Imagicle Legal Terms

Subprocessors

The following is a list of the processors/sub-processors named concerning the processing: 

Amazon Web Services EMEA SARL

Sub-Processor’s Address: Viale Monte Grappa 3/5, 24124, Milan (Italy)

Purpose of Data Processing: AWS is entrusted, as a Cloud Service Provider, solely with ensuring the integrity and availability of the data stored on its servers. Therefore, AWS does not access Customer content except as necessary to provide and maintain the hosting services (e.g., for security and support) and subject to contractual safeguards; the data is protected by additional security measures, such as encryption.
AWS is used for hosting purpose and for artificial intelligence service like Text to Speech and Speech to Text capabilities.

Categories of personal data: personal data related to the use of Imagicle Products and related Services, Call audio and related call metadata; text derived from call content (transcripts), Text provided for synthesis (which may include personal data) and generated audio output, where applicable.

Country where processing will take place: cloud services are managed through Amazon Web Services (AWS). Customers can request that their production hosting be in any country-specific AWS location proposed by Imagicle or in another AWS region of their choice

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

·         United States: the transfer is made based on the presence of an adequacy decision (art 45 GDPR) adopted on 10.07.2023 by the European Commission (EU-U.S. DATA PRIVACY FRAMEWORK - "DPF"). The member organizations of the DPFA can be consulted at the following link:

https://www.dataprivacyframework.gov/s/participant-search

·         Other countries with guarantee an adequate level of protection: transfer is permissible if the Commission has decided that the third country, a territory or specific sector(s) within the third country, or the international organization in question guarantee an adequate level of protection. In such a case, the transfer does not require specific authorization. The third country or organization's adequacy is recognized by the European Commission's decision (Article 45 of EU Regulation 2016/679)

·         Other countries: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679)

All the information provided by AWS regarding data processing at the following link:

https://aws.amazon.com/it/compliance/gdpr-center

Salesforce UK Limited

Sub-Processor’s Address: Floor 26 Salesforce Tower, 110 Bishopsgate, EC2N4AY London. (United Kingdom)

Purpose of Data Processing: this is a CRM software provider used for administration and business relationship management activities with customers/potential customers/end users only. Salesforce operators in the service and support phases of the product may, on an occasional basis and under the control of Imagicle personnel, access personal data

Personal data categories: personal data processed to administer and manage the relationship with the customer/potential customer/end user

Country in which the processing activity will take place: worldwide

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

·         United States: the transfer is made based on the presence of an adequacy decision (art 45 GDPR) adopted on 10.07.2023 by the European Commission (EU-U.S. DATA PRIVACY FRAMEWORK - "DPF"). The member organizations of the DPFA can be consulted at the following link:

https://www.dataprivacyframework.gov/s/participant-search

·         Other countries with guarantee an adequate level of protection: transfer is permissible if the Commission has decided that the third country, a territory or specific sector(s) within the third country, or the international organization in question guarantee an adequate level of protection. In such a case, the transfer does not require specific authorization. The third country or organization's adequacy is recognized by the European Commission's decision (Article 45 of EU Regulation 2016/679)

·         Other countries: Transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679).

All the information provided by Salesforce regarding data processing at the following link: https://www.salesforce.com/eu/company/privacy

 

 

 

Atlassian

Sub-Processor’s Address: 350 Bush Street, Level 13 San Francisco, California 94104 (USA) 

Purpose of Data Processing: this cloud storage (archiving) and file-sharing service allows you to store, synchronize and share documents and other files via the Internet. Imagicle uses it for sharing and storing files and documents that may contain personal data of customers/potential customers/end Users related only to administration and business relationship management activities

Personal data categories: personal data processed to administer and manage the relationship with the customer/potential customer/end user

Country in which the processing activity will take place: worldwide

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

·         United States: the transfer is made based on the presence of an adequacy decision (art 45 GDPR) adopted on 10.07.2023 by the European Commission (EU-U.S. DATA PRIVACY FRAMEWORK - "DPF"). The member organizations of the DPFA can be consulted at the following link:

https://www.dataprivacyframework.gov/s/participant-search

·         Other countries with guarantee an adequate level of protection: transfer is permissible if the Commission has decided that the third country, a territory or specific sector(s) within the third country, or the international organization in question guarantee an adequate level of protection. In such a case, the transfer does not require specific authorization. The third country or organization's adequacy is recognized by the European Commission's decision (Article 45 of EU Regulation 2016/679)

·         Other countries: Transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679)

All the information provided by Atlassian regarding data processing at the following link: https://www.atlassian.com/it/legal/privacy-policy#what-this-policy-covers

 

 

Microsoft Ireland Operations Limited

Microsoft 365

 

Sub-Processor’s Address: Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland

Purpose of the Data Processing: Microsoft 365 is a suite of enterprise collaboration software products. It is used by Imagicle for the management of various digital contents, among which texts, presentations, emails that may contain personal data of Customer and End User and data and Personal Data related to the use of Imagicle Products and in the fruition of related Services

Categories of personal data: Customer and End User personal data and data related to the use of Imagicle Products and in the fruition of related Services

Country where processing will take place: worldwide

Frequency of transfer: continuous/daily

Guarantees legitimizing the transfer

·         United States: the transfer is made based on the presence of an adequacy decision (art 45 GDPR) adopted on 10.07.2023 by the European Commission (EU-U.S. DATA PRIVACY FRAMEWORK - "DPF"). The member organizations of the DPFA can be consulted at the following link:

https://www.dataprivacyframework.gov/s/participant-search

·         Other countries do not ensure an adequate level of protection: the transfer is permitted if the Commission has decided that the third country, a territory or one or more specific sectors within the third country, or the international organization in question ensure an adequate level of protection. In that case, the transfer does not require specific authorizations. The adequacy of the third country or organization is recognized by decision of the European Commission (Art. 45 of EU Regulation 2016/679)

·         Other countries: The transfer is made on the basis of the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, or on the basis of the Binding Corporate Rules (BCRs), (Art. 46 of EU Regulation 2016/679)

All the information provided by Microsoft on data processing at the following link: https://privacy.microsoft.com/it-IT/

 

 

Dropbox International Unlimited Company

Sub-Processor’s Address: One Park Place, Floor 5 Upper Hatch Street, Dublin (Ireland)

Purpose of Data Processing: this cloud storage (archiving) and file-sharing service allows you to store, synchronize and share documents and other files via the Internet. Imagicle uses it for sharing and storing files and documents that may contain personal data of Customers/Potential Customers/End Users related only to administration and business relationship management activities

Personal data categories: personal data processed to administer and manage the relationship with the customer/potential customer/end user

Country in which the processing activity will take place: worldwide

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

·         United States: the transfer is made based on the presence of an adequacy decision (art 45 GDPR) adopted on 10.07.2023 by the European Commission (EU-U.S. DATA PRIVACY FRAMEWORK - "DPF"). The member organizations of the DPFA can be consulted at the following link:

https://www.dataprivacyframework.gov/s/participant-search

·         Other countries with guarantee an adequate level of protection: transfer is permissible if the Commission has decided that the third country, a territory or specific sector(s) within the third country, or the international organization in question guarantee an adequate level of protection. In such a case, the transfer does not require specific authorization. The third country or organization's adequacy is recognized by the European Commission's decision (Article 45 of EU Regulation 2016/679)

·         Other countries: Transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679)

All the information provided by Dropbox regarding data processing at the following link: https://www.dropbox.com/privacy

Imagicle Ltd

Processor’s Address: Pixash Lane, Keynsham, Bristol

Purposes of Data Processing: this direct subsidiary of Imagicle Spa works with it to administer and manage the relationship with the customer/potential customer/end user

Personal data categories: personal data processed to administer and manage the relationship with the customer/potential customer/end user

Country where processing activities will take place: United Kingdom

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

Other countries with guarantee an adequate level of protection: transfer is permissible if the Commission has decided that the third country, a territory or specific sector(s) within the third country, or the international organization in question guarantee an adequate level of protection. In such a case, the transfer does not require specific authorization. The third country or organization's adequacy is recognized by the European Commission's decision (Article 45 of EU Regulation 2016/679). COMMISSION EXECUTIVE DECISION (EU) 2021/1773 of June 28, 2021, under Directive (EU) 2016/680 of the European Parliament and the Council on the adequate protection of personal data by the United Kingdom.

 

 

 

Imagicle Sas

Processor’s Address: Parc des Barbanniers 5 - Promenade de la Bonnette - 92230 Genevilliers

Purposes of the Data Processing: this is a direct subsidiary of Imagicle Spa that collaborates with it to administer and manage the relationship with the customer/potential customer/end user.

Categories of personal data:

·         personal data processed to administer and manage the relationship with the customer/potential customer/end user

·         personal data related to the use of Imagicle Products and related Services

Country in which processing activities will take place: France

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

Not necessary, the transfer takes place within the territory of the European Union

Imagicle DMCC

Processor’s Address: Office 1307, JBC5, Cluster W, JLT - PO BOX 283982 United Arab Emirates

Purposes of the Data Processing: this direct subsidiary of Imagicle Spa works with it to administer and manage the relationship with the customer/potential customer/end user and for support activities

Personal data categories: personal data processed to administer and manage the relationship with the customer/potential customer /end user

Country in which processing will take place: United Arab Emirates

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

Transfer is made based on the EU Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Art. 46(2)(c) GDPR

Imagicle Saudi Communication Technology and Information

Processor’s Address: 7586 King Fahd Rd, 4119 Ar Rahmaniyah Dist, 12341 Riyadh, Kingdom of Saudi Arabia

Purpose of Data Processing: this indirect subsidiary of Imagicle Spa works with it to administer and manage the relationship with the customer/potential customer/end user and for support activities

Personal data categories: personal data processed to administer and manage the relationship with the customer/potential customer/end user.

Country where processing will take place: Saudi Arabia

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

Transfer is made based on the EU Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Art. 46(2)(c) GDPR

Imagicle Inc

Processor’s Address: 333, Las Olas Way - Fort Lauderdale FL33130 - United States

Purposes of the Data Processing: this direct subsidiary of Imagicle Spa, works with it to administer and manage the relationship with the customer/potential customer/end user and for support activities

Personal data categories: personal data processed to administer and manage the relationship with the customer/potential customer/end user.

Country in which processing activities will take place: United States of America

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

Transfer is made based on the EU Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Art. 46(2)(c) GDPR

 

OpenAI

Sub-Processor's Address: 1455 3rd Street, San Francisco, CA 94158, United States (OpenAI OpCo, LLC; EEA/Swiss personal data is processed by OpenAI Ireland Ltd, 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland)

Purpose of Data Processing: AI model (LLM) inference service. OpenAI processes API requests through its large language models for intent recognition and output generation. Processing is performed to provide the Service. By default, OpenAI does not use API platform inputs or outputs to train or improve its models. API inputs and outputs may be securely retained for up to 30 days to provide the services and identify abuse, after which they are removed unless legally required to be retained. Zero Data Retention (ZDR) option available for eligible endpoints/qualifying use cases. OpenAIOpenAI

Personal data categories: personal data related to the use of Imagicle Products and related Services, including call transcripts and other text derived from call content, Customer prompts/instructions and knowledge content provided to enable the Service, and AI-generated outputs

Country where processing will take place: United States

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

· United States: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, and/or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679), as applicable. For EEA/Swiss personal data, OpenAI Ireland Ltd acts as the contracting party and onward transfers to OpenAI affiliates or third parties outside the EEA/Switzerland are made on the basis of agreements incorporating such safeguards.

· Other countries with guarantee an adequate level of protection: transfer is permissible if the Commission has decided that the third country, a territory or specific sector(s) within the third country, or the international organization in question guarantee an adequate level of protection. In such a case, the transfer does not require specific authorization. The third country or organization's adequacy is recognized by the European Commission's decision (Article 45 of EU Regulation 2016/679).

· Other countries: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679).

All the information provided by OpenAI regarding privacy and data processing at the following links:

· Privacy Policy: https://openai.com/policies/privacy-policy
· Data Processing Addendum: https://openai.com/policies/data-processing-addendum
· Trust Portal: https://trust.openai.com

 

Additional product specific sub-processors

Voice Analytics 

Soniox

Sub-Processor's Address: 1045 Helm Lane, Foster City, CA 94404, United States (Soniox Inc)

Purpose of Data Processing: AI speech-to-text (ASR), text-to-speech, and translation service. Soniox processes audio submitted via its API to perform real-time and asynchronous transcription, speaker separation, translation, and related speech/voice processing for intent recognition and output generation. Processing is performed to provide the Service. Audio and transcripts are never used to train or improve Soniox models or services. Soniox does not store audio or transcript data unless storage is explicitly requested through a service that supports it (e.g. the async API), in which case stored data is isolated within the customer's Soniox account and can be deleted at any time via the Console or API; minimal logging is performed for reliability, debugging, and billing. In-region processing / data residency (Sovereign Cloud) is available to meet latency and regulatory requirements.

Personal data categories: personal data related to the use of Imagicle Products and related Services, including call audio and call transcripts and other text derived from call content, Customer prompts/instructions and knowledge content (e.g. context terms) provided to enable the Service, and AI-generated outputs

Country where processing will take place: United States (default; in-region/EU processing available via Soniox data residency where configured)

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

· United States: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, and/or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679), as applicable. Soniox maintains SOC 2 Type 2, ISO/IEC 27001:2022, HIPAA, and GDPR compliance, with compliance documentation available through the Soniox Console.

· Other countries with guarantee an adequate level of protection: transfer is permissible if the Commission has decided that the third country, a territory or specific sector(s) within the third country, or the international organization in question guarantee an adequate level of protection. In such a case, the transfer does not require specific authorization. The third country or organization's adequacy is recognized by the European Commission's decision (Article 45 of EU Regulation 2016/679).

· Other countries: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679).

All the information provided by Soniox regarding privacy and data processing at the following links:

· Privacy Policy: https://soniox.com/policies/privacy-policy
· Security & Privacy documentation: https://soniox.com/docs/security-and-privacy
· Policies overview: https://soniox.com/policies
· DPA / compliance documentation (SOC 2, ISO 27001, etc.): available through the Soniox Console (Security & compliance section)

OpenRouter, Inc.

 

Sub-Processor’s Address: 936 W Alder St, Louisville, CO 80027, United States

Purpose of Data Processing: AI model routing and API gateway service. OpenRouter routes API requests to various AI model providers for intent recognition and output generation. Processing is performed to provide the Service. Customer content is not used to train models.Zero Data Retention (ZDR) option available

Personal data categories: personal data related to the use of Imagicle Products and related Services, including call transcripts and other text derived from call content, Customer prompts/instructions and knowledge content provided to enable the Service, and AI-generated outputs

Country where processing will take place: United States

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

·         United States: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, and/or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679), as applicable.

·         Other countries with guarantee an adequate level of protection: transfer is permissible if the Commission has decided that the third country, a territory or specific sector(s) within the third country, or the international organization in question guarantee an adequate level of protection. In such a case, the transfer does not require specific authorization. The third country or organization's adequacy is recognized by the European Commission's decision (Article 45 of EU Regulation 2016/679).

·         Other countries: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679).

 

All the information provided by OpenRouter regarding privacy and data processing at the following links:

·         Privacy Policy:https://openrouter.ai/privacy

·         Trust Center & DPA:https://trust.openrouter.ai/?tab=documents

 

AI Virtual Receptionist and Smartflows

OpenRouter, Inc.

 

Sub-Processor’s Address: 936 W Alder St, Louisville, CO 80027, United States

Purpose of Data Processing: AI model routing and API gateway service. OpenRouter routes API requests to various AI model providers for intent recognition and output generation. Processing is performed to provide the Service. Customer content is not used to train models.Zero Data Retention (ZDR) option available

Personal data categories: personal data related to the use of Imagicle Products and related Services, including call transcripts and other text derived from call content, Customer prompts/instructions and knowledge content provided to enable the Service, and AI-generated outputs

Country where processing will take place: United States

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

·         United States: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, and/or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679), as applicable.

·         Other countries with guarantee an adequate level of protection: transfer is permissible if the Commission has decided that the third country, a territory or specific sector(s) within the third country, or the international organization in question guarantee an adequate level of protection. In such a case, the transfer does not require specific authorization. The third country or organization's adequacy is recognized by the European Commission's decision (Article 45 of EU Regulation 2016/679).

·         Other countries: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679).

 

All the information provided by OpenRouter regarding privacy and data processing at the following links:

·         Privacy Policy:https://openrouter.ai/privacy

·         Trust Center & DPA:https://trust.openrouter.ai/?tab=documents

Deepgram

Sub-Processor's Address: 548 Market Street, PMB 25104, San Francisco, CA 94104, United States (Deepgram, Inc.)

Purpose of Data Processing: AI speech-to-text (ASR) and voice AI service. Deepgram processes audio submitted via its API to perform transcription, language understanding, and related speech/voice processing for intent recognition and output generation. Processing is performed to provide the Service. Deepgram acts as a data processor and processes Customer Data solely on behalf of, and as directed by, the customer (controller). Deepgram operates a Model Improvement Partnership Program; requests can be excluded from model improvement by setting the mip_opt_out=true API parameter, in which case data from opted-out requests is retained only for the duration necessary to process the request. Real-time PII/PCI redaction and configurable/zero-retention processing options are available. EU in-region processing is available via Deepgram's EU endpoint (api.eu.deepgram.com). DeepgramDeepgram

Personal data categories: personal data related to the use of Imagicle Products and related Services, including call audio and call transcripts and other text derived from call content, Customer prompts/instructions and knowledge content provided to enable the Service, and AI-generated outputs

Country where processing will take place: United States

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

· United States: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, and/or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679), as applicable. Deepgram enters into data processing agreements with its customers and frequently enters into the EU Commission's Standard Contractual Clauses to legitimize transfers of Customer Data outside the EEA, United Kingdom or Switzerland to the US. Deepgram

· Other countries with guarantee an adequate level of protection: transfer is permissible if the Commission has decided that the third country, a territory or specific sector(s) within the third country, or the international organization in question guarantee an adequate level of protection. In such a case, the transfer does not require specific authorization. The third country or organization's adequacy is recognized by the European Commission's decision (Article 45 of EU Regulation 2016/679).

· Other countries: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679).

All the information provided by Deepgram regarding privacy and data processing at the following links:

· Privacy Policy: https://deepgram.com/privacy
· Trust & Security / Data Privacy Compliance: https://developers.deepgram.com/trust-security/data-privacy-compliance
· Data Security: https://deepgram.com/data-security
· DPA / SCCs: available from Deepgram on request (referenced in the Privacy Policy)

ElevenLabs

 

Sub-Processor’s Address: 169 Madison Ave #2484, New York, NY 10016, United States

Purpose of Data Processing: Text-to-speech generation (TTS) for AI-enabled voice services (e.g., Virtual Receptionist). Customer content is not used to train models.

Personal data categories: Text provided for synthesis (which may include personal data) and generated audio output; related request metadata.

Country where processing will take place: United States

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

·         United States: the transfer is made based on the presence of an adequacy decision (art 45 GDPR) adopted on 10.07.2023 by the European Commission (EU-U.S. DATA PRIVACY FRAMEWORK - "DPF"). The member organizations of the DPFA can be consulted at the following link: https://www.dataprivacyframework.gov/s/participant-search

·         Other countries with guarantee an adequate level of protection: transfer is permissible if the Commission has decided that the third country, a territory or specific sector(s) within the third country, or the international organization in question guarantee an adequate level of protection. In such a case, the transfer does not require specific authorization. The third country or organization's adequacy is recognized by the European Commission's decision (Article 45 of EU Regulation 2016/679).

·         Other countries: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679).

 

All the information provided by ElevenLabs regarding privacy and data transfers at the following links:

·         Privacy Policy: https://elevenlabs.io/privacy-policy

·         EU-U.S. Data Privacy Framework Policy: https://elevenlabs.io/eu-us-data-privacy-framework-policy/

MongoDB

Sub-Processor's Address: 1633 Broadway, 38th Floor, New York, NY 10019, United States (MongoDB, Inc.; for customers located outside the Americas and Japan, the contracting entity is MongoDB Limited, Building 2, Number 1 Ballsbridge, Shelbourne Road, Ballsbridge, D04 Y3X9 Dublin, Ireland)

Purpose of Data Processing: Managed cloud database service (MongoDB Atlas). MongoDB hosts, stores, and enables retrieval of application data on Imagicle's behalf, including the persistence of content used to provide the Service. Processing is performed to provide the Service. MongoDB acts as a data processor for any personal data that customers upload to its cloud services and processes it solely on the customer's instructions; by default MongoDB does not have visibility into the nature or categories of personal data uploaded. MongoDB does not use Customer Personal Data to train AI models; for optional AI Features, customer input data is not used for model training where the customer opts out. Customers select their preferred data hosting region and cloud provider (AWS, Microsoft Azure, or Google Cloud); MongoDB does not choose the physical geographic location where Customer Personal Data is stored. Encryption at rest/in transit, with optional Queryable Encryption / Client-Side Field Level Encryption, is available.

Personal data categories: personal data related to the use of Imagicle Products and related Services, including call transcripts and other text derived from call content, Customer prompts/instructions and knowledge content provided to enable the Service, AI-generated outputs, and associated application/configuration data persisted in the database

Country where processing will take place: Customer-selected deployment region (configured by Imagicle). Where Imagicle deploys in a MongoDB Atlas European region, Customer Personal Data physically resides in the EU; MongoDB, Inc. (United States) may access data for support/operations under the safeguards below.

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

· United States: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, and/or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679), as applicable. MongoDB is certified to the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework; its DPA incorporates the 2021 EU SCCs and the 2022 UK International Data Transfer Addendum.

· Other countries with guarantee an adequate level of protection: transfer is permissible if the Commission has decided that the third country, a territory or specific sector(s) within the third country, or the international organization in question guarantee an adequate level of protection. In such a case, the transfer does not require specific authorization. The third country or organization's adequacy is recognized by the European Commission's decision (Article 45 of EU Regulation 2016/679).

· Other countries: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679).

All the information provided by MongoDB regarding privacy and data processing at the following links:

· Privacy Policy: https://www.mongodb.com/legal/privacy/privacy-policy
· Data Processing Agreement: https://www.mongodb.com/legal/data-processing-agreement
· Sub-processors: https://www.mongodb.com/cloud/trust/compliance/subprocessors
· Trust Center: https://www.mongodb.com/products/platform/trust

Pinecone

 

Sub-Processor’s Address: New York, 1375 Broadway, Floor 11, United States

Purpose of Data Processing: Use of Pinecone Vector Database to build knowledgeable AI

Personal data categories: personal data related to the use of Imagicle Products and related Services, including vectorized representations (embeddings) derived from Customer-provided knowledge content and/or text derived from call content, where applicable

Country where processing will take place: United States, Europe, based on customer region service selection.

Frequency of transfer: continuous/daily

Guarantees that legitimize the transfer:

·         United States: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, and/or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679), as applicable.

·         Other countries with guarantee an adequate level of protection: transfer is permissible if the Commission has decided that the third country, a territory or specific sector(s) within the third country, or the international organization in question guarantee an adequate level of protection. In such a case, the transfer does not require specific authorization. The third country or organization's adequacy is recognized by the European Commission's decision (Article 45 of EU Regulation 2016/679).

·         Other countries: transfer is made based on the standard data protection clauses adopted by the European Commission, with provision for additional safeguards where deemed necessary, or based on Binding Corporate Rules (BCRs) (Art. 46 of EU Regulation 2016/679).

 

All the information provided by Pinecone regarding privacy and security at the following links:

·         Privacy Policy (Cross-border transfers): https://www.pinecone.io/privacy/

·         Trust/Security Center: https://security.pinecone.io/