Data Processing Addendum

This DPA reflects the parties’ agreement on the Processing of Customer Personal Data in connection with the U.S. state privacy laws applicable to the Services, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), and the comprehensive consumer-privacy laws of other U.S. states (together with the CCPA, the “U.S. State Privacy Laws”). It does not address the EU GDPR or UK GDPR; see Section 12 and Annex C. EU/UK transfer terms are not currently offered and would be added only if BRCK begins serving EU/UK data subjects.

1. Definitions

For purposes of this DPA:

• “Controller / Business” means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. As to Customer Personal Data, Customer is the Controller / Business.
• “Processor / Service Provider” means the entity that Processes Personal Data on behalf of, and on the documented instructions of, the Controller / Business. As to Customer Personal Data, BRCK is the Processor / Service Provider.
• “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under applicable U.S. State Privacy Laws.
• “Customer Personal Data” means Personal Data contained in or derived from the content and metadata of communications that Customer (and Customer’s end users) transmit, receive, route, or generate through the Services, and that BRCK Processes solely on Customer’s behalf as a Processor / Service Provider. It includes, without limitation: the content of calls and messages (including any temporary call-audio copies), call detail records (CDRs) and message records, routing, configuration, and signaling metadata, Customer Proprietary Network Information (CPNI) generated by Customer’s end users, E911 registered/service addresses and location data, and end-user identifiers. It does not include Personal Data for which BRCK is itself the Controller / Business (see Section 2.2).
• “Process” / “Processing” means any operation performed on Personal Data, whether or not by automated means.
• “Sub-processor” means a third party engaged by BRCK to Process Customer Personal Data on BRCK’s behalf in connection with the Services.
• “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by BRCK or its Sub-processors.
• “Data Subject Request” means a request by an individual to exercise rights under applicable U.S. State Privacy Laws.
• “CPNI” has the meaning given under Section 222 of the Communications Act of 1934, as amended (47 U.S.C. § 222), and applicable FCC rules.

2. Roles of the Parties

2.1 BRCK as Processor / Service Provider

For Customer Personal Data, BRCK acts as a Processor / Service Provider and Customer acts as the Controller / Business.BRCK will Process Customer Personal Data only on Customer’s documented instructions and only to provide, maintain, secure, and support the Services, as set out in this DPA and the Agreement. The Agreement and this DPA (including any Order Form and the configuration choices Customer makes) constitute Customer’s complete and final documented instructions to BRCK for the Processing of Customer Personal Data; additional or different instructions must be agreed in writing and may be subject to fees.

2.2 BRCK as Controller / Business (governed by the Privacy Policy, not this DPA)

For Personal Data that BRCK collects and Processes for its own purposes— including data about visitors to and users of BRCK’s websites, BRCK’s marketing and communications, Customer’s account-administration and billing data, and similar data — BRCK acts as a Controller / Business, and that Processing is governed by the BRCK Privacy Policy(see Privacy Policy §1.1), not by this DPA.

2.3 Customer’s responsibilities as Controller / Business

Customer represents and warrants that, with respect to Customer Personal Data: (a) it has provided all required notices and obtained all consents and legal bases necessary for BRCK and its Sub-processors to Process the Customer Personal Data as contemplated by the Agreement; (b) its instructions to BRCK comply with applicable law; and (c) it is responsible for the accuracy, quality, and legality of the Customer Personal Data and the means by which it acquired it. Where Customer’s own end users have a relationship with Customer (not BRCK), Customer — not BRCK — is the entity to which those end users direct their privacy rights requests(consistent with Privacy Policy §1.2).

2.4 BRCK’s limited independent-controller activity

To the extent permitted by applicable law, BRCK may Process certain communications and usage metadata as an independent Controller / Businessfor the limited purposes of: (a) preventing, detecting, and investigating fraud, toll fraud, IRSF, security threats, and abuse; (b) maintaining the security, integrity, and operation of BRCK’s network; (c) billing, rating, and collecting amounts owed; (d) complying with BRCK’s own legal, regulatory, and telecom obligations (including CPNI, USF/499, lawful-process, and FCC requirements); and (e) creating de-identified or aggregated data as described in Section 2.5. BRCK will not treat this carve-out as a license to use Customer Personal Data for advertising or for any purpose outside the direct business relationship with Customer (see Section 9).

2.5 De-identified and aggregated data

As permitted for a service provider / processor under applicable U.S. State Privacy Laws, BRCK may create de-identified and aggregated data derived from its Processing of Customer Personal Data, and may use such data to operate, secure, analyze, develop, train, and improve its products, services, and artificial-intelligence and machine-learning models. BRCK maintains such data in de-identified or aggregated form, does not attempt to re-identify it (except as permitted by law to test that de-identification is effective), and does not disclose it in a manner that would identify any individual.

3. Subject Matter, Duration, Nature, and Purpose of Processing

The details of Processing required by applicable law are set out in Annex A. In summary: the subject matter is BRCK’s provision of the Services; the duration is the term of the Agreement plus any post-termination period in Section 8; the nature and purpose is the Processing necessary to route, transmit, deliver, store (as applicable), secure, and support voice, messaging, and related communications; the types of Personal Data include those listed in the definition of Customer Personal Data; and the categories of data subjects are Customer’s end users and other individuals whose Personal Data is contained in communications Processed through the Services.

4. BRCK’s Processing Obligations

BRCK will:

1. Process only on documented instructions (including with regard to international transfers, if any), except where required by applicable law to which BRCK is subject; in such a case, BRCK will inform Customer of that legal requirement before Processing, unless the law prohibits such notice.
2. Confidentiality. Ensure that persons authorized to Process Customer Personal Data are bound by appropriate obligations of confidentiality and are limited to those who need access to provide the Services.
3. Security. Implement and maintain the technical and organizational security measures described in Annex B.
4. Lawfulness flag. If BRCK becomes aware that an instruction from Customer infringes applicable law, BRCK will inform Customer and may suspend the affected Processing until the instruction is confirmed, modified, or withdrawn.
5. Assist with Data Subject Requests as set out in Section 5.
6. Assist with security, breach notification, and data-protection assessments as set out in Sections 7 and 8.
7. Sub-processing only as set out in Section 6.
8. Return or delete Customer Personal Data as set out in Section 8.
9. Records and demonstrating compliance as set out in Section 11 (audits).

4.1 De-identified and Aggregated Data; AI/ML Development

Consistent with Section 2.5 and Privacy Policy §4.1, BRCK may create and use de-identified and aggregated data to operate, secure, analyze, develop, train, and improve its products, services, and AI/ML models, with a commitment not to attempt to re-identify it.

5. Assistance with Data Subject Requests

Taking into account the nature of the Processing, BRCK will assist Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer’s obligation to respond to Data Subject Requests. Because BRCK Processes Customer Personal Data on Customer’s behalf, if BRCK receives a Data Subject Request directly from an individual relating to Customer Personal Data, BRCK will not respond to the substance of the request except on Customer’s documented instructions or as required by law, and will, where permitted, advise the individual to submit the request to Customer and promptly notify Customer of the request. Where the Services provide self-service functionality, BRCK may direct Customer to use that functionality to satisfy a Data Subject Request. BRCK may charge a reasonable fee for assistance that materially exceeds standard self-service functionality.

6. Sub-processors

6.1 General authorization

Customer provides general written authorizationfor BRCK to engage Sub-processors to Process Customer Personal Data in connection with the Services, subject to this Section. The categories of Sub-processors BRCK engages are: cloud infrastructure and hosting; analytics; customer support; payment processing; and messaging/voice carrier and routing partners. A current list of BRCK’s Sub-processors, including the service provided, the categories of data Processed, and the processing location, is maintained and made available at brck.com/sub-processors(the “Sub-processor List”). BRCK will update the Sub-processor List and provide the change notification described in Section 6.3 before a new or replacement Sub-processor begins Processing Customer Personal Data.

6.2 Flow-down obligations

Before engaging a Sub-processor that will Process Customer Personal Data, BRCK will impose on the Sub-processor, by written contract, data-protection obligations no less protectivethan those in this DPA, to the extent applicable to the Sub-processor’s services. BRCK remains responsible for its Sub-processors’ performance of those obligations to the same extent BRCK would be responsible if it performed the services directly.

6.3 Change notice and objection right

BRCK will provide Customer with notice of the addition or replacement of a Sub-processor that Processes Customer Personal Data at least thirty (30) days beforethe new Sub-processor begins Processing Customer Personal Data, except that for non-infrastructure Sub-processors and where a shorter period is reasonably necessary (e.g., to address a security risk or a vendor’s discontinuation of service), BRCK may provide at least ten (10) days’ notice. Notice will be given through the Sub-processor List update mechanism and/or by email; Customer may subscribe to change notifications via privacy@brck.com. If Customer has a reasonable, good-faith objection based on data-protection grounds to a new Sub-processor, Customer must notify BRCK in writing within the notice period. The parties will work in good faith to resolve the objection. If the objection cannot be resolved and BRCK proceeds with the Sub-processor, Customer may, as its sole remedy, terminate the affected portion of the Services on written notice (without prejudice to amounts owed for Services rendered).

7. Personal Data Breach Notification

BRCK will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay as required by applicable lawafter becoming aware of it, and will provide Customer with information reasonably available to BRCK to assist Customer in meeting its own breach-notification obligations. Consistent with BRCK’s status as an interconnected VoIP provider, BRCK does notcommit to a fixed numeric deadline (such as 48 or 72 hours); the timing of notice is governed by the applicable legal standard described below. BRCK’s notification is not an acknowledgment of fault or liability. BRCK will take reasonable steps to mitigate the effects of the Personal Data Breach.

This obligation is in addition to, and does not displace, BRCK’s separate regulatory breach obligations as a communications provider. As described in Privacy Policy §12, BRCK handles CPNI under 47 U.S.C. § 222and, as an interconnected VoIP provider, is subject to the FCC’s breach-notification rule for carriers, interconnected VoIP, and TRS providers (47 CFR § 64.2011 / FCC 23-111), which may require notice to the FCC and to federal law enforcement (the FBI and U.S. Secret Service) and to affected customers, and which does not impose a mandatory waiting period before customer notice. BRCK will also comply with applicable state breach-notification laws.

8. Return and Deletion of Customer Personal Data

Upon termination or expiration of the Agreement, BRCK will, at Customer’s election and to the extent technically feasible, return or deleteCustomer Personal Data Processed on Customer’s behalf, and delete existing copies, except to the extent retention is required by applicable law (including telecom record-keeping, CPNI, billing, tax, and lawful-process requirements) or for the limited independent-controller purposes in Section 2.4. BRCK will delete or anonymize Customer Personal Data in accordance with its standard retention practices and Privacy Policy §11 (including the ≤48-hour temporary call-audio QA window). Where BRCK retains Customer Personal Data as permitted above, BRCK will continue to protect it in accordance with this DPA and limit further Processing to the purpose(s) requiring retention.

9. CCPA / U.S. State Privacy Law Service-Provider Terms

To the extent BRCK Processes Customer Personal Data that constitutes “personal information” subject to the CCPA, the parties agree that Customer is a Business and BRCK is a Service Provider, and that BRCK Processes such personal information solely to perform the Services under the Agreement (a “business purpose”). BRCK is prohibited from, and will not:

1. Sell or Sharethe personal information, as “sell” and “share” are defined under the CCPA (i.e., BRCK will not sell it for monetary or other valuable consideration, and will not share it for cross-context behavioral advertising);
2. Retain, use, or disclose the personal information for any purpose other than the business purpose(s) specified in the Agreement, or outside the direct business relationship between BRCK and Customer, except as otherwise permitted by the CCPA;
3. Combine the personal information BRCK receives from, or on behalf of, Customer with personal information BRCK receives from any other person, except as permitted by the CCPA for a service provider; and
4. otherwise Process the personal information in any manner outside the direct business relationship with Customer.

BRCK will comply with the applicable obligations of a Service Provider under the CCPA, will provide the same level of privacy protection as required of a Business, and will notify Customer if BRCK determines it can no longer meet its obligations under the CCPA. BRCK certifies that it understands the restrictions in this Section and will comply with them, and will engage Sub-processors only pursuant to a written contract requiring the Sub-processor to observe the same CCPA Service-Provider restrictions.

10. Other U.S. State Privacy Law Processor Terms

To the extent the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, and other U.S. State Privacy Laws that require specific controller-processor contract terms apply, BRCK, as Processor, will: (a) adhere to Customer’s instructions and assist Customer in meeting its obligations under those laws; (b) ensure each person Processing Customer Personal Data is subject to a duty of confidentiality; (c) at Customer’s direction, delete or return Customer Personal Data at the end of the Services, unless retention is required by law; (d) make available to Customer, on reasonable request, information necessary to demonstrate BRCK’s compliance (see Section 11); (e) assist Customer, by appropriate technical and organizational measures, with the security of Processing, breach notification, and data-protection assessments; and (f) engage Sub-processors only under a written contract that flows down these obligations (see Section 6).

11. Audits and Demonstrating Compliance

BRCK will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA and BRCK’s obligations under applicable U.S. State Privacy Laws — satisfying the statutory minimum (the CCPA service-provider standard and the Article 28-style information-provision obligation). On Customer’s reasonable written request (no more than once per twelve (12) months, except following a Personal Data Breach affecting Customer Personal Data or where required by a regulator), BRCK will satisfy this obligation by making available then-current third-party audit reports, attestations, or certifications (e.g., SOC 2 / ISO 27001, if held) and by responding to a reasonable written security and data-protection questionnaire, in each case subject to confidentiality. For the avoidance of doubt, this DPA does notgrant Customer or its representatives a right to conduct an on-site or physical audit of BRCK’s facilities or systems. Any information provided under this Section is limited to BRCK’s Processing of Customer Personal Data and excludes data of other customers, BRCK’s confidential commercial information, and anything that would breach BRCK’s legal or contractual obligations.

12. International Transfers

This DPA addresses Processing under U.S. State Privacy Laws only. The Services are provided from the United States and are intended for U.S. users (consistent with Privacy Policy §15). International transfer terms (such as the EU Standard Contractual Clauses, the UK IDTA, or an EU-US Data Privacy Framework certification) are not currently offered and would be added only if BRCK begins serving EU/UK data subjects.

13. Order of Precedence

This DPA is incorporated into and forms part of the Agreement. It is positioned at tier (5) of the Terms of Service ORDER OF PRECEDENCEclause (“the Privacy Policy and any applicable Data Processing Addendum”). In the event of a conflict between this DPA and any other document comprising the Agreement on the subject of the Processing of Customer Personal Data, this DPA controls as to that subject matter; on all other subjects, the order of precedence in the Terms of Service governs. Nothing in this DPA limits or contradicts the Terms of Service section titled “Customer Equipment Security; Responsibility for Unauthorized Use, Fraud, and Toll Fraud,” the Acceptable Use Policy, or the limitation-of-liability provisions of the Terms of Service, all of which continue to apply.

14. Term, Governing Law, and Notices

This DPA takes effect on the effective date of the Agreement (or the date both parties accept it, if later) and continues until BRCK ceases Processing Customer Personal Data. This DPA is governed by the laws of the State of North Carolina, without regard to its conflict-of-laws provisions, consistent with the Terms of Service. The parties submit to the exclusive venue of the state courts of Mecklenburg County, North Carolina and the U.S. District Court for the Western District of North Carolina, Charlotte Division, and any arbitration seat is Charlotte, Mecklenburg County, North Carolina. Notices under this DPA (including Sub-processor objections, breach notifications, and data-subject-request assistance) must be sent to BRCK at legal@brck.com and privacy@brck.com, with a copy to the notice address designated below:

Turkana, LLC d/b/a BRCK
16928 Lancaster Hwy, Suite 109
Charlotte, NC 28277

Annex A — Details of Processing

Annex B — Technical and Organizational Security Measures

BRCK maintains administrative, technical, and physical safeguards designed to protect Customer Personal Data, including, at a minimum:

• Information classification and handling — assets classified by sensitivity and criticality; access restricted on a need-to-know basis;
• Access control and authentication — least-privilege access; access reviewed regularly and revoked promptly on termination or role change; and multi-factor authentication (MFA) enforced for all access to sensitive systems and data, including all third-party vendor and contractor access;
• Encryptionof Personal Data in transit and at rest using industry-standard encryption (consistent with Privacy Policy §13);
• Data minimization — personal and sensitive information collected only to the extent reasonably necessary and proportionate to provide the requested service;
• Backup and recovery — backup and recovery procedures with restoration tests conducted and documented at least quarterly;
• Logging and monitoring — access to systems Processing Customer Personal Data is logged and monitored;
• Vendor / supply-chain risk management— third-party vendors handling BRCK data (e.g., AWS, Oracle NetSuite, Bandwidth) undergo an annual security risk assessment, and vendor contracts require breach notification (a 72-hour vendor-to-BRCK window) and adherence to BRCK’s security standards;
• Personnel — confidentiality obligations and security-awareness training;
• Retention minimization— temporary call-audio QA copies deleted after up to 48 hours (Privacy Policy §11); CPNI and CDRs retained only as required by applicable telecom law and legitimate business need;
• Incident response— documented procedures for detecting, investigating, and responding to Personal Data Breaches (Section 7), aligned with BRCK’s FCC/CPNI breach posture and Incident Response Policy;
• Physical security — controlled physical access to facilities, equipment, and sensitive areas (access cards, biometrics, surveillance); visitors and third-party personnel escorted while on premises;
• Sub-processor oversight — written data-protection terms and ongoing oversight (Section 6).

Customer is responsible for its own equipment, systems, credentials, and configuration choices, and for using the security features BRCK makes available, as set out in the Terms of Service “Customer Equipment Security” section and the Acceptable Use Policy.

Annex C — International Transfer Mechanism

Not offered.BRCK provides the Services from, and processes Customer Personal Data in, the United States, and does not currently offer EU/UK international-transfer terms. EU Standard Contractual Clauses, the UK IDTA, or an EU-US Data Privacy Framework certification would be added here only if BRCK begins serving or monitoring EU/UK data subjects (consistent with Section 12 and Privacy Policy §15).