Data Processing Addendum

For the purposes of this Addendum: "Customer" means the business, organisation or person using SaySo for business purposes. "SaySo" means the provider of the SaySo service. "Customer Personal Information" means personal information that the Customer uploads, records, submits, sends or otherwise processes through SaySo about its customers, leads, staff, suppliers or other individuals. "Personal information" has the meaning given under applicable Australian privacy law. "Sensitive information" means sensitive information under applicable Australian privacy law, including information about health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation, criminal record or other sensitive matters.

The Customer is responsible for deciding what Customer Personal Information is collected, uploaded, recorded, sent or processed through SaySo, and why. SaySo processes Customer Personal Information to provide the service to the Customer. For account, billing, subscription, support, security, product usage and business administration information relating to the Customer, SaySo may act as an independent handler of that information, as described in the SaySo Privacy Policy.

The Customer is responsible for ensuring that: • it has the right to collect, use, disclose and process Customer Personal Information through SaySo; • it has provided any required privacy notices to individuals; • it has obtained any required consents or permissions; • recordings, uploads, proposal content and customer communications comply with applicable law; • Customer Personal Information uploaded to SaySo is accurate, relevant and limited to what is reasonably needed; • sensitive information is not uploaded unless it is necessary, lawful and appropriately authorised; • proposal content is reviewed before being sent to any recipient.

SaySo may process Customer Personal Information that is entered, uploaded, recorded, generated or sent through the service. This may include: • customer or recipient names; • contact details, if entered; • proposal content, including services, prices, terms, notes and commercial details; • voice recordings; • transcripts; • information extracted from recordings or free text; • uploaded files, images, logos or brand assets; • approval or signature data; • proposal viewing data, including opening time, approximate viewing activity, IP address, device type and browser type; • technical logs needed for security, troubleshooting and service operation.

SaySo processes Customer Personal Information for the following purposes: • providing the SaySo service; • creating, editing and managing proposals; • transcribing recordings; • extracting relevant proposal details; • generating draft proposal content; • displaying proposal pages; • sending proposal links; • collecting electronic approval or signature; • showing basic proposal viewing activity to the Customer; • providing support; • maintaining security; • preventing misuse, fraud or unauthorised access; • troubleshooting and improving service performance; • complying with applicable law; • protecting legal rights. SaySo will not use Customer Personal Information for independent marketing to the Customer's proposal recipients.

SaySo will process Customer Personal Information in accordance with: • this Addendum; • the Terms of Service; • the Privacy Policy; • the Customer's use of the service; • applicable law. SaySo may also process Customer Personal Information where reasonably necessary for security, fraud prevention, service integrity, technical maintenance, backup, legal compliance or dispute resolution. If SaySo reasonably believes that an instruction from the Customer is unlawful, unsafe or creates a material risk, SaySo may decline to follow the instruction, suspend the relevant processing, or request clarification.

SaySo will restrict access to Customer Personal Information to personnel, contractors and service providers who need access for legitimate service, support, security or operational purposes. SaySo will take reasonable steps to ensure that persons with access to Customer Personal Information are subject to appropriate confidentiality obligations.

In the course of providing the service, authorised SaySo personnel may access proposals of the business user, provided that such access is required for one of three defined purposes only: support, security, or quality assurance. Before each access, the authorised staff member must select the reason and may add free-form notes. The selection, notes, staff member identifier, proposal identifier and time of access are automatically recorded in an immutable audit log. The business user can review recent access events in the Settings → Account area, including the access reason and any notes provided. Access is subject to confidentiality obligations, the principle of operational necessity and internal procedures. SaySo does not allow its authorised personnel to process such information for any purpose other than the declared one, or to transfer it to third parties beyond the approved sub-processor list. In the event of misuse of access, SaySo will act in accordance with its HR procedures, notify the business user where required by law, and take appropriate steps.

SaySo will take reasonable steps to protect Customer Personal Information from misuse, interference, loss, unauthorised access, modification and disclosure. Security measures may include, as appropriate: • access controls; • authentication controls; • separation between customer accounts; • encryption in transit; • use of reputable cloud infrastructure; • backups; • logging and monitoring; • restriction of administrative access; • security reviews; • incident response procedures. No system can be guaranteed to be completely secure. SaySo does not warrant that Customer Personal Information will be immune from all unauthorised access, cyber incidents or technical failures.

SaySo may use subcontractors and service providers to operate the service. These may include providers of: • cloud hosting; • database infrastructure; • AI processing and transcription; • email delivery; • live chat support (Crisp Chat by Crisp IM SAS — EU servers, GDPR-compliant DPA at https://crisp.chat/en/privacy/, active only when functional cookies are accepted); • analytics and monitoring; • security tools; • customer support tools; • storage and content delivery. SaySo will take reasonable steps to ensure that subcontractors and service providers handle Customer Personal Information only as needed to provide services to SaySo, and subject to appropriate confidentiality, security and data handling obligations. SaySo may update its service providers from time to time. Where a new service provider materially changes the processing of Customer Personal Information, SaySo will take reasonable steps to notify Customers through the service, website, email or another appropriate method.

SaySo is operated using cloud based and global technology providers. Customer Personal Information may be stored, accessed or processed outside Australia, including in countries where SaySo or its service providers operate. Where SaySo discloses Customer Personal Information to an overseas recipient, SaySo will take reasonable steps designed to ensure that the overseas recipient handles the information in a manner consistent with applicable privacy obligations. The Customer acknowledges that use of SaySo may involve overseas processing.

SaySo may use AI and automated processing tools to transcribe recordings, extract relevant information, structure proposal content and generate draft wording. AI output may be inaccurate, incomplete or unsuitable. The Customer is responsible for reviewing all AI generated content before sending a proposal to any recipient. SaySo does not use Customer Personal Information to make final legal, financial, contractual or professional decisions on behalf of the Customer or proposal recipients.

When a proposal is sent through SaySo, SaySo may collect basic viewing data, such as when the proposal was opened, approximate viewing activity, device type, browser type, IP address and related technical data. This information may be shown to the Customer for the purpose of managing the proposal and customer communication. The Customer is responsible for ensuring that its use of viewing data is lawful, fair and not misleading.

SaySo will provide reasonable assistance to the Customer to respond to requests from individuals relating to Customer Personal Information. Such requests may include access, correction, deletion or privacy enquiries. If an individual contacts SaySo directly about Customer Personal Information controlled by the Customer, SaySo may refer the individual to the Customer or handle the request in consultation with the Customer. SaySo may refuse or limit deletion where retention is reasonably required for legal, tax, accounting, contractual, evidentiary, security, fraud prevention or dispute resolution purposes.

If SaySo becomes aware of a data breach involving Customer Personal Information, SaySo will assess the incident and take reasonable steps to contain, investigate and respond to it. Where the breach may materially affect Customer Personal Information, SaySo will notify the Customer without unreasonable delay after becoming aware of the incident. The notice may include, where available: • a general description of the incident; • the categories of information affected; • the approximate scope of the incident; • steps taken or proposed to contain the incident; • recommended steps for the Customer, if any; • contact details for follow up. SaySo may provide information in stages as the investigation develops. The Customer is responsible for assessing whether it has any obligation to notify affected individuals, regulators or other parties.

SaySo will retain Customer Personal Information for as long as reasonably necessary to provide the service, maintain security, comply with law, resolve disputes, enforce agreements, meet tax or accounting obligations, or protect legal rights. After account closure or termination of the service, SaySo will delete, return, restrict or retain Customer Personal Information in accordance with its Privacy Policy, Terms of Service, technical capabilities and applicable law. Certain information may be retained for longer periods, including: • approved or signed proposals; • billing and tax records; • security logs; • dispute records; • information contained in backups until ordinary backup cycles expire; • information needed for legal compliance or legal defence.

Where technically available, the Customer may export or request a copy of Customer Personal Information in a reasonable format. SaySo may refuse or limit export where doing so would affect another person's privacy, compromise security, breach law, or require unreasonable technical effort.

SaySo may use aggregated, anonymised or de identified data for service monitoring, analytics, product improvement, security, benchmarking and performance measurement. SaySo will not attempt to re identify de identified data except where required to test security, comply with law, investigate misuse, or maintain the service.

Upon reasonable request, SaySo may provide information about its privacy, security and data handling practices. This may include security questionnaires, policy summaries, vendor information, technical descriptions, or third party reports where available. Any audit or review must be reasonable, pre arranged, limited in scope, subject to confidentiality, and must not compromise security, privacy of other customers, trade secrets or service availability. SaySo may charge reasonable costs for extensive, repeated or unusual audit requests.

SaySo is not responsible for the Customer's unlawful, misleading or unauthorised use of Customer Personal Information. The Customer must not use SaySo to: • send unlawful or misleading proposals; • upload information without authority; • collect signatures deceptively; • monitor recipients unlawfully; • process sensitive information without proper basis; • breach privacy, consumer, spam, employment or industry specific laws.

Each party is responsible for its own acts and omissions in relation to personal information. The Customer is responsible for the lawfulness of its collection, use, disclosure and processing of Customer Personal Information. SaySo is responsible for processing Customer Personal Information in accordance with this Addendum, the Terms of Service, the Privacy Policy and applicable law. SaySo's liability is subject to the limitations of liability in the Terms of Service, to the maximum extent permitted by law. Nothing in this Addendum excludes, restricts or modifies any right or remedy that cannot be excluded, restricted or modified under applicable law.

This Addendum applies for as long as the Customer uses SaySo to process Customer Personal Information. Sections relating to confidentiality, security, retention, deletion, liability, audit, legal compliance and dispute resolution survive termination where their nature requires it.

If there is a conflict between this Addendum and the Terms of Service in relation to the processing of Customer Personal Information, this Addendum will apply to the extent of the conflict. If there is a conflict between this Addendum and mandatory applicable law, the mandatory law will apply.

This Addendum is governed by the governing law stated in the Terms of Service, unless mandatory law requires otherwise. If the Customer is located in Australia, nothing in this Addendum limits any mandatory rights or obligations that apply under Australian law.

For privacy or data processing questions, contact: Privacy Contact Email: niv@alma-ads.co.il