**Dial — Data Processing Addendum**

**Effective date: June 21, 2026**

This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the Dial Terms & Conditions (the "Terms") between the customer ("Customer," "Controller") and the applicable Dial contracting entity — Genway Inc for customers in the United States, or Genway Israel Ltd for customers elsewhere ("Dial," "Processor"). It applies where Dial processes Personal Data on Customer's behalf in providing the Service.

For self-serve customers, this DPA is accepted together with the Terms and **requires no signature**. Enterprise customers may enter into a separately negotiated data-processing agreement. In the event of a conflict on data-protection matters, this DPA prevails over the Terms; for transfers of EU/EEA personal data, the Standard Contractual Clauses prevail over this DPA.

# 1\. Definitions

"Applicable Data Protection Laws" means data-protection and privacy laws applicable to the processing of Customer Personal Data under this DPA, including the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the Israeli Privacy Protection Law and its regulations, and U.S. state privacy laws including the California Consumer Privacy Act as amended (CCPA/CPRA). "Controller," "Processor," "Personal Data," "Processing," "Data Subject," and "Personal Data Breach" have the meanings given in Applicable Data Protection Laws. "Customer Personal Data" means Personal Data that Dial processes on Customer's behalf in providing the Service. "Sub-processor" means a third party engaged by Dial to process Customer Personal Data. "SCCs" means the European Commission's Standard Contractual Clauses (Decision 2021/914). "UK Addendum" means the UK Information Commissioner's International Data Transfer Addendum to the SCCs.

# 2\. Roles of the parties

Customer is the Controller (or, where Customer acts on behalf of another controller, a processor) of Customer Personal Data, and Dial is the Processor (or sub-processor). Each party will comply with its respective obligations under Applicable Data Protection Laws. This DPA does not apply to Personal Data for which Dial is an independent controller, which is addressed in the Privacy Policy.

# 3\. Scope and instructions

Dial will process Customer Personal Data only to provide and support the Service and on Customer's documented instructions. Customer's instructions are set out in the Terms, this DPA, and Customer's configuration and use of the Service (including instructions given through the dashboard and API). Dial will inform Customer if, in its reasonable opinion, an instruction infringes Applicable Data Protection Laws, but is not obligated to provide legal advice.

Customer warrants that its instructions and Customer Personal Data comply with Applicable Data Protection Laws, and that it has provided all notices and obtained all rights, lawful bases, and consents necessary for Dial to process Customer Personal Data — including, where applicable, consents for the recording, monitoring, transcription, and automated or AI-driven calling and messaging that the Service performs at Customer's direction.

# 4\. Details of processing

The subject matter, duration, nature and purpose of processing, types of Personal Data, and categories of Data Subjects are described in Annex I.

# 5\. Confidentiality

Dial will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.

# 6\. Security

Dial will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, as described in Annex II, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risks involved. Customer is responsible for its own use and configuration of the Service, including safeguarding its credentials and determining whether the Service is appropriate for the categories of data Customer chooses to process.

# 7\. Sub-processors

Customer grants Dial general authorization to engage Sub-processors to process Customer Personal Data. The categories of Sub-processors are described in Annex III, and a current list of the specific Sub-processors is available to Customer on request and before or upon onboarding. Dial will notify Customer of intended changes to its Sub-processors (by email and/or by updating the list it makes available) and give Customer a reasonable opportunity to object on reasonable data-protection grounds. If Customer objects and the parties cannot resolve the objection, Customer's sole and exclusive remedy is to stop using the affected part of the Service. Dial will impose data-protection obligations on its Sub-processors substantially similar to those in this DPA and remains responsible for their performance of those obligations.

# 8\. Assistance to Customer

Taking into account the nature of the processing and the information available to Dial, Dial will provide reasonable assistance to Customer — to the extent such assistance exceeds the Service's standard self-serve functionality, at Customer's expense — to enable Customer to: (a) respond to requests from Data Subjects exercising their rights; (b) ensure the security of processing; (c) carry out data-protection impact assessments and prior consultations; and (d) meet its obligations in respect of Personal Data Breaches. If Dial receives a request from a Data Subject relating to Customer Personal Data, it will, where lawful, direct the Data Subject to Customer and/or forward the request.

# 9\. Personal Data Breach

Dial will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to Dial to assist Customer in meeting its obligations. Dial's notification is not, and will not be construed as, an acknowledgment of fault or liability.

# 10\. International transfers

To the extent Dial processes Customer Personal Data subject to EU, UK, or Israeli law in a country that has not received an adequacy decision, the parties agree that the SCCs (and, for UK data, the UK Addendum) are incorporated into this DPA by reference, with Customer as data exporter and Dial as data importer. Module Two (controller-to-processor) applies, or Module Three (processor-to-processor) where Customer is itself a processor. The Annexes to this DPA populate the corresponding annexes of the SCCs. For Israeli data, the parties will apply appropriate safeguards consistent with Israeli law.

# 11\. Deletion or return

Upon termination or expiry of the Service, or upon Customer's earlier written request, Dial will, within a reasonable period and to the extent technically feasible, delete or return Customer Personal Data and delete existing copies, except to the extent retention is required by law or is necessary for Dial's legitimate and legally permissible purposes (for example, backups cycled out in the ordinary course, fraud and abuse prevention, and the establishment, exercise, or defense of legal claims). Data retained on this basis remains subject to the protections of this DPA.

# 12\. Audits

Dial will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, primarily through documentation such as security overviews and, where available, third-party reports. Where an on-site audit is strictly required by Applicable Data Protection Laws, it will be limited to once per twelve months, conducted on reasonable prior written notice and during business hours, subject to confidentiality, in a manner that does not disrupt Dial's operations or compromise the security or data of other customers, and at Customer's expense.

# 13\. California (CCPA/CPRA)

To the extent Dial processes personal information subject to the CCPA/CPRA on Customer's behalf, Dial acts as a "service provider." Dial will not sell or share such personal information; will not retain, use, or disclose it except as necessary to perform the Service or as otherwise permitted by the CCPA; will not combine it with other personal information except as permitted; and certifies that it understands and will comply with these restrictions.

# 14\. Liability

Each party's liability arising out of or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Terms.

# 15\. General

This DPA is governed by the law and dispute-resolution provisions of the Terms (the laws of the State of Israel; exclusive jurisdiction of the competent courts of Tel Aviv-Jaffa), except to the extent Applicable Data Protection Laws or the SCCs require otherwise. If any provision of this DPA is held invalid or unenforceable, the remainder continues in effect. Dial may update this DPA to reflect changes in Applicable Data Protection Laws, its Sub-processors, or the Service, on notice to Customer; such updates will not materially reduce the protections of Customer Personal Data.

# Annex I — Details of Processing

- **Data exporter / Controller:** Customer (the account holder).
- **Data importer / Processor:** Genway Inc (US customers) or Genway Israel Ltd (other customers), operating as Dial.
- **Subject matter:** provision of the Dial programmable voice, SMS, and WhatsApp communications Service.
- **Duration:** the term of the Terms, plus any retention period described in this DPA.
- **Nature and purpose:** hosting, transmitting, routing, recording, transcribing, storing, and otherwise processing communications and related data to provide and support the Service.
- **Categories of Personal Data:** identifiers and contact details (names, phone numbers, email addresses); communications content (call audio/recordings, SMS and WhatsApp message content); transcripts; and metadata (call detail records, message metadata, timestamps, IP addresses, and logs). Customer determines and is responsible for the data it transmits and must not submit special-category data except where lawful and appropriate.
- **Categories of Data Subjects:** Customer's end users, customers, contacts, and other individuals whom Customer or its AI agents call or message, and Customer's authorized users.
- **Frequency of transfer:** continuous, for the duration of the Service.

# Annex II — Technical and Organizational Measures

- Encryption of Customer Personal Data in transit (TLS) and at rest.
- Access controls, authentication, and least-privilege access for personnel.
- Network and infrastructure security provided through the hosting environment (United States).
- Logging and monitoring of access and activity.
- Confidentiality obligations binding personnel authorized to access Customer Personal Data.
- Secure software-development and change-management practices.
- Backup and restoration capabilities to support availability and resilience.
- Processes to identify, escalate, and respond to security incidents.

These measures may evolve over time and will not be materially reduced during the term.

# Annex III — Sub-processors

Dial engages Sub-processors in the following categories to provide the Service: (a) cloud hosting and infrastructure; (b) telecommunications connectivity (voice and messaging); (c) speech-to-text and voice processing; (d) logging and monitoring; and (e) product analytics. All current Sub-processors are located in the United States.

A current and complete list of Dial's Sub-processors — including each Sub-processor's identity, processing activities, and location — is available to Customer on request at privacy@getdial.ai and will be provided before or upon onboarding. Customer may subscribe to receive notice of changes.

In addition, Stripe processes Customer billing and account data as part of Dial's payment processing and acts as an independent controller for that data.