DATA PROCESSING AGREEMENT
Companion to Ultatel Master Services Agreement
This Data Processing Agreement (this “DPA”) is entered into between Ultatel, LLC (“Ultatel” or “Processor”) and the customer identified on the signature block (“Customer” or “Controller”), and is effective as of the date last signed below (the “Effective Date”).
This DPA supplements and is incorporated into the Master Services Agreement between the parties (the “MSA”). In the event of a conflict between this DPA and the MSA, this DPA shall govern with respect to processing of Personal Data; provided that nothing in this DPA shall expand Ultatel’s liability beyond the limitations set forth in Section 7 of the MSA.
1. Definitions
(a) “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including, as applicable: (i) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA”); (ii) the Virginia Consumer Data Protection Act and similar U.S. state privacy laws (“U.S. State Privacy Laws”); and (iii) any other applicable national or state privacy or data protection law that becomes applicable to the processing under this DPA.
(b) “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Special Categories of Personal Data” shall have the meanings given in Applicable Data Protection Law. Under the CCPA, references to “Controller” include “business” and references to “Processor” include “service provider.”
(c) “Customer Data” means Personal Data and other content that Customer or its end users transmit, store, or process through the Services.
(d) “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.
(e) “Services” has the meaning given in the MSA.
(f) “Sub-processor” means any third party engaged by Ultatel that processes Customer Data on Ultatel’s behalf in connection with the Services.
2. Roles of the Parties
With respect to Customer Data, Customer is the Controller (or “business” under the CCPA), and Ultatel is the Processor (or “service provider” under the CCPA). Each party shall comply with its obligations under Applicable Data Protection Law in connection with the processing of Customer Data.
Ultatel processes limited account-administration data (including Customer’s administrator credentials, billing data, and aggregated usage statistics) as a Controller for purposes of providing, securing, and improving the Services, fraud prevention, and complying with legal obligations. Such processing is described in the Privacy Policy at www.ultatel.com/privacy.
3. Processing Instructions
Ultatel shall process Customer Data only on documented instructions from Customer, except where required by applicable law. The MSA, this DPA, and Customer’s use of the Services constitute Customer’s documented instructions. If Ultatel is required by law to process Customer Data otherwise, Ultatel shall, where legally permitted, inform Customer of such legal requirement before processing.
Ultatel shall promptly notify Customer if, in Ultatel’s opinion, an instruction from Customer infringes Applicable Data Protection Law. Ultatel shall have no obligation to monitor Customer’s instructions for legal compliance.
4. Confidentiality
Ultatel shall ensure that personnel authorized to process Customer Data are subject to confidentiality obligations no less protective than those set forth in Section 12 of the MSA. Such confidentiality obligations shall survive the termination of this DPA.
5. Security Measures
Ultatel shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature of the processing, and the rights and freedoms of Data Subjects. The minimum security measures are set forth in Annex 2 to this DPA. Ultatel may update its security measures from time to time, provided that such updates do not materially diminish the level of protection.
6. Personal Data Breach Notification
Ultatel shall notify Customer without undue delay, and in any event within seventy-two (72) hours of confirmation, of any Personal Data Breach affecting Customer Data. The notification shall include, to the extent known at the time of notification:
- a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Customer Data records concerned;
- the likely consequences of the Personal Data Breach;
- measures taken or proposed to be taken to address the Personal Data Breach and mitigate its possible adverse effects; and
- the name and contact details of Ultatel’s designated point of contact.
Ultatel shall supplement the initial notification as additional information becomes reasonably available. Ultatel’s notification shall not be construed as an acknowledgment of fault or liability. Customer is responsible for notifying Data Subjects, regulators, and other third parties as required by Applicable Data Protection Law.
7. Sub-processors
(a) Customer authorizes Ultatel to engage Sub-processors to process Customer Data, subject to the conditions set forth in this Section 7.
(b) Ultatel maintains a current list of Sub-processors at www.ultatel.com/subprocessors. Ultatel shall provide Customer with at least thirty (30) days’ prior notice of any new Sub-processor (or expansion of an existing Sub-processor’s scope) by updating such list.
(c) Customer may object to a new Sub-processor in writing within the thirty (30) day notice period if it has a reasonable, documented data protection basis to do so. Upon a reasonable objection, the parties shall work together in good faith to resolve the objection. If the parties cannot agree, Customer’s sole remedy is to terminate the affected Services without payment of an Early Termination Fee, with refund of any prepaid, unused fees.
(d) Ultatel shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set forth in this DPA, and shall remain responsible for the acts and omissions of its Sub-processors with respect to Customer Data.
8. Data Subject Requests
Ultatel shall, taking into account the nature of the processing, provide commercially reasonable assistance to Customer through appropriate technical and organizational measures, insofar as this is possible, to enable Customer to fulfill its obligations to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, data portability, and objection).
If Ultatel receives a request directly from a Data Subject, Ultatel shall, where legally permitted, refer the Data Subject to Customer and notify Customer without undue delay. Ultatel shall not respond to such requests directly unless authorized in writing by Customer or required by law.
9. Audits and Records
(a) Ultatel shall make available to Customer all information necessary to demonstrate compliance with this DPA. Ultatel shall satisfy this obligation by making available to Customer, on Customer’s reasonable written request and subject to confidentiality obligations: (i) Ultatel’s most recent third-party security attestation or report (where Ultatel maintains one); and (ii) responses to a reasonable security questionnaire.
(b) If the foregoing is insufficient to satisfy Customer’s audit obligations under Applicable Data Protection Law, Customer may, no more than once per year and subject to reasonable advance notice (no less than thirty (30) days), conduct an audit of Ultatel’s data protection practices through an independent auditor mutually acceptable to the parties. The audit shall be conducted during normal business hours, in a manner that does not unreasonably interfere with Ultatel’s operations, and the auditor shall execute a confidentiality agreement reasonably acceptable to Ultatel. Customer shall bear the cost of any audit unless the audit reveals a material breach of this DPA, in which case Ultatel shall reimburse Customer’s reasonable audit costs.
(c) Audits shall not include access to (i) other customers’ data, (ii) Ultatel’s confidential business information unrelated to compliance with this DPA, or (iii) data centers operated by Sub-processors that prohibit on-site customer audits (in which case Ultatel shall provide alternative compliance evidence).
10. Data Residency and International Transfers
Ultatel processes and stores Customer Data within the United States. Ultatel shall not transfer Customer Data outside of the United States without Customer’s prior written consent. If Customer consents to international transfers, the parties shall negotiate in good faith appropriate safeguards (including standard contractual clauses where applicable) to address the transfer.
11. CCPA-Specific Terms
(a) Ultatel acts as a “service provider” under the CCPA with respect to Customer Data of California residents.
(b) Ultatel shall not (i) sell or share Customer Data, (ii) retain, use, or disclose Customer Data for any purpose other than the specific business purpose of providing the Services, including for any commercial purpose other than as permitted by the CCPA, (iii) retain, use, or disclose Customer Data outside of the direct business relationship with Customer, or (iv) combine Customer Data with personal information received from any other source, except as permitted by the CCPA.
(c) Ultatel certifies that it understands and will comply with the restrictions in this Section 11.
12. Return or Deletion of Customer Data
Upon termination or expiration of the MSA, and at Customer’s written request, Ultatel shall, within sixty (60) days, delete or return all Customer Data in its possession, except to the extent retention is required by applicable law or by routine backup retention schedules. Customer Data retained on backup media shall be destroyed in accordance with Ultatel’s standard backup retention schedule and shall remain subject to the protections of this DPA until destroyed.
Customer is responsible for exporting Customer Data prior to termination of the MSA. Ultatel may make export tools available; failing that, Ultatel will reasonably cooperate with Customer’s export requests for a period of thirty (30) days following termination, subject to Customer’s payment of any outstanding amounts.
13. Limitation of Liability
Each party’s liability under this DPA, taken together with all liability under the MSA, BAA (if applicable), and any related agreements, is subject to the limitations of liability set forth in Section 7 of the MSA, including the General Cap, Super-Cap (which applies to data security incidents), and the exclusion of indirect, incidental, special, consequential, and punitive damages.
14. Term and Termination
This DPA shall continue in effect until the earlier of (a) the termination or expiration of the MSA, or (b) the parties’ mutual written agreement to terminate. Provisions that by their nature should survive termination (including Sections 4, 6, 12, 13, and applicable Annexes) shall survive.
15. Miscellaneous
(a) This DPA, together with the MSA, constitutes the entire agreement between the parties with respect to the processing of Customer Data.
(b) In the event of a conflict between this DPA and the MSA, this DPA shall govern with respect to the processing of Customer Data.
(c) This DPA may be amended only in writing signed by both parties; provided that Ultatel may update Annex 2 (security measures) and the Sub-processor list from time to time as described herein.
(d) Notices under this DPA shall be delivered in accordance with Section 21 of the MSA. Privacy-related notices to Ultatel may also be sent to privacy@ultatel.com.
Annex 1 — Description of Processing
Field | Description |
Subject matter | Provision of UCaaS / CCaaS / cloud communications services as described in the MSA. |
Duration | For the term of the MSA, plus any retention period required by law or routine backup cycles. |
Nature of processing | Receipt, storage, transmission, routing, recording (where enabled), analytics, and deletion of voice, video, messaging, and related data through the Services. |
Purpose | To provide the Services to Customer in accordance with the MSA and Customer’s instructions. |
Data residency | United States. Ultatel processes and stores Customer Data within the U.S. and does not transfer Customer Data outside of the U.S. without Customer’s prior written consent. |
Categories of data subjects | Customer’s employees, contractors, end users, customers, prospects, and other individuals whose data is processed through the Services. |
Categories of personal data | Identification (name, email, phone), call detail records, voice and video recordings (where Customer enables recording), text messages, fax content, IP addresses, device identifiers, and any other personal data Customer transmits through the Services. |
Special categories | Customer determines whether to transmit special categories of personal data through the Services. Where Customer transmits Protected Health Information, the parties shall execute the BAA. |
Annex 2 — Technical and Organizational Security Measures
Ultatel implements and maintains the following minimum technical and organizational measures, which may be updated from time to time as set forth in Section 5 of this DPA:
Control area | Description |
Access control | Role-based access control, least-privilege principles, multi-factor authentication for administrative access, periodic access reviews. |
Encryption | Encryption in transit (TLS 1.2 or higher) for data exchanged with the Services. Encryption at rest (AES-256 or equivalent) for stored Customer Data, including call recordings and voicemail. |
Network security | Firewalls, intrusion detection and prevention systems, distributed denial of service (DDoS) protection, network segmentation. |
Logging and monitoring | Centralized logging of access to Customer Data, security event monitoring, anomaly detection, log retention consistent with applicable law and security standards. |
Incident response | Documented incident response plan with defined roles, escalation paths, and a target notification window of 72 hours from confirmation of a Security Incident affecting Customer Data. |
Personnel security | Background checks (where permitted by law), confidentiality obligations, mandatory annual security and privacy training. |
Vendor / sub-processor management | Risk-based vetting of sub-processors, contractual data protection obligations, ongoing oversight. |
Business continuity | Documented business continuity and disaster recovery plans, with periodic testing. |
Vulnerability management | Regular vulnerability scanning, patch management, periodic penetration testing by qualified third parties. |
Data residency | Customer Data is processed and stored within the United States. International transfers occur only with Customer’s prior written consent and appropriate safeguards. |
IN WITNESS WHEREOF, the parties have executed this DPA as of the Effective Date.
CONTROLLER (Customer) | PROCESSOR (Ultatel) |
Signature: ____________________________
Name: _______________________________
Title: _________________________________
Date: _________________________________ | Signature: ____________________________
Name: _______________________________
Title: _________________________________
Date: _________________________________ |
