry time and call transfers, user status and availability) chat-related data (Internal User's first and last name, Office phone number, email and/or caller number, IP Address of origin, chat start time, user status and availability) chat-content (the content of the chat can be about anything, also including health information and sensitive data) all content (the content of the transcribed and analyzed calls can be about anything, also including health information and sensitive data)
Cloud Shared Services (SSO/Identity, Directory Sync, Cloud Licensing, Telemetry, Presence)	When enabled/used in connection with any Imagicle product, Imagicle Cloud Shared Services (e.g., SSO/Identity, Directory Synchronization, Cloud Licensing/Entitlements, Telemetry/Diagnostics, Presence) may process the following categories of personal data: first name, last name, email/UPN/username, user ID tenant/customer identifier role/group membership (if synchronized) administrative attributes (if configured by Customer) presence/status information and related timestamps for Customer users technical and operational data (e.g., product version, environment/system configuration parameters, performance metrics, error logs, and service usage events) Cloud Shared Services do not process the content of customer communications (e.g., call recordings, transcripts, messages). Imagicle processes telemetry/diagnostic data on Customer’s documented instructions for the purposes of operating, securing and improving the Offerings.

Imagicle may process Customer contact details as an independent controller for its own marketing communications, as described in its Privacy Policy.

5. Who handles the Data?

Imagicle Employees in Charge of Processing
Employees of Imagicle direct or indirect processing subsidiaries located in the U.S.A, France, United Kingdom, United Arab Emirates, and Saudi Arabia
Providers/Processors who process data on behalf of Imagicle

Processing by the parties as mentioned above is carried out, in addition to paper-based processing, with the help of electronic tools such as laptop PCs, desktop computers, servers, pecs, ordinary e-mail, SSDs, USB memory keys, memory cards, CD-ROMs and DVD-ROMs, hard drives (internal and external), cell phone memories, tablets, and cloud drives.

6. To whom are the data reported?

Imagicle may use third parties to provide the service. We do not rent or sell the information. Imagicle contracts with third-party service providers who can provide the same data protection and information security you can expect from Imagicle.

The current list of Sub-Processors authorized by the Customer, including their name, role, country of processing, and applicable privacy policy, is maintained and kept up to date at: https://www.imagicle.com/legal-terms/sub-processors

Imagicle shall update such list prior to engaging any new Sub-Processor or replacing an existing one, in accordance with the notification procedure set out in this Section.

7. Where does the treatment take place?

Data are processed at the operational headquarters of Imagicle and related companies (as described above).

For Cloud Products, the Customer chooses the location of data centers from those proposed by Imagicle.

For reasons related to collaboration with third parties, the personal data provided may be transferred to a country other than the one where the Data Subject is located outside the European Economic Area.

8. What are the data retention and deletion policies?

As Data Processor/Sub Processor

Personal data collected during support services, after 3 years from the service termination, all data will be deleted

Personal data collected during cloud services, after 30 days after the contract termination data will be no longer accessible by the customer. Data will be kept in backup for up to 90 days (grace period) and then deleted. During this period, the Customer (or, for them, the reseller, where applicable) can request an export of the data to Imagicle with an e-mail addressed to gdpr@imagicle.com. The data stored in the database will be extracted in a format the Customer uses.

All related files will be exported to a network link for downloading by the Customer.

After the above time limits have expired, Imagicle will not retain any copies of the Personal Data unless required by law (and in such case, Imagicle will notify the Customer).

During the term of the Agreement, Customer controls retention settings and deletion of content within the Offerings where such controls are available. Imagicle processes and retains content only as necessary to provide the Offerings and in accordance with the Agreement and Customer’s documented instructions.

For more details on retention and cancellation policy, contact Imagicle at the following e-mail address: gdpr@imagicle.com.

9. How can data subjects exercise their rights?

The Data Subject may exercise the rights provided by the GDPR (Articles 15-21), including:

receive confirmation of the existence of Data and access to its content (access rights)
update, modify and/or correct Data (right of rectification)
request the deletion or limitation of the processing of Data processed in violation of the law, including Data whose retention is not necessary concerning the purposes for which the Data were collected or otherwise processed (right to be forgotten and right to limitation)
oppose to the processing (right to object)
propose complaints to the Supervisory Authority in the Data Subject's jurisdiction in case of violation of personal data protection regulations
receive an electronic copy of Data concerning him or her as a Data Subject when such Data has been rendered in the context of the contract, and request that such Data be transmitted to another data controller (right to data portability)

To exercise these rights, as stated in the disclosures, the Data Subject may contact Imagicle by sending a communication to gdpr@imagicle.com by visiting http://www.imagicle.com .

The Data Subject should include his or her name, e-mail/postal address and/or phone number(s) to be sure that his or her request can be appropriately handled.

Imagicle shall acknowledge receipt of the request and verify the identity of the Data Subject through reasonable means proportionate to the nature of the request. Imagicle shall respond within one month of receipt, extendable by two months where the complexity or volume of requests so requires, with written notice of such extension provided within the first month.

Where identity verification requires documentary evidence, Imagicle shall request only the minimum information necessary and process it solely for verification purposes.

In the event of a successful outcome of such activities, Imagicle shall make the changes on the databases and files containing such data of the Data Subject and shall inform the same, without undue delay and in any case no later than within one month from the receipt of the request itself (this period may be extended by two months if necessary, taking into account the complexity and number of requests), by the same means in which the request for the exercise of rights was received, of the successful execution of the request.

Otherwise, in the event of a negative outcome of the verifications, it will notify the person concerned of the reason for the execution of the formulated request.