DPA art.28 — Natalia Analytics connected mode
Full processor agreement for the connected mode of Natalia Analytics. Documents the Gemini sub-processor (Google Ireland, eu-west), EU SCC, and the customer's audit rights.
DPA — template clauses
Article 1 — Subject matter, duration and law
This DPA applies between Natalia SAS (the "Processor") and the Customer (the "Controller") for the duration of the connected mode activation of the Natalia Analytics Software. It is governed by GDPR (Regulation (EU) 2016/679) and by French law for matters falling outside the GDPR.
Article 2 — Nature, purpose and duration of processing
The Processor performs the following processing operations on behalf of the Controller: (a) LLM-assisted analysis of CDR uploaded by the Controller, (b) conversational Q&A interface, (c) generation of analytical insights returned to the Controller. The processing lasts as long as connected mode is activated and ends upon deactivation by the Controller.
Article 3 — Categories of data and data subjects
Categories of data: phone numbers (controller-side pseudonymised), call metadata (date, time, duration, direction), aggregated KPIs, conversational prompts from Controller users. Categories of data subjects: employees of the Controller using the phone system, third parties (callers and callees) involved in business calls.
Article 4 — Obligations of the Processor (art.28 §3 GDPR)
(a) Documented instructions. The Processor processes the personal data only on documented instructions from the Controller, including transfers to a third country. The Controller's instructions are materialised by the activation of connected mode and by the configuration parameters set in the admin UI.
(b) Confidentiality. The Processor ensures that persons authorised to process the personal data are bound by an enforceable confidentiality obligation.
(c) Security measures (art.32). The Processor implements appropriate technical and organisational measures: encryption at rest and in transit, role-based access control, immutable audit log, isolated infrastructure, EU-only hosting, annual penetration test, vulnerability management process. The details are documented on the security page.
(d) Sub-processing. The Processor uses the sub-processors listed in Annex 2. Any new sub-processor is notified to the Controller 30 days in advance, with right to object. In case of objection, the Controller may terminate the connected mode without penalty.
(e) Assistance with data subject rights. The Processor assists the Controller in fulfilling the data subjects' rights (access, rectification, erasure, portability, objection) by providing appropriate technical and organisational means: export endpoints, deletion endpoints, audit access.
(f) Assistance with security obligations. The Processor assists the Controller with art.32 to 36 obligations, in particular notification of personal data breaches within 48h of detection.
(g) Deletion or return. At the end of the processing, the Processor, at the choice of the Controller, deletes or returns the personal data within 30 days, and deletes existing copies, except where retention is required by EU or Member State law.
(h) Information and audit. The Processor makes available to the Controller all information necessary to demonstrate compliance with art.28 and allows audits, including inspections, conducted by the Controller or by an independent third party mandated by the Controller, once per year subject to 30-day notice.
Article 5 — International transfers
The personal data is hosted exclusively in the European Union (Belgium / Ireland). The sub-processor Gemini (Google Ireland) processes the personal data in the eu-west region. No transfer outside the EU takes place. If a transfer outside the EU becomes necessary, EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) apply with a documented Transfer Impact Assessment.
Article 6 — Personal data breach notification
The Processor notifies the Controller of any personal data breach without undue delay and at the latest within 48h after detection. The notification includes the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences and the measures taken or proposed.
Article 7 — Liability
Each Party is liable for damages caused by processing operations not in compliance with the GDPR, within the limits of the master agreement. The Processor is liable in particular if it has acted outside or contrary to the lawful instructions of the Controller or if it has not complied with its obligations under art.28 GDPR.
Annex 1 — Security measures (art.32)
Encryption at rest, encryption in transit (TLS 1.2+), role-based access control (RBAC), pseudonymisation of phone numbers per tenant, immutable audit log, EU-only hosting, annual penetration test, breach notification process ≤ 48h, individual authentication of operators, written intervention authorisation procedure. Full details on the security page of the documentation.
Annex 2 — List of sub-processors
Gemini (Google Ireland Limited) — Sub-processor for LLM analysis only. Region: eu-west. Contract: Google Cloud DPA + EU SCC. Customer prompt retention: 0 days (contractual). Training on customer prompts: prohibited (contractual).
EU-based managed infrastructure provider — Sub-processor for managed datastores and managed object storage. Region: Belgium. Contract: provider DPA + EU SCC.