Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement between KYLER HURD LLC, DBA Symphora Automation (“Company”, “Processor”) and [FILL IN: Client Legal Name] (“Client”, “Controller”), effective as of [FILL IN: Effective Date of MSA]. Capitalized terms not defined in this DPA have the meanings set forth in the MSA.

  1. Role of the Parties
    1.1 Controller and Processor Roles. Client is the Controller of Client Data and Company is a Processor acting on Client’s behalf to provide Services as described in the MSA/SOW.

  2. Processing Details
    2.1 Subject matter: Processing of Client Data necessary to provide Services described in the MSA/SOW.
    2.2 Duration: The duration of processing is the term of the MSA/SOW plus any retention period required for dispute resolution or legal obligations.
    2.3 Nature and purpose: To provide appointment booking, lead follow‑up, AI message generation, analytics, and related services.
    2.4 Categories of Data Subjects: Client’s customers, prospects, employees, and other contacts.
    2.5 Categories of Personal Data: Contact info, message content and metadata, call recordings, transaction data, device and usage data, CRM data, consent records.

  3. Processor Obligations
    3.1 Instructions. Company will process Client Data only on documented instructions from Client (including the MSA/SOW and any written instructions). Company will notify Client if it believes an instruction violates law.
    3.2 Security. Company will implement appropriate technical and organizational measures, including:
    a) Access controls and least privilege;
    b) Encryption in transit (TLS 1.2+) and reasonable encryption at rest;
    c) Multi‑factor authentication for administrative accounts;
    d) Regular vulnerability scanning and patch management;
    e) Logging and monitoring of privileged access; and
    f) Periodic security reviews and a breach response plan.
    3.3 Personnel. Company will ensure persons authorized to process Client Data are subject to confidentiality obligations and trained on data protection obligations.
    3.4 Subprocessors. Company may engage subprocessors to process Client Data. Company will:
    a) Maintain a list of current subprocessors at: Subprocessors;
    b) Provide prior notice of new subprocessors and allow Client a right to object within 10 days; and
    c) Require subprocessors to enter into written agreements with obligations no less protective than this DPA.
    3.5 Data Subject Requests. Company will, to the extent feasible, assist Client in responding to data subject requests (access, deletion, portability) within a commercially reasonable timeframe and under Client’s instructions.
    3.6 Security Breach Notification. Company will notify Client without undue delay and no later than 72 hours after becoming aware of a security breach affecting Client Data and will provide necessary details and cooperation for remediation and regulatory notifications.

  4. International Transfers
    4.1 Transfers. Company may transfer Client Data to subprocessors in jurisdictions outside the EEA/UK. Company will ensure adequate safeguards (e.g., Standard Contractual Clauses (SCCs), binding corporate rules, or Client consent) are in place for such transfers. Where applicable, Company will execute SCCs with Client upon request.

  5. Assistance and Compliance
    Company will reasonably assist Client with DPIAs, security assessments, and compliance obligations, including implementing technical measures required by law.

  6. Deletion and Return
    Upon termination or expiry of the MSA/SOW, Company will, at Client’s choice, delete or return all Client Data within 60 days, except where retention is required by law. Company will irreversibly delete backups within 90 days thereafter.

  7. Audit Rights
    Client may audit Company’s compliance with this DPA by: (a) reviewing Company’s relevant third‑party audit reports (SOC 2, ISO 27001) upon request; and/or (b) conducting an on‑site or remote audit with at least 30 days’ prior written notice and subject to confidentiality obligations. Any intrusive or frequent audits require mutual agreement on scope and cost allocation.

  8. Liability
    The parties’ liability for breaches of this DPA is governed by the indemnity and limitation provisions of the MSA, except that neither party’s liability shall be limited for willful misconduct or gross negligence.

  9. Miscellaneous
    This DPA is governed by the law of Wisconsin. In the event of conflict between this DPA and the MSA, the DPA controls with respect to data processing matters.

Signatures:
Company: KYLER HURD LLC, DBA Symphora Automation
By: ________________________ Name: [FILL IN: Signatory Name] Title: [FILL IN: Title] Date: [FILL IN: Date]

Controller: [FILL IN: Client Legal Name]
By: ________________________ Name: [FILL IN: Signatory Name] Title: [FILL IN: Title] Date: [FILL IN: Date]
