Data Processing Agreement

Last updated: May 28, 2025

This Data Processing Addendum ("DPA") is governed by and part of the Terms of Service (the "Agreement," which includes this DPA) between you as a subscriber ("you" or "Subscriber") and Sloane (Sloane is the d/b/a for ECM One, LLC) ("Sloane," "us" or "we") and sets forth the terms and conditions relating to Processing of Personal Information through your use of the Services. The parties agree to comply with the terms and conditions in this DPA in connection with such Processing of Personal Information. All capitalized terms not defined herein have the same meaning set forth in the Agreement.

1. Data Processing Terms

1.1 Purpose and Scope
This Data Processing Addendum ("DPA") forms part of the Terms of Service between ECM One, LLC d/b/a Sloane ("Processor") and the entity or individual agreeing to the Terms of Service ("Controller") (together, the "Parties").

This DPA applies to the processing of personal data provided by the Controller to the Processor in connection with the Services, as defined in the Terms of Service.

1.2 Nature of the Processing
The Processor will process personal data solely for the purpose of providing the Services to the Controller, which may include call routing, voicemail transcription, calendar scheduling, and AI-assisted responses.

1.3 Duration of Processing
The processing will continue for the duration of the Controller's use of the Services and as otherwise required by applicable laws or the Terms of Service.

1.4 Roles of the Parties
The Parties acknowledge and agree that, with respect to personal data, the Controller determines the purposes and means of processing, and the Processor acts solely on behalf of the Controller and according to its instructions.

1.5 Compliance with Laws
Each Party will comply with all applicable laws, including data protection and privacy laws, in connection with its performance under this DPA.

2. Definitions

For the purposes of this DPA:

"Controller" means the entity that determines the purposes and means of the processing of Personal Data. In the context of this DPA, the Controller is the Customer as defined in the Terms of Service.

"Processor" means the entity that processes Personal Data on behalf of the Controller. In the context of this DPA, the Processor is ECM One, LLC d/b/a Sloane.

"Data Subject" means an identified or identifiable natural person whose Personal Data is being processed.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller under the Agreement.

"Processing" (and its derivatives) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

"Applicable Data Protection Law" means all data protection and privacy laws and regulations applicable to the processing of Personal Data under this DPA, which may include, as applicable: (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (ii) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CPRA"); (iii) the Virginia Consumer Data Protection Act ("VCDPA"); (iv) Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"); and (v) any other similar laws applicable to the processing activities conducted pursuant to the Agreement.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller in accordance with this DPA.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by the Processor.

3. Processor Obligations

3.1 Instructions from Controller
The Processor will process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. If the Processor is required to process Personal Data by applicable law, it shall inform the Controller of that legal requirement before processing, unless prohibited by law.

3.2 Confidentiality
The Processor shall ensure that all persons authorized to process Personal Data are bound by confidentiality obligations and have received appropriate training on data protection.

3.3 Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:

  • Pseudonymization and encryption;
  • Ensuring ongoing confidentiality, integrity, availability, and resilience of systems and services;
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

3.4 Assistance to Controller
Taking into account the nature of the processing, the Processor shall assist the Controller in fulfilling its obligations to respond to requests for exercising Data Subjects' rights under Applicable Data Protection Law. This includes access, rectification, erasure, restriction, objection, and data portability, as applicable.

3.5 Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a Data Breach. Such notification shall include all information necessary for the Controller to meet its obligations under Applicable Data Protection Law.

3.6 Data Protection Impact Assessments and Prior Consultation
Taking into account the nature of the processing and the information available, the Processor shall assist the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities, where required by Applicable Data Protection Law.

4. Sub-processing

4.1 Authorization of Sub-processors
The Controller authorizes the Processor to engage Sub-processors to process Personal Data in connection with the Services, provided that the Processor enters into a written agreement with each Sub-processor that imposes data protection obligations equivalent to those set out in this DPA.

4.2 List of Current Sub-processors
The Processor shall make available to the Controller an up-to-date list of Sub-processors upon request. The list shall include the identities of the Sub-processors and a description of their processing activities.

4.3 Changes to Sub-processors
The Processor shall provide the Controller with reasonable advance notice (which may be provided via email or dashboard notification) of any intended changes concerning the addition or replacement of Sub-processors. The Controller may object to such changes on reasonable data protection grounds within ten (10) calendar days of receiving notice. If the Controller objects, the Processor will use reasonable efforts to address the Controller's concerns. If the Controller and Processor cannot reach a mutually agreeable resolution, the Controller may terminate the relevant Services.

4.4 Liability for Sub-processors
The Processor shall remain fully liable for the acts and omissions of its Sub-processors to the same extent the Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

5. International Transfers

5.1 Geographic Scope
The Controller acknowledges that the Processor and its Sub-processors may process Personal Data in jurisdictions outside of the jurisdiction where the Controller or Data Subjects are located, including in the United States.

5.2 Adequacy Mechanisms
Where Personal Data originating from the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland is transferred to a country that has not been recognized by the European Commission or other relevant authority as providing an adequate level of data protection, such transfer shall be governed by appropriate safeguards, including the Standard Contractual Clauses adopted by the European Commission or other lawful transfer mechanisms under Applicable Data Protection Law.

5.3 Standard Contractual Clauses (SCCs)
If and to the extent the parties rely on the SCCs as a data transfer mechanism, the Processor shall comply with their terms. The parties agree to incorporate the SCCs into this DPA as necessary to comply with international data transfer laws. Specific module configurations or supplementary measures may be agreed upon separately or detailed in an appendix.

5.4 Obligations to Notify
The Processor shall notify the Controller without undue delay if it becomes aware that it can no longer meet its obligations under the SCCs or other applicable data transfer mechanisms.

6. Data Subject Rights

6.1 Assistance with Requests
Taking into account the nature of the processing, the Processor shall assist the Controller, by appropriate technical and organizational measures, insofar as possible, in fulfilling its obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law.

6.2 Notification of Requests
If the Processor receives a request directly from a Data Subject relating to Personal Data processed on behalf of the Controller, the Processor shall promptly notify the Controller and shall not respond to such request except on the documented instructions of the Controller, unless otherwise required by applicable law.

6.3 Timely Cooperation
The Processor shall provide the Controller with reasonable cooperation and assistance in relation to the handling of Data Subject rights requests, including access, rectification, erasure, restriction, data portability, and objection rights, as required by Applicable Data Protection Law.

7. Return or Deletion of Data

7.1 Controller Instructions Upon Termination
Upon termination or expiration of the Services, the Processor shall, at the choice of the Controller, delete or return all Personal Data processed on behalf of the Controller, unless otherwise required by applicable law to retain such data.

7.2 Deletion Procedures
Unless the Controller instructs otherwise, the Processor shall delete all Personal Data within thirty (30) days following the termination of the Agreement. Deletion shall be performed using secure deletion procedures in accordance with industry standards.

7.3 Exceptions to Deletion
Notwithstanding the foregoing, the Processor may retain copies of Personal Data as required by applicable law, or as necessary for legal, accounting, or compliance purposes, provided such data is subject to appropriate confidentiality and data protection safeguards.

8. Audit Rights

8.1 Audit Requests
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

8.2 Audit Conditions
Audits shall be subject to reasonable advance notice (no less than thirty (30) days), conducted during regular business hours, and carried out in a manner that minimizes disruption to the Processor's operations. Audits shall not unreasonably interfere with the Processor's day-to-day activities and may be subject to the Controller entering into a confidentiality agreement with the Processor.

8.3 Frequency and Scope
Unless required by a regulatory authority or in response to a Data Breach or material non-compliance, the Controller may not audit more than once per twelve (12) month period.

8.4 Costs of Audit
The Controller shall bear its own costs and expenses related to the audit. If the audit requires significant Processor resources beyond normal cooperation, the Controller may be required to reimburse the Processor for reasonable associated costs.

9. Liability and Indemnity

9.1 Limitation of Liability
Each Party's liability arising out of or related to this DPA (whether in contract, tort, or under any other theory of liability) is subject to the limitations and exclusions of liability set forth in the Agreement, except to the extent such limitation is prohibited by Applicable Data Protection Law.

9.2 Indemnity
Each Party shall indemnify, defend, and hold harmless the other Party from and against any losses, liabilities, damages, claims, penalties, fines, or expenses (including reasonable attorneys' fees) arising out of or relating to a breach of this DPA by the indemnifying Party, or its Sub-processors or affiliates, to the extent permitted by Applicable Data Protection Law.

10. Miscellaneous

10.1 Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions set forth in the Agreement, unless otherwise required by Applicable Data Protection Law.

10.2 Order of Precedence
In the event of any conflict or inconsistency between this DPA and the Agreement, the terms of this DPA shall prevail with respect to the subject matter of data processing, unless otherwise expressly stated.

10.3 Amendments
This DPA may be amended only in writing signed by both Parties, except where changes are required to comply with Applicable Data Protection Law, in which case the Processor may update the DPA and provide notice to the Controller.

10.4 Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

10.5 Survival
Provisions of this DPA that, by their nature, should survive termination of the Agreement (including but not limited to those concerning data retention, confidentiality, audit rights, and liability) shall so survive.