Data Processing Agreement

Last updated March 29, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between the organization subscribing to the Services (“Customer,” “Controller”) and Talkpal, Inc., 2810 N Church St, PMB 54222, Wilmington, DE 19802-4447, United States (“Talkpal,” “Processor”) for the provision of the Services as described in the Terms and Conditions available at https://talkpal.ai/terms-and-conditions (the “Agreement”).

By accepting the Terms and Conditions of the B2B Platform at https://business.talkpal.ai, the Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, on behalf of its Authorized Users.

This DPA applies where and only to the extent that Talkpal processes Personal Data on behalf of the Customer in the course of providing the Services under the Agreement. This DPA does not apply to Personal Data for which Talkpal is a controller in its own right (such as Account-Level Information and billing data).

1. Definitions

“Authorized User” means any individual granted access to the Services through the Customer’s organizational account, as defined in the Agreement.

“Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data, including (where applicable) the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the CPRA, and any other applicable data protection or privacy legislation.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Talkpal on behalf of the Customer in connection with the Services.

“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Talkpal on behalf of the Customer.

“Sub-processor” means any third party engaged by Talkpal to process Personal Data on behalf of the Customer.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914), as may be amended or replaced from time to time.

Other capitalized terms not defined in this DPA have the meanings given to them in the Agreement.

2. Scope and Roles

2.1 Roles. With respect to the processing of Personal Data of Authorized Users within Organizational Sub-Accounts, the Customer is the Controller and Talkpal is the Processor. The Customer determines the purposes and means of processing; Talkpal processes Personal Data only on behalf of and in accordance with the Customer’s documented instructions.

2.2 Customer as Controller. The Customer is responsible for ensuring that it has a lawful basis under applicable Data Protection Laws for the processing of Personal Data, including obtaining any necessary consents from Authorized Users where required.

3. Details of Processing

3.1 Subject matter and duration. Talkpal processes Personal Data for the purpose of providing the language learning Services to the Customer’s Authorized Users. Processing continues for the duration of the Agreement plus the post-termination deletion periods described in Section 9 of this DPA.

3.2 Nature and purpose of processing. The provision of AI-powered language learning services, including user account management, lesson delivery, speech recognition and language assessment, learning progress tracking, and usage analytics as described in the Agreement and Privacy Policy.

3.3 Categories of data subjects. Authorized Users invited by the Customer to use the Services through an Organizational Sub-Account.

3.4 Types of Personal Data processed. The Personal Data processed includes:

• Name and email address
• Language selections and learning preferences
• Learning progress, lesson completion records, and proficiency assessments
• Conversation history (text and audio interactions with AI features)
• Usage statistics (session data, time spent, activity logs)
• Device and browser information, IP address, and approximate location
• Any other data provided by Authorized Users through their use of the Services within the Organizational Sub-Account

3.5 Special categories of data. Talkpal does not intentionally process special categories of Personal Data (as defined under Article 9 GDPR) on behalf of the Customer. The Customer shall instruct its Authorized Users not to submit special category data through the Services.

4. Customer Instructions

4.1 Talkpal shall process Personal Data only on the Customer’s documented instructions, unless required to do so by applicable law, in which case Talkpal shall (to the extent permitted by law) inform the Customer of that legal requirement before processing.

4.2 The Customer’s instructions for processing are set out in this DPA, the Agreement, and any applicable Order Form. The Customer may issue additional reasonable written instructions consistent with the Agreement, provided that if such instructions fall outside the scope of the Services or require changes to the Services, the parties shall negotiate in good faith any additional fees or terms.

4.3 Talkpal shall promptly inform the Customer if, in Talkpal’s opinion, an instruction infringes applicable Data Protection Laws.

5. Confidentiality

5.1 Talkpal shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.2 Talkpal shall not disclose Personal Data to any third party except as permitted by this DPA, the Agreement, or as required by applicable law.

6. Security

6.1 Talkpal shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures shall include, as appropriate:

• Encryption of Personal Data in transit and at rest
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• Measures to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident
• Regular testing, assessment, and evaluation of the effectiveness of security measures
• Access controls and authentication mechanisms
• Regular security audits and vulnerability assessments

6.2 Talkpal shall take reasonable steps to ensure that security measures are appropriate to the risks presented by the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

7. Sub-processors

7.1 The Customer provides general authorization for Talkpal to engage Sub-processors to assist in providing the Services. Sub-processors may include cloud infrastructure providers, AI processing vendors, speech recognition services, analytics providers, payment processors, and other service providers necessary for the delivery, maintenance, and improvement of the Services. The categories of Sub-processors and the nature of their processing are described in the Privacy Policy available at https://talkpal.ai/privacy-policy.

7.2 Talkpal shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA. Talkpal remains liable to the Customer for the acts and omissions of its Sub-processors.

7.3 Talkpal may update its Sub-processors from time to time as necessary to provide the Services. The Customer acknowledges that the use of Sub-processors may change as Talkpal evolves its Services, and that the Privacy Policy will reflect the current categories of third-party service providers engaged by Talkpal. If a Customer has a specific concern regarding a particular Sub-processor, the Customer may raise such concern by contacting Talkpal at [email protected], and the parties shall discuss the matter in good faith.

8. Data Subject Rights

8.1 Taking into account the nature of the processing, Talkpal shall assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer’s obligations to respond to requests from data subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”).

8.2 If Talkpal receives a Data Subject Request directly from an Authorized User relating to the Customer’s Organizational Sub-Account, Talkpal shall promptly notify the Customer and shall not respond to the request without the Customer’s prior instructions, unless required by applicable law.

8.3 The Customer may use the administrative tools provided through the B2B Platform to access, export, or delete Authorized User data within its Organizational Sub-Account(s) as needed to respond to Data Subject Requests.

9. Data Retention and Deletion

9.1 Upon termination or expiration of the Agreement, or upon deactivation of an Organizational Sub-Account (for any reason), Talkpal shall delete the Personal Data associated with the relevant Organizational Sub-Account(s) from its active systems within thirty (30) days, unless retention is required by applicable law.

9.2 Data contained in automated backups may persist for up to ninety (90) days before being overwritten in the normal course of Talkpal’s backup rotation.

9.3 Upon the Customer’s written request prior to deletion, Talkpal shall make available to the Customer a copy of the Personal Data in a commonly used, machine-readable format, to the extent technically feasible.

9.4 Talkpal shall certify the deletion of Personal Data in writing upon the Customer’s request.

10. Security Incident Notification

10.1 Talkpal shall notify the Customer of a Security Incident without undue delay and in any event within forty-eight (48) hours after becoming aware of the Security Incident, to enable the Customer to meet its own notification obligations under applicable Data Protection Laws.

10.2 The notification shall include, to the extent available:

• A description of the nature of the Security Incident, including the categories and approximate number of data subjects and Personal Data records affected
• The name and contact details of Talkpal’s point of contact for further information
• A description of the likely consequences of the Security Incident
• A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects

10.3 Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.

10.4 Talkpal shall take reasonable steps to contain, investigate, and mitigate the Security Incident and shall cooperate with the Customer in the Customer’s compliance with its own notification obligations under applicable Data Protection Laws.

11. Data Protection Impact Assessments

Where required under applicable Data Protection Laws, Talkpal shall provide the Customer with reasonable assistance in conducting data protection impact assessments and, where necessary, prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to Talkpal.

12. Audits

12.1 Talkpal shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA.

12.2 The Customer (or its appointed independent third-party auditor, subject to reasonable confidentiality obligations) may conduct an audit of Talkpal’s processing activities relevant to this DPA, subject to the following conditions:

• The Customer shall provide at least 30 days’ written notice of an audit request
• Audits shall be conducted during normal business hours and shall not unreasonably disrupt Talkpal’s operations
• The Customer shall bear its own costs of the audit, unless the audit reveals a material breach of this DPA by Talkpal
• Audits shall be limited to once per twelve (12) month period, unless a Security Incident has occurred or a supervisory authority requires an additional audit

12.3 Where Talkpal holds a current SOC 2 Type II report, ISO 27001 certification, or equivalent third-party audit report, Talkpal may satisfy an audit request by providing the Customer with a copy of such report (subject to confidentiality obligations), unless the Customer can demonstrate that such report is insufficient to address a specific and documented concern.

13. International Data Transfers

13.1 The Customer acknowledges that Talkpal may transfer Personal Data to countries outside the European Economic Area (“EEA”), the United Kingdom, or Switzerland in order to provide the Services. A list of countries where Personal Data may be processed is described in the Privacy Policy.

13.2 Where Personal Data originating from the EEA, UK, or Switzerland is transferred to a country that has not received an adequacy decision, Talkpal shall ensure that appropriate safeguards are in place, including:

• The European Commission’s Standard Contractual Clauses (Module Two: Controller to Processor), as supplemented by any additional measures necessary to ensure an essentially equivalent level of protection
• For transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs
• For transfers from Switzerland, the applicable Swiss-approved transfer mechanism

13.3 Talkpal shall conduct and maintain a transfer impact assessment for transfers to countries without an adequacy decision, and shall implement supplementary measures where necessary to address any identified risks.

13.4 The Standard Contractual Clauses are incorporated into this DPA by reference. Where the SCCs apply:

• Module Two (Controller to Processor) applies
• Clause 7 (docking clause) is included
• Under Clause 9, Option 2 (general written authorization) applies, as set out in Section 7 of this DPA
• Under Clause 11, the optional language regarding independent dispute resolution is not included
• Under Clause 17, Option 1 applies, and the SCCs are governed by the law of Ireland
• Under Clause 18(b), disputes shall be resolved before the courts of Ireland
• Annex I and Annex II to the SCCs are populated as described in Schedule 1 and Schedule 2 of this DPA

14. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except that nothing in the Agreement or this DPA limits or excludes liability to the extent that such limitation or exclusion is not permitted under applicable Data Protection Laws.

15. General Provisions

15.1 Conflict. In the event of a conflict between this DPA and the Agreement with respect to data protection obligations, this DPA shall prevail.

15.2 Amendments. Talkpal may propose updates to this DPA to reflect changes in Data Protection Laws, regulatory guidance, or Talkpal’s processing practices. Talkpal shall notify the Customer of any proposed material changes at least thirty (30) days before the proposed effective date, together with a summary of the changes. Material changes shall not take effect unless the Customer provides written consent (which may include acceptance through the B2B Platform). If the Customer does not agree to the proposed changes, the Customer may terminate the affected Services by providing written notice before the proposed effective date, and Talkpal shall refund any prepaid fees covering the remainder of the subscription term. Non-material changes (such as corrections of typographical errors or updates to contact information) may take effect upon notice.

15.3 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

15.4 Governing law. Where the Customer is established in the European Economic Area, this DPA is governed by the laws of Ireland. Where the Customer is established in the United Kingdom, this DPA is governed by the laws of England and Wales. In all other cases, this DPA is governed by the laws of the State of Delaware. The Standard Contractual Clauses shall be governed as specified therein. Nothing in this DPA limits any mandatory statutory rights the Customer may have under the Data Protection Laws of its country of establishment.

15.5 Contact. For questions about this DPA, contact Talkpal at [email protected].

Schedule 1 — Details of Processing (Annex I to the SCCs)

A. List of Parties

Data Exporter (Controller): The Customer, as identified in the Agreement. Contact: the Customer’s designated Administrator.

Data Importer (Processor): Talkpal, Inc., 2810 N Church St, PMB 54222, Wilmington, DE 19802-4447, United States. Contact: [email protected]. EU/UK Privacy Representative: Prighter Group – https://app.prighter.com/portal/talkpal

B. Description of the Transfer

Categories of data subjects: Authorized Users of the Customer who access the Services through an Organizational Sub-Account.

Categories of Personal Data transferred: Name, email address, language selections, learning preferences, learning progress, lesson completion records, proficiency assessments, conversation history (text and audio), usage statistics, device and browser information, IP address, and approximate location.

Sensitive data transferred: None intended. The Customer shall instruct Authorized Users not to submit sensitive or special category data.

Frequency of the transfer: Continuous, for the duration of the Agreement.

Nature and purpose of the processing: Provision of AI-powered language learning services, including user account management, lesson delivery, speech recognition and language assessment, learning progress tracking, usage analytics, and service improvement.

Retention period: For the duration of the Agreement, plus 30 days after termination or deactivation for deletion from active systems (up to 90 days in automated backups).

C. Competent Supervisory Authority

The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs. Where the data exporter is established in the EEA, the supervisory authority of the EEA Member State in which the data exporter is established. Where the data exporter is not established in the EEA but falls within the territorial scope of the GDPR, the supervisory authority of the EEA Member State designated by the data exporter under Article 27(4) GDPR.

Schedule 2 — Technical and Organizational Measures (Annex II to the SCCs)

Talkpal implements and maintains the following categories of technical and organizational security measures:

Access Control

• Role-based access control for all systems processing Personal Data
• Principle of least privilege applied to employee and contractor access
• Regular access reviews and prompt revocation upon role changes or termination

Network Security

• Firewalls, intrusion detection, and intrusion prevention systems
• Network segmentation to isolate processing environments
• Regular vulnerability scanning and penetration testing

Data Storage and Backup

• Data stored on servers located in the Netherlands, Sweden, the United States, the United Kingdom, France, Germany, and other EU countries
• Regular automated backups
• Backup data encrypted and stored securely

Incident Management

• Documented incident response procedures
• 24/7 monitoring of critical systems
• Post-incident review and remediation processes

Business Continuity

• Redundant infrastructure and failover mechanisms
• Disaster recovery plans tested periodically

Physical Security

• Cloud infrastructure hosted by reputable providers (e.g., Microsoft Azure, Amazon Web Services, Google Cloud) with industry-standard physical security certifications (SOC 2, ISO 27001)

Data Minimization and Retention

• Collection limited to data necessary for the provision of the Services
• Automated deletion processes upon account termination or sub-account deactivation in accordance with the retention periods described in the Agreement and this DPA