Data Processing Agreement (DPA)
Last updated: March 10, 2026
This Data Processing Agreement (“DPA”) and the schedules to this DPA apply to the Processing of Client Personal Data on behalf of the Client in order to provide Services ordered from Symbo.
For purposes of this DPA, Client and Symbo agree that Client may be a Data Controller of Client Personal Data, and Symbo may be a Data Processor of such data, except when the Client acts as a Data Processor of Client Personal Data, in which case Symbo is a subprocessor.
In the course of providing Services to the Client, Symbo may Process Client Personal Data on behalf of the Client. Symbo agrees to comply with the following provisions with respect to any Client Personal Data submitted by or on behalf of the Client for the Services or collected and Processed through the Services.
1. Definitions
1.1 Any capitalized term used but not defined in this DPA has the meaning provided to it in Applicable Data Protection Law.
- (a) “Applicable Data Protection Law” refers to all laws and regulations applicable to Symbo’s Processing of Personal Data, including, without limitation, European Data Protection Laws and Non-European Data Protection Laws.
- (b) “Client Personal Data” means any Personal Data Processed by Symbo on behalf of the Client pursuant to or in connection with the Services, but excluding Client feedback, the Personal Data of representatives of third-party organizations, and records of communications between Symbo and the Client.
- (c) “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the effective date of this Data Processing Agreement, including, without limitation, the California Privacy Rights Act of 2020 (the “CPRA”).
- (d) “Contractor” has the meaning set forth in the CPRA.
- (e) “Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and “Deletion” will be construed accordingly.
- (f) “GDPR” means the EU General Data Protection Regulation 2016/679, and to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom.
- (g) “Non-European Data Protection Laws” means the CCPA; the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); the Brazilian General Data Protection Law (“LGPD”), Federal Law no. 13,709/2018; the Privacy Act 1988 (Cth) of Australia, as amended (“Australian Privacy Law”); and substantially similar privacy or data protection laws applicable to a party, each as may be amended or replaced from time to time.
- (h) “Personal Data” shall have the meaning ascribed to it, or to substantially similar phrases, in Applicable Data Protection Law.
- (i) “Processing” means any operation or set of operations performed on Personal Data, including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process,” “Processes,” and “Processed” shall be construed accordingly.
- (j) “Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated last four digits of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under Applicable Data Protection Law.
- (k) “Services” means the services and activities supplied or carried out by or on behalf of Symbo for the Client.
- (l) “Subprocessor” means any third party appointed by or on behalf of Symbo to Process Client Personal Data.
- (m) “Transfer” means the transfer of Client Personal Data outside the United Kingdom or EU/European Economic Area (“EEA”).
2. Processing of Client Personal Data
2.1 Instructions for Data Processing: Symbo will, in the course of providing the Services, Process Client Personal Data only on behalf of and in accordance with the documented instructions of the Client, unless required to do otherwise by Applicable Data Protection Law. In such a case, Symbo will inform the Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Schedule 1 specifies the duration of the Processing, the nature and purpose of the Processing, and the types of Personal Data and categories of Data Subjects.
2.2 Client Responsibilities: The Client is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own Processing of Client Personal Data; and (b) it has, and will continue to have, the right to Transfer, or provide access to, Client Personal Data to Symbo for Processing in accordance with the terms of this DPA.
2.3 Purpose of Processing: Symbo is authorized to Process Client Personal Data as necessary to provide the Services, and as further instructed by the Client, as described in this DPA.
2.4 Lawfulness of Instructions: The Client will ensure that its instructions comply with Applicable Data Protection Law. The Client acknowledges that Symbo is not responsible for determining which laws are applicable to the Client’s business nor whether Symbo’s provision of the Services meets or will meet the requirements of such laws. Symbo will inform the Client if it becomes aware or reasonably believes that the Client’s data Processing instructions violate any applicable law.
2.5 Sensitive Data: The Client will not provide (or cause to be provided) any Sensitive Data to Symbo for Processing under this DPA, and Symbo will have no liability whatsoever for Sensitive Data, whether in connection with a security incident or otherwise.
2.6 Data Subject Rights: Taking into account the nature of the Processing, Symbo will assist the Client by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Client’s obligations to respond to requests to exercise Data Subject rights under Applicable Data Protection Law.
3. Security
3.1 Confidentiality Obligations: Symbo will ensure that its employees, and the personnel of any Subprocessor, who Process Client Personal Data for Symbo or who have access to Client Personal Data are authorized to Process this Personal Data and are contractually bound to observe confidentiality. Symbo will ensure that this obligation to maintain confidentiality continues beyond the termination of employment contracts or service contracts, and beyond the termination of this DPA.
3.2 Technical and Organizational Measures: Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of natural persons, Symbo will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR. As appropriate, this may include:
- The pseudonymization and encryption of Personal Data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- The ability to restore the availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident;
Additional technical security measures are described in Exhibit A.
3.3 Regular Testing and Evaluation: Symbo will regularly test, assess, and evaluate the effectiveness of technical and organizational measures to ensure the security of the Processing.
4. Subprocessing
4.1 Use of Subprocessors: The Client agrees that Symbo may use Subprocessors to assist in providing the Services. Where Symbo authorizes any Subprocessor as described in this Section 4, Symbo agrees to impose data protection terms on any Subprocessor it appoints that require it to protect Client Personal Data to the standard required by Applicable Data Protection Law, including providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR.
4.2 Client Notification: Symbo will maintain an up-to-date list of its Subprocessors and make it available to the Client upon request. Symbo will notify the Client of any intended changes concerning the addition or replacement of Subprocessors, thereby giving the Client the opportunity to object to such changes within ten (10) business days after being notified.
4.3 Liability for Subprocessors: Symbo will remain liable to the Client for the performance of its Subprocessors’ obligations to the extent that Symbo would be liable if performing the services of each Subprocessor directly under the terms of this DPA.
4.4 Objection to Subprocessors: If the Client reasonably objects to the use of a specific Subprocessor, Symbo will work with the Client in good faith to make available a commercially reasonable alternative to provide the Services without the use of the disputed Subprocessor. If Symbo is unable to make such a change within thirty (30) days of the Client’s objection, either party may terminate the Services requiring the use of the disputed Subprocessor, without penalty.
5. Data Rights Requests
5.1 Self-Service Features: Symbo’s Services provide the Client with a number of self-service features, including the ability to rectify, delete, obtain a copy of, or restrict the use of Client Personal Data. These features may be used by the Client to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to requests from Data Subjects via the Symbo Services at no additional cost. Additionally, upon the Client’s request, Symbo will provide reasonable additional and timely assistance (at the Client’s expense only if complying with the Client’s request requires Symbo to assign significant resources) to assist the Client in complying with its data protection obligations regarding Data Subject rights under Applicable Data Protection Law.
5.2 Notification of Requests: In the event that any request, correspondence, enquiry, or complaint from a Data Subject, regulatory body, or third party, including but not limited to law enforcement, is made directly to Symbo in connection with Symbo’s Processing of Client Personal Data, Symbo will inform the Client, providing details of the same, to the extent legally permitted. Unless legally obligated to do so, Symbo will not respond to any such request, inquiry, or complaint without the Client’s prior consent. In the case of a legal demand for disclosure of Client Personal Data in the form of a subpoena, search warrant, court order, or other compulsory disclosure request, Symbo will attempt to redirect the requesting party to request disclosure from the Client. If Symbo is legally compelled to respond to such a request, Symbo will notify the Client prior to disclosing Client Personal Data so that the Client may seek a protective order or other relief, if appropriate, unless Symbo is barred by law from giving such notification.
6. Data Breach Notification
6.1 Notification of Personal Data Breach: In the event of a Personal Data Breach affecting Client Personal Data, Symbo will, without undue delay and in any event within 48 hours of becoming aware of the breach, notify the Client. Such notification will include, to the extent possible, sufficient information for the Client to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Applicable Data Protection Law.
6.2 Data Recovery: Symbo will promptly work to recover Client Personal Data which is lost, damaged, destroyed, or distorted as a result of the Personal Data Breach, and take such reasonable commercial steps as may be directed by the Client to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
7. DPIA and Consultation
7.1 Symbo will provide reasonable assistance to Client in connection with data protection impact assessments, and prior consultations with Supervisory Authorities, which Client reasonably considers to be required of Client by Article 35 or 36 of the GDPR, with regards to Processing of Client Personal Data by Symbo.
8. Return and Deletion of Client Personal Data
8.1 Subject to Section 8.2 below, Symbo will respond to a deletion request from a Client end user within forty-five (45) days of receiving it (unless Symbo notifies Client of its intent to extend that deadline by an additional forty-five (45) days) and delete the Personal Data of the respective Client end user. Further, except (i) as required under Applicable Data Protection Law, or (ii) as provided in Section 8.2 below, Symbo will delete all Client Personal Data (or, if requested by Client, return all Client Personal Data to Client) within three (3) months after the expiration or termination of the Agreement. After such period, Symbo shall have no obligation to maintain or destroy any such Personal Data except in accordance with applicable law and without liability to Client.
8.2 Symbo may retain Client Personal Data after the expiry or termination of the Agreement: (i) to the extent required by Applicable Data Protection Law, and only to the extent and for such period as required by applicable laws and always provided that Symbo will ensure the confidentiality of all such Client Personal Data and will ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Data Protection Law requiring its storage and for no other purpose; and (ii) provided, however, Symbo may retain such Client Personal Data in accordance with its standard backup, log, or record retention policies.
8.3 The parties agree that the certification of deletion of Client Personal Data described in Clause 8.5 and 16(d) of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses, as applicable, shall be provided by Symbo to Client only upon Client’s written request.
9. De-Identified Data
9.1 “De-identified Data” means Client Personal Data that has been Processed such that it can no longer be linked to an identified or identifiable Natural Person, or a device linked to such person.
9.2 Symbo may Process Client Personal Data to create De-identified Data for Symbo’s legitimate business purposes. De-identified Data will not be considered Client Personal Data and Symbo may retain such data at its discretion.
10. Audit Rights
10.1 Subject to this Section 10, Symbo shall make available to the Client, upon request, all information necessary to demonstrate compliance with this Agreement. Symbo shall allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client, in relation to the Processing of Client Personal Data by Symbo and its Subprocessors.
10.2 The information and audit rights of the Client under Section 10.1 shall only arise to the extent that this Agreement does not otherwise provide the Client with information and audit rights meeting the relevant requirements of Applicable Data Protection Law.
11. International Data Transfers
11.1 Client authorizes Symbo and its Subprocessors to transfer and Process Client Personal Data across international borders, including from the United Kingdom, the European Economic Area, and anywhere else in the world where Symbo, its affiliates, or its Subprocessors maintain data processing operations, to and within the United States. Symbo shall at all times ensure that such transfers are made in compliance with the requirements of Applicable Data Protection Law and this DPA.
11.2 To the extent that Symbo is a recipient of Client Personal Data protected by the Australian Privacy Law, the parties acknowledge and agree that Symbo may transfer such Client Personal Data outside of Australia as permitted by the terms agreed upon by the parties and subject to Symbo complying with this DPA and the Australian Privacy Law.
11.3 To the extent that Symbo is a recipient of Client Personal Data protected by European Data Protection Laws (“European Data”) in a country outside of Europe that is not recognized as providing an adequate level of protection for personal data (as described in applicable European Data Protection Laws), the parties agree to abide by and process European Data in compliance with the Standard Contractual Clauses described in Schedule 2 (the “SCCs”), which shall be incorporated into and form an integral part of this DPA.
11.4 The parties agree that if Symbo cannot ensure compliance with the SCCs, it shall promptly inform Client of its inability to comply. If Client intends to suspend the transfer of European Data and/or terminate the affected parts of the Service, it shall first provide notice to Symbo and provide Symbo with a reasonable period of time to cure such non-compliance, during which time Symbo and Client shall reasonably cooperate to agree on what additional safeguards or measures, if any, may be reasonably required.
11.5 To the extent that and for so long as the SCCs as implemented in accordance with Section 11.3 cannot be relied on to lawfully transfer personal data in compliance with UK Data Protection Laws, the standard data protection clauses for processors adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”) shall be incorporated by reference. Additionally, to the extent Symbo adopts an alternative lawful data transfer mechanism for the transfer of European Data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable European Data Protection Laws and extends to the countries to which European Data is transferred).
11.6 Symbo and Client will use the Standard Contractual Clauses described in Schedule 2 as the transfer mechanism supporting the transfer and processing of Client Personal Data.
12. Jurisdiction Specific Terms
12.1 Where Symbo processes Client Personal Data protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 3, the terms specified in Schedule 3 with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) apply in addition to the terms of this DPA. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this DPA, the applicable Jurisdiction Specific Terms will take precedence.
13. General Terms
13.1 Confidentiality: Each Party must keep any information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; or (b) the relevant information is already in the public domain.
13.2 Notices: All notices and communications given under this Agreement must be in writing and will be sent by email. The Client shall be notified by email sent to the address associated with its use of the Services under the Agreement. Symbo shall be notified by email sent to [email protected].
14. Liability
14.1 Client and Symbo will each be separately liable to the other party for damages it causes by any breach of the clauses in this DPA. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e., damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party will be liable to Data Subjects for damages it causes by any breach of third-party rights under these clauses. This does not affect the liability of the data exporter under its Applicable Data Protection Law. Any claims made against Symbo or its affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Client that is a party to the Agreement.
15. Failure to Perform
15.1 In the event that changes in law or regulation render performance of this DPA impossible or commercially unreasonable insofar as it concerns the processing of Client Personal Data under these clauses, the Parties may renegotiate this DPA in good faith, provided, for the avoidance of doubt, that one of the following shall have first occurred: (i) Client has suspended the transfer of Client Personal Data to Symbo and Symbo does not restore compliance hereunder within one month of Client’s suspension, (ii) Symbo is in substantial or persistent breach of these clauses, or (iii) Symbo fails to comply with the binding decision of a competent court or supervisory authority regarding its obligations hereunder. If (i), (ii), or (iii) has occurred and renegotiation would not cure the impossibility, or the Parties cannot reach an agreement, the Parties may terminate the Agreement in accordance with the Agreement’s termination provisions.
16. Updates
16.1 Symbo may update the terms of this DPA from time to time; provided, however, Symbo will provide at least thirty (30) days prior written notice (e.g., via electronic means) to Client when a material update is required as a result of (a) the release of new products or services or material changes to any of the existing Services that require a change to the DPA; (b) changes in Applicable Data Protection Law; or (c) a merger, acquisition, or other similar transaction. The then-current terms of this DPA are available at symbo.ai/dpa.
17. Duration and Survival
17.1 This DPA will become legally binding upon the effective date of the Agreement or, if it is completed after the effective date of the Agreement, upon the date that the Parties sign this DPA. Symbo will process Client Personal Data until the relationship terminates as specified in the Agreement. Any obligation imposed on Symbo under this DPA in relation to the processing of Client Personal Data will terminate when Symbo no longer processes Client Personal Data.
18. Governing Law and Jurisdiction
18.1 This DPA shall be governed by and construed in accordance with the same laws and jurisdiction as outlined in the Terms of Service between Symbo and the Client, unless otherwise agreed upon by the parties in writing.
Schedule 1 — Client Personal Data Processing Details
Subject Matter of Processing: The Processing will involve the performance of the Services pursuant to the Agreement.
Duration of Processing: The Processing will continue as set forth in the Agreement.
Categories of Data Subjects: Client employees, contractors, agents, and/or representatives, service providers or vendors.
Special Categories of Personal Data: None.
Nature and Purpose of Processing: The Processing activities performed by Symbo for the limited and specified purposes described in the Agreement.
Types of Personal Data: Corporate contact information such as name, job title, email address, physical address, phone number, cookie and other online identifiers, including without limitation, Internet Protocol addresses, browser version, operating system and related configuration information.
Physical Location of Personal Data Processed by Symbo: United States.
Symbo List of Data Subprocessors: Available upon request with signed NDA.
Schedule 2 — Cross Border Data Transfer Mechanisms
1. Definitions
- (i) “EC” means the European Commission.
- (ii) “EEA” means the European Economic Area.
- (iii) “Standard Contractual Clauses” means, depending on Client’s circumstances, either of the following: (1) the UK Standard Contractual Clauses, or (2) the 2021 Standard Contractual Clauses.
- (iv) “UK Standard Contractual Clauses” means the Standard Contractual Clauses for data controller to data processor transfers approved by the EC in decision 2010/87/EU (“UK Controller to Processor SCCs”).
- (v) “2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the EC in decision 2021/914.
2. Cross Border Data Transfer Mechanisms
(i) Order of Precedence: In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the applicable Standard Contractual Clauses as set forth in Section 2(ii) (UK Standard Contractual Clauses) or Section 2(iii) (2021 Standard Contractual Clauses) of this Schedule 2; and, if (a) is not applicable, then (b) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
(ii) UK Standard Contractual Clauses: The parties agree that the UK Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for Personal Data.
(iii) 2021 Standard Contractual Clauses: The parties agree that the 2021 Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission as providing an adequate level of protection for Personal Data. The following modules apply:
- Module Two (Controller to Processor) applies where Client is a controller and Symbo is processing Personal Data.
- Module Three (Processor to Processor) applies where Client is a processor and Symbo is processing Personal Data.
For each Module, where applicable: (a) in Clause 7, the optional docking clause will not apply; (b) in Clause 9, Option 2 will apply and the time period for prior notice of subprocessor changes will be as set forth in Section 4 of this DPA; (c) in Clause 11, the optional language will not apply; (d) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law; (e) in Clause 18(b), disputes will be resolved before the courts of Ireland; (f) in Annex I, Part C, the Irish Data Protection Commission will be the competent supervisory authority.
Schedule 3 — Jurisdiction Specific Terms
1. Australia
- “Applicable Data Protection Law” includes the Privacy Act 1988 (Cth) of Australia and the Australian Privacy Principles.
- “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
- “Sensitive Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.
2. Brazil
- “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).
- “Data Processor” includes “operator” as defined under Applicable Data Protection Law.
3. Canada
- “Applicable Data Protection Law” includes The Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
- Symbo’s subprocessors, as described in Schedule 1, are Third Parties under Applicable Data Protection Law, with whom Symbo has entered into a written contract that includes terms substantially similar to this DPA.
- Symbo will implement technical and organizational measures as set forth in Section 3 (Security) of this DPA.
4. Israel
- “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).
- “Data Controller” includes “Database Owner” as defined under Applicable Data Protection Law.
- “Data Processor” includes “Holder” as defined under Applicable Data Protection Law.
- Symbo will require authorized personnel to comply with data secrecy principles and sign confidentiality agreements.
- Personal data will not be transferred to a subprocessor unless such subprocessor has executed an agreement pursuant to Section 4 of this DPA.
5. Japan
- “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).
- “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
- “Data Controller” includes “Business Operator” as defined under Applicable Data Protection Law.
- “Data Processor” includes a business operator entrusted with handling personal data (a “trustee”).
6. Singapore
- “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).
- Symbo will process personal data to a standard of protection in accordance with the PDPA.
7. United Kingdom
- Where Client Personal Data is protected by the data protection laws of the United Kingdom, references in this DPA to the GDPR are deemed, to that extent, to be references to the corresponding laws of the United Kingdom (including the UK GDPR and the Data Protection Act 2018).
- The Standard Contractual Clauses will also apply to Client in the United Kingdom as data exporter and to Symbo as data importer for Transfers of Personal Data to countries that are not deemed to have an adequate level of data protection.
8. United States — California
- “Applicable Data Protection Law” includes the California Consumer Privacy Act of 2018 (CCPA), including the California Privacy Rights Act of 2020 (CPRA).
- “Data Controller” includes “Business” as defined under Applicable Data Protection Law.
- “Data Processor” includes “Service Provider” as defined under Applicable Data Protection Law.
- “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
- “Data Subject” includes “Consumer” as defined under Applicable Data Protection Law.
- Symbo will Process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Agreement. Symbo agrees not to (a) sell Client Personal Data; (b) retain, use, or disclose Client Personal Data for any commercial purpose other than providing the Services; or (c) retain, use, or disclose Client Personal Data outside of the scope of the Agreement.
- Symbo certifies that its subprocessors are Service Providers under Applicable Data Protection Law, with whom Symbo has entered into written contracts with terms substantially similar to this DPA.
- Symbo will not combine Client Personal Data with Personal Data received from other sources, subject to the exceptions set forth under the CPRA.
Exhibit A — Technical and Organizational Measures
As of the effective date of this Data Processing Agreement (DPA), Symbo, when processing personal data on behalf of the Client, has implemented and maintains the following technical and organizational security measures:
Information Security Program: Symbo maintains a reasonable information security program based on industry-standard information security principles. This program covers policies and procedures, access control, business continuity, HR security, network infrastructure security, third-party security, vulnerability management, vendor management, risk management, and incident response.
Physical Access Controls: Symbo takes reasonable measures to prevent physical access, such as secured buildings and offices, to ensure unauthorized persons do not gain access to personal data.
System Access Controls: Symbo takes reasonable measures to prevent unauthorized use of personal data. These controls include authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and logging of access at several levels.
Data Access Controls: Symbo takes reasonable measures to ensure that personal data is accessible and manageable only by properly authorized staff. Direct database query access is restricted, and application access rights are established and enforced to ensure only individuals with the appropriate privileges have access to personal data.
Transmission Controls: Symbo takes reasonable measures to ensure that the transfer of personal data by means of data transmission facilities is secure, preventing unauthorized reading, copying, modification, or removal during electronic transmission or transport. Personal data is encrypted in transit over public networks using industry-standard HTTPS/TLS (TLS 1.2 or higher), and encrypted at rest using AES-256.
Input Controls: Symbo implements reasonable measures to provide the ability to check and establish whether and by whom personal data has been entered into, modified, or removed from data processing systems.
Data Backup: Backups of databases in the Service are taken on a regular basis, secured, and encrypted to ensure that personal data is protected against accidental destruction or loss.
Human Resources Security: Symbo employees undergo a comprehensive background check before formal employment offers, where permitted by local regulations. All employees must sign non-disclosure agreements before gaining access to personal data. Each new employee must attend an information security and privacy training session during onboarding, with continuous training provided on Symbo’s security policies, best practices, and privacy principles.
Vendor Management: Symbo maintains a vendor management program to ensure that appropriate security controls are in place. Symbo periodically reviews each vendor in light of Symbo’s security and business continuity standards.
Platform Security Measures: Symbo segments its system into separate networks to better protect sensitive data and to separate public services from internal services. Personal data is only permitted to exist within the production network, which is accessible only behind a firewall.
Business Continuity: Symbo maintains a Business Continuity and Disaster Recovery plan based on industry best practices to ensure the reliability and availability of its operational systems and effective recovery in the event of a disruptive event.
Data Center Security: Symbo primarily hosts personal data in data centers certified to meet recognized standards such as ISO 27001 and PCI DSS Service Provider Level 1. The hosting provider’s infrastructure services include backup power, HVAC systems, and fire suppression equipment. On-site security measures include security guards, fencing, intrusion detection technology, and other measures to protect the physical security of servers and customer data.
Contact Information
If you have questions about this Data Processing Agreement, please contact us at:
Symbo LLC
Lehi, Utah
[email protected]