Legal Terms
Master Service Agreement
This MSA is made between TalkyLabs Group (9521-9622 Québec Inc), a company incorporated under the laws of Quebec (“TalkyLabs”), and Client.
The MSA governs Client’s acquisition and use of TalkyLabs’s Services. Please read this MSA fully and carefully before using the Services.
The Client agrees to the terms of this Master Service Agreement (MSA) by activating a box indicating acceptance, executing this MSA or a Service Addendum that references this MSA, or by using the Services. By doing so, the Client acknowledges that they have read and understand the MSA and all other documents referred to in it, which are all incorporated into this MSA. The Client also agrees that this MSA is the only agreement that governs their use of the Services, and that any other terms are not applicable. If the Client is accepting this MSA on behalf of an organization, it represents and warrants that it has the authority to do so. If the Client does not have this authority or does not agree to the terms of this MSA, it should not accept it and should not use the Services. If the Client’s organization has a separate agreement with TalkyLabs that covers their use of the Services, then that agreement will govern instead of this MSA.
This MSA takes effect between the Client and TalkyLabs on the date that the Client accepts it.
TalkyLabs and the Client are each referred to as a “Party” or collectively as the “Parties” in this MSA.
1. Definitions
As used in this MSA, the following terms will have the following meanings:
- Accessible Mobile Operators: The mobile network providers that can be accessed through the TalkyLabs platform.
- Acceptable Use Policy: The rules and guidelines for using the Services, as agreed upon by the Parties.
- Affiliate: Any company or entity that is directly or indirectly controlled by, or under common control with, either Party. Control is defined as owning or controlling more than 50% of the voting rights of the subject entity.
- Applicable Law: All laws, regulations, and codes of practice that apply to the Services in the jurisdiction where they are provided.
- Balance: The amount of money that the Client has paid to TalkyLabs for the Services, minus the value of the Services that the Client has used.
- Beta Services: Services or features that are available to the Client for testing at no additional charge. Beta Services are clearly marked as such.
- Business Day: A Monday through Friday that is not a public holiday in Canada.
- Client: The person or organization that is using the Services. If the Client is accepting the MSA on behalf of an organization, they are agreeing to the MSA for that organization and guaranteeing that they have the authority to bind that organization to the MSA.
- Client Data: Any data, works, or materials that the Client uploads to, stores in, or transmits through the Services.
- Data Protection Laws: All laws that apply to the processing of personal data, such as the European General Data Protection Regulation (GDPR).
- Documentation: All of the TalkyLabs API documentation, code samples, and other technical information that is publicly available.
- Information: Any visual, textual, or other data that is made available to the Client through the TalkyLabs platform or the Services.
- Intellectual Property Rights: All rights related to intellectual property, including copyrights, patents, trademarks, trade secrets, and trade dress.
- Malicious Code: Any software that is designed to damage or harm a computer system.
- TalkyLabs: The company that provides the Services.
- TalkyLabs API: An application programming interface that allows the Client to interact with the Services.
- TalkyLabs Platform: The servers, hardware, software, and other equipment that TalkyLabs uses to provide the Services.
- Mobile Operator: A company that operates a mobile telecommunications network.
- Mobile Subscriber: A person who has a contract with a Mobile Operator to use their network.
- MSA: This Master Service Agreement, including all addenda and documentation attached to it.
- Personal Data: Any information that can be used to identify an individual, such as their name, address, or email address.
- Services: All products and services that TalkyLabs offers to the Client. This includes services that are provided both through the TalkyLabs platform and the TalkyLabs API.
- Service Addendum: An addendum to the MSA that describes a specific Service and any specific terms and conditions that apply to that Service.
- Service Level Agreement (SLA): The agreement between the Parties that defines the level of service that TalkyLabs will provide.
- Site: TalkyLabs’s web domain, including all pricing and other webpages, available at https://www.TalkyLabs.com/.
- Dashboard: TalkyLabs’s customer portal, which is accessible through the Site.
IMPORTANT NOTICE:
THIS MSA LIMITS TALKYLABS’S LIABILITY TO THE CLIENT. Refer to Article 24 for more information.
ADDITIONALLY, DISPUTES ARISING FROM THE TERMS OR THE CLIENT’S USE OF THE SERVICES MUST BE RESOLVED THROUGH A DISPUTE RESOLUTION PROCESS, WHICH MAY CULMINATE IN BINDING ARBITRATION. Refer to Article 32 for further details.
2. Scope And Changes To This MSA
2.1 Subject to the terms and conditions of this MSA, TalkyLabs agrees to provide the Client with the Services as defined and described in each Service Addendum, Dashboard, or the Site.
2.2 From time to time, the Parties may mutually agree to add or remove Services from this MSA by adding or removing a Service as a Service Addendum to this Agreement or by using the Dashboard or the Site.
2.3 TalkyLabs may update this MSA from time to time by providing the Client with prior written notice of material updates at least thirty (30) days in advance of the effective date of the update. Notice will be given in Client’s account or via an email to the email address of the owner of Client’s account or as indicated during the sign-up process. This notice will highlight the intended updates. Except as otherwise specified by TalkyLabs, updates will be effective upon the effective date indicated in connection with the update. In case of no such communicated effective date, the update will immediately enter into force. The updated version of this MSA will supersede all prior versions.
2.4 Following such notice, Client’s continued access or use of the Services on or after the effective date of the changes to the MSA constitutes its acceptance of any updates. If Client does not agree to any updates, it should stop using the Services immediately.
2.5 TalkyLabs may not be able to provide at least thirty (30) days prior written notice of updates to this MSA that result from changes in the law or requirements from telecommunications providers.
3. Order Of Precedence
3.1 In the event of any conflict or inconsistency among the following documents, the following order of precedence shall apply:
1. Service Addendum, including its appendices
2. Product-specific terms
3. Service Level Agreement
4. Master Service Agreement (MSA)
5. Documentation
4. Service Terms
4.1 The terms governing the Service are primarily defined in this Master Service Agreement (MSA), except where specific terms apply to a particular Service as outlined in the corresponding Service Addendum, Dashboard, or the Site.
5. Client’s Account(s)
5.1 To utilize the Services, the Client may be prompted to create a user account. During the account creation process, the Client will be required to provide their email address, establish a password, and may be asked to supply a phone number for verification purposes. Access to certain Services may be restricted until the Client registers for an account. When registering for an account, the Client must provide truthful, accurate, up-to-date, and complete information about themselves as requested during the setup process.
5.2 The Client is fully accountable for all usage (whether authorized or not) of the Services under their account(s) and any sub-account(s), including the quality and integrity of Client Data. Furthermore, the Client is solely responsible for all actions and omissions of anyone who has access to or otherwise utilizes any Service (“End User”).
5.3 The Client agrees, represents, and warrants that they will take all reasonable precautions to stop unauthorized access to or use of the Services and will promptly notify TalkyLabs of any unauthorized access or use. TalkyLabs is not responsible for any loss or damage arising from unauthorized use of the Client’s account(s).
5.4 As part of TalkyLabs’s ongoing and regular monitoring of account activity, and to assist TalkyLabs in reducing the risk of fraudulent usage of the Client’s account(s) and the Services, the Client’s access to services may be temporarily restricted while TalkyLabs is activating the Client’s account(s), or if the Client has not used their account for 12 months or more.
6. Connectivity
6.1 The Client shall be solely responsible for providing and maintaining the necessary hardware, software, communications equipment, and any other equipment required to connect to the TalkyLabs Platform and access the Services. At its own expense, the Client shall also be responsible for providing and regularly monitoring the telecommunication and access infrastructure between its operations center and the TalkyLabs Platform.
6.2 TalkyLabs shall be responsible for the operation and maintenance of the TalkyLabs Platform up to and including the Client’s physical point of connection.
7. Access And Use Of Services
7.1 TalkyLabs provides the Services to the Client pursuant to this MSA, the Documentation, and any applicable Service Addendum, Dashboard, or the Site. The Services will comply with the Service Level Agreement, unless otherwise specified in a Service Addendum. TalkyLabs provides the Services in accordance with applicable laws and regulations. The Client’s use of the Services must comply with this MSA, the Documentation, and any applicable Service Addendum, Dashboard, or the Site.
7.2 The Client may use the Services on a non-exclusive basis solely to:
- Use the Documentation and TalkyLabs APIs to develop its application.
- Use and make the Services available to End Users in connection with the use of each Service, in accordance with the Documentation, TalkyLabs’s Acceptable Use Policy, and any other limitations agreed upon in the Service Addendum, Dashboard, or the Site.
- Use the Services solely in connection with and as necessary for the Client activities pursuant to this MSA.
- Allow its Affiliates to use the Services pursuant to this MSA or as agreed upon in the Service Addendum.
8. Service Availability
8.1 TalkyLabs uses reasonable efforts to maintain the availability of Services to the Client, while acknowledging that 100% uptime is not guaranteed. Downtime stemming directly or indirectly from any of the following circumstances shall not be considered a violation of this Master Service Agreement (MSA):
- Force Majeure Events: These events include unpredictable occurrences beyond the control of either party (see Article 30).
- Internet or Telecommunications Network Issues: Downtime triggered by disruptions or malfunctions in the Internet or public telecommunications networks is not considered a breach.
- Client’s IT Infrastructure Limitations: Downtime originating from faults or failures within the Client’s own IT systems or networks is not considered a violation.
- Third-Party Application Interference: Downtime caused by the use of third-party applications or their interactions with TalkyLabs’s Services is excluded from breach consideration.
- Malicious Activities and Attacks: Downtime induced by denial-of-service attacks or the influence of malicious code is not considered a breach.
- Client Misconduct: Downtime arising from the Client’s non-compliance with the terms of this MSA is not considered a breach.
- Scheduled Maintenance: Pre-scheduled maintenance activities are specifically excluded from breach consideration.
8.2 The Client is obligated to notify TalkyLabs promptly and as accurately as possible about any functional failures, malfunctions, or impairments of the Services. This timely reporting allows TalkyLabs to promptly address and resolve any service disruptions.
9. Client Data
9.1 TalkyLabs is granted a non-exclusive right to copy, reproduce, store, distribute, publish, export, adapt, edit, and translate Client Data to the extent reasonably necessary for the performance of its obligations and the exercise of its rights under this MSA. This permission extends to TalkyLabs’s hosting, connectivity, and telecommunications service providers.
9.2 The Client warrants that Client Data will not infringe the Intellectual Property Rights or any other rights of any third party and does not violate Applicable Law.
9.3 TalkyLabs creates an automated backup of Client Data at least daily, ensuring each backup is sufficient to restore the Service to its original state at the time of backup. TalkyLabs or its commissioned service providers retain and securely store each backup for 30 days.
9.4 TalkyLabs will maintain appropriate administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of Client Data, as outlined in the Documentation. These safeguards include measures designed to prevent unauthorized access to or disclosure of Client Data (excluding Client or End User access).
9.5 The Client acknowledges the inherent security limitations of the Internet and telecommunications providers’ networks. The Client agrees that TalkyLabs is not liable for any changes to, interception of, or loss of Client Data while in transit via the Internet or a telecommunications provider’s network.
9.6 In the event Client Data encompasses Personal Data, the Parties shall enter into a data processing agreement (see article 26).
10. Client’s Responsibilities
10.1 The Client acknowledges and agrees to be solely responsible for:
- All use, whether authorized or unauthorized, of the Services and Documentation under the Client’s account(s), including the quality and integrity of Client Data.
- Using the Services in accordance with this Master Service Agreement (MSA), the Acceptable Use Policy, Documentation, Service Addendum, or any other applicable terms governing the use of the Services.
- Using the Services in compliance with all applicable laws and regulations (collectively, “Applicable Law”).
- All acts, omissions, and activities of End Users, including their compliance with this MSA, the Documentation, the Acceptable Use Policy, and any terms agreed upon by the Parties.
- Preventing unauthorized access to or use of the Services and promptly notifying TalkyLabs of any such unauthorized access or use.
- Providing reasonable cooperation in responding to information requests from law enforcement, regulators, or telecommunications providers.
- Complying with all representations and warranties made in Article 23 of this MSA.
11. Use Restrictions
11.1 With respect to the Services, the Client agrees to the following restrictions:
- The Client shall not transfer, resell, lease, license, or otherwise make the Services available to third parties or offer them as a standalone product or service. The Client shall only make the Services available to its End Users in accordance with the terms of this Agreement.
- The Client shall not attempt to use the Services to access or allow access to emergency services (i.e., an official government-sponsored emergency telephone number) unless the Service is expressly approved for emergency services and the Client complies with the specific terms agreed upon between the parties or any other agreement as TalkyLabs deems appropriate.
- The Client shall use the Services only in compliance with all applicable laws and regulations.
- The Client shall not use the Services to create, train, or improve (directly or indirectly) a substantially similar product or service to the Services.
- The Client shall not create multiple service accounts to simulate or act as a single service account or engage in any other behavior that intentionally circumvents fees or other charges associated with the Services.
- The Client shall not reverse engineer, decompile, disassemble, or otherwise attempt to create or derive the source code of any software provided in connection with the Services.
12. Maintenance
12.1 TalkyLabs reserves the right to temporarily suspend Services for maintenance or upgrade purposes. TalkyLabs will provide Client with five (5) Business Days’ advance written notice of any such suspension. Maintenance-related suspensions, excluding force majeure events or widespread service disruptions (where a disruption refers to a situation where the Services cannot be operated effectively or at all), will typically occur between 12:00 AM and 6:00 AM UTC (Coordinated Universal Time).
13. Service Suspension
13.1 TalkyLabs may suspend Client’s access to the Services in whole or in part upon notice if:
- The Client violates any provision of this MSA, a Service Addendum, the Documentation, or the Acceptable Use Policy.
- There is reason to believe that the Client’s use of the Services is fraudulent or negatively impacts the operating capability of the Services.
- TalkyLabs determines, in its sole discretion, that providing the Services is prohibited by Applicable Law, or it has become impractical or unfeasible for any legal or regulatory reason to provide the Services.
- The Client’s business becomes insolvent.
- The Client uses the Services in a way that threatens the security, integrity, or availability of the Services.
- The Client’s use of the Services poses a security risk to the Services or any third party, adversely affects the Services, service offerings, systems, or data of another TalkyLabs client, exposes TalkyLabs or its service providers to liability, or may be fraudulent.
- The Client is more than ten (10) Business Days in default of payments due.
13.2 A temporary suspension of access and usage rights has the following effects:
- The Client remains fully liable for all fees incurred up to the date of suspension.
- The Client remains liable for all fees and costs applicable to all Services for which access has not been suspended.
- Client Data stored is not affected by the suspension.
14. Requirements For Building Regulated Services
14.1 The Client is responsible for complying with all regulatory requirements, taxes, and fees imposed on regulated services built using the TalkyLabs Services.
15. Changes to Services
15.1 TalkyLabs may periodically modify the features and functionalities of its Services, including the TalkyLabs Platform, TalkyLabs API, and TalkyLabs’s Service Level Agreement (SLA). Where technically feasible, TalkyLabs strives to ensure compatibility between its current Services and its legacy Services. TalkyLabs endeavors to minimize alterations that disrupt backwards compatibility. If unavoidable, backward-incompatible modifications will be implemented only after TalkyLabs has provided the Client with at least sixty (60) days’ advance notice.
16. Beta Services
16.1 TalkyLabs may provide Beta Services to Clients from time to time. Clients are free to choose whether or not to try these Beta Services at their own discretion.
16.2 Beta Services are designed for evaluation purposes only and are not intended for production use. They are not supported and may be subject to additional terms and conditions. Unless otherwise specified, the Beta Services trial period will expire one year from the start date or when the Beta Services are generally available without the Beta Services designation. TalkyLabs may discontinue Beta Services at any time and may never make them generally available.
16.3 BETA SERVICES ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS WITH NO WARRANTIES WHATSOEVER. TalkyLabs SHALL NOT BE LIABLE FOR ANY HARM OR DAMAGE RESULTING FROM THE USE OF THE BETA SERVICES.
17. Affiliates
17.1 Affiliates of the Client are not authorized to purchase Services using the Master Service Agreement (MSA) accepted by the Client.
17.2 Each Affiliate of the Client must accept the MSA independently. If any Affiliate of the Client utilizes the Services under this MSA, the Client and such Affiliates shall be held jointly and severally accountable for the Affiliates’ actions and omissions, including, but not limited to, their breach of this MSA. Any claim brought by an Affiliate of the Client against TalkyLabs for the use of Services under this MSA may only be initiated by the Client on behalf of its Affiliate.
18. Fees And Payment
18.1 The fees to be paid to TalkyLabs by Client are set forth on the Site’s Pricing List page or in each Service Addendum.
Client’s fees are in accordance with the Standard Price List found on the following link: https://www.TalkyLabs.com/pricing/.
In case a customized Price List is sent to the Client on a separate email or as Appendix to a Service Addendum, such customized Price List shall prevail over the Standard Price List.
TalkyLabs has the right to issue a price change to the Client at any time.
18.2 Payments to be made by Client to TalkyLabs for the Services and payment terms are set forth in the applicable Service Addendum or as described below in Article 18.8. TalkyLabs shall not be obliged to perform any Services under this MSA if Client has not provided payments. TalkyLabs also has the right to temporarily suspend the Service until outstanding payments have been received.
18.3 All charges and fees for the Services are exclusive of any taxes, including sales, value-added, or other taxes. Client shall be liable for and shall reimburse TalkyLabs for all sales or value-added taxes imposed in connection with or arising from the provision of Services to Client. Client will provide TalkyLabs sufficient information as to the timely payment of all applicable withholding taxes, if so required by TalkyLabs.
18.4 All payments between the Parties shall be for the full invoiced amount and as such, each Party shall pay any bank charges its bank may charge. Any shortfall between the invoiced amount and the amount received by TalkyLabs will constitute an outstanding amount and will be carried forward.
18.5 Client may pay for the Services by PayPal, credit card, or if arranged, wire transfer. In the latter case, the Client shall pay the charges to TalkyLabs by wire transfer to the bank account indicated by TalkyLabs via e-mail.
18.6 Payment shall be made using the currency indicated in the Service Addendum, Dashboard or the Site.
18.7 Payments, once made, are non-refundable. Except as otherwise set forth herein or in the applicable Service Addendum, and subject to 19.3 (payment dispute), in case of post-paid accounts, Client will pay the fees due hereunder in accordance with the applicable payment method described in 18.8.
18.8 If the Client chooses, in case of post-paid accounts, to add funds to its account via credit card and utilizes those funds to pay the outstanding fees, the Client is responsible for ensuring that the amount covered is sufficient to meet the fees due. If the Client’s account does not have enough funds or its credit card declines a payment for the outstanding fees, TalkyLabs may suspend the delivery of Services for all of the Client’s accounts until the Fees due are paid in full. The creation of new accounts by the Client is prohibited until the Fees due have been paid in full.
18.9 The Client will have access to its invoices in the Dashboard immediately after the payment has been successfully received by TalkyLabs.
19. Billing
In case of post-pay accounts, the following will apply:
19.1 TalkyLabs will use all reasonable means to ensure the accuracy of its records regarding Client’s use of Services.
19.2 If Client’s records of Services usage differ from TalkyLabs’s records, the Parties will cooperate to investigate the discrepancies and correct them.
19.3 If Client disagrees with an invoice amount, they must notify TalkyLabs in writing within ten (10) Business Days of receiving the invoice. Within ten (10) Business Days of receiving the notification, TalkyLabs will send Client an itemized transaction log report of all Service requests received from Client in the given period. If the Parties are unable to resolve the dispute within another fifteen (15) days, it may be escalated to senior management or resolved in accordance with Article 32. Client must pay all amounts not in dispute on the due date.
19.4 Unless otherwise specified in the respective Service Addendum, Dashboard, or Site, TalkyLabs will make invoices available to the Client via the Dashboard. The Client is considered to have access to the invoice the same day TalkyLabs made it available.
20. Unsolicited Traffic
20.1 The Client agrees not to use any Services for any unlawful, immoral, or improper purpose or in any manner that violates Applicable Law or Mobile Operator requirements. The Client also agrees not to allow any third party to engage in such activities.
20.2 The Client shall not send any unsolicited traffic to the TalkyLabs Platform, the TalkyLabs API, or any Service. The Client shall ensure that its agreements with its clients contain similar clauses prohibiting the sending of unsolicited traffic. The Client shall implement all necessary measures to prevent unsolicited traffic from reaching the TalkyLabs Platform, the TalkyLabs API, or any Service.
20.3 In the event that unsolicited traffic is sent to the TalkyLabs Platform, the TalkyLabs API, or any Service by the Client, its clients, or any of its clients’ clients, the following actions shall be taken:
- The party detecting the unsolicited traffic shall immediately notify the other party.
- The parties shall work together in good faith to gather information (including timestamp, content, destination number, and originator) to identify the source of the unsolicited traffic as soon as possible after the incident.
- The Client shall immediately terminate the connection with the Client’s client that originated the unsolicited traffic and ensure that such Client’s client is no longer connected to the TalkyLabs Platform, the TalkyLabs API, or any Service.
20.4 TalkyLabs may, at its sole discretion, immediately suspend (temporarily halt the provision of services) or terminate this Agreement if any of the clauses in this Article 20 are violated. This termination shall not prejudice TalkyLabs’s rights to claim damages.
21. Subcontractors
21.1 TalkyLabs may engage subcontractors of its selection to satisfy its commitments. TalkyLabs is liable for the actions and negligence of its subcontractors as if they were its own.
22. Intellectual Property Rights
22.1 All Intellectual Property Rights (IPRs) in any software, information, technology, or data provided by either party under this Agreement shall remain the property of that party or its licensors. IPRs in any developed materials shall belong to the party that developed them.
22.2 For clarity: TalkyLabs exclusively owns and retains all IPRs in the Services, Documentation, Confidential Information (as defined in Section 25 below), and anonymized or aggregated data generated from the use and operation of the Services (including but not limited to volumes, frequencies, bounce rates, etc.) that do not identify an individual as the source of the information. TalkyLabs also owns all Contributions (feedback, recommendations, correction requests, or suggestions) submitted by the Client or any End User about the Services.
22.3 The Client exclusively owns and retains all IPRs in Client Data and the Client’s Confidential Information.
22.4 By submitting Contributions, the Client agrees:
- TalkyLabs is not obligated to maintain confidentiality regarding the Client’s Contributions.
- TalkyLabs may use or disclose (or choose not to use or disclose) the Client’s Contributions for any purpose or in any manner.
- TalkyLabs owns the Client’s Contributions.
- The Client is not entitled to any compensation or reimbursement from TalkyLabs for its Contributions under any circumstances.
22.5 The Client grants TalkyLabs the right to use its name, logo, and a description of its use case to identify the Client on TalkyLabs’s website, earnings releases and calls, marketing, or promotional materials, subject to the Client’s standard trademark usage guidelines, which the Client may provide to TalkyLabs.
23. Representations and Warranties
23.1 TalkyLabs MAKES NO EXPRESS OR IMPLIED WARRANTIES REGARDING THE SERVICES. THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTY OF ANY KIND. TalkyLabs DISCLAIMS ALL WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. TalkyLabs ALSO DISCLAIMS ALL WARRANTIES REGARDING THIRD-PARTY TELECOMMUNICATIONS PROVIDERS.
23.2 NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY TALKYLABS, ITS AFFILIATES, DISTRIBUTORS, AGENTS, OR EMPLOYEES SHALL CREATE A WARRANTY. SUCH INFORMATION OR ADVICE SHALL NOT IN ANY WAY INCREASE THE SCOPE OF ANY WARRANTY PROVIDED HEREIN.
23.3 The Services are not designed, intended, or licensed for use in hazardous environments requiring fail-safe controls. This includes nuclear facilities, aircraft navigation or communication systems, air traffic control, life support, or weapons systems. TalkyLabs expressly disclaims any express or implied warranty of fitness for such purposes.
23.4 TalkyLabs represents and warrants that it will provide Services that meet reasonable commercial standards and good industry practice. However, TalkyLabs does not warrant that the Services will be fault-free, continuously available, or that all Accessible Mobile Operators will be reachable at all times.
23.5 TalkyLabs cannot guarantee that the Services will never be faulty. However, TalkyLabs will use its reasonable commercial efforts to correct reported faults and make the Services available as soon as TalkyLabs reasonably can.
23.6 TalkyLabs is not responsible for any mobile telecommunications systems or networks that it does not operate, including the networks of the Operators. Therefore, TalkyLabs is not liable for the acts or omissions of other providers of telecommunication services (including suspension or termination of TalkyLabs connections and/or contracts with any Operator) or for faults in or failures of their apparatus or network.
23.7 Client acknowledges that TalkyLabs has no control over the Information and data that passes through the use of the Services. Client shall be solely liable for the content of the Information, data, and any other material transmitted by Client or anyone else using the Services, including but not limited to Mobile Subscribers. TalkyLabs excludes all liability of any kind in connection with the transmission or reception of such content.
23.8 If Client records or monitors any and all communications using the Services, it must comply with all Applicable Laws and secure all required prior consents. TalkyLabs makes no representations or warranties with respect to recording or monitoring of any communications. Client acknowledges that these representations, warranties, and obligations are essential to TalkyLabs’s ability to provide the Client with access to recording and monitoring features that are part of the Services. Client further agrees to indemnify TalkyLabs and its Affiliates in accordance with the terms of article 24 for claims arising out of or related to Client’s acts or omissions in connection with providing notice and obtaining consents regarding such recording or monitoring of communications using the Services.
23.9 Client further represents and warrants that it has provided (and will continue to provide) adequate notices and has obtained (and will continue to obtain) the necessary permissions and consents to provide Client Data to TalkyLabs for use and disclosure pursuant to article 9.
24. Indemnification And Limitation Of Liability
24.1 The Client agrees to defend and indemnify TalkyLabs, its affiliates, subsidiaries, officers, directors, employees, agents, contractors, and suppliers (collectively, the “Indemnified Parties”) from and against any and all claims, damages, liabilities, costs, and expenses (including attorneys’ fees) arising out of or in connection with the Client’s use of the Services other than as expressly authorized in this MSA, the Documentation, and the respective Service Addendum; the Client’s infringement of any third-party intellectual property rights in using the Services; the Client’s breach of any of its obligations under this Agreement; or any claims arising from Information, data, or messages transmitted by the Client using the Services, including but not limited to claims for libel, slander, copyright infringement, and invasion of privacy or alteration of private records or data.
24.2 TalkyLabs agrees to promptly notify the Client of any such third-party claim and to cooperate with the Client in the defense and/or settlement of such claim. The Client acknowledges that TalkyLabs may, at its sole expense, participate in the defense and/or settlement of any such claim through counsel of its own choice.
24.3 TalkyLabs shall not be liable for any loss of use, losses due to force majeure, interruption of business, or any direct, indirect, special, incidental, or consequential damages of any kind (including loss of customers, lost profits, lost revenues or anticipated savings or earnings, interference with business, or cost of purchasing replacement services) arising out of or in connection with the use of, or inability to use, the Services or the performance or failure to perform by TalkyLabs of any provision of this MSA, whether or not caused by the acts or omissions of TalkyLabs, its affiliates, employees, or agents, even if TalkyLabs has been advised of the possibility of such damages.
24.4 To the extent that TalkyLabs is liable for any damages, its maximum total liability shall be limited to the total amount of fees paid by the Client in the last twelve (12) months under this MSA. This limitation of liability shall not apply to the liability for death or personal injury.
24.5 TalkyLabs makes no warranties or representations regarding the suitability of the Services for the Client’s purposes or their compatibility with the Client’s existing software, hardware, or infrastructure.
24.6 TalkyLabs’s liability shall be excluded in the case of non-contractual use by the Client.
24.7 Neither TalkyLabs nor its representatives, Affiliates, or employees shall be liable under any legal or equitable theory for any claim, damage, or loss (and the Client shall indemnify and hold TalkyLabs harmless against any and all such claims) arising from or relating to the inability to use the Services to contact emergency services, as defined in article 11.1. TalkyLabs’s outbound communication Services should not be used for contacting emergency services, unless the Service is expressly approved for such purpose and the Client and TalkyLabs have entered into a separate agreement in connection with the use of such approved Service.
25. Confidentiality
25.1 Each party (the “Recipient”) shall treat all materials, information, and documents (including this MSA) provided by the other party (the “Disclosing Party”) in connection with its obligations under this MSA as confidential (collectively, “Confidential Information”). Without prior written consent from the Disclosing Party, the Recipient shall not disclose Confidential Information to any third party.
25.2 Confidential Information shall not include (i) information that is publicly available at the time of disclosure; (ii) information that was originally Confidential Information but subsequently entered the public domain other than due to a breach of this provision or any other confidentiality obligation; (iii) information that a party obtains from a third party without any breach of this provision or any confidentiality obligation; (iv) information that a party is legally required to disclose by a government authority, court of competent jurisdiction, or by law or to comply with the rules of a recognized stock exchange, but only to the extent required by such disclosure.
25.3 Upon the Disclosing Party’s written request at any time, the Recipient shall promptly return all Confidential Information to the Disclosing Party or certify in writing to the Disclosing Party that it has been destroyed.
25.4 This Article 25 does not preclude the Parties from disclosing Confidential Information to regulators or Mobile Operators in response to a request from such entities.
26. Data Protection
26.1 Each party shall adhere to applicable Data Protection Laws when processing Personal Data.
26.2 For the purposes of this section and the entire Master Services Agreement (MSA), “data” refers to any information provided, submitted, or uploaded by the Client or End Users in connection with the Service’s usage. This includes Personal Data provided to TalkyLabs by the Client or on the Client’s instructions or to which TalkyLabs gains access when fulfilling its obligations under this MSA.
26.3 TalkyLabs does not acquire any ownership rights to the data. However, TalkyLabs is permitted to generate aggregated statistical data on an anonymous basis regarding the Service’s usage.
26.4 TalkyLabs, as a service provider, stores Client Data for the Client. The Client is responsible for inputting, storing, and making Client Data available for retrieval when using the Services. The Client must refrain from uploading or using any illegal Client Data or Malicious Code in connection with the Services.
26.5 The Client remains the data controller within the meaning of Data Protection Laws and must ensure that the processing of data relating to the Service’s usage complies with Data Protection Laws. TalkyLabs acts as a data processor under Data Protection Law. If necessary, the Client and TalkyLabs shall enter into a data processing agreement to comply with Data Protection Laws.
26.6 To fulfill the terms of this MSA, the Client grants TalkyLabs the right to reproduce Client Data for storage in connection with the Service’s usage. This applies to the extent necessary for providing the Services under this MSA. Specifically, TalkyLabs is authorized to store Client Data in a backup system or separate backup data center. TalkyLabs is also authorized to modify the data structure or format to prevent failures.
26.7 TalkyLabs is permitted to process Client Data for billing and administrative purposes.
27. Termination And Survival
27.1 The terms and conditions of this Master Service Agreement (MSA) shall remain in force until the expiry or termination of all of the Service Addenda.
27.2 The right to terminate for good cause remains reserved.
27.3 This MSA may be terminated by:
- either party if the other party breaches any substantial obligations under this MSA or any applicable Service Addendum and fails to remedy such breach within ten (10) Business Days of receiving written notice of the breach.
- either party to the extent permissible by law if the other party ceases to trade, becomes insolvent, bankrupt, or undergoes a liquidation (except for solvent reconstruction or amalgamation) or has a receiver, administrator, trustee, or similar officer appointed in respect of all or part of its business and assets, or if any analogous event occurs under the laws of the place where that party is established or if that party otherwise ceases to be a validly existing corporation.
- either party if an event of Force Majeure occurs and it lasts for more than thirty (30) days.
- the Client within five (5) Business Days of receiving a price change notice served in accordance with Article 18.1.
- the Client within five (5) Business Days of becoming aware of modifications, made in accordance with Articles 2 and 15, to any of the following: this MSA, any applicable Service Addendum, the Dashboard, or the Site.
- TalkyLabs if the Client breaches its obligations under Articles 10 or 20.
- TalkyLabs if the Client undergoes a change of control.
27.4 Except for termination of this MSA in accordance with article 27.3, any Balance remaining after termination of this MSA will be repaid by TalkyLabs to Client within ten (10) Business Days of termination.
27.5 Provisions which explicitly or implicitly survive the termination of this MSA (e.g. the duty of confidentiality) shall not be affected by the termination and remain in full force. These articles include, but are not necessarily limited to the articles 18, 22, 24, 25, 26, 27, 28 and 33 that will survive any termination or expiration of this MSA.
28. Termination Effects
28.1 In the event of Client-initiated termination, the Client shall reimburse TalkyLabs for the agreed-upon fees until the MSA or the corresponding Service Addendum would have naturally expired or been properly terminated absent the termination.
28.2 Upon termination of the MSA, the Client’s right to access the Services shall cease immediately.
28.3 Termination of the MSA shall trigger immediate payment of all outstanding payment obligations incurred during the term of the MSA and each Service Addendum.
28.4 Termination of the MSA shall not preclude either Party from exercising any other remedies available under this MSA.
28.5 TalkyLabs shall return to the Client all documents and Client Data provided by the Client in connection with this MSA and currently in TalkyLabs’s possession. Upon written request from the Client, TalkyLabs shall transfer all Client Data to portable data carriers and hand them over to the Client. Following Client inspection of the data carrier, TalkyLabs shall erase all Client Data.
29. Assignment
29.1 The Client shall not assign or otherwise transfer this Master Services Agreement (MSA), in whole or in part, without the prior written consent of TalkyLabs. Any attempt by the Client to assign, delegate, or transfer this MSA shall be null and void.
29.2 TalkyLabs may assign this MSA, in whole or in part, without the consent of the Client. Subject to this Article 29, this MSA will be binding on both the Client and TalkyLabs and each of its successors and assigns.
30. Force Majeure
30.1 Either Party shall be excused from any delay or failure to perform its obligations under this Agreement if and only if such delay or failure is caused by events beyond the Party’s reasonable control, including acts of war, natural disasters, civil unrest, pandemics, epidemics, power outages, government restrictions, court orders, condemnations, Internet disruptions, or other events of a similar nature. This excuse shall apply only for the duration of the Party’s inability to perform and shall not excuse any delay or failure that extends beyond that period. The Party invoking this excuse shall promptly notify the other Party of the cause thereof and shall take all reasonable steps to remedy the situation as soon as possible.
31. Notices
31.1 All notices or other documents required or authorized by this Agreement may be served on Client at the address(es) and email address(es) provided during the Sign-up process.
31.2 All notices or other documents required or authorized by this Agreement may be served on TalkyLabs at: info@talkylabs.com.
31.3 Either Party may update its notice information by giving written notice to the other Party in accordance with this Article.
32. Governing Law
32.1 The Parties shall initially attempt to resolve any dispute through good faith negotiations. If the Parties are unable to reach a mutually agreeable resolution within thirty (30) days of the dispute arising, or within any other agreed-upon timeframe, the matter shall be exclusively resolved through arbitration.
32.2 This Agreement, and all matters arising out of or relating to this Agreement, shall be governed by and construed in accordance with the substantive laws of the province of Quebec, Canada.
32.3 Any dispute, controversy, or claim arising out of or in relation to this MSA, including its validity, invalidity, breach, or termination, shall be resolved by arbitration in accordance with the Rules of law applicable in Québec, Canada, in force on the date on which the notice of arbitration is submitted in accordance with these Rules.
32.4 The arbitration shall be conducted by a single arbitrator.
32.5 The arbitral proceedings shall be conducted in the French language. The English language remains an option if applicable.
33. General Provisions
33.1 A waiver of a default or breach of this MSA by either party will not constitute a waiver of any subsequent default or breach.
33.2 The Parties are independent contractors. This MSA does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties. Each Party is solely responsible for paying its employees and employment-related taxes.
33.3 This MSA, including the annexes and documents referred to in it, constitutes the entire agreement between the Parties regarding the subject matter hereof. This MSA supersedes all prior written or oral agreements or understandings related to the subject matters provided in this MSA.
33.4 The Parties may not issue press releases or other forms of promotion that mention the other in connection with this MSA announcing the Service without the prior written consent of the other.
33.5 If any provision of this MSA or any part of such provision is or becomes invalid, unenforceable, or missing, the other provisions of this MSA shall not be affected thereby. The invalid, unenforceable, or missing provision shall be replaced by a valid and enforceable provision, the effect of which comes as close as possible to the intended economic effect of the invalid, unenforceable, or missing provision.
33.6 Each Service Addendum to which reference is made herein or any services referenced on the Dashboard or the Site shall be deemed to be incorporated into this MSA by such reference.
Acceptable Use Policy
1. Definitions And Scope
Capitalized terms not defined herein have the meanings ascribed to them in the Master Service Agreement (MSA), or other similar written agreement between the Parties.
This Acceptable Use Policy (AUP) governs the Client’s and the End Users’ use of the Services.
If Customer or any End User violates this AUP, TalkyLabs may suspend Customer’s use of the Services. This AUP may be updated by TalkyLabs from time to time upon reasonable notice, which may be provided via Customer’s account, e-mail, or by posting an updated version of this AUP on the Site.
2. Acceptable Use Of Client And End Users
The Client, its Affiliates, and End Users agree to refrain from engaging in, authorizing, assisting, or enabling any third party to participate in any of the following prohibited activities:
- The Client and its Users shall comply with all applicable laws, regulations, and industry standards, including those governing telecommunications providers and service providers.
- The Client and its Users shall not engage in any activities that may damage, interfere with, overburden, or adversely affect the availability, reliability, or stability of TalkyLabs’s Services or third-party systems or networks related to the Services.
- The Client and its Users shall not attempt to circumvent or break any security mechanisms on TalkyLabs’s Services. They shall also refrain from using the Services in a manner that poses a security or other risk to TalkyLabs, its Affiliates, or other clients using the Services.
- The Client and its Users shall not engage in unauthorized testing, reverse engineering, decompiling, or benchmarking of TalkyLabs’s Services. They shall also not attempt to discover limitations or vulnerabilities in the Services or evade filtering capabilities.
- The Client and its Users shall not engage in fraudulent, deceptive, inaccurate, or misleading activities with respect to third parties. They shall also refrain from impersonating identities or identifiers, or bypassing legitimate identification systems.
- The Client and its Users shall not collect information about individuals, including email addresses or telephone numbers, under false pretenses or without complying with Applicable Laws, particularly Data Protection Laws. They shall also refrain from engaging in spamming, unsolicited advertising, marketing, or other harassing activities that infringe Applicable Laws.
- When forwarding messages or activities from a virtual number, the Client and its Users shall make a reasonable attempt to receive or answer those messages or activities. They shall not forward messages or activities to dead endpoints.
- The Client and its Users shall not use the Services in a manner that results in charges to TalkyLabs by third parties without TalkyLabs’s prior written consent in each instance.
Service Level Agreement
1. System Responsibilities – General Conditions
This Service Level Agreement (SLA) is applicable as from the Effective Date of the Master Service Agreement (MSA) and shall remain in force until amended or terminated in accordance with the MSA. This SLA outlines the service levels to which TalkyLabs commits itself. This service is provided subject to the terms and conditions as stipulated in the MSA. The availability commitment applies solely to the TalkyLabs Platform and does not extend to potential issues or technical problems related to Mobile Network Operators (MNOs) or any external connections. However, TalkyLabs will make every reasonable effort to deliver the highest possible quality of service, in line with industry standards. Additionally, TalkyLabs will utilize all possible means to provide prior notification to the Customer in the event of anticipated service disruptions. TalkyLabs endeavors to ensure that message transmission time through the TalkyLabs Platform up to delivery to or from TalkyLabs’s MNO connection is no more than 45 seconds. However, during periods of exceptional traffic, this time may be extended.
2. Definitions
- Actual Monthly Availability Percentage means (A-B)/A, where:
- A = Total Monthly Time (as defined below), and
- B = Unavailable Monthly Time (as defined below).
- Monthly Availability Percentage Threshold means the applicable percentage set forth in the table in Section 3 (Service Commitments) of this SLA under the heading, “Monthly Availability Percentage Threshold.”
- Service Credit means the credit that Customer is eligible to request pursuant to Section 5 (Service Credit Request) of this SLA if (a) the Actual Monthly Availability Percentage is less than the applicable Monthly Availability Percentage Threshold. A Service Credit is calculated by multiplying the applicable percentage set forth in Section 3 (Service Commitments) of this SLA by (i) the fees Customer actually incurs for the affected TalkyLabs Service APIs for the applicable calendar month.
- Total Monthly Time means the total number of minutes in the applicable calendar month.
- Unavailable Monthly Time means the number of minutes in the applicable calendar month during which the TalkyLabs Service APIs, as applicable, were unavailable for use. Unavailable Monthly Time does not include Excluded Monthly Times (as defined below).
3. Service Commitments
| Applicable APIs | Monthly Availability Percentage Threshold | Service Credit |
|---|---|---|
| Services APIs | 99.5% | 5% |
4. Status Notifications
Client has the option to subscribe to email notifications for status updates regarding TalkyLabs Service APIs at https://status.talkylabs.com/.
5. Service Credit Request
To request a Service Credit, customers must submit a request to Customer Support via the appropriate link: https://www.talkylabs.com/contact-us/. This request must be submitted within 30 days of the last day of the calendar month in which the customer alleges that TalkyLabs failed to meet the applicable Monthly Availability Percentage Threshold. All submissions must include the following information:
- Subject: “SLA Claim”
- Dates and times: Specify the dates and times of Unavailable.
- Documentation: Provide any supporting documentation that verifies the Unavailable Monthly Time.
6. Exclusions
Despite any other provisions in this Agreement, Unavailable Monthly Time will not be considered if it:
- is caused by factors beyond TalkyLabs’s reasonable control, including, but not limited to, telecommunications provider-related issues, Internet access problems beyond TalkyLabs’s network control, or force majeure events.
- results from actions or inactions of the Customer or any third party (excluding TalkyLabs’s agents or subcontractors).
- stems from the Customer’s applications, equipment, software, add-on services, or third-party technology (except for equipment directly controlled by TalkyLabs).
- occurs during TalkyLabs’s scheduled maintenance, for which TalkyLabs provides at least 24 hours’ notice.
- takes place during TalkyLabs’s emergency maintenance (essential for maintaining Services API integrity or operation), regardless of TalkyLabs’s prior notice.
- relates to TalkyLabs’s alpha, beta, not generally available, limited release, developer preview, or other experimental Services APIs.
- lasts for less than five (5) minutes of continuous unavailability (collectively, “Excluded Monthly Times”).
- No longer available or supported.
7. Exclusive Liability
The service credits specified in this SLA are TalkyLabs’s only and entire obligation to the Client and the Client’s sole and exclusive recourse for TalkyLabs’s failure to meet any Monthly Availability Percentage Threshold.
8. Amendments
TalkyLabs may amend this SLA from time to time. The effective date of any amendment will be indicated in the amended SLA. The then-current version of this SLA is available at https://www.talkylabs.com/legal/.
General Personal Data Protection Policy
1. Aim, Scope, and Applicability
In compliance with data protection regulations prevailing in the regions where TalkyLabs operates, this Policy outlines the fundamental principles guiding the Company’s handling of personal data, encompassing consumers, customers, suppliers, business partners, employees, and other individuals. It also delineates the responsibilities of TalkyLabs’s business units and employees in managing personal information.
This Policy is applicable to TalkyLabs and its directly or indirectly controlled wholly-owned subsidiaries conducting business within the European Economic Area (EEA) or processing personal data of individuals residing within the EEA.
This document is intended for all employees, both permanent and temporary, and all contractors engaged by TalkyLabs.
2. Reference Documents
- EU GDPR 2016/679
- Relevant national law or regulation for GDPR implementation
- Local laws and regulations
- Employee Personal Data Protection Policy
- Data Retention Policy
- Data Subject Access Request Procedure
- Data Protection Impact Assessment Guidelines
- Cross Border Personal Data Transfer Procedure
- Information security policies
- Breach Notification Procedure
3. Definitions
The following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation:
- Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Sensitive Personal Data: Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- Data Controller: The natural or legal person, public authority, agency or any other body which alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.
- Processing: A series of actions performed on personal data or sets of personal data, whether manually or automatically, such as gathering, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying the data.
- Anonymization: Irreversible removal of identifying information from personal data, rendering it impossible for anyone, using reasonable time, cost, and technology, to identify the person to whom the data originally belonged. Anonymized data is no longer considered personal data and is not subject to the same privacy protections.
- Pseudonymization: The processing of personal data in a way that it cannot be associated with a specific data subject without additional information. This additional information must be kept separately and subject to technical and organizational measures to prevent the personal data from being associated with an identified or identifiable natural person. Pseudonymization reduces the risk of linking personal data to a data subject, but it does not eliminate it entirely. Because pseudonymized data is still personal data, it is subject to the same data protection principles as identifiable personal data.
- Cross-border processing of personal data: Processing of personal data that takes place in the context of a controller or processor having operations in multiple Member States of the European Union. This can either be processing that takes place across different establishments of the controller or processor, or processing that takes place within a single establishment but affects or is likely to affect data subjects in multiple Member States of the European Union.
- Supervisory Authority: An independent public body established by a Member State in accordance with Article 51 of the EU GDPR.
- Lead Supervisory Authority: The supervisory authority primarily responsible for handling cross-border data processing activities, such as complaints from data subjects regarding their personal data processing. It is responsible for receiving data breach notifications, being notified of risky processing activities, and exercising full authority to ensure compliance with the EU GDPR.
- Local Supervisory Authority: Each Member State maintains a local supervisory authority that oversees data processing activities within its territory. These authorities monitor local data processing that affects data subjects or is conducted by EU or non-EU controllers or processors whose processing targets data subjects residing in their territory. Their responsibilities include conducting investigations, applying administrative measures and fines, promoting public awareness of data protection risks and rights, and accessing the premises and equipment of controllers and processors.
- Main establishment as regards a controller: If a controller has establishments in more than one Member State, the main establishment is the place of its central administration in the Union. However, if the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, the latter establishment may be considered to be the main establishment.
- Main establishment as regards a processor: If a processor has establishments in more than one Member State, the main establishment is the place of its central administration in the Union. If the processor has no central administration in the Union, the main establishment is the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation.
- Group undertaking: A group undertaking is any holding company together with its subsidiary.
4. Fundamental Principles of Personal Data Processing
Organizational entities handling personal data must adhere to a set of core principles outlined in Article 5(2) of the General Data Protection Regulation (GDPR). These principles establish the foundation for responsible and compliant data handling practices.
4.1. Lawfulness, Fairness, and Transparency
Personal data processing must be conducted in conformity with legal requirements and uphold fairness and transparency towards individuals. This entails obtaining explicit consent from data subjects or relying on other legitimate grounds for processing.
4.2. Purpose Limitation
Personal data collection and processing must be confined to specific, explicit, and legitimate purposes. Any subsequent use of the data must align with the original intent and not deviate in a manner that conflicts with the initial objectives.
4.3. Data Minimization
The amount of personal data collected, processed, and stored should be proportionate to the intended purposes. Organizations should only collect and retain data that is necessary and relevant for achieving their objectives. Anonymization or pseudonymization techniques can be employed to reduce the risk to individuals.
4.4. Accuracy
Personal data must be accurate and up-to-date. Reasonable efforts should be made to ensure the correctness of information, promptly rectifying any inaccuracies identified.
4.5. Storage Period Limitation
Personal data should not be retained for longer than is necessary to fulfill the purposes for which they were collected and processed. Organizations must establish retention periods and adopt mechanisms to securely delete or anonymize obsolete data.
4.6. Integrity And Confidentiality
Data controllers must implement appropriate technical and organizational measures to safeguard personal data from unauthorized access, disclosure, alteration, or destruction. These measures should consider the state of technology, the costs of implementation, the likelihood and severity of potential risks.
4.7. Accountability
Data controllers bear the responsibility for ensuring compliance with the aforementioned principles. They must demonstrate their commitment to data protection by documenting their processing activities, establishing control mechanisms, and implementing accountability measures.
5. Integrating Data Protection Into Business Processes
To ensure compliance with data protection principles, organizations should embed data protection practices into their core business processes.
5.1. Data Subject Notification
(Refer to the Fair Processing Guidelines section for detailed instructions.)
5.2. Data Subject Choice And Consent
(Refer to the Fair Processing Guidelines section for detailed instructions.)
5.3. Data Collection
The Company should collect only the minimum amount of personal data necessary for its legitimate purposes.
5.4. Data Purpose, Use, Retention, And Disposal
The Company’s data processing activities must align with the information disclosed in the General Data Protection Notice. The Company must maintain the accuracy, integrity, confidentiality and relevance of personal data based on the processing purpose. Adequate security measures must be implemented to safeguard personal data from unauthorized access, use, or disclosure. The Company is responsible for compliance with the requirement listed above.
5.5. Disclosure To Third Parties
When utilizing third-party service providers or business partners to process personal data on behalf of the Company, the Company must ensure that these processors implement appropriate security measures. For this purpose, the Processor GDPR Compliance Questionnaire must be used.
The Company must contractually stipulate that third-party processors adhere to the same data protection standards as the Company. Third-party processors may only utilize personal data to fulfill their contractual obligations to the Company or upon explicit instructions and cannot process data for any other purposes. In cases involving joint processing with independent third parties, the Company must clearly define respective responsibilities in the relevant contract or legal document (e.g., Supplier Data Processing Agreement).
5.6. Cross-Border Transfer Of Personal Data
Prior to transferring personal data outside the European Economic Area (EEA), the Company must employ adequate safeguards, including the execution of a Data Transfer Agreement (DTA) as mandated by the European Union. If required, authorization from the relevant Data Protection Authority (DPA) must be obtained. The entity receiving the transferred personal data must comply with the principles of data processing outlined in the Cross-border Data Transfer Procedure.
5.7. Data Subject Rights Of Access
When acting as a data controller, the Company is responsible for providing data subjects with a reasonable access mechanism to enable them to access their personal data, and must allow them to update, rectify, erase, or transmit their personal data, if appropriate or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.
5.8. Data Portability
Data Subjects have the right to receive, upon request, a copy of the data they provided to us in a structured format and to transmit those data to another controller, for free. The company is accountable for ensuring that such requests are processed within one month, are not excessive and do not affect the rights to personal data of other individuals.
5.9. Right To Be Forgotten
Data subjects have the right to request the deletion of their personal data from the Company’s systems. When acting as a data controller, the Company must take necessary actions, including technical measures, to inform third parties who utilize or process the data to comply with the request.
6. Fair Processing Guidelines
Personal data must be processed only when explicitly authorized by the Chief Executive Officer (CEO), Chief Technology Officer (CTO), or Chief Information Security Officer (CISO).
The company must determine whether to perform a Data Protection Impact Assessment (DPIA) for each data processing activity, in accordance with the DPIA Guidelines.
6.1. Notices To Data Subjects
Upon collection or before collecting personal data for any type of processing activities, including but not limited to selling products or services, or marketing activities, the customer’s sales representative or account manager is responsible for properly informing data subjects of the following information:
- The types of personal data collected
- The purposes of the processing
- Processing methods
- The data subjects’ rights with regard to their personal data
- The retention period
- Potential international data transfers
- Whether the data will be shared with third parties, and
- The company’s security measures to protect personal data
This information is provided through a General Data Protection Notice (GDPN).
In the event that personal data is being shared with a third party, the Security&Compliance Office is responsible for ensuring that data subjects have been notified of this through a GDPN.
Where personal data is being transferred to a third country, in accordance with the Cross Border Data Transfer Policy, the GDPN should reflect this and clearly state to which country and entity the personal data is being transferred.
In the event that sensitive personal data is being collected, the CISO or CTO is responsible for ensuring that the GDPN explicitly states the purpose for which this sensitive personal data is being collected.
6.2. Obtaining Consents
Whenever personal data processing is based on the data subject’s consent, or other lawful grounds, the customer’s sales representative is responsible for obtaining it and submitting it to the Security&Compliance Office for retention of such consent. The customer’s sales representative is also responsible for providing data subjects with options to provide consent and must inform them that their consent can be withdrawn at any time.
When data subjects request to correct, amend, or destroy their personal data records, the CISO is responsible for ensuring that these requests are handled within a reasonable time frame. The Security&Compliance Office is also responsible for recording the requests and maintaining a log of them.
Personal data must only be processed for the purpose for which they were originally collected. If the company wants to process collected personal data for another purpose, the company must seek the consent of its data subjects in clear and concise writing. Any such request should include the original purpose for which the data was collected, as well as the new or additional purpose(s). The reason for the change in purpose(s) should also be included. The Data Protection Officer is responsible for complying with the rules in this paragraph.
Going forward, the CISO and CTO are responsible for ensuring that collection methods comply with relevant law, good practices, and industry standards.
The Security&Compliance Office is responsible for creating and maintaining a Register of the General Data Protection Notices.
7. Organization And Responsibilities
The key areas of responsibilities for processing personal data lie with the following organisational roles:
- Individuals: Every individual who works for or with the Company and has access to personal data processed by the Company is responsible for ensuring appropriate personal data processing.
- Security&Compliance Office: This office makes decisions about and approves the Company’s general strategies on personal data protection.
- Chief Information Security Officer (CISO): The CISO is responsible for managing the personal data protection program and developing and promoting end-to-end personal data protection policies.
- Legal Affairs Office: Together with the CISO, the Legal Affairs Office monitors and analyzes personal data laws and changes to regulations, develops compliance requirements, and assists business departments in achieving their personal data goals.
- IT Manager: With support from the Security&Compliance Office, the IT Manager is responsible for:
  - Ensuring all systems, services, and equipment used for storing data meet acceptable security standards.
  - Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Marketing Manager: With support from the CISO, the Marketing Manager is responsible for:
  - Approving any data protection statements attached to communications such as emails and letters.
  - Addressing any data protection queries from journalists or media outlets like newspapers.
  - Working with the Security&Compliance Office to ensure marketing initiatives abide by data protection principles when necessary.
- Human Resources Manager: With support from the CISO, the Human Resources Manager is responsible for:
  - Enhancing employee awareness of user personal data protection.
  - Organizing personal data protection expertise and awareness training for employees working with personal data.
  - Ensuring end-to-end employee personal data protection. This includes ensuring that employees’ personal data is processed based on the employer’s legitimate business purposes and necessity.
- Procurement Manager: With support from the CISO, the Procurement Manager is responsible for:
  - Transferring personal data protection responsibilities to suppliers.
  - Increasing suppliers’ awareness of personal data protection.
  - Ensuring that personal data requirements are cascaded down to any third parties used by a supplier.
  - Reserving the Company’s right to audit suppliers.
8. Guidelines for Establishing the Lead Supervisory Authority
8.1. Necessity to Establish the Lead Supervisory Authority
Identifying a Lead Supervisory Authority is only necessary if the Company carries out cross-border processing of personal data.
Cross-border processing of personal data occurs when:
- Data is processed by subsidiaries of the Company that are located in other member states of the European Union (EU), or
- Data is processed by a single establishment of the Company in the EU, but the processing is likely to have a significant impact or is already having a significant impact on data subjects in more than one member state.
If the Company only has establishments in one member state and its processing activities only affect data subjects in that member state, there is no need to establish a lead supervisory authority. The sole competent authority will be the Supervisory Authority in the member state where the Company is legally established.
8.2. Main Establishment And The Lead Supervisory Authority
8.2.1. Main Establishment For The Data Controller
The Security&Compliance Office (SCO) must identify the Company’s main establishment so that the lead supervisory authority can be determined.
If the Company is based in an EU member state and makes decisions regarding cross-border processing activities at its central administration, there will be a single lead supervisory authority for the Company’s data processing activities.
If the Company has multiple establishments that operate independently and make decisions about the purposes and means of processing personal data, the Company’s management must acknowledge that there may be more than one lead supervisory authority.
8.2.2. Main Establishment For The Data Processor
When the Company is acting as a data processor, its main establishment will be the location of its central administration. If the Company’s central administration is not located in the EU, its main establishment will be the establishment in the EU where the main processing activities take place.
8.2.3. Main Establishment For Non-EU Companies For Data Controllers and Processors
If the Company does not have a main establishment in the EU but does have subsidiaries in the EU, the local supervisory authority is the competent authority.
If the Company does not have a main establishment in the EU or subsidiaries in the EU, it must appoint a representative in the EU. The competent authority will be the local supervisory authority in the member state where the representative is located.
9. Response To Personal Data Breach Incidents
Upon becoming aware of a suspected or actual personal data breach, the Security&Compliance Office shall initiate an internal investigation and implement remedial actions promptly, adhering to the provisions of the Data Breach Policy. If the breach poses a threat to the rights or liberties of data subjects, the Company shall notify the pertinent data protection authorities without undue delay, ideally within a 72-hour window.
10. Audit And Accountability
The Security&Compliance Office is responsible for monitoring the implementation of this Policy within all business departments.
Any employee found to be in violation of this Policy may face disciplinary action. Additionally, employees who engage in conduct that violates applicable laws or regulations may be subject to civil or criminal penalties.
11. Conflicts Of Law
This Policy is designed to comply with the laws and regulations in effect in the country where TalkyLabs is established, as well as in any other countries where TalkyLabs operates. In the event of any conflict between this Policy and such laws or regulations, the latter shall govern.
12. Managing Records Kept On The Basis Of This Document
| Record Name | Role/Department Responsible For Storage | Controls For Record Protection | Retention Time |
|---|---|---|---|
| Data Subject Consent Forms | Security And Compliance Office | Only Authorized Persons May Access The Forms | 10 Years |
| Data Subject Consent Withdrawal Form | Security And Compliance Office | Only Authorized Persons May Access The Folder | 10 Years |
| Supplier Data Processing Agreements | Legal Affairs Office | Only Authorized Persons May Access The Folder | 5 Years After The Agreement Has Expired |
13. Validity And Document Management
This document is valid as of 2024.01.05.
The owner of this document is the CISO, who must check and, if necessary, update the document at least once a year.
Information Security Policy
1. Purpose, Scope, and Users
The purpose of this Policy is to establish the foundation for TalkyLabs’s Information Security Management System (ISMS) by defining the overarching goals, principles, and fundamental guidelines for information security management.
This Policy encompasses the entire ISMS, as outlined in the ISMS Scope Document. It applies to all TalkyLabs employees and relevant external parties involved in handling TalkyLabs’s information assets.
This Policy is intended for use by all TalkyLabs employees, as well as relevant external parties who handle TalkyLabs’s information assets.
2. Reference Documents
This Policy draws upon the following reference documents for guidance and alignment:
- ISO/IEC 27001 standard, clauses 5.2 and 5.3
- ISMS Scope Document
- Risk Assessment and Risk Treatment Methodology
- Statement of Applicability
- List of Legal, Regulatory, and Contractual Obligations
3. Basic Information Security Terminology
To ensure a common understanding of information security concepts, this Policy defines the following key terms:
- Confidentiality: The state of being kept secret or private. In information security, confidentiality refers to protecting sensitive information from unauthorized access or disclosure.
- Integrity: The state of being complete and uncorrupted. In information security, integrity refers to ensuring that information remains accurate, reliable, and unaltered from its original state.
- Availability: The state of being accessible and ready for use when needed. In information security, availability refers to ensuring that information and systems are accessible to authorized users when required.
- Information security: The practice of protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to maintain its confidentiality, integrity, and availability.
- Information Security Management System (ISMS): A structured set of processes and procedures that enable an organization to effectively manage its information security risks.
4. Managing Information Security
4.1. Objectives and Measurement
The Information Security Management System (ISMS) has the following general objectives:
- To create a secure environment for hosting third-party (customer) sensitive information.
- To establish procedures to mitigate the risk of information misuse due to human interaction with such data.
- To implement technical safeguards to minimize the likelihood of unauthorized external access to information.
- To maintain a strong brand reputation and minimize the potential damage caused by security incidents.
These objectives align with the organization’s overall business goals, strategy, and plans. The objectives may be reviewed periodically to ensure their continued relevance and alignment with evolving business needs.
5. Validity and Document Management
This document is valid as of 2024.01.05.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
- The number of employees and external parties who have a role in the ISMS but are not familiar with this document;
- The extent to which the ISMS complies with the laws, regulations, contracts, and other internal documents of the organization;
- The effectiveness of the implementation and maintenance of the ISMS;
- The clarity of the responsibilities for the implementation of the ISMS.
