Data Processing Agreement
Last updated June 15, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the organization subscribing to the Services (“Customer,” “Controller”) and Talkpal, Inc., 2810 N Church St, PMB 54222, Wilmington, DE 19802-4447, United States (“Talkpal,” “Processor”) for the provision of the Services as described in the Terms and Conditions available at https://talkpal.ai/terms-and-conditions (the “Agreement”).
By accepting the Terms and Conditions of the B2B Platform at https://business.talkpal.ai, the Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, on behalf of its Authorized Users.
This DPA applies where and only to the extent that Talkpal processes Personal Data on behalf of the Customer in the course of providing the Services under the Agreement. This DPA does not apply to Personal Data for which Talkpal is a controller in its own right (such as Account-Level Information and billing data).
1. Definitions
“Authorized User” means any individual granted access to the Services through the Customer’s organizational account, as defined in the Agreement.
“Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data, including (where applicable) the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the CPRA, and any other applicable data protection or privacy legislation.
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Talkpal on behalf of the Customer in connection with the Services. The terms “Personal Data” (as used in this DPA), “personal data” (as used in the Terms and Conditions), and “personal information” (as used in the Privacy Policy) refer to the same categories of information; the variation reflects the terminology used by the applicable Data Protection Laws referenced in each document.
“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Talkpal on behalf of the Customer.
“Sub-processor” means any third party engaged by Talkpal to process Personal Data on behalf of the Customer.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914), as may be amended or replaced from time to time.
Other capitalized terms not defined in this DPA have the meanings given to them in the Agreement.
2. Scope and Roles
2.1 Roles. With respect to the processing of Personal Data of Authorized Users within Organizational Sub-Accounts, the Customer is the Controller and Talkpal is the Processor. The Customer determines the purposes and means of processing; Talkpal processes Personal Data only on behalf of and in accordance with the Customer’s documented instructions.
2.2 Customer as Controller. The Customer is responsible for ensuring that it has a lawful basis under applicable Data Protection Laws for the processing of Personal Data, including obtaining any necessary consents from Authorized Users where required. The Customer warrants that all Authorized Users are at least 18 years old, and acknowledges that the Services are not designed or intended for the processing of children’s personal data.
2.3 Data for which Talkpal is an independent Controller. Notwithstanding the controller-to-processor relationship described in Section 2.1, certain categories of Personal Data are processed by Talkpal as an independent controller and fall outside the scope of this DPA. These include (a) Account-Level Information (such as the Authorized User’s email address, password, display name, and general account preferences, as defined in Section 4A of the Terms and Conditions), which is shared across the Authorized User’s Account and persists with the Authorized User after their Organizational Sub-Account is deactivated; (b) the Authorized User’s Personal Sub-Account and any associated Sub-Account Data; and (c) billing and payment data processed in connection with the Customer’s subscription. Talkpal’s processing of this data is governed by the Privacy Policy at https://talkpal.ai/privacy-policy and not by this DPA. The Customer acknowledges that this allocation is a function of the Account architecture described in Section 4A of the Terms and Conditions and that Talkpal cannot offer the Services without retaining controller status over Account-Level Information.
3. Details of Processing
3.1 Subject matter and duration. Talkpal processes Personal Data for the purpose of providing the language learning Services to the Customer’s Authorized Users. Processing continues for the duration of the Agreement plus the post-termination deletion periods described in Section 9 of this DPA.
3.2 Nature and purpose of processing. The provision of AI-powered language learning services, including user account management, lesson delivery, speech recognition and language assessment, learning progress tracking, and usage analytics as described in the Agreement and Privacy Policy.
3.3 Categories of data subjects. Authorized Users invited by the Customer to use the Services through an Organizational Sub-Account.
3.4 Types of Personal Data processed. The Personal Data processed includes:
- Name and email address
- Language selections and learning preferences
- Learning progress, lesson completion records, and proficiency assessments
- Conversation history (text and audio interactions with AI features)
- Usage statistics (session data, time spent, activity logs)
- Device and browser information, IP address, and approximate location
- Any other data provided by Authorized Users through their use of the Services within the Organizational Sub-Account
3.5 Special categories of data. Talkpal does not intentionally process special categories of Personal Data (as defined under Article 9 GDPR) on behalf of the Customer. The Customer shall instruct its Authorized Users not to submit special category data through the Services.
4. Customer Instructions
4.1 Talkpal shall process Personal Data only on the Customer’s documented instructions, unless required to do so by applicable law, in which case Talkpal shall (to the extent permitted by law) inform the Customer of that legal requirement before processing.
4.2 The Customer’s instructions for processing are set out in this DPA, the Agreement, and any applicable Order Form. The Customer may issue additional reasonable written instructions consistent with the Agreement, provided that if such instructions fall outside the scope of the Services or require changes to the Services, the parties shall negotiate in good faith any additional fees or terms.
4.3 Talkpal shall promptly inform the Customer if, in Talkpal’s opinion, an instruction infringes applicable Data Protection Laws.
5. Confidentiality
5.1 Talkpal shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2 Talkpal shall not disclose Personal Data to any third party except as permitted by this DPA, the Agreement, or as required by applicable law.
6. Security
6.1 Talkpal shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures shall include, as appropriate:
- Encryption of Personal Data in transit and at rest
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Measures to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident
- Regular testing, assessment, and evaluation of the effectiveness of security measures
- Access controls and authentication mechanisms
- Regular security audits and vulnerability assessments
6.2 Talkpal shall take reasonable steps to ensure that security measures are appropriate to the risks presented by the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
7. Sub-processors
7.1 The Customer provides general authorization for Talkpal to engage Sub-processors to assist in providing the Services. Sub-processors may include cloud infrastructure providers, AI processing vendors, speech recognition services, analytics providers, payment processors, and other service providers necessary for the delivery, maintenance, and improvement of the Services. The Sub-processors currently engaged by Talkpal and authorized by the Customer are listed in Schedule 3 (Approved Sub-processors) to this DPA, which forms Annex III to the Standard Contractual Clauses. Schedule 3 identifies each Sub-processor’s entity name and address, the processing it performs, the categories of Personal Data it processes, the location of processing, and the applicable transfer mechanism. An up-to-date copy of Schedule 3 is available to the Customer at any time upon request to support@talkpal.ai.
7.2 Talkpal shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA. Talkpal remains liable to the Customer for the acts and omissions of its Sub-processors.
7.3 Notice of changes. Talkpal maintains an up-to-date list of Sub-processors (Schedule 3). Talkpal shall provide notice of any intended addition or replacement of a Sub-processor by updating that page at least thirty (30) days before the new Sub-processor processes any Personal Data. Talkpal offers a mechanism by which the Customer may subscribe to receive notification of changes to the Sub-processor list; the Customer is responsible for subscribing in order to receive such notifications. Posting the updated list to the page constitutes notice for the purposes of this DPA and the Standard Contractual Clauses. The updated Schedule 3 shall take effect upon expiry of the notice period and shall thereupon replace the prior version without further formality, subject to Section 7.4.
7.4 Right to object. The Customer may object to an intended change on reasonable, documented data-protection grounds by written notice to support@talkpal.ai within thirty (30) days of the date the updated list is posted. The parties shall cooperate in good faith to resolve the objection, including, where commercially reasonable, offering an alternative configuration of the Services that avoids the new Sub-processor. If no resolution is reached within thirty (30) days of the objection, the Customer may terminate the affected Services upon written notice, and Talkpal shall refund any prepaid fees covering the remainder of the subscription term for the affected Services. If the Customer does not object within the notice period, the change is deemed authorized.
7.5 Emergency replacements. Where a Sub-processor must be replaced urgently to address a security incident or to maintain continuity of the Services, Talkpal may engage the replacement before the notice period expires, provided it notifies the Customer without undue delay and the objection right in Section 7.4 applies from the date of that notice.
8. Data Subject Rights
8.1 Taking into account the nature of the processing, Talkpal shall assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer’s obligations to respond to requests from data subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”).
8.2 If Talkpal receives a Data Subject Request directly from an Authorized User relating to the Customer’s Organizational Sub-Account, Talkpal shall promptly notify the Customer and shall not respond to the request without the Customer’s prior instructions, unless required by applicable law.
8.3 The Customer may use the administrative tools provided through the B2B Platform to access, export, or delete Authorized User data within its Organizational Sub-Account(s) as needed to respond to Data Subject Requests.
9. Data Retention and Deletion
9.1 Upon termination or expiration of the Agreement, or upon deactivation of an Organizational Sub-Account (for any reason), Talkpal shall delete the Personal Data associated with the relevant Organizational Sub-Account(s) from its active systems within thirty (30) days, unless retention is required by applicable law.
9.2 Data contained in automated backups may persist for up to ninety (90) days before being overwritten in the normal course of Talkpal’s backup rotation.
9.3 Upon the Customer’s written request prior to deletion, Talkpal shall make available to the Customer a copy of the Personal Data in a commonly used, machine-readable format, to the extent technically feasible.
9.4 Talkpal shall certify the deletion of Personal Data in writing upon the Customer’s request.
10. Security Incident Notification
10.1 Talkpal shall notify the Customer of a Security Incident without undue delay and in any event within forty-eight (48) hours after becoming aware of the Security Incident, to enable the Customer to meet its own notification obligations under applicable Data Protection Laws.
10.2 The notification shall include, to the extent available:
- A description of the nature of the Security Incident, including the categories and approximate number of data subjects and Personal Data records affected
- The name and contact details of Talkpal’s point of contact for further information
- A description of the likely consequences of the Security Incident
- A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects
10.3 Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.
10.4 Talkpal shall take reasonable steps to contain, investigate, and mitigate the Security Incident and shall cooperate with the Customer in the Customer’s compliance with its own notification obligations under applicable Data Protection Laws.
11. Data Protection Impact Assessments
Where required under applicable Data Protection Laws, Talkpal shall provide the Customer with reasonable assistance in conducting data protection impact assessments and, where necessary, prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to Talkpal.
12. Audits
12.1 Talkpal shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA.
12.2 The Customer (or its appointed independent third-party auditor, subject to reasonable confidentiality obligations) may conduct an audit of Talkpal’s processing activities relevant to this DPA, subject to the following conditions:
- The Customer shall provide at least 30 days’ written notice of an audit request
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Talkpal’s operations
- The Customer shall bear its own costs of the audit, unless the audit reveals a material breach of this DPA by Talkpal
- Audits shall be limited to once per twelve (12) month period, unless a Security Incident has occurred or a supervisory authority requires an additional audit
12.3 Where Talkpal holds a current SOC 2 Type II report, ISO 27001 certification, or equivalent third-party audit report, Talkpal may satisfy an audit request by providing the Customer with a copy of such report (subject to confidentiality obligations), unless the Customer can demonstrate that such report is insufficient to address a specific and documented concern.
13. International Data Transfers
13.1 The Customer acknowledges that Talkpal may transfer Personal Data to countries outside the European Economic Area (“EEA”), the United Kingdom, or Switzerland in order to provide the Services. A list of countries where Personal Data may be processed is described in the Privacy Policy.
13.2 Where Personal Data originating from the EEA, UK, or Switzerland is transferred to a country that has not received an adequacy decision, Talkpal shall ensure that appropriate safeguards are in place, including:
- The European Commission’s Standard Contractual Clauses (Module Two: Controller to Processor), as supplemented by any additional measures necessary to ensure an essentially equivalent level of protection
- For transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs
- For transfers from Switzerland, the applicable Swiss-approved transfer mechanism
13.3 Talkpal shall conduct and maintain a transfer impact assessment for transfers to countries without an adequacy decision, and shall implement supplementary measures where necessary to address any identified risks.
13.4 The Standard Contractual Clauses are incorporated into this DPA by reference. Where the SCCs apply:
- Module Two (Controller to Processor) applies
- Clause 7 (docking clause) is included
- Under Clause 9, Option 2 (general written authorization) applies, with a notice period of thirty (30) days and the objection mechanism set out in Sections 7.3–7.5 of this DPA
- Under Clause 11, the optional language regarding independent dispute resolution is not included
- Under Clause 17, Option 1 applies, and the SCCs are governed by the law of Ireland
- Under Clause 18(b), disputes shall be resolved before the courts of Ireland
- Annex I, Annex II, and Annex III to the SCCs are populated as described in Schedule 1, Schedule 2, and Schedule 3 of this DPA
14. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except that nothing in the Agreement or this DPA limits or excludes liability to the extent that such limitation or exclusion is not permitted under applicable Data Protection Laws.
15. General Provisions
15.1 Conflict. In the event of a conflict between this DPA and the Agreement with respect to data protection obligations, this DPA shall prevail.
15.2 Amendments. Talkpal may propose updates to this DPA to reflect changes in Data Protection Laws, regulatory guidance, or Talkpal’s processing practices. Talkpal shall notify the Customer of any proposed material changes at least thirty (30) days before the proposed effective date, together with a summary of the changes. Material changes shall not take effect unless the Customer provides written consent (which may include acceptance through the B2B Platform). If the Customer does not agree to the proposed changes, the Customer may terminate the affected Services by providing written notice before the proposed effective date, and Talkpal shall refund any prepaid fees covering the remainder of the subscription term. Non-material changes (such as corrections of typographical errors or updates to contact information) may take effect upon notice. For the avoidance of doubt, updates to Schedule 3 (Approved Sub-processors) are governed exclusively by Sections 7.3 to 7.5 and do not constitute amendments requiring consent under this Section 15.2.
15.3 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
15.4 Governing law. Where the Customer is established in the European Economic Area, this DPA is governed by the laws of Ireland. Where the Customer is established in the United Kingdom, this DPA is governed by the laws of England and Wales. In all other cases, this DPA is governed by the laws of the State of Delaware. The Standard Contractual Clauses shall be governed as specified therein. Nothing in this DPA limits any mandatory statutory rights the Customer may have under the Data Protection Laws of its country of establishment.
15.5 Contact. For questions about this DPA, contact Talkpal at support@talkpal.ai. You may also contact Talkpal’s Data Protection Officer: Dr. Kilian Schmidt, Kertos GmbH, Brienner Str. 41, 80333 Munich, Germany, dsb@kertos.io.
Schedule 1 — Details of Processing (Annex I to the SCCs)
A. List of Parties
Data Exporter (Controller): The Customer, as identified in the Agreement. Contact: the Customer’s designated Administrator.
Data Importer (Processor): Talkpal, Inc., 2810 N Church St, PMB 54222, Wilmington, DE 19802-4447, United States. Contact: support@talkpal.ai. Data Protection Officer: Dr. Kilian Schmidt, Kertos GmbH, Brienner Str. 41, 80333 Munich, Germany, dsb@kertos.io. EU/UK Privacy Representative: Prighter Group – https://app.prighter.com/portal/talkpal
B. Description of the Transfer
Categories of data subjects: Authorized Users of the Customer who access the Services through an Organizational Sub-Account.
Categories of Personal Data transferred: Name, email address, language selections, learning preferences, learning progress, lesson completion records, proficiency assessments, conversation history (text and audio), usage statistics, device and browser information, IP address, and approximate location.
Sensitive data transferred: None intended. The Services involve free-form user content; any special-category data incidentally contained in conversation content is processed only as part of that content, is protected by the measures in Annex II, and is not used to derive special-category insights. The Customer shall instruct Authorized Users not to submit sensitive or special category data.
Frequency of the transfer: Continuous, for the duration of the Agreement.
Nature and purpose of the processing: Provision of AI-powered language learning services, including user account management, lesson delivery, speech recognition and language assessment, learning progress tracking, usage analytics, and service improvement.
Retention period: For the duration of the Agreement, plus 30 days after termination or deactivation for deletion from active systems (up to 90 days in automated backups).
C. Competent Supervisory Authority
The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs. Where the data exporter is established in the EEA, the supervisory authority of the EEA Member State in which the data exporter is established. Where the data exporter is not established in the EEA but falls within the territorial scope of the GDPR, the supervisory authority of the EEA Member State designated by the data exporter under Article 27(4) GDPR.
Schedule 2 — Technical and Organizational Measures (Annex II to the SCCs)
Talkpal implements and maintains the following categories of technical and organizational security measures:
Access Control
- Role-based access control for all systems processing Personal Data
- Principle of least privilege applied to employee and contractor access
- Regular access reviews and prompt revocation upon role changes or termination
Network Security
- Firewalls, intrusion detection, and intrusion prevention systems
- Network segmentation to isolate processing environments
- Regular vulnerability scanning and penetration testing
Data Storage and Backup
- Personal Data is stored on servers located in the European Union (including Germany, Sweden, and Ireland) and the United States, operated by the Sub-processors listed in Schedule 3. Where Personal Data is transferred outside the EEA, the UK, or Switzerland to a country without an adequacy decision, transfers are protected by the safeguards described in Section 13 and the transfer mechanisms identified in Schedule 3.
- Regular automated backups
- Backup data encrypted and stored securely
Incident Management
- Documented incident response procedures
- 24/7 monitoring of critical systems
- Post-incident review and remediation processes
Business Continuity
- Redundant infrastructure and failover mechanisms
- Disaster recovery plans tested periodically
Physical Security
- Cloud infrastructure hosted by reputable providers (e.g., Microsoft Azure, Amazon Web Services, Google Cloud) with industry-standard physical security certifications (SOC 2, ISO 27001)
Data Minimization and Retention
- Collection limited to data necessary for the provision of the Services
- Automated deletion processes upon account termination or sub-account deactivation in accordance with the retention periods described in the Agreement and this DPA
Schedule 3 — Approved Sub-processors (Annex III to the SCCs)
The Customer provides general written authorization for the engagement of the Sub-processors listed below in connection with the provision of the Services. This Schedule constitutes Annex III to the Standard Contractual Clauses incorporated under Section 13. Changes to this Schedule are made in accordance with Sections 7.3 to 7.5 of this DPA.
Version 2.1 — Effective: June 15, 2026.
| Sub-processor | Entity & address | Processing purpose | Personal data categories | Location | Transfer mechanism |
| --- | --- | --- | --- | --- | --- |
| Amazon Web Services, Inc. | 410 Terry Ave N, Seattle, WA, USA | Cloud infrastructure, hosting, storage, backups | All categories in Annex I.B | EU (Germany, Sweden, Ireland); USA | EU-U.S. DPF; SCCs Module 2 as fallback |
| MongoDB, Inc. (Atlas) | 1633 Broadway, New York, NY, USA | Managed database services | Account data, learning progress, conversation history | EU region clusters; US support access | EU-U.S. DPF; SCCs Module 2 as fallback |
| Cloudflare, Inc. | 101 Townsend St, San Francisco, CA, USA | CDN, DDoS protection, bot management | IP address, technical/connection data | Global edge network; USA | EU-U.S. DPF; SCCs Module 2 as fallback |
| Microsoft Corporation (Azure AI) | One Microsoft Way, Redmond, WA, USA | Speech recognition, text-to-speech, AI processing | Conversation text and audio (transient); language assessments | EU regions; USA | EU-U.S. DPF; SCCs Module 2 as fallback |
| OpenAI, L.L.C. | 1455 3rd St, San Francisco, CA, USA | LLM conversation generation and language feedback | Conversation text (transient; limited abuse-monitoring retention per DPA) | USA | EU-U.S. DPF; SCCs Module 2 |
| Google LLC / Google Cloud EMEA Ltd. | Gordon House, Barrow St, Dublin 4, Ireland | AI processing (Gemini), Firebase push notifications, cloud services | Conversation text (transient), device tokens, technical data | EU; USA | EU-U.S. DPF; SCCs Module 2 as fallback |
| Inworld AI, Inc. | 1975 W El Camino Real, Mountain View, CA, USA | AI character conversation engine | Conversation text (transient) | USA | SCCs Module 2 + TIA |
| Anthropic, PBC | 548 Market Street, PMB 90375, San Francisco, CA 94104, USA | AI processing — large language model (Claude) analysis, generation, and language feedback on user-submitted content and learning interactions | Conversation text and user-submitted content (transient); learning assessments | USA | SCCs Module 2 + TIA |
| Twilio Inc. (SendGrid) | 101 Spear St, San Francisco, CA, USA | Transactional email delivery | Name, email address | EU; USA | EU-U.S. DPF; SCCs Module 2 as fallback |
| Zendesk, Inc. | 989 Market St, San Francisco, CA, USA | Customer support ticketing | Contact data, support communications | EEA only (Zendesk EU data locality deployment) | Primary processing within the EEA; EU-U.S. DPF (SCCs Module 2 as fallback) covers any residual access from the USA (e.g., technical support) |
| Datadog, Inc. | 620 8th Ave, New York, NY, USA | Performance and availability monitoring | Technical metadata, timestamps, error codes (no conversation content) | EEA only (Datadog EU site) | Primary processing within the EEA; EU-U.S. DPF (SCCs Module 2 as fallback) covers any residual access from the USA (e.g., technical support) |
| MaxMind, Inc. | 51 Pleasant Street #1020, Malden, MA 02148, USA | IP-based geolocation lookup to determine approximate user location (country and region) for content localization, pricing, and compliance purposes | IP address only (transmitted for real-time lookup; no other Personal Data is shared) | USA | EU-U.S. DPF; SCCs Module 2 as fallback |
| Kertos GmbH | Brienner Str. 41, 80333 Munich, Germany | Privacy management and DSR automation | Identification data necessary to fulfill data subject requests | Germany (EEA) | None required (EEA processing) |
Payment processing (Stripe, Apple, Google, PayPal) is excluded from this Schedule because Talkpal processes billing and payment data as an independent controller pursuant to Section 2.3(c); advertising and analytics partners acting as independent or joint controllers are likewise not Sub-processors under this DPA.
