Privacy Policy

Last Updated: May 05, 2026

This Privacy Policy ("Policy") explains how AmberNexus and our affiliates (together, "AmberNexus", "we", "our", or "us") process Personal Data (defined below) of individuals who access or use our Services or otherwise engage with AmberNexus.

This Policy also explains your rights and choices about how we use your Personal Data, including how you may be able to access or update certain information about you. Where processing is based on consent, and to the extent permitted by law, by using the Services or otherwise engaging with AmberNexus, you consent to the use of your Personal Data as described in this Policy.

Definitions; Scope

Definitions

Personal Data means any information relating to an identified or identifiable individual, such as an individual's name, address, telephone number, or email address. In certain jurisdictions, this may also be referred to as "Personal Information." In South Africa, the term "Personal Information" is defined in and governed by the Protection of Personal Information Act, 4 of 2013 ("POPIA"), and AmberNexus processes such information as a Responsible Party in accordance with POPIA. Other capitalised terms not defined herein shall have the meanings ascribed to them in our Terms of Service.

Voice Data means audio recordings and derived data generated in connection with your use of the Services, including call recordings, voice inputs, synthesised audio outputs, and call transcripts. Depending on where you reside and how we use your Voice Data, applicable law may define Voice Data as biometric data. We do not use Voice Data to infer characteristics about an individual beyond what is necessary to provide the Services.

Input means text, audio, or other content you or an End Customer provides to the Services. Output means content generated by the Services in response to an Input, including synthesised voice responses. End Customer means an individual who interacts with a voice agent deployed by a business using the Services via a telephone number provisioned through the Services or via browser-based interfaces.

Scope

This Policy applies only when AmberNexus acts as a responsible party (i.e., a data controller or data fiduciary) under applicable law, including where AmberNexus provides Services directly to individual users or businesses. When we process Personal Data strictly on behalf of enterprise or business customers, we act as a service provider or data processor and our use of Personal Data is governed by the Data Processing Addendum in the customer's agreement.

Categories of Personal Data We Collect

Personal Data You Provide to Us

Account & Contact Details

When you request access to our Services or an Administrator creates an account on your behalf, we may collect contact and account-related information including your name, email address, country or region, and any message you provide describing your intended use of the Services. After approval, we send a secure, time-limited link to create an account password; users are required to update their password on first login. Access is limited according to assigned Administrator permissions.

Outbound Call Numbers

When our Services are used to make outbound calls, we process the destination telephone numbers provided for initiating and routing those calls. This information is stored only to deliver the outbound calling functionality and is processed in accordance with this Policy.

Services Input & Output

We process Inputs (voice, text, or other content) and generate Outputs (synthesised audio, transcripts, or other responses). Any Personal Data contained in Inputs or Outputs is processed according to this Policy. The available modalities depend on your account configuration.

Audio Recordings and Voice Data

We collect and process Voice Data (audio and derived transcripts) to provide the voice agent services. When call recording is enabled by an Administrator, call audio is stored securely in our cloud storage (Amazon S3). We do not enable carrier-level call recording on our telecommunications providers; Twilio and Plivo do not retain call recordings on AmberNexus's behalf. Administrators are responsible for ensuring end-customer notice and consent where required by law.

Feedback and Communications

If you contact us, express interest in our Services, or provide feedback, we collect the information you provide (name, email, message content, attachments). We may track email opens to improve communications and service delivery.

Other Information You Provide

We may collect additional information you volunteer through events, beta programmes, or other engagements, which may be subject to additional terms.

Personal Data We May Otherwise Collect From You and/or Your Device

Information from Cookies and Similar Technologies

We and our partners use cookies, pixel tags, SDKs, and similar technologies to collect information about your interactions with our Services. See the "Your Cookie Choices" section for details. Categories of data collected via these technologies include:

  • Location information inferred from IP address or other signals (consent requested where required).
  • Device information such as browser type, operating system, and device identifiers.
  • Usage information regarding pages viewed, features used, and timestamps.

Personal Data We Collect from Third Parties

Information from Service Providers

We may receive Personal Data from third-party service providers for verification, enrichment, KYC/AML checks, or other purposes as permitted by law.

Telephony and Communications Data

When you use a provisioned telephone number, we may receive call metadata from our telecommunications providers (timestamps, duration, caller identifiers, geographic indicators) necessary to deliver the Services. If you withhold required Personal Data, you may be unable to use certain features; we will notify you when data is required by law or contract.

Personal Data and AmberNexus Voice Services

AmberNexus processes Voice Data to enable speech recognition, synthesis, and conversational AI functionality. This includes real-time transcription and response generation using our speech-to-text and text-to-speech providers. Voice Data is processed only to the extent necessary to operate the Services and to improve performance when permitted by contract and law.

When call recording is enabled, recordings are stored securely in AmberNexus's cloud storage (Amazon S3). Telecommunications providers do not retain call recordings on our behalf. We do not use Voice Data to infer characteristics about individuals beyond what is necessary to provide the Services.

Content Moderation and Account Suspension

AmberNexus does not proactively review all Inputs and Outputs. However, we may review content to protect the security and integrity of the Services, for fraud prevention, or to comply with legal obligations. We may share Inputs or Outputs with third parties for moderation or safety purposes where required. Accounts that violate our Acceptable Use Policy may be suspended or terminated in accordance with the Terms of Service.

Purposes of Processing Personal Data and Legal Basis

The table below summarises the principal purposes for which we process Personal Data when we act as a controller, and the legal basis for each purpose. Where we rely on legitimate interests, you may have the right to object as described in Section 8.

| Purpose | Description | Legal Basis |
| --- | --- | --- |
| Providing the Services | To operate, maintain, and provide the features and functionality of the AmberNexus platform as requested by you and outlined in our Terms of Service. | Necessary to enter into or perform our contract with you. |
| Ingesting & Processing Voice Data | To collect audio streams and process voice inputs via our sub-processors (e.g., speech-to-text transcription) necessary to enable the AI voice agent functionality. | Necessary to fulfill the service requested by the Administrator. |
| Generating Synthesised Audio | To generate and output synthesised audio responses (text-to-speech) necessary to operate the voice agent and facilitate dynamic conversations. | Necessary to fulfill the service requested by the Administrator. |
| Storing Call Recordings & Transcripts | To securely store call audio and transcripts in our cloud infrastructure (e.g., Amazon S3) strictly when enabled by the Administrator. AmberNexus disables carrier-level recording. Processing is subject to applicable notice and consent requirements managed by the Administrator. | Processed on behalf of the Administrator's legitimate interest (quality assurance, compliance). Where required by law, this relies on the End Customer's explicit consent, obtained by the Administrator. |
| Personalising the Experience | To tailor your experience on the platform, including saving preferences and suggesting content, configurations, or features relevant to your usage. | Necessary for our legitimate interest in optimising user experience. (Or Consent, where explicitly requested). |
| Platform Communications & Support | To communicate operational updates, respond to inquiries, provide technical support, diagnose system errors, and deliver customer service. | Necessary to fulfill support obligations and for our legitimate interest in maintaining customer relationships. |
| Marketing Communications | To send prospective and current users promotional materials, newsletters, and information about new products or features that may be of interest. | Provided explicitly by you. (Or Legitimate Interest for existing customers, subject to applicable anti-spam laws allowing soft opt-ins). |
| Billing and Accounting | To process payments, manage subscriptions, and maintain financial records associated with your use of the Services. | Necessary to fulfill billing terms and comply with standard accounting laws. |
| Security and Fraud Prevention | To monitor for, detect, and prevent unauthorised access, malicious activity, deceptive practices, or abuse of the AmberNexus platform and its associated APIs. | Necessary to safeguard our infrastructure, protect users, and maintain the integrity of our Services. |
| Analytics and Usage Tracking | To analyse trends, monitor platform performance, understand how the Services are utilised, and inform the development of new features and products. | Necessary for our legitimate interest in conducting business intelligence and improving our technology. |
| Data Aggregation & Anonymisation | To generate de-identified, anonymised, or aggregated datasets for research, product improvement, and statistical analysis. We will not attempt to re-identify this data unless required by law. | Necessary for our legitimate interest in enhancing AI models and platform capabilities without compromising individual privacy. |
| Legal and Administrative Compliance | To enforce our Terms of Service, defend our legal rights, address administrative disputes, and respond to lawful requests from law enforcement or regulatory bodies. | Necessary to comply with statutory requirements and protect our legal rights. |

We only rely on our legitimate interests to process your Personal Data when we determine that these interests are not overridden by your rights and interests. When we use your information because we have a legitimate interest to do so, you may have the right to object to that use.

Data Recipients

Your Personal Data may be shared with:

  • Affiliates. We may share any Personal Data we receive with our current or future affiliates for any of the purposes described in this Privacy Policy.
  • Vendors and Service Providers. We may share your Personal Data with third-party vendors and service providers who provide services such as website hosting, cloud infrastructure, data storage, voice and telephony services, speech-to-text transcription, text-to-speech synthesis, AI and language model services, web application firewall and security services, customer relationship management, messaging and communication services, customer support, email delivery, auditing, and payment processing. A current list of our service providers and sub-processors is maintained at ambernexus.ai/subprocessors.
  • Telecommunications Service Providers. Where you interact with the Services via a provisioned telephone number, call metadata (such as timestamps, duration, and caller identifiers) is processed by our telecommunications service providers, which may include Twilio, Plivo, and/or SIP-based telephony providers. AmberNexus does not enable call recording at the telecommunications service provider level; call recordings are stored solely within AmberNexus's own cloud storage infrastructure (Amazon S3).
  • Web Security Providers. We use Cloudflare, Inc. to provide web application firewall (WAF) services and DDoS mitigation. Cloudflare may process limited metadata such as IP addresses, request headers, and traffic patterns. Cloudflare does not access or store call recordings, transcripts, or voice data.
  • Messaging and Communication Providers. We use WhatsApp Business (operated by Meta Platforms, Inc.) to facilitate communication with users regarding Nexus lead follow-ups and service-related notifications. Where you engage with us via WhatsApp, we may process your phone number, name, message content, and related metadata. WhatsApp messages are end-to-end encrypted by default.
  • Customer Relationship Management. We use Zoho CRM (operated by Zoho Corporation Pvt. Ltd.) for lead generation and customer relationship management. Personal Data processed in Zoho CRM may include names, email addresses, phone numbers, company information, and interaction history.
  • Payment Processing Providers. We use Amber Pay for payment processing and gateway services. Amber Pay is PCI DSS Level 1 compliant and routes transactions through PowerTranz, a Mastercard-owned payment gateway. Cardholder data is tokenised at the point of capture. We do not store raw card numbers, CVVs, or magnetic stripe data on our systems.
  • Business Administrators. Platform Administrators of your organisation may access call logs, transcripts, recordings (where recording is enabled), and user account data within the scope of their assigned permissions. Administrators are responsible for ensuring that their own use of such data complies with applicable law.
  • As Required by Law and Similar Disclosures. We may access, preserve, and disclose your Personal Data to law enforcement agencies, regulatory bodies, and public authorities if we believe doing so is required or appropriate to: (a) comply with law enforcement requests and legal process; or (b) protect your, our, or others' rights, property, or safety.
  • Merger, Sale, or Other Asset Transfers. We may disclose your Personal Data to service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction such as a merger, acquisition, or sale of assets.
  • Other Data Recipients. We may also disclose your information to other third parties where we have received your consent to do so.

International Data Transfers

We maintain hosting and server locations primarily in the United States. This means we may transfer your Personal Data outside your country, state, or province of residence, depending on your location at that time. Regardless of your location, Personal Data may be transferred to the United States for storage and processing.

The data will be transferred for the time required to fulfil the purpose for which it is processed. It may be shared with our service providers and affiliates for the purposes listed in Section 3. In such cases, AmberNexus is the controller of the data, and the service providers are processors or sub-processors, as the case may be.

Depending on where you reside, we apply appropriate protections when we transfer your Personal Data outside of your country of residence. These protections may include:

  • Transferring Personal Data to countries which have been found to provide adequate protection by the competent authorities;
  • Using contractual protections, such as Standard Contractual Clauses approved by the European Commission, for the transfer of Personal Data;
  • For residents of India, complying with the requirements of the Digital Personal Data Protection Act, 2023 and rules made thereunder regarding cross-border data transfers;
  • For residents of Jamaica, complying with the requirements of the Data Protection Act, 2020 regarding international transfers;
  • For residents of South Africa, complying with the requirements of the Protection of Personal Information Act ("POPIA") and, where applicable, obtaining authorisation from the Information Regulator of South Africa for cross-border transfers in accordance with Section 72 of POPIA; or
  • Obtaining your express consent.

For more information about how we transfer Personal Data, or to obtain a copy of the contractual safeguards we use for such transfers to the extent applicable laws afford such right, please contact us using the details in the "Contact Us" section below.

Please note that the data protection laws in the locations where we transfer or process data may differ from those in your area. While the data is in another jurisdiction, it may be accessed by the courts, law enforcement, and national security authorities of that jurisdiction.

Data Retention

We take measures to delete your Personal Data or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are required or permitted by law to keep this information for a longer period. When determining the specific retention period, we consider various factors, such as the type of service provided to you, the nature and length of our relationship with you, and mandatory retention periods provided by law and any relevant statute of limitations.

The following table summarises the principal retention periods that apply to Personal Data processed in connection with our Services, including the periods applied by our key sub-processors:

| Data Category | Retained By | Retention Period |
| --- | --- | --- |
| Call Recordings & Transcripts (Audio and text logs of conversations) | AmberNexus (via Amazon S3) | Up to 3 years from the date of the call. Administrators may configure shorter retention periods via the Platform settings. Transcripts are generated and stored strictly when the transcript feature is enabled; if disabled, no transcript content is generated or retained. |
| Call Audio Processing (Speech-to-text inference) | Deepgram, Inc.; ElevenLabs Inc. (Scribe v2) | Deepgram: Zero retention for audio. Audio streams are processed ephemerally in real time and are not stored post-inference. ElevenLabs (Scribe v2): Data permanently erased upon account or data deletion. Backups retained for up to 50 days, then automatically erased. Zero Retention Mode available for enterprise. |
| Synthesised Voice Outputs (Text-to-speech inference) | ElevenLabs Inc. (Flash v2.5) | Data permanently erased upon account or data deletion. Backups retained for up to 50 days, then automatically erased. Zero Retention Mode available for enterprise (no data held after job completion). |
| Telecommunications Metadata (Timestamps, duration, phone numbers, status) | Twilio Inc. | Up to 13 months (400 days). Call Detail Records (CDRs) are retained for billing, analytical, and operational purposes. Note: AmberNexus strictly prohibits and explicitly disables all audio recording functionality on this provider's infrastructure. |
| Telecommunications Metadata (Timestamps, duration, phone numbers, status) | Plivo Inc. | Up to 90 days (Unredacted) / Up to 7 years (Anonymised). Unredacted CDRs are retained for operational purposes for 90 days. Subsequently, data is anonymised/redacted and retained for up to 7 years strictly to fulfil legal, regulatory, and taxation obligations. Note: AmberNexus strictly prohibits and explicitly disables all audio recording functionality on this provider's infrastructure. |
| Transactional Emails & OTPs (Email addresses, delivery metadata, routing) | Mailgun Technologies, Inc. | Up to 3 days (Message Bodies) / Up to 30 days (Event Logs). Message bodies are securely purged after 3 days. Email event logs and delivery metadata are retained for up to 30 days for deliverability tracking and diagnostics. |
| LLM Inference Data (Conversation context passed to AI model) | Google LLC (Gemini / Vertex AI) | Zero retention. Customer context and prompts are processed ephemerally for API fulfilment and are not retained beyond the duration of the API request, subject to AmberNexus's enterprise opt-outs for caching and logging. Google explicitly does not use submitted Customer Content to train its foundation models. |
| Account & Administrative Data (Name, email, region, access logs) | AmberNexus (via Amazon S3 / AWS) | Duration of the active agreement + up to 3 years. Retained for the lifetime of the account relationship. Following account closure or termination, data is securely retained for up to 3 years for legal, auditing, and compliance purposes, unless a shorter deletion period is legally mandated or specifically requested by the customer. |
| CRM Data (Names, emails, phone numbers, company, interaction history) | Zoho Corporation Pvt. Ltd. (Zoho CRM) | Retained for the duration of the active CRM relationship. Data deleted upon account closure or upon request, subject to Zoho's data processing terms. |
| Messaging Data (Phone numbers, names, message content, metadata) | Meta Platforms, Inc. (WhatsApp Business) | Messages are end-to-end encrypted. Metadata retained per Meta's Business Data Processing Terms. AmberNexus retains conversation records for up to 1 year for lead follow-up purposes. |
| Web Security Metadata (IP addresses, request headers, traffic patterns) | Cloudflare, Inc. (WAF) | Logs retained for up to 72 hours for real-time threat detection. Enterprise logs may be retained for up to 30 days. Cloudflare does not store application-layer content. |
| Payment Transaction Data (Tokenised card data, transaction amounts, billing addresses, settlement metadata) | Amber Pay (via PowerTranz) | Card numbers tokenised at capture and never stored in original form. Transaction records retained for up to 7 years per financial regulatory and card scheme requirements. Purged upon account closure and expiry of regulatory obligations. PCI DSS Level 1 compliant. |

Call recording on the telecommunications service provider platforms (Twilio and Plivo) is not enabled by AmberNexus. All call recordings generated through the Services are stored solely within AmberNexus's cloud storage infrastructure (Amazon S3) and are subject to AmberNexus's retention policy as described above. Where the Platform supports it, Administrators may configure shorter retention periods for recordings and transcripts. Please refer to the Platform documentation or contact your account manager for details on available retention controls.

When you submit a deletion request, we will use commercially reasonable efforts to delete or anonymise your Personal Data held within our own systems, subject to any legal obligations to retain certain records. With respect to Personal Data held by our sub-processors, we will forward your deletion request to the relevant provider in accordance with the applicable Data Processing Agreement. Please note that the ability to action deletion requests may be subject to the sub-processor's own data retention obligations, technical limitations, and contractual terms. We cannot guarantee the deletion of data held across all third-party sub-processors within a specific timeframe.

Your Cookie Choices

Cookies and similar technologies are used to collect information about users and their activities on a website or application. We and our third-party partners may use Cookies to collect information about your online activities over time and across different services.

The information collected via Cookies may include unique identifiers, system information, IP address, web browser, device type, and the web pages that you visit just before or just after you use the Services, as well as information about your interactions with the Services, such as the date and time of your visit and where you have clicked. More information about the data categories and elements collected using Cookies can be found in Section 2.2.

For full details about the specific cookies we use, their purposes, retention periods, and how to manage your preferences, please refer to our Cookie Policy.

Your Rights

Data Subject Rights

Depending on where you are located or reside, you may have certain rights regarding the Personal Data we maintain about you and certain choices about what Personal Data we collect from you, how we use it, and how we communicate with you. Such rights may include the rights to:

  • Access Your Personal Data - Receive confirmation of processing and request access to the Personal Data we maintain about you. Where provided by applicable law, you may request that we include a description of the purpose of the processing of your Personal Data, third parties with which your data has been shared, and information regarding the safeguards for international data transfer.
  • Correct Your Personal Data - Request to update and correct inaccuracies in your Personal Data.
  • Delete Your Personal Data - Request that AmberNexus delete the Personal Data we maintain about you, including your account and the Voice Data associated with your account. Where provided by applicable law, you may request that your Personal Data be anonymised rather than deleted.
  • Restrict or Object to Processing - Restrict or object to the processing of your Personal Data, where applicable.
  • Request Portability - Request to transfer your Personal Data to another authorised organisation.
  • Withdraw Consent - You may withdraw any consent you previously provided to us regarding the processing of your Personal Data at any time. We will apply your preferences going forward, and this will not affect the lawfulness of processing that occurred before you withdrew your consent.
  • Unsubscribe from Marketing Communications - You may unsubscribe from receiving marketing communications at any time by following the unsubscribe instructions in the relevant communication or by contacting us as described in Section 13. Please be aware that, if you opt out, you will continue to receive administrative messages from us regarding our Services.
  • Anonymisation - To the extent provided by law, you may ask to have your Personal Data anonymised rather than deleted. Where anonymisation is not feasible, we will inform you of the reasons.
  • Right to Information About Shared Entities - To the extent provided by law, you may have the right to be informed about the entities with which we share your Personal Data.

You may exercise these rights, as applicable, by contacting us using the details set out in Section 13 ("Contact Us"). Before fulfilling your request, we may ask you to provide reasonable information to verify your identity and/or residence. Please note that applicable law may provide for exceptions and limitations to each of these rights.

In addition to the rights listed above, you may also have the right to lodge a complaint with a supervisory authority, including in your country of residence, place of work, or where an incident took place.

Residents of India

If you are a Data Principal residing in India, in addition to the rights in Section 8.1, you have the following additional rights under the Digital Personal Data Protection Act, 2023 ("DPDPA"):

  • Right to Nominate - You have the right to nominate any individual who will exercise the rights available to you in case of your death or incapacity. Nominations may be submitted to us at the contact address in Section 13.
  • Right to Know - You have the right to know what Personal Data is being processed about you, the identity of all Data Fiduciaries and Data Processors who have processed it, and the grounds for each processing activity.
  • Right to Grievance Redressal - You have the right to contact us about how we process your Personal Data, our obligations in relation to such Personal Data, and your rights regarding such data. You may exercise this right by contacting us as described in Section 13. If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India once constituted.

AmberNexus acknowledges its obligations as a Data Fiduciary under the DPDPA 2023 and will comply with all rules and regulations issued thereunder, including those relating to the Consent Manager framework upon its operationalisation.

Residents of Jamaica

If you are a data subject residing in Jamaica, in addition to the rights in Section 8.1, you have the following additional rights under the Data Protection Act, 2020:

  • Right of Subject Access - Receive confirmation that Personal Data about you is being processed, and obtain a description of the data held, the purposes of processing, and information about third parties to whom it has been or may be disclosed.
  • Right to Prevent Processing Likely to Cause Damage or Distress - Submit a written notice requiring AmberNexus to cease, or not to begin, processing your Personal Data for specified reasons where that processing is likely to cause you substantial unwarranted damage or distress.
  • Right to Prevent Automated Decision-Making - Request human review of decisions made solely by automated means where those decisions significantly affect you.
  • Right to Rectification, Blocking, Erasure, or Destruction - Request that inaccurate Personal Data be corrected, blocked, erased, or destroyed, and that third parties to whom the data was disclosed be notified accordingly.

AmberNexus is committed to compliance with the Data Protection Act, 2020 of Jamaica and the oversight of the Office of the Information Commissioner (OIC).

Residents of South Africa

If you are a Data Subject residing in South Africa, in addition to the rights described in Section 8.1, you have the following rights under the Protection of Personal Information Act, 4 of 2013 ("POPIA"). AmberNexus acts as the Responsible Party in respect of your Personal Information processed under this Policy.

  • Right of Access (Section 23) - You have the right to request confirmation of whether we hold Personal Information about you, and to access that information, including the identity of third parties who have had access to it.
  • Right to Correction or Deletion (Section 24) - You have the right to request correction of inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully obtained Personal Information. Where correction is not appropriate, you may request deletion or destruction of that information.
  • Right to Object to Processing (Section 11(3)) - Where we process your Personal Information based on our legitimate interests, you have the right to object to such processing on reasonable grounds relating to your particular situation. You also have the right to object at any time to the processing of your Personal Information for the purposes of direct marketing.
  • Right to Complain to the Information Regulator (Section 74) - If you believe that AmberNexus has processed your Personal Information in violation of POPIA, you have the right to submit a complaint to the Information Regulator of South Africa.

Residents of the EEA, Switzerland, and the United Kingdom

If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the full suite of rights under the General Data Protection Regulation (GDPR) and UK GDPR respectively, including all rights described in Section 8.1. You also have the right to lodge a complaint with your local data protection supervisory authority. In the United Kingdom, the relevant authority is the Information Commissioner's Office (ICO).

Third Parties

Our Services may contain links to other websites, products, or services that we do not own or operate. We are not responsible for the privacy practices of these third parties. Please be aware that this Privacy Policy does not apply to your activities on these third-party services or any information you disclose to these third parties. We encourage you to read their privacy policies before providing any information to them.

Where our Services interact with third-party platforms or service providers (including our telecommunications and cloud service providers), such providers operate under their own terms of service and privacy policies. AmberNexus is not responsible for the independent data practices of those providers. For details on the sub-processors we engage and their applicable data retention periods, please refer to our Sub-Processor List available at ambernexus.ai/subprocessors.

Security

We implement reasonable and appropriate technical and organisational measures to secure and protect your Personal Data against unauthorised access, disclosure, alteration, or destruction. These measures include encryption of data in transit and at rest, access controls, audit logging, and regular security assessments. An up-to-date description of our security controls is available at Security Controls.

As no electronic transmission or storage of information can be entirely secure, we cannot make absolute guarantees as to the security or privacy of your information, to the extent permitted by applicable law. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals, within the timeframes prescribed by applicable law. For Data Subjects in South Africa, this includes notifying the Information Regulator of South Africa and the affected Data Subjects (unless their identity cannot be established) as soon as reasonably possible after becoming aware of the compromise, in accordance with Section 22 of POPIA. Note that POPIA imposes no minimum harm threshold — any reasonable grounds to believe that Personal Information has been accessed or acquired by an unauthorised person triggers the notification obligation to both the Information Regulator and affected Data Subjects.

Children's Privacy

Our Services are not intended for or directed at children under the age of 18, and AmberNexus does not knowingly collect, store, or process Personal Data from children under the age of 18. However, as our Services involve voice communications, there may be instances where a person under the age of 18 participates in a call incidentally (for example, by answering a telephone). In such cases, any Personal Data incidentally captured will be processed solely to the extent necessary to deliver the Service and will be deleted upon our becoming aware of such collection, in accordance with applicable law. If you believe that Personal Data of a minor has been incidentally processed through our Services, please contact us at the address in Section 13.

Updates to this Policy

We may periodically update this Policy to reflect changes in our data processing practices, legal obligations, or the Services. If there are significant changes, we will notify you as required by law, for example, by sending an email to the address associated with your account, or by displaying a notice on our Platform, at least fourteen (14) days before the change takes effect. Continued use of the Services following such notice constitutes acceptance of the revised Policy, to the extent permitted by applicable law.

Contact Us

For any questions regarding this Policy or our processing of your Personal Data, please contact our Data Protection Officer or Privacy Team at:

Email (General / DPO): privacy@myambergroup.com

You may exercise your rights by emailing us at the applicable address above. Please include the right you would like to exercise in the subject line (e.g., "Right of Access Request") and note the country or region in which you reside. Before fulfilling your request, we may ask you to provide reasonable information to verify your identity and/or residence.

Sub-Processors

Effective Date: May 05, 2026

Overview

AmberNexus engages third-party sub-processors to assist in providing our Services. This page lists all sub-processors that may process personal data on behalf of our customers, the types of data they process, and their geographic location.

All sub-processors are bound by Data Processing Agreements that require them to:

  • Process data only according to our instructions.
  • Implement and maintain appropriate technical and organisational security measures.
  • Notify us promptly of any personal data breaches.
  • Delete or return personal data upon termination of services.
  • Engage further sub-processors only with our prior written consent.

AmberNexus undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy, and confidentiality practices of proposed sub-processors prior to engagement.

Current Sub-Processors

Infrastructure & Hosting

| Sub-Processor | Service | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, application hosting, object storage (S3), and compute services | All service data including voice recordings, transcripts, account data, user configurations, system configurations, call metadata, and conversation metadata | United States |

AI & Voice Services

| Sub-Processor | Service | Data Processed | Location |
|---|---|---|---|
| Deepgram, Inc. | Real-time speech-to-text (STT) transcription of call audio for voice agent processing | Call audio streams (processed transiently); API usage logs (request metadata only) | United States |
| ElevenLabs Inc. | AI voice synthesis (text-to-speech via Flash v2.5) and real-time speech-to-text transcription (Scribe v2) | Text inputs, synthesised audio outputs, voice configuration data, call audio streams (STT inference via Scribe v2) | United States, Netherlands, Singapore |
| Google LLC (Gemini LLM) | Large language model (LLM) inference for natural language understanding and response generation | Transcribed speech text, conversation context, session metadata | United States / Global |

Communication Services

| Sub-Processor | Service | Data Processed | Location |
|---|---|---|---|
| Google LLC (Gmail / Workspace) | Internal business email and workspace communications for AmberNexus personnel | Email addresses, names, internal communication content | United States |
| Mailgun Technologies, Inc. (Sinch Group) | Transactional notification and OTP email delivery to users and administrators; used only for operational emails | Email addresses, names, notification and OTP message content, delivery metadata | United States |

Telephony & Voice Channel Services

| Sub-Processor | Service | Data Processed | Location |
|---|---|---|---|
| Twilio Inc. | SIP telephony routing and phone number provisioning for call delivery | Call audio (routing only), phone numbers, call timestamps, duration, call status metadata | United States |
| Plivo Inc. | PSTN telephony routing and phone number provisioning for call delivery | Call audio (routing only), phone numbers, call timestamps, duration, call status metadata | Global |

CRM & Lead Management

| Sub-Processor | Service | Data Processed | Location |
|---|---|---|---|
| Zoho Corporation Pvt. Ltd. (Zoho CRM) | Customer relationship management platform for lead generation, pipeline management, and customer engagement tracking | Names, email addresses, phone numbers, company information, interaction history, lead status, communication logs | United States, EU, India |

Messaging Services

| Sub-Processor | Service | Data Processed | Location |
|---|---|---|---|
| Meta Platforms, Inc. (WhatsApp Business) | Messaging and lead follow-up communications with users regarding Nexus lead management | Phone numbers, names, message content, conversation metadata, read receipts, delivery status | United States, EU |

Web Security

| Sub-Processor | Service | Data Processed | Location |
|---|---|---|---|
| Cloudflare, Inc. | Web application firewall (WAF) and DDoS mitigation for protecting web-facing services and APIs | IP addresses, HTTP request headers, traffic patterns, limited connection metadata (no application-layer content) | Global |

Payment Processing

| Sub-Processor | Service | Data Processed | Location |
|---|---|---|---|
| Amber Pay (via PowerTranz) | Payment processing and payment gateway services | Cardholder names, card numbers (tokenised), transaction amounts, billing addresses, transaction metadata | Caribbean |

Sub-Processor Details

Amazon Web Services (AWS)

Entity: Amazon Web Services, Inc.
Parent Company: Amazon.com, Inc.
Category: Infrastructure & Hosting
Purpose: Primary cloud infrastructure provider for application hosting, data storage (including voice recordings stored in Amazon S3), compute services, and database management.
Data Types: All customer data, including personal data, voice recordings, call transcripts, call metadata, account data, and usage logs.
Location: United States (primary), data may be stored in other AWS regions as configured.
Certifications: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, CSA STAR.
Privacy Policy: Privacy Policy
DPA: AWS Global Data Processing Addendum (incorporated into AWS Service Terms)
Sub-processor List: Subprocessor
Data Retention: AWS S3 does not impose a fixed vendor-side retention period. Retention is entirely controlled by AmberNexus via S3 Lifecycle Policies. AmberNexus retains call recordings and transcripts for up to 3 years from the date of the call.

Deepgram, Inc.

Entity: Deepgram, Inc.
Category: AI & Voice Services
Purpose: Provides real-time automatic speech recognition (ASR / speech-to-text) for transcribing call audio into text as part of the AmberNexus voice agent pipeline. Deepgram processes audio streams in real time during each call and returns transcript data; it does not store audio or transcripts after processing is complete.
Data Types: Call audio streams (processed transiently during the call); API usage logs containing request metadata (e.g. timestamps, duration, request identifiers). Audio content is not stored.
Location: United States (primary). EU endpoint is available for data residency requirements but is not currently used by AmberNexus.
Certifications: SOC 2 Type I & Type II, HIPAA (BAA available), GDPR, CCPA, PCI DSS.
Privacy Policy: Privacy Policy
Security & Compliance: Trust Center
Data Retention: Audio streams are processed ephemerally and are not stored post-transcription, ensuring zero retention for call audio and transcripts. API logs (metadata only) may be retained for up to 90 days.
Note: Deepgram does not use Customer Content submitted via the API to train its models unless a customer explicitly opts into the Model Improvement Programme.

ElevenLabs Inc.

Entity: ElevenLabs Inc.
Category: AI & Voice Services
Purpose: Provides AI-powered voice synthesis (text-to-speech via Flash v2.5 model) and real-time speech-to-text transcription (via Scribe v2 realtime model) for AmberNexus voice agents.
Data Types: Text inputs submitted for synthesis, synthesised audio outputs, voice configuration and model data, call audio streams (for speech-to-text inference via Scribe v2).
Location: United States (primary), processing may also occur in the Netherlands and Singapore.
Privacy Policy: Privacy Policy
DPA: ElevenLabs Data Processing Addendum
Trust Center: Compliance Center
Data Retention: Data is permanently erased upon account deletion or when the customer deletes data. Backups are retained for up to a maximum of 50 days, after which they are automatically erased. This applies to both the ElevenLabs Scribe v2 realtime model (STT) and the ElevenLabs Flash v2.5 model (TTS). Zero Retention Mode is available for enterprise customers, in which case no data is held once the requested job is completed.
Note: Voice data may be used by ElevenLabs for AI model improvement. An opt-out is available via ElevenLabs account settings or upon request to ElevenLabs support. Under Zero Retention Mode, data is not retained after processing.

Google LLC (Gemini LLM)

Entity: Google LLC
Parent Company: Alphabet Inc.
Category: AI & Voice Services
Purpose: Provides large language model (LLM) inference for natural language understanding, intent recognition, and generation of conversational responses within AmberNexus voice agents.
Data Types: Transcribed speech text, conversation context and history, session metadata passed to the model for inference.
Location: United States and other Google Cloud regions globally.
Certifications: ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS.
Privacy Policy: Privacy Policy
DPA: Google Cloud Data Processing Addendum
Sub-processor List: Subprocessor
Data Retention: Customer context and prompts are processed ephemerally for API fulfillment and are not retained beyond the duration of the API request, subject to AmberNexus's enterprise opt-outs for data caching and abuse monitoring logs. Google explicitly does not use submitted Customer Content via the Google Cloud API to train its foundation models. Refer to the Google Cloud Data Processing Addendum for full details.

Google LLC (Gmail / Google Workspace)

Entity: Google LLC
Parent Company: Alphabet Inc.
Category: Communication Services
Purpose: Internal business email and collaboration tooling used by AmberNexus personnel for operational and administrative communications.
Data Types: Email addresses, names, internal communication content.
Location: United States
Certifications: ISO 27001, SOC 1/2/3, FedRAMP.
Privacy Policy: Privacy Policy
DPA: Google Workspace Data Processing Amendment
Data Retention: Retention of internal email and workspace data is entirely controlled by AmberNexus as the Google Workspace administrator. Google does not independently impose a retention period on workspace data.

Mailgun Technologies, Inc.

Entity: Mailgun Technologies, Inc.
Parent Company: Sinch Group
Category: Communication Services
Purpose: Transactional email delivery for customer-facing notifications and one-time passwords (OTPs) only. Mailgun is not used for marketing communications.
Data Types: Recipient email addresses, names, email subject lines and OTP/notification message content, email delivery metadata.
Location: United States
Privacy Policy: mailgun.com/legal/privacy-policy
DPA: Mailgun Data Processing Addendum
Data Retention: Email message bodies (including notification and OTP content) are securely purged after 3 days. Email event logs (delivery status, timestamps, bounce records) are retained for up to 30 days.

Twilio Inc.

Entity: Twilio Inc.
Category: Telephony & Voice Channel Services
Purpose: Provision and management of SIP telephone numbers and PSTN call routing services. Twilio enables End Customers to reach AmberNexus-powered voice agents via standard telephone calls.
Data Types: Call audio streams (for routing only), caller and called phone numbers (retained in call detail records), call timestamps and duration, call status metadata. Call recordings are not retained by Twilio on AmberNexus’s behalf.
Location: United States
Certifications: ISO 27001, SOC 2 Type II, PCI DSS Level 1.
Privacy Policy: twilio.com/en-us/legal/privacy
DPA: Twilio Data Protection Addendum
Sub-processor List: SubProcessors
Data Retention: Call detail records (metadata) retained for up to 13 months (400 days) by default, per Twilio's data access policy. TwiML and request inspector logs retained for 30 days. Full data retention overview available at Twilio Data Retention & Deletion. Call recordings are not enabled on the Twilio platform by AmberNexus and are therefore not retained by Twilio.
Note: Call recording at the Twilio platform level is disabled by AmberNexus. All recordings are stored exclusively in AmberNexus's Amazon S3 infrastructure and governed by AmberNexus's own retention policy.

Plivo Inc.

Entity: Plivo Inc.
Category: Telephony & Voice Channel Services
Purpose: Provision and management of PSTN telephone numbers and call routing services as an alternative or supplementary telephony provider.
Data Types: Call audio streams (for routing only), caller and called phone numbers, call timestamps and duration, call status metadata. Call recording at the Plivo platform level is not enabled.
Location: Global (United States, India, and other regions).
Certifications: ISO 27001, SOC 2 Type II.
Privacy Policy: Privacy Policy
Data Retention: Call detail records (CDRs) retained in Plivo's transactional databases for 90 days from the date of creation. Call recordings are not enabled at the Plivo level. Anonymised or aggregated usage data may be retained for up to 7 years for compliance and audit purposes.
Note: Call recording at the Plivo platform level is disabled by AmberNexus. All recordings are stored exclusively in AmberNexus's Amazon S3 infrastructure.

Zoho Corporation Pvt. Ltd. (Zoho CRM)

Entity: Zoho Corporation Pvt. Ltd.
Category: CRM & Lead Management
Purpose: Customer relationship management platform used by AmberNexus for lead generation, pipeline management, and customer engagement tracking.
Data Types: Names, email addresses, phone numbers, company information, interaction history, lead status, and communication logs.
Location: United States, EU, and India (data centre selected based on customer region configuration).
Certifications: SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018.
Privacy Policy: zoho.com/privacy.html
DPA: Zoho Data Processing Addendum (incorporated into Zoho Terms of Service)
Data Retention: Data retained for the duration of the active CRM relationship. Deleted upon account closure or upon request, subject to Zoho's data processing terms and applicable backup retention periods.

Meta Platforms, Inc. (WhatsApp Business)

Entity: Meta Platforms, Inc.
Parent Company: Meta Platforms, Inc.
Category: Messaging Services
Purpose: WhatsApp Business is used to facilitate communication with users regarding Nexus lead follow-ups, service-related notifications, and customer engagement.
Data Types: Phone numbers, names, message content, conversation metadata, read receipts, and delivery status.
Location: United States, EU (per Meta's data centre policy and regional configuration).
Privacy Policy: whatsapp.com/legal/business-policy
DPA: Meta Business Data Processing Terms
Data Retention: WhatsApp messages are end-to-end encrypted by default. Metadata is retained per Meta's Business Data Processing Terms. AmberNexus retains conversation records for up to 1 year for lead follow-up purposes.
Note: WhatsApp Business is used solely for lead follow-up and service communications. Marketing messages are not sent via WhatsApp without user consent.

Cloudflare, Inc.

Entity: Cloudflare, Inc.
Category: Web Security
Purpose: Provides web application firewall (WAF) services and DDoS mitigation for protecting AmberNexus web-facing services and APIs against application-layer threats.
Data Types: IP addresses, HTTP request headers, traffic patterns, and limited connection metadata. Cloudflare does not access or store call recordings, transcripts, voice data, or application-layer content.
Location: Global (Cloudflare processes traffic at data centres worldwide for WAF and DDoS inspection).
Certifications: SOC 2 Type II, ISO 27001, ISO 27018, PCI DSS Level 1, FedRAMP.
Privacy Policy: cloudflare.com/privacypolicy
DPA: Cloudflare Data Processing Addendum
Data Retention: Real-time security logs retained for up to 72 hours for threat detection and analysis. Enterprise log retention may extend to 30 days. Cloudflare does not store application-layer content or Personal Data beyond what is necessary for security analysis.

Amber Pay (via PowerTranz)

Entity: Amber Pay Limited
Payment Gateway: PowerTranz (a Mastercard company)
Category: Payment Processing
Purpose: Payment processing and payment gateway services for AmberNexus. Amber Pay provides PCI DSS-compliant payment acceptance, processing, and settlement services. Transactions are routed through PowerTranz, a Mastercard-owned payment gateway operating in the Caribbean and Americas region.
Data Types: Cardholder names, card numbers (tokenised at point of capture), transaction amounts and currency, billing addresses, transaction reference identifiers, payment status and settlement metadata.
Location: Caribbean and United States. Payment transactions are processed through PowerTranz data centres with primary operations in the Caribbean region.
Certifications: PCI DSS Level 1 (Amber Pay). PowerTranz is a PCI DSS Level 1 certified payment gateway and a Mastercard subsidiary.
Website: myamberpay.com
Payment Gateway: powertranz.com
Data Retention: Card numbers are tokenised at point of capture and are never stored in their original form. Transaction records are retained for the period required by applicable financial regulations and card scheme rules (typically up to 7 years for audit and chargeback purposes). Tokenised payment data is purged upon account closure and expiry of regulatory retention obligations.
Note: Amber Pay does not store raw card numbers, CVVs, or magnetic stripe data. All sensitive cardholder data is tokenised and encrypted in transit via TLS 1.2+. PowerTranz, as a Mastercard subsidiary, operates under Mastercard's global security and compliance standards.

Data Transfer Safeguards

For sub-processors located outside your jurisdiction, we implement appropriate safeguards for the international transfer of personal data:

| Safeguard | Applicable To |
|---|---|
| Standard Contractual Clauses (SCCs) | All non-EEA sub-processors processing personal data of EEA residents |
| UK International Data Transfer Agreement (IDTA) | Sub-processors processing personal data of UK residents |
| EU-U.S. Data Privacy Framework | Certified US-based sub-processors where applicable |
| Data Processing Agreements (DPAs) | All sub-processors, across all jurisdictions |
| DPDPA Cross-Border Transfer Compliance | Sub-processors processing personal data of residents of India, pursuant to the Digital Personal Data Protection Act, 2023 |
| Jamaica Data Protection Act Compliance | Sub-processors processing personal data of residents of Jamaica, pursuant to the Data Protection Act, 2020 |
| POPIA Section 72 Compliance | Sub-processors processing personal data of residents of South Africa, subject to adequate protection or binding agreements ensuring equivalent protection to POPIA |
| Zoho Data Processing Addendum | Zoho CRM sub-processor, covering data processed for CRM and lead management purposes |
| Meta Business Data Processing Terms | WhatsApp Business sub-processor, covering messaging data processed for lead follow-up communications |
| Cloudflare Data Processing Addendum | Cloudflare WAF sub-processor, covering web security metadata processed for firewall and DDoS mitigation |

Changes to Sub-Processors

Notification Process

We may update our sub-processors from time to time. When we add or replace a sub-processor that processes personal data:

  • We will update this page with the new sub-processor details and the effective date of the change.
  • Enterprise customers with Data Processing Agreements in place will receive email notification at least 30 days prior to the change becoming effective.
  • Changes become effective 30 days after the date of posting, unless otherwise agreed in writing.

Objection Process

If you have legitimate concerns about a new or replacement sub-processor on grounds related to data protection or data security:

  • Contact us at privacy@myambergroup.com within 30 days of the date of notification.
  • We will work with you in good faith to address any legitimate data protection or security concerns.
  • If concerns cannot be resolved, you may within 30 days of concluded negotiations terminate the affected Services upon written notice.

Contact

For questions about our sub-processors or to request copies of Data Processing Agreements:

Email: privacy@myambergroup.com

Address: Data Protection Officer, Amber Connect Limited, 5th Floor, 13, Haining Road, Kingston 5, Jamaica.

Terms of Service

Effective Date: March 19, 2026

Amber Nexus ("AMBER NEXUS"), a division of Amber Innovations Limited

AMBER NEXUS Terms of Service

These AMBER NEXUS Terms of Service ("Terms") are between you ("you" or "your") and Amber Innovations Limited ("AMBER NEXUS", "we", "us", or "our"). By accessing or using our Services (defined below) in any way, or by completing the account registration process, you agree to be bound by these Terms. These Terms apply to your access to and use of Amber Nexus Services (including mobile applications) and products accessible via our application programming interfaces (APIs), or otherwise made available to you by us (the "Services").

We may indicate that different or additional terms, conditions, guidelines, policies, or rules apply in relation to your access to and use of some or all of our Services ("Supplemental Terms"), including:

  • Conversational AI Terms, which apply to your use of certain Services ("Annexure A");
  • The Voice Library Terms, which apply to your use of our Voice Library Service ("Annexure B");
  • Any other terms and conditions disclosed within the Services, such as restrictions relating to use of a User Voice Model (defined below).

Any Supplemental Terms become part of your agreement with us if you use the applicable Services, and if there is a conflict between these Terms and the Supplemental Terms, the Supplemental Terms will control for that conflict.

1. Eligibility and Use Restrictions

(a) Age.

Our Services are not intended for or directed at children under the age of 18, and AmberNexus does not knowingly collect, store, or process Personal Data from children under the age of 18. However, as our Services involve voice communications, there may be instances where a person under the age of 18 participates in a call incidentally (for example, by answering a telephone). In such cases, any Personal Data incidentally captured will be processed solely to the extent necessary to deliver the Service and will be deleted upon our becoming aware of such collection, in accordance with applicable law. If you believe that Personal Data of a minor has been incidentally processed through our Services, please contact us at the address in the Privacy Policy.

(b) Authorization.

If you register, access or use our Services on behalf of another person or entity, (i) all references to "you" throughout these Terms (other than in this Section 1(a)) will include that person or entity, (ii) you represent that you are authorized to enter into these Terms on that person's or entity's behalf, and (iii) in the event you or that person or entity violates these Terms, that person or entity also agrees to be responsible to us. If you are an entity using any Services pursuant to these Terms, you are responsible for your employees' and representatives' use of the Services, including ensuring they comply with these Terms.

(c) Use Restrictions.

Your access to and use of the Services and your use of any Output (defined below) must comply with these Terms. Without limiting the foregoing: (i) if you access or use our Services free of charge (such a user, a "Free User"), you may only use the Services for non-commercial purposes; (ii) if you access or use our Services through a paid subscription plan (such a user, a "Paid User"), you may use the Services for commercial purposes, but in either case, your access and use of the Services and any Output must still comply with the Prohibited Use Policy.

2. Personal Data

You may provide certain information to AMBER NEXUS in connection with your access to or use of our Services, or we may otherwise collect certain information about you when you access or use our Services. You represent and warrant that any information that you provide to AMBER NEXUS in connection with the Services is accurate.

You acknowledge that AMBER NEXUS may process personal data relating to the operation, support, or use of our Services for our own business purposes, including:

  • billing, account management, technical support, and compliance with law - processed as necessary to perform our contract with you or to comply with legal obligations;
  • analytics, usage tracking, data aggregation, and anonymisation - processed on the basis of our legitimate interest in improving our Services and AI models. You have the right to object to this processing at any time by contacting us at privacy@myambergroup.com; and
  • research and improvement of our AI models using your Input or Voice Data - processed only to the extent you have provided written consent under Section 4(d) of these Terms. You may withdraw that consent at any time in accordance with Section 4(g).

"Voice Data" means audio recordings and derived data generated in connection with your use of the Services, including call recordings, voice inputs, synthesised audio outputs, and call transcripts, as further defined in the Privacy Policy. "Input" means text, audio, or other content you provide to the Services. "Output" means content generated by the Services in response to an Input, including synthesised voice responses.

All terms relating to Data Protection are governed by our Privacy Policy, available at ambernexus.ai/legal.html, which is incorporated into these Terms by reference. The Privacy Policy sets out in full the categories of Personal Data collected, the legal bases for each processing activity, your rights, and the data retention periods that apply, including those applied by our key sub-processors.

3. Accounts

We may require that you create an account in order to use some or all of our Services. You may not share or permit others to use your individual account credentials. You will promptly update any information contained in your account if it changes. You must maintain the security of your account, as applicable, and promptly notify us if you discover or suspect that someone has accessed your account without your permission.

4. Content and User Voice Models; AMBER NEXUS Models

(a) Inputs and Outputs.

You may transmit or otherwise provide data and information as input to our Services ("Input"). When you provide Input to the Services, you may receive audio output generated and returned by one or more AMBER NEXUS Voice Models (defined below), or text output generated and returned by one or more AMBER NEXUS LLMs (defined below), based on Input ("Output") (Input and Output, collectively, the "Content"). Input may include, without limitation, recordings of your voice, text descriptions, or any other content that you may provide to us through the Services. We may enable you to download Output from some (but not all) of the Services; in such cases, you are permitted to use such Output outside of the Services but always subject to these Terms. If you choose to make any of your information publicly available through the Services or otherwise, you do so at your own risk.

(b) User Voice Models (Voice Clones).

Some of our Services allow you to create a digital replication or synthetic version of a human voice (commonly referred to as a "Voice Clone") that can be used to generate Output in the form of synthetic audio sounding like your own voice or the voice of an individual for whom you have obtained all necessary rights, permissions, and consents (each, a "User Voice Model"). To create a User Voice Model, you may be required to upload audio recordings of your own voice or the voice of an individual you are authorized to represent as Input to the Services. You represent and warrant that you have obtained explicit, informed, and legally valid consent from the individual whose voice is used, including consent for synthetic voice generation. Subject to subsection 4(d) below, AMBER NEXUS is permitted to use such audio recordings solely to create, operate, and maintain the User Voice Model and to provide the Services. You may request deletion of your User Voice Models through your account, subject to applicable law and AMBER NEXUS's data retention obligations.

(c) Rights to your Content.

(i) Except as expressly set forth herein, as between you and AMBER NEXUS, you retain all rights in and to your Input.

(ii) For the avoidance of doubt, Output may be generated by, but does not include, AMBER NEXUS' foundational and other artificial intelligence voice models (the "AMBER NEXUS Voice Models") or AMBER NEXUS' foundational and other artificial intelligence or language learning models ("AMBER NEXUS LLMs") (AMBER NEXUS Voice Models and AMBER NEXUS LLMs, collectively, the "AMBER NEXUS Models"). Except as expressly set forth herein, as between you and AMBER NEXUS, you retain all rights in and to your Output.

(d) License to Your Content.

To the extent that you provide AMBER NEXUS with written consent, you hereby grant to AMBER NEXUS a revocable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly or otherwise perform and display, and use your Input to provide the Services (including the trust and safety features therein), to improve the Services, and to develop new services and products. For avoidance of doubt, to the extent that your Input includes your voice, the foregoing license allows AMBER NEXUS to reproduce, modify, publish, create derivative works from, distribute, publicly or otherwise perform, and use your voice, and other indicia of your persona that may be contained therein, to provide and improve the Services, and to develop new services and products. Notwithstanding the foregoing, we will not commercialize your voice on a standalone basis without your permission to do so. This non-commercialisation restriction applies equally to all affiliates, vendors, sub-processors, and third-party service providers to whom your Voice Data may be disclosed pursuant to the Privacy Policy, and AMBER NEXUS shall contractually impose equivalent restrictions on such parties. Such license shall be:

  • revocable,
  • nonexclusive (which means you can license your Input to others),
  • subject to royalties, unless otherwise agreed between the Parties,
  • worldwide (which means it's valid anywhere in the world), and
  • non-sub-licensable except that AMBER NEXUS may share your Input with its affiliates, sub-processors, and service providers as listed in the Privacy Policy sub-processor list (ambernexus.ai/subprocessors), solely as necessary to deliver the Services, provided such parties are contractually bound by confidentiality and data protection obligations no less restrictive than those set out in these Terms (which means we cannot otherwise make it available to others unless expressly agreed to in writing by you).

Please note: revoking this license does not automatically result in the immediate deletion of your Personal Data. AMBER NEXUS and its sub-processors may retain your Personal Data for the periods set out in the Privacy Policy data retention schedule (which may be up to 3 years from account closure or call date, and up to 2-3 years for synthesised voice outputs retained by ElevenLabs Inc., as applicable), to the extent required by law or legitimate operational need. Revocation of consent prevents future use of your data for model improvement but does not require deletion of data retained under other lawful bases.

(e) License to User Voice Models.

To the extent you own or acquire any intellectual property rights in or to any User Voice Models, you hereby grant to AMBER NEXUS a limited, revocable, non-exclusive, worldwide license to use, reproduce, modify, adapt, and create derivative works from such User Voice Models solely as necessary to:

  1. provide, operate, and maintain the Services for you;
  2. enable trust, safety, security, and abuse-prevention features; and
  3. improve the performance and functionality of the Services in an aggregated and non-identifiable manner.

Such license is granted subject to the following conditions:

  • revocable, meaning you may withdraw this license by deleting the applicable User Voice Model or closing your account, subject to applicable law;
  • non-exclusive, meaning you may license your User Voice Models to others;
  • royalty-bearing only where expressly agreed in writing between the Parties;
  • worldwide; and
  • non-sub-licensable, except to AMBER NEXUS's affiliates, contractors, and subprocessors solely as necessary to provide the Services.

For the avoidance of doubt, AMBER NEXUS shall not commercialize, license, or make available any User Voice Model to third parties without your express permission, including through the Voice Library Service.

Please note: revoking this license or deleting your User Voice Model does not override AMBER NEXUS's data retention obligations under the Privacy Policy. Synthesised voice outputs processed by ElevenLabs Inc. may be retained for up to 2 years (audio/transcripts) and up to 3 years (account history) in accordance with that provider's retention schedule, which operates independently of requests submitted to AMBER NEXUS.

(f) Necessary Rights.

You may not provide Input or create Output for which you do not have all the rights necessary to grant us the license described above. You represent and warrant that the Content and User Voice Models, and our use of the Content and User Voice Models, will not violate any rights of any person or entity, or cause injury to any person or entity.

(g) Data Deletion and Opt Out.

You may request that we delete your personal data as required under applicable law. Please see our Privacy Policy for more information. In addition, you may request to opt out of your Content and User Voice Models being used by us to improve the Services (including AMBER NEXUS Models). AMBER NEXUS will action deletion and opt-out requests within 30 business days of receipt. Your Content and User Voice Models will no longer be used to improve our Services (including AMBER NEXUS Models) once the request has been processed by our team, but this does not affect any uses of (or materials resulting from uses of) your Content or User Voice Models prior to that date. Please be aware that certain sub-processors operate independent data retention schedules that may survive a deletion request submitted to AMBER NEXUS. In particular, ElevenLabs Inc. retains synthesised voice outputs for up to 2 years (audio and transcripts) and up to 3 years (account history) from the date of last interaction. AMBER NEXUS will use commercially reasonable efforts to coordinate deletion requests with sub-processors but cannot guarantee deletion within a specific timeframe on third-party systems. Full sub-processor retention periods are published in the Privacy Policy.

5. Our Intellectual Property

(a) Ownership.

The Services, including the text, graphics, images, photographs, videos, illustrations, and other content contained therein, and all intellectual property rights therein and thereto, are owned by AMBER NEXUS or our licensors. Except as explicitly stated in these Terms, all rights in and to the Services, including all intellectual property rights therein and thereto, are reserved by us or our licensors.

(b) Limited License.

Subject to your compliance with these Terms, AMBER NEXUS hereby grants to you a limited, non-exclusive, non-transferable, sublicensable, irrevocable license to access and use our Services. For clarity, any use of the Services other than as specifically authorized herein, without our prior written permission, is strictly prohibited and will terminate the license granted herein.

(c) Trademarks.

The name "AMBER NEXUS" and our logos, product or service names, slogans, and the look and feel of the Services are trademarks of AMBER NEXUS and may not be copied, imitated or used, in whole or in part, without our prior written permission. All other trademarks, registered trademarks, product names, and company names or logos mentioned in or in connection with the Services are the property of their respective owners. Reference to any products, services, processes, or other information by trade name, trademark, manufacturer, supplier, or otherwise does not constitute or imply endorsement, sponsorship, or recommendation by us. All white-labelled products/Services shall bear the name of the product followed by the wording "Powered by Amber".

6. Subscription Services; Payment

(a) Subscriptions.

Subscription/Service Fees shall be attached as Annexure C. To access and use certain Services, you may be required to enroll in a subscription payment plan (a "Recurring Subscription"). Your Recurring Subscription will automatically renew until you cancel it or your Recurring Subscription is otherwise terminated. AMBER NEXUS will submit an invoice to you every month which shall be settled by you within 30 days of invoice. You may cancel your subscription through your account. You may cancel a Recurring Subscription at any time. Following any cancellation, however, you will continue to have access to the applicable Services through the end of your current subscription period. Subject to mutual agreement between the Parties, AMBER NEXUS may change the prices charged for Recurring Subscriptions at any time by posting updated pricing through the Services; provided, however, that the prices for your Recurring Subscription will remain in force for the duration of the subscription period for which you have paid. After that period ends, your use of the applicable Services will be charged at the then-current subscription price.

(b) Other Usage Charges.

In the event your usage exceeds the volume provided under your Recurring Subscription, you will be charged usage overage fees for your Recurring Subscription, as indicated to you upon subscribing. In such event, we shall invoice you for these additional charges as per the agreed rate.

(c) Payment.

AMBER NEXUS will submit an invoice to you every month which shall be settled by you within 30 days of invoice.

8. Third-Party Services and Content

(a) Our Services may rely on or interoperate with third-party products and services, including data storage services, communications technologies, third-party LLM providers, and internet and mobile operators (collectively, "Third-Party Services"). These Third-Party Services are beyond our control, but their operation may impact, or be impacted by, the use and reliability of our Services. A current list of our third-party sub-processors, including their data processing roles and applicable retention periods, is maintained at ambernexus.ai/subprocessors in accordance with the Privacy Policy.

9. Indemnification

To the fullest extent permitted by applicable law, each party will indemnify, defend, and hold harmless the other Party and their officers, directors, partners, licensors, employees and agents from and against any losses, liabilities, claims, demands, damages, expenses or costs ("Claims") arising out of or related to: (a) the violation of these Terms; (b) the violation, misappropriation, or infringement of any rights of another (including intellectual property rights or privacy rights); or (c) conduct in connection with the Services or the Content. The breaching party will cooperate with the other party in defending such Claims, and pay all fees, costs, and expenses associated with defending such Claims (including attorneys' fees). The non-breaching party will have control of the defense or settlement, at the non-breaching party's sole option, of any third-party Claims. This indemnity is in addition to, and not in lieu of, any other indemnities set forth in a written agreement between you and AMBER NEXUS.

10. Disclaimers

AMBER NEXUS does not represent or warrant that our Services or any content provided therein or therewith are error-free or that access to our Services or any content provided therein or therewith will be uninterrupted. While AMBER NEXUS attempts to make your use of our Services and any content provided therein or therewith safe using industry best practices, we cannot and do not represent or warrant that our Services or any content provided therein or therewith are free of viruses or other harmful components or content or materials. All disclaimers of any kind (including in this Section 10 and elsewhere in these Terms) are made for the benefit of AMBER NEXUS and AMBER NEXUS' respective shareholders, agents, representatives, licensors, suppliers, and service providers, as well as our and their respective successors and assigns.

11. Limitation of Liability

(a)

To the fullest extent permitted by applicable law, neither party will be liable to the other under any theory of liability (whether based in contract, tort, negligence, warranty, or otherwise) for any indirect, consequential, exemplary, incidental, punitive, or special damages or lost profits.

(b)

The total liability of AMBER NEXUS for any claim arising out of or relating to these Terms or our Services, regardless of the form of the action, is limited to the amount paid by you to use our Services in the 12 months preceding the claim.

12. Dispute Resolution; Arbitration

Please read this Section 12 carefully because it requires you and AMBER NEXUS to arbitrate certain disputes and claims and limits the manner in which we can seek relief from each other.

(a) Informal Dispute Resolution Prior to Arbitration.

For any dispute or claim between you and AMBER NEXUS arising out of or relating in any way to your access to or use of the Services, any communications you receive, any products sold or distributed through the Services or these Terms and prior versions of these Terms, including claims and disputes that arose between you and us before the effective date of these Terms, or any privacy or data security claims (collectively, "Disputes", and each a "Dispute"), you and AMBER NEXUS agree to attempt to first resolve the Claim informally via the following process:

If you assert a Dispute against AMBER NEXUS, you will first contact AMBER NEXUS by sending a written notice of your Dispute to AMBER NEXUS by email to privacy@myambergroup.com. If AMBER NEXUS asserts a Dispute against you, AMBER NEXUS will contact you by sending a written notice of AMBER NEXUS' Dispute to you via email to the primary email address associated with your account.

If you and AMBER NEXUS cannot reach an agreement to resolve the Dispute within 30 days after you or AMBER NEXUS receives the applicable notice, then either party may submit the Dispute to binding arbitration as set forth below. The statute of limitations and any filing fee deadlines shall be tolled for thirty (30) days from the date that either you or AMBER NEXUS first send the applicable notice so that the parties can engage in this informal dispute-resolution process.

(b) Disputes Subject to Arbitration; Exceptions.

Except for individual disputes that qualify for small claims court and any disputes exclusively related to the intellectual property or intellectual property rights of you or AMBER NEXUS, including any disputes in which you or AMBER NEXUS seek injunctive or other equitable relief for the alleged unlawful use of your or AMBER NEXUS' intellectual property or other infringement of your or AMBER NEXUS' intellectual property rights ("IP Disputes"), all Disputes, whether based in contract, tort, statute, fraud, misrepresentation, or any other legal theory, that are not resolved in accordance with Section 12(a) will be resolved by a neutral arbitrator through arbitration instead of in a court. The arbitration shall be governed by Jamaican law under the Arbitration Act, 2017 subject to JAIAC Arbitration Rules. The arbitrator will have the authority to grant any remedy or relief that would otherwise be available in court.

A party who wishes to initiate arbitration must provide the other party with a request for arbitration (the "Request"). The Request must include: (i) the name, mailing address, email address, and telephone number of the party seeking arbitration and the email address associated with any applicable account; (ii) a statement of the legal claims being asserted and the factual bases of those claims; (iii) a description of the remedy sought and an accurate, good faith calculation of the amount in controversy in United States dollars; (iv) a statement certifying completion of the informal dispute resolution process as described in Section 12(a) above; and (v) evidence that the requesting party has paid any necessary filing fees in connection with such arbitration.

If the party requesting arbitration is represented by counsel, the Request shall also include such counsel's name, mailing address, email address, and telephone number. Such counsel must also sign the Request. By signing the Request, counsel certifies to the best of counsel's knowledge, information, and belief, formed after an inquiry reasonable under the circumstances, that: (A) the Request is not being presented for an improper purpose, such as to harass, cause unnecessary delay, or needlessly increase the cost of dispute resolution; (B) the claims, defenses and other legal contentions are warranted by existing law or by a non-frivolous argument for extending, modifying, or reversing existing law or for establishing new law; and (C) the factual and damages contentions have evidentiary support or, if specifically so identified, will likely have evidentiary support after a reasonable opportunity for further investigation or discovery.

You and AMBER NEXUS agree that all materials and documents exchanged during the arbitration proceedings shall be kept confidential and shall not be shared with anyone except the parties' attorneys, accountants, or authorized representatives, and shall be subject to the condition that they agree to keep all materials and documents exchanged during the arbitration proceedings strictly confidential.

13. Governing Law

Any Claims will be governed by and construed and enforced in accordance with the laws of Jamaica.

Notwithstanding the foregoing, nothing in this Section 13 limits or excludes the statutory data protection rights of users under the laws of their country of residence. In particular:

  • Users residing in the European Economic Area or the United Kingdom retain all rights under the EU GDPR or UK GDPR respectively, including the right to lodge a complaint with their local supervisory authority.
  • Users residing in India retain all rights under the Digital Personal Data Protection Act, 2023 ("DPDPA"), including rights of nomination, grievance redressal, and the right to approach the Data Protection Board of India.
  • Users residing in Jamaica retain all rights under the Data Protection Act, 2020, including oversight by the Office of the Information Commissioner.

The general Jamaican law clause governs commercial disputes under these Terms; it does not displace users' statutory data protection rights in their jurisdiction of residence. Where a data protection claim cannot be resolved under Jamaican law, the applicable local data protection law shall govern that claim.

14. Modifying

No modification of these terms shall be of any force or effect unless modified and agreed in writing by both Parties.

15. Miscellaneous

(a)

These Terms reflect the entire agreement between the parties relating to the subject matter hereof and supersede all prior agreements, representations, statements, and understandings of the parties. Except as otherwise provided herein, these Terms are intended solely for the benefit of the parties and are not intended to confer third-party beneficiary rights upon any other person or entity. Communications and transactions between us may be conducted electronically.

(b)

The section titles in these Terms are for convenience only and have no legal or contractual effect. Lists of examples following "including" or "e.g." or similar words are not exhaustive (that is, they are interpreted to include "without limitation").

(c)

If any portion of these Terms is found to be unenforceable or unlawful for any reason, including but not limited to because it is found to be unconscionable, (a) the unenforceable or unlawful provision will be severed from these Terms; (b) severance of the unenforceable or unlawful provision will have no impact whatsoever on the remainder of these Terms; and (c) the unenforceable or unlawful provision may be revised to the extent required to render the Terms enforceable or valid, and the rights and responsibilities of the parties will be interpreted and enforced accordingly, so as to preserve the Terms and the intent of the Terms to the fullest possible extent.

(d)

If you have a question or complaint regarding the Services, please send an email to privacy@myambergroup.com.

Annexure A

Conversational AI Terms

These Conversational AI Terms ("Service Terms") supplement your ("you", "your" or "Customer") existing Terms of Service with AMBER NEXUS (the "Underlying AMBER NEXUS Agreement"). Defined terms used in these Service Terms have the meanings set forth in the Underlying AMBER NEXUS Agreement.

By using Conversational AI you agree to these Service Terms. Service Terms constitute a legally binding contract between you and AMBER NEXUS. In case of any conflict between these Service Terms and other terms agreed upon between you and AMBER NEXUS, these Service Terms shall prevail with respect to your access or use of Conversational AI.

1. CONVERSATIONAL AI

"Conversational AI" is a solution offered by AMBER NEXUS that enables the deployment of interactive AI voice agents ("Customer AI Agent") as part of AMBER NEXUS' Services. Conversational AI is powered in part by one or more third-party LLM providers ("LLM Provider"). By using Conversational AI, you acknowledge and agree that you may interact with and direct information to these LLM Providers and that you must comply with applicable LLM Provider policies.

2. RESTRICTIONS

Customer shall not, and shall not permit its End Users (defined below) to:

  • use Conversational AI or LLM Provider services hereunder in a manner that violates any applicable laws or infringes, misappropriates or otherwise violates any party's intellectual property rights;
  • modify or create derivative works of Conversational AI or LLM Provider services;
  • reverse assemble, reverse compile, reverse engineer, decompile, translate, engage in model extraction or stealing attacks, or otherwise attempt to discover the source code or underlying components of models, algorithms, and systems of Conversational AI or those of an LLM Provider (except to the extent such restrictions are contrary to applicable law, in which case, if you reside in a jurisdiction that expressly prohibits such restrictions, you must provide AMBER NEXUS with advance written notice prior to engaging in any such activities, and AMBER NEXUS may, in its discretion, either provide such information to you or impose reasonable conditions, including a reasonable fee, on such use of AMBER NEXUS' source code for Conversational AI to ensure AMBER NEXUS' (and our suppliers') proprietary rights in such source code are protected);
  • provide as Input to Conversational AI or otherwise submit or make accessible to AMBER NEXUS any financial account identifiers (e.g., credit card numbers or bank account numbers), government issued identifiers (e.g., social insurance numbers, health card numbers) or other types of sensitive data that is subject to specific or elevated data protection requirements, including without limitation protected health information ("Prohibited Data"), unless AMBER NEXUS has expressly agreed in writing that it can comply with such requirements. AMBER NEXUS reserves the right to delete any such Prohibited Data at its sole discretion; or
  • use the Conversational AI or LLM Provider services in violation of any applicable laws or regulations governing the initiation, placement, recording, or monitoring of telephone calls or other voice communications.

3. RESPONSIBILITIES

Customer shall clearly and prominently inform its End Users that (a) they are interacting with AI rather than a human, and (b) conversations are being recorded and may be shared with AMBER NEXUS and LLM Providers. Customer is also required to update its privacy policies accordingly. In the event Customer initiates outbound calls using Conversational AI, Customer shall be responsible for obtaining all legally required consents and providing all legally required disclosures related thereto. Customer is solely responsible for ensuring compliance with all applicable laws, regulations, and industry standards in connection with Customer's use of Conversational AI.

4. END USERS

Each End User that has access to a Customer AI Agent must have accepted an End User Agreement (defined below) that includes the following terms: (1) End Users must be bound by restrictions, obligations, and prohibitions regarding their use of the Customer AI Agent at least as restrictive as those found in Amber Nexus Terms of Service and these Service Terms; (2) Customer is not AMBER NEXUS' agent or partner or in a joint venture with AMBER NEXUS; (3) AMBER NEXUS is a third-party beneficiary of Customer's agreement with End Users; and (4) End User grants AMBER NEXUS and its affiliates and subcontractors a non-exclusive right to process and use End User's data to provide and support the Services. Customer will not make any representations or warranties in the End User Agreement regarding the functionality or performance of the Services that conflict with the Underlying AMBER NEXUS Agreement. The End User Agreement must be binding on End Users under applicable laws and regulations in the jurisdiction in which Customer is providing access to the Customer AI Agent. As used herein, "End User" means Customer's customer that (w) is licensing or using the Customer AI Agent only for its own internal business operations or personal use, and (x) has signed an End User Agreement. "End User Agreement" means a (y) written contract, or (z) "clickwrap" style online agreements involving conspicuous notice to End Users and an affirmative click to accept by End Users, entered into between Customer and any End User pursuant to which End User accesses or uses the Customer AI Agent.

5. NO PROFESSIONAL OR MEDICAL ADVICE

OUTPUT GENERATED BY CONVERSATIONAL AI IS FOR INFORMATIONAL PURPOSES ONLY AND DOES NOT CONSTITUTE PROFESSIONAL ADVICE IN ANY FIELD, INCLUDING WITHOUT LIMITATION MEDICAL, LEGAL, ACCOUNTING, FINANCIAL, INVESTMENT, OR PSYCHOLOGICAL ADVICE. CUSTOMER AGREES NOT TO RELY ON SUCH OUTPUT AS A SUBSTITUTE FOR PROFESSIONAL ADVICE. ALWAYS SEEK ADVICE FROM A QUALIFIED PROFESSIONAL. AMBER NEXUS DISCLAIMS ALL LIABILITY FOR ANY ACTIONS TAKEN BASED ON OUTPUT GENERATED BY CONVERSATIONAL AI. ANY RELIANCE ON OUTPUT IS SOLELY AT CUSTOMER'S OWN RISK.

6. BRING YOUR OWN LARGE LANGUAGE MODEL

If Customer elects to integrate a Customer-Provided LLM (defined below) with Conversational AI, the following terms also apply:

6.1 Defined Terms:

"BYO-LLM Integration" means the integration of the Customer-Provided LLM with Conversational AI to enable interaction and functionality with the Customer-Provided LLM.

"Customer-Provided LLM" means any algorithm or machine learning model developed, licensed, or sourced by Customer independently from the Services ("Third-Party Model") and integrated into the Services by Customer for use with Conversational AI. For the avoidance of doubt, "Customer-Provided LLM" shall not include Conversational AI.

6.2 License to Access and Use Customer-Provided LLM.

Customer hereby grants AMBER NEXUS a revocable, non-exclusive, non-transferable license to access, interact with and use the Customer-Provided LLM as necessary to deliver Conversational AI.

6.3 Customer Responsibility for Customer-Provided LLM.

6.3.1 Customer acknowledges and agrees that any Customer-Provided LLM is solely its responsibility, including without limitation the procurement, management, and compliance obligations associated with such Third-Party Model.

6.3.2 Customer represents and warrants that: (1) it has all necessary licenses, consents, permissions or approvals necessary to access and use the Customer-Provided LLMs in conjunction with the Services provided hereunder; (2) its use of the Customer-Provided LLMs hereunder shall comply with AMBER NEXUS' Prohibited Use Policy and any agreements or terms governing the use of such Customer-Provided LLM; and (3) it shall not use any Customer-Provided LLMs in any manner that infringes upon any third party rights, violates applicable laws, or introduces security vulnerabilities, or compromises the integrity of the Services or AMBER NEXUS' other customers.

6.3.3 Customer retains ownership of any data processed by the Customer-Provided LLM. Customer represents and warrants that all data used with the Customer-Provided LLM complies with all applicable data protection laws.

6.4 No Subprocessor Relationship.

Customer acknowledges that Customer and AMBER NEXUS operate independently, and any Third-Party Model integrated with Conversational AI through a BYO-LLM Integration shall not be deemed a subprocessor of AMBER NEXUS. Customer shall be solely responsible for (i) establishing any required contractual or compliance obligations with the Third-Party Model, including obtaining any necessary consents or authorizations for data processing; and (ii) ensuring that the Customer-Provided LLM complies with all applicable laws, including data protection laws and regulations.

6.5 Compliance and Security Requirements.

6.5.1 Customer agrees that it is solely responsible for ensuring that the Customer-Provided LLM operates in compliance with applicable data protection laws and security standards. Customer shall implement appropriate security measures and protocols to protect both its data and the integrity of AMBER NEXUS' Services when using the Customer-Provided LLM. Customer shall be responsible, and assumes all liability, for security vulnerabilities or data protection obligations introduced through the use of the Customer-Provided LLM.

6.5.2 Without prejudice to AMBER NEXUS's security obligations, Customer acknowledges and agrees that it, rather than AMBER NEXUS, is responsible for certain configurations and design decisions for the Customer-Provided LLM and Customer AI Agent, and that Customer, and not AMBER NEXUS, is responsible for implementing those configurations and design decisions in a secure manner that complies with applicable data protection laws.

6.5.3 Customer bears sole responsibility for its API, including without limitation, the API's configuration and access control functionalities, and assumes all liability for damages. Customer is solely responsible for maintaining the confidentiality and security of its API keys. Customer is responsible for all activities that occur under its API keys, regardless of whether such activities are authorized by Customer.

6.6 Restrictions.

6.6.1 Customer shall not use the Customer-Provided LLM to generate, create, or distribute content that is illegal, offensive, defamatory, or otherwise in violation of AMBER NEXUS' Prohibited Use Policy. Additionally, Customer shall not use the Customer-Provided LLM to create, generate or distribute any sexual content. AMBER NEXUS reserves the right to suspend or terminate Customer's access to the BYO-LLM Integration if the Customer-Provided LLM is used in violation of Amber Nexus Terms of Service or these Service Terms.

6.6.2 Customer shall not use the BYO-LLM Integration to develop competing models or services.

6.7 No Warranty or Support Obligation.

6.7.1 AMBER NEXUS makes no representations, warranties or guarantees regarding the functionality, performance, reliability, accuracy, or security of any Customer-Provided LLM. Customer acknowledges that AMBER NEXUS is not responsible for any outcomes, errors, or issues arising from the Customer-Provided LLM's performance within the BYO-LLM Integration.

6.7.2 AMBER NEXUS shall have no obligation to provide support or maintenance for any issues specific to the Customer-Provided LLM. For clarity, any service level commitments made by AMBER NEXUS do not apply to Customer-Provided LLMs.

6.8 Indemnification.

Without limiting Customer's indemnity obligations under the Underlying AMBER NEXUS Agreement or as otherwise set forth herein, Customer agrees to indemnify, defend, and hold harmless AMBER NEXUS and its officers, directors, partners, licensors, employees and agents from any claims, damages, losses, or liabilities arising from or related to the Customer-Provided LLM, including without limitation claims related to intellectual property infringement, data privacy violations, content generated through the Customer-Provided LLM, and security breaches caused by or related to the Customer-Provided LLM.

6.9 Termination and Suspension Rights.

AMBER NEXUS reserves the right to suspend or terminate the Customer's access to the BYO-LLM Integration on 60 days' written notice if the Customer-Provided LLM poses a security or safety risk, violates the Underlying AMBER NEXUS Agreement, or if Customer is in breach of any terms herein. Upon termination, AMBER NEXUS will revoke access to the BYO-LLM Integration and handle any data associated with the Customer-Provided LLM in accordance with AMBER NEXUS' data retention policies.

Annexure B

Voice Library Terms

These Voice Library Terms supplement the Amber Nexus Terms of Service ("Terms of Service") and, together with the Terms of Service, apply to your use of our Voice Library Service, including the sharing of User Voice Models on or through the Voice Library Service. Defined terms used in this Annexure B have the meanings set forth in the Terms of Service.

1. Content on the Voice Library

The Voice Library Service makes available AMBER NEXUS Voice Models, provided by AMBER NEXUS, as well as User Voice Models, provided by AMBER NEXUS users, including you, through the Services. The rights in and to AMBER NEXUS Voice Models and User Voice Models, including those made available as part of the Voice Library Service, are set out in our Terms of Service.

2. Sharing User Voice Models in the Voice Library

You may share User Voice Models you've generated on our platform through the Voice Library Service. If you choose to do so, you hereby authorize us, subject to agreed license fee terms, to make available the User Voice Models for others to access and use through the Voice Library Service in accordance with the Terms of Service and these Voice Library Terms ("Voice Library License"). For clarity, others may be able to generate Output with the User Voice Models you have shared in our Library subject to the payment of license fees.

3. Eligibility & Conditions

As a condition of making available any User Voice Model in the Voice Library, you agree that you satisfy (and will continue to satisfy) the following requirements: You must create and share a User Voice Model based on your voice using our technology and platform. You must not create and share a User Voice Model based on another person's voice or an altered version of your voice.

4. Personal Data

Nothing in this Annexure B shall be construed as waiving or limiting any rights or protections conferred to the user under personal data protection and privacy laws.

5. Termination

You can terminate your participation in the Voice Library service by deleting the User Voice Models you have shared from your account or deleting your account, subject to the procedure described below. In the event you terminate your participation in the Voice Library service, your User Voice Models will be available until the end of the Notice Period as set forth above.

The termination of your participation in the Voice Library service will not impact the transfer or licensing of intellectual property and other rights up to the point of termination.

This Annexure B and the Terms of Service may be terminated if you exercise your legal right to withdraw consent for the processing by AMBER NEXUS of the categories of your personal data, as defined by applicable laws, that are necessary to fulfill the purpose of this service. If this occurs, we will treat it as an Early Revocation Request and you will pay the corresponding fee described above.

6. Other Terms

To the fullest extent permitted by applicable law, we reserve the right to review and remove any User Voice Model made available in the Voice Library in our sole discretion, and at any point in time, with notice to you, including as indicated in the Terms of Service.

Annexure C

Service/Subscription Fees

Service/Subscription Fees information will be provided separately.

Data Processing Addendum

Last Updated: May 05, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service or other written or electronic agreement between Amber Innovations Limited, operating as Amber Nexus ("Amber Nexus", "we", "our", or "us"), and the entity or individual agreeing to these terms ("Customer", "you", or "your"), for the provision of the Services (the "Principal Agreement").

This DPA sets forth the data protection obligations of the parties with respect to the processing of Personal Data by Amber Nexus on behalf of the Customer in connection with the Services. This DPA supplements and is incorporated into the Principal Agreement. In the event of any conflict between this DPA and the Principal Agreement with respect to data protection matters, this DPA shall prevail.

1. Definitions and Interpretation

In this DPA, unless the context otherwise requires, the following terms shall have the meanings set forth below. Terms not otherwise defined herein shall have the meanings given in the Principal Agreement, the Privacy Policy (available at ambernexus.ai/legal.html), or under Applicable Data Protection Laws.

"Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including the Data Protection Act, 2020 of Jamaica ("JDPA"), the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Digital Personal Data Protection Act, 2023 of India ("DPDPA"), the Protection of Personal Information Act of South Africa ("POPIA"), and any other applicable data protection or privacy laws relevant to the processing activities.

"Controller" means the party that determines the purposes and means of processing of Personal Data. Unless otherwise specified in an Order Form or Statement of Work, the Customer is the Controller.

"Customer Personal Data" means any Personal Data that is processed by Amber Nexus on behalf of the Customer in connection with the Services.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.

"Information Commissioner" means the Information Commissioner of Jamaica appointed under the JDPA, or any other relevant supervisory authority with jurisdiction over data protection matters.

"Personal Data" means information relating to an identified or identifiable natural person, as defined under the JDPA, GDPR, DPDPA, POPIA, and other Applicable Data Protection Laws.

"Personal Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

"Processor" means the party that processes Personal Data on behalf of the Controller. Unless otherwise specified, Amber Nexus is the Processor.

"Sensitive Personal Data" means personal data consisting of genetic data or biometric data, data concerning health, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and data concerning a person's sex life or sexual orientation, as well as any data classified as sensitive under Applicable Data Protection Laws.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international transfers of Personal Data, including the EU SCCs (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, and any successor clauses.

"Sub-processor" means any third party engaged by Amber Nexus (or by any other Sub-processor) to process Customer Personal Data on behalf of the Customer.

"Supervisory Authority" means any regulatory authority with jurisdiction over data protection matters, including the Information Commissioner of Jamaica, EU/EEA Data Protection Authorities, the UK Information Commissioner's Office (ICO), the Data Protection Board of India, and the Information Regulator of South Africa.

2. Scope and Purpose of Processing

2.1. This DPA applies to the processing of Customer Personal Data by Amber Nexus as Processor on behalf of the Customer (Controller) in connection with the provision of the Services.

2.2. The details of the processing, including the subject matter, duration, nature and purpose of processing, the types of Personal Data, and the categories of Data Subjects are described in Annex A (Details of Processing).

2.3. Amber Nexus shall process Customer Personal Data only as necessary for the performance of the Services and in accordance with the Customer's documented instructions, unless required by applicable law to process the data otherwise.

3. Compliance with Data Protection Standards

3.1. Both parties shall comply with their respective obligations under Applicable Data Protection Laws, including the Eight Data Protection Standards set forth in Part IV of the JDPA:

First Standard - Fair and Lawful Processing (Section 22). Personal Data shall be processed fairly and lawfully. Data Subjects must expressly consent to processing, and such consent must be informed, freely given, specific, and unequivocal.

Second Standard - Specified Purposes (Section 25). Personal Data shall be collected only for specified and lawful purposes, and processing shall not be incompatible with those stated purposes.

Third Standard - Adequate and Relevant Data (Section 26). Personal Data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

Fourth Standard - Accuracy (Section 27). Personal Data must be accurate and, where necessary, kept up to date. Reasonable steps shall be taken to verify the accuracy of Personal Data.

Fifth Standard - Retention Limitation (Section 28). Personal Data shall not be kept for longer than is necessary for the purposes for which it was collected and shall be disposed of in accordance with applicable regulations and this DPA.

Sixth Standard - Rights of Data Subjects (Section 28). Personal Data must be processed in accordance with the rights of Data Subjects, including rights of access, rectification, erasure, and prevention of processing.

Seventh Standard - Security Measures (Section 30). Appropriate technical and organisational measures shall be implemented to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Eighth Standard - International Transfers (Section 31). Personal Data shall not be transferred outside of Jamaica unless the receiving jurisdiction ensures an adequate level of protection or appropriate safeguards are in place.

3.2. For processing of Personal Data of Data Subjects in South Africa, both parties shall comply with the Eight Conditions for Lawful Processing set forth in Chapter 3 of POPIA, including: Condition 1 (Accountability, Section 8); Condition 2 (Processing Limitation, Sections 9–12); Condition 3 (Purpose Specification, Sections 13–14); Condition 4 (Further Processing Limitation, Section 15); Condition 5 (Information Quality, Section 16); Condition 6 (Openness, Sections 17–18); Condition 7 (Security Safeguards, Sections 19–22); and Condition 8 (Data Subject Participation, Sections 23–25). Amber Nexus, as Operator under POPIA, shall process such Personal Data only in accordance with the Customer's instructions and shall implement appropriate measures to secure the integrity and confidentiality of Personal Information in its possession or under its control.

4. Obligations of Amber Nexus as Processor

4.1. Process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable law.

4.2. Ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set forth in Annex B (Technical and Organisational Security Measures) and as described in our Security Controls document (available at ambernexus.ai/security-controls).

4.4. Not engage another processor (Sub-processor) without prior general written authorisation of the Customer, subject to Section 8 of this DPA.

4.5. Assist the Customer, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subject's rights.

4.6. Assist the Customer in ensuring compliance with security obligations, Personal Data Breach notification requirements, data protection impact assessments, and prior consultation with Supervisory Authorities.

4.7. At the choice of the Customer, delete or return all Customer Personal Data to the Customer after the end of the provision of Services, and delete existing copies unless retention is required by Applicable Data Protection Laws. Deletion shall be completed within thirty (30) days of termination, unless otherwise agreed.

4.8. Make available to the Customer all information necessary to demonstrate compliance with the obligations set forth in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

5. Personal Data Breach Notification

5.1. Where Amber Nexus becomes aware of a Personal Data Breach affecting Customer Personal Data, it shall notify the Customer without undue delay, and in any event within twenty-four (24) hours of becoming aware of the breach.

5.2. The notification shall include, to the extent available: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences of the breach; (c) a description of the measures taken or proposed to be taken to address the breach; and (d) the contact details of Amber Nexus's Data Protection Officer or designated privacy contact.

5.3. In compliance with Section 21(3) of the JDPA, the Customer as Controller shall report any Personal Data Breach to the Information Commissioner within seventy-two (72) hours of becoming aware of the breach. Amber Nexus shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

5.4. The Customer shall also promptly notify each affected Data Subject of the breach and the measures taken to mitigate potential adverse effects, where required by Applicable Data Protection Laws.

5.5. Where a Personal Data Breach involves Personal Information of Data Subjects in South Africa, the Customer as Responsible Party under POPIA shall notify the Information Regulator and the affected Data Subjects (unless the identity of such Data Subjects cannot be established) as soon as reasonably possible after becoming aware of the compromise, in compliance with Section 22 of POPIA. POPIA imposes no minimum harm threshold — any reasonable grounds to believe that Personal Information has been accessed or acquired by an unauthorised person triggers the obligation. Amber Nexus, as Operator, shall promptly inform the Customer of any such breach and shall provide all information necessary to enable the Customer to fulfil its notification obligations under Section 22, including submitting the prescribed Form SCN1 to the Information Regulator.

6. Data Subject Rights

6.1. The parties shall ensure that Data Subjects can exercise their rights under Applicable Data Protection Laws, including:

  • Right to be Informed / Right of Access. Data Subjects have the right to know what Personal Data is being collected and processed, and to obtain a copy of their Personal Data held by the Controller.
  • Right to Rectification. Data Subjects have the right to correct inaccurate Personal Data.
  • Right to Erasure. Data Subjects have the right to request deletion of Personal Data, subject to lawful retention requirements.
  • Right to Restrict or Object to Processing. Data Subjects have the right to restrict or object to the processing of their Personal Data in certain circumstances.
  • Right to Data Portability. Data Subjects have the right to request transfer of their Personal Data to another controller in a structured, commonly used, and machine-readable format.
  • Rights Related to Automated Decision-Making. Data Subjects have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects.
  • Right to Withdraw Consent. Data Subjects may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to Nominate (DPDPA). Data Subjects residing in India have the right to nominate any individual who will exercise their rights in the event of death or incapacity.
  • Right to Grievance Redressal (DPDPA). Data Subjects residing in India have the right to grievance redressal regarding how their Personal Data is processed.
  • Right to Complain to the Information Regulator (POPIA). Data Subjects residing in South Africa have the right to submit a complaint to the Information Regulator of South Africa in terms of Section 74 of POPIA where they believe that their Personal Information has been processed in violation of POPIA.

6.2. Amber Nexus shall promptly notify the Customer of any request received directly from a Data Subject and shall not respond to such request without the Controller's prior written instructions, unless required by Applicable Data Protection Laws.

7. International Data Transfers

7.1. Amber Nexus maintains hosting and server infrastructure primarily in the United States (Amazon Web Services). Customer Personal Data may therefore be transferred to, stored in, and processed in the United States and other jurisdictions where our Sub-processors operate.

7.2. In accordance with Section 31 of the JDPA (Eighth Data Protection Standard), Personal Data shall not be transferred outside Jamaica unless the transfer is to a country or territory ensuring an adequate level of protection or is subject to appropriate safeguards.

7.3. For transfers of Personal Data protected by the GDPR from the EEA, the parties shall implement Standard Contractual Clauses as follows:

  • Where the Customer is a Controller and Amber Nexus is a Processor, Module Two (Controller to Processor) shall apply.
  • Where the Customer is a Processor and Amber Nexus is a Sub-processor, Module Three (Processor to Processor) shall apply.
  • Clause 7 (Docking Clause) shall not apply.
  • Under Clause 9(a) (Use of Sub-processors), Option 2 (General Written Authorisation) shall apply, with a prior notice period of thirty (30) days.
  • Under Clause 17 (Governing Law), Option 1 shall apply, and the SCCs shall be governed by the laws of Ireland.
  • Under Clause 18(b) (Choice of Forum and Jurisdiction), disputes shall be resolved before the courts of Ireland.

7.4. For transfers of Personal Data from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs shall be incorporated.

7.5. For transfers of Personal Data from India, Amber Nexus shall comply with the requirements of the Digital Personal Data Protection Act, 2023 and rules made thereunder regarding cross-border data transfers.

7.6. For transfers of Personal Data from Jamaica, Amber Nexus shall ensure compliance with the Data Protection Act, 2020 and obtain any required authorisation from the Information Commissioner.

7.7. For transfers of Personal Data from South Africa, Amber Nexus shall ensure compliance with the Protection of Personal Information Act of South Africa ("POPIA") and obtain any required authorisation from the Information Regulator.

7.8. Details of authorised international transfers are set forth in Annex C (International Data Transfers).

8. Sub-processors

8.1. The Customer provides general written authorisation for Amber Nexus to engage Sub-processors to process Customer Personal Data in connection with the Services, subject to the conditions of this Section.

8.2. The current list of Sub-processors authorised by Amber Nexus is maintained at ambernexus.ai/legal.html (Sub-Processors tab) and is incorporated herein by reference.

| Sub-processor | Service | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, object storage (S3), compute | United States | All service data including voice recordings, transcripts, account data, call metadata |
| Deepgram, Inc. | Real-time speech-to-text transcription | United States | Call audio streams (ephemeral); API usage logs (metadata only) |
| ElevenLabs Inc. | AI voice synthesis (text-to-speech via Flash v2.5) and speech-to-text transcription (Scribe v2) | United States, Netherlands, Singapore | Text inputs, synthesised audio outputs, voice configuration data, call audio streams (STT inference) |
| Google LLC (Gemini LLM) | Large language model inference | United States / Global | Transcribed speech text, conversation context, session metadata (ephemeral) |
| Twilio Inc. | SIP telephony routing and phone number provisioning | United States | Call audio (routing only), phone numbers, timestamps, duration, call status metadata |
| Plivo Inc. | PSTN telephony routing and phone number provisioning | Global (US, India) | Call audio (routing only), phone numbers, timestamps, duration, call status metadata |
| Mailgun Technologies, Inc. | Transactional notification and OTP email delivery | United States | Email addresses, names, notification/OTP content, delivery metadata |
| Google LLC (Gmail/Workspace) | Internal business email and collaboration | United States | Email addresses, names, internal communication content |
| Zoho Corporation Pvt. Ltd. (Zoho CRM) | Customer relationship management and lead generation | United States, EU, India (per customer region) | Names, email addresses, phone numbers, company information, interaction history, lead status |
| Meta Platforms, Inc. (WhatsApp Business) | Messaging and lead follow-up communications | United States, EU (per Meta data centre policy) | Phone numbers, names, message content, conversation metadata |
| Cloudflare, Inc. | Web application firewall (WAF) and DDoS mitigation | Global (edge network) | IP addresses, request headers, traffic patterns (no application-layer content) |
| Amber Pay (via PowerTranz) | Payment processing and payment gateway services (PCI DSS Level 1) | Caribbean | Tokenised cardholder names and card numbers, transaction amounts, billing addresses, transaction and settlement metadata |

8.3. Where Amber Nexus engages a Sub-processor, it shall impose on that Sub-processor the same data protection obligations as set out in this DPA by way of a contract or other legal act, providing sufficient guarantees that appropriate technical and organisational measures are implemented.

8.4. Amber Nexus shall provide the Customer with at least thirty (30) days' prior notice of the addition or replacement of any Sub-processor, by updating the Sub-processors list and notifying enterprise customers by email. The Customer may object to any new Sub-processor on reasonable data protection or security grounds within thirty (30) days of notification. If the objection cannot be resolved, the Customer may terminate the affected Services on thirty (30) days' written notice.

8.5. Amber Nexus shall remain fully liable to the Customer for the performance of any Sub-processor's obligations under this DPA.

9. Audit Rights and Compliance

9.1. Amber Nexus shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA.

9.2. Upon reasonable written request (no more than once per twelve-month period), Amber Nexus shall make available relevant SOC 2 reports, ISO 27001 certificates, and summaries of penetration test results.

9.3. The Customer or an auditor mandated by the Customer may conduct audits and inspections to verify Amber Nexus's compliance with this DPA, subject to reasonable advance notice and during normal business hours.

9.4. Amber Nexus shall immediately inform the Customer if, in its opinion, an instruction from the Customer infringes Applicable Data Protection Laws.

9.5. Audit results shall be treated as Amber Nexus's confidential information and shall not be disclosed to any third party without Amber Nexus's prior written consent.

10. Data Protection Impact Assessment

10.1. In accordance with Section 45 of the JDPA and Article 35 of the GDPR, the Customer as Controller shall conduct a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk to the rights and freedoms of Data Subjects.

10.2. Amber Nexus shall provide reasonable assistance to the Customer in conducting DPIAs where required, taking into account the nature of the processing and the information available to Amber Nexus.

11. Data Retention and Deletion

11.1. Amber Nexus retains Customer Personal Data only for as long as necessary to provide the Services and fulfil the purposes described in Annex A, subject to the retention periods set forth below and any overriding legal obligations.

| Data Category | Holder | Retention Period |
|---|---|---|
| Call Recordings & Transcripts | Amazon S3 (AmberNexus) | Up to 3 years from call date |
| Speech-to-Text Processing | Deepgram / ElevenLabs (Scribe v2) | Deepgram: Zero retention (ephemeral processing). ElevenLabs Scribe v2: Data permanently erased on account/data deletion. Backups up to 50 days then auto-erased. Zero Retention Mode available. |
| Text-to-Speech Outputs | ElevenLabs (Flash v2.5) | Data permanently erased on account/data deletion. Backups retained up to 50 days, then auto-erased. Zero Retention Mode available (no data held after job completion). |
| LLM Inference Data | Google (Gemini) | Zero retention (ephemeral processing) |
| Telephony Metadata | Twilio | 13 months (400 days) |
| Telephony Metadata | Plivo | 90 days unredacted; 7 years anonymised |
| Transactional Emails | Mailgun | 3 days message bodies; 30 days event logs |
| Account & Administrative Data | AWS (AmberNexus) | Duration of agreement + 3 years post-closure |
| CRM Data (Names, emails, phone numbers, company, interaction history) | Zoho Corporation (Zoho CRM) | Duration of active CRM relationship. Deleted on account closure or request, per Zoho data processing terms. |
| Messaging Data (Phone numbers, names, message content, metadata) | Meta Platforms (WhatsApp Business) | End-to-end encrypted messages. Metadata per Meta Business Data Processing Terms. AmberNexus retains conversation records up to 1 year for lead follow-up. |
| Web Security Metadata (IP addresses, request headers, traffic patterns) | Cloudflare, Inc. (WAF) | Logs up to 72 hours for real-time threat detection. Enterprise logs up to 30 days. No application-layer content stored. |
| Payment Transaction Data (Tokenised card numbers, transaction amounts, billing addresses) | Amber Pay (via PowerTranz) | Card numbers tokenised at capture; never stored in original form. Transaction records up to 7 years per financial regulations and card scheme rules. Purged on account closure after regulatory retention expires. |

11.2. Upon termination of the Principal Agreement, Amber Nexus shall, at the Customer's choice, delete or return all Customer Personal Data within thirty (30) days, and delete existing copies, unless retention is required by Applicable Data Protection Laws.

11.3. Where the Customer submits a deletion request, Amber Nexus shall use commercially reasonable efforts to delete or anonymise Customer Personal Data held within its own systems and forward the deletion request to relevant Sub-processors in accordance with applicable Data Processing Agreements.

12. Liability and Indemnification

12.1. Each party shall be liable for its own acts and omissions and for those of its employees, agents, and sub-processors that result in a breach of this DPA or Applicable Data Protection Laws.

12.2. Each party agrees to indemnify and hold harmless the other party from and against any claims, damages, losses, costs, and expenses arising from any breach of this DPA or Applicable Data Protection Laws.

12.3. For processing of Personal Information of Data Subjects in South Africa, each party acknowledges that POPIA provides for the following enforcement consequences: (a) civil liability under Section 99, whereby a Data Subject may institute civil proceedings for damages against the Responsible Party for any breach of POPIA, whether or not there is intent or negligence on the part of the Responsible Party; (b) criminal offences under Sections 100 to 106 of POPIA (including obstruction of the Information Regulator, failure to comply with enforcement notices, and unlawful acts in connection with account numbers), with penalties under Section 107 including fines or imprisonment of up to ten years for serious offences; and (c) administrative fines under Section 109 of POPIA of up to R10 million imposed by the Information Regulator. Both parties shall maintain appropriate controls to minimise the risk of enforcement action by the Information Regulator.

12.4. The total aggregate liability of either party under this DPA shall be subject to any limitation of liability provisions set forth in the Principal Agreement.

13. Confidentiality

13.1. The parties shall keep confidential all Customer Personal Data and all information disclosed under this DPA and shall not disclose such information to any third party except as permitted under this DPA or required by law.

13.2. The obligations of confidentiality shall survive termination of this DPA and the Principal Agreement.

14. Term and Termination

14.1. This DPA shall come into effect on the date the Customer accepts the Principal Agreement and shall remain in force for the duration of the Principal Agreement.

14.2. This DPA shall automatically terminate upon the termination or expiry of the Principal Agreement.

14.3. The provisions of this DPA that by their nature are intended to survive termination (including Sections 5, 11, 12, 13, and 15) shall survive.

15. Governing Law and Dispute Resolution

15.1. This DPA shall be governed by and construed in accordance with the laws of Jamaica, without regard to its conflict of laws principles.

15.2. Notwithstanding the foregoing, (a) residents of the EEA, Switzerland, and the United Kingdom retain the full suite of rights under the GDPR and UK GDPR, including the right to lodge complaints with their local Supervisory Authority; (b) residents of India retain their rights under the DPDPA 2023, including access to the Data Protection Board of India; (c) residents of Jamaica retain their rights under the Data Protection Act 2020, including oversight by the Office of the Information Commissioner; and (d) residents of South Africa retain their rights under POPIA, including the right to lodge a complaint with the Information Regulator of South Africa (inforeg.org.za) and to institute civil proceedings in accordance with Section 99 of POPIA.

15.3. Any dispute arising out of or in connection with this DPA shall first be attempted to be resolved through good faith negotiations. If the dispute cannot be resolved within thirty (30) days, either party may refer the dispute to the exclusive jurisdiction of the courts of Jamaica, or to binding arbitration under the Arbitration Act 2017 and JAIAC Arbitration Rules, as set forth in the Principal Agreement.

16. General Provisions

Entire Agreement. This DPA, together with its Annexes and the Principal Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof.

Amendments. Amber Nexus may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, our processing activities, or Sub-processor arrangements. Material changes will be communicated to Customers via the contact information associated with their account.

Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

No Waiver. The failure of either party to enforce any provision of this DPA shall not be construed as a waiver of such provision or the right to enforce it at a later time.

Conflict. In the event of a conflict between the terms of this DPA and the Principal Agreement regarding data protection matters, this DPA shall prevail.

ANNEX A - DETAILS OF PROCESSING

1. Subject Matter and Duration

Amber Nexus processes Customer Personal Data in connection with the provision of conversational AI voice agent services and related platform functionality. Processing continues for the duration of the Principal Agreement.

2. Nature and Purpose of Processing

The following processing activities are performed in connection with the Services: voice call routing and telephony; real-time speech-to-text transcription (via Deepgram and ElevenLabs Scribe v2); large language model inference for natural language understanding and response generation; AI voice synthesis via text-to-speech (ElevenLabs Flash v2.5); call recording and transcript storage (where enabled by the Customer's Administrator); account management and user authentication; transactional email delivery (notifications and OTP); customer relationship management and lead generation (via Zoho CRM); messaging and lead follow-up communications (via WhatsApp Business); web application firewall and DDoS mitigation services (via Cloudflare WAF); and analytics, billing, and platform administration.

3. Categories of Personal Data

The following categories of Personal Data may be processed: names and contact details; email addresses; account credentials (encrypted); telephone numbers; voice data (call recordings, voice inputs, synthesised audio outputs); call transcripts; call metadata (timestamps, duration, caller identifiers, geographic indicators); IP addresses and device data; usage and activity logs; billing and transaction records; CRM data (company information, interaction history, lead status); messaging data (WhatsApp phone numbers, message content, conversation metadata); and web security metadata (IP addresses, request headers, traffic patterns).

4. Sensitive Personal Data

The Services are not designed to process Sensitive Personal Data. Customers are responsible for ensuring that Sensitive Personal Data, Protected Health Information, government identifiers, or financial account numbers are not submitted to the Services unless expressly agreed in writing. Where Sensitive Personal Data is incidentally captured during voice interactions, it will be processed solely to the extent necessary to deliver the Services.

5. Categories of Data Subjects

Data Subjects may include: the Customer's employees and authorised users; End Customers who interact with voice agents deployed by the Customer; individuals whose Personal Data is included in Inputs or Outputs; and individuals whose contact information is processed for CRM, messaging, or communication purposes.

ANNEX B - TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Amber Nexus implements the following technical and organisational security measures in compliance with Section 30 of the JDPA (Seventh Data Protection Standard), GDPR Article 32, POPIA Condition 7 (Security Safeguards, Sections 19–22), and industry best practices. A comprehensive description of our security controls is available at ambernexus.ai/security-controls.

Access Control

  • Role-based access control with principle of least privilege.
  • Multi-factor authentication (OTP) required for every login event, including password resets.
  • Minimum 12-character password requirement with password history enforcement (last 5 passwords).
  • Account lockout after 5 consecutive failed login attempts.
  • Password expiry every 60 days with mandatory first-time password change.
  • Concurrent login sessions disallowed.
  • Formal access request and approval workflows.
  • Regular access reviews and prompt revocation upon role change or termination.

Encryption and Data Protection

  • Encryption in transit: TLS 1.2 or higher for all data transmission.
  • Encryption at rest: All AWS instances, S3 storage, and database volumes encrypted. Sensitive information including PII is encrypted at rest.
  • All sensitive and personal data encrypted both in transit and at rest.
  • Secrets (API keys, database credentials, encryption keys) rotated at Amber Nexus-defined frequencies.
  • Data classification and handling policy with defined classification levels.

Network and Infrastructure Security

  • Cloudflare Web Application Firewall (WAF) protecting against OWASP Top 10, DDoS, and bot traffic.
  • CIS Controls implementation for infrastructure hardening.
  • Network segmentation and firewall rules.
  • Cloud security policy governing secure AWS configuration, deployment, and management.

Application Security

  • Secure Software Development Lifecycle (SDLC) with security checkpoints at each stage.
  • Regular internal vulnerability assessments using SAST and DAST.
  • Third-party penetration testing conducted regularly.
  • Formal change management procedures with impact assessment, approval, and rollback plans.

Monitoring and Incident Response

  • Continuous incident monitoring with alert triage and escalation.
  • Comprehensive logging and monitoring with defined retention and review procedures.
  • Information incident management policy with breach notification aligned to GDPR, DPDPA, and JDPA timelines.

Endpoint Security

  • Endpoint Detection and Response (EDR) deployed on all end-user machines.
  • Mobile Device Management (MDM) enforcing security policies, encryption, and remote wipe.

Physical and Environmental Security

  • Physical access controls, environmental safeguards, and facility security requirements.
  • Visitor management and secure equipment disposal.

Organisational Measures

  • Background verification (BGV) checks conducted for all employees.
  • Security awareness training conducted at defined intervals for all employees.
  • Confidentiality obligations in all employment and contractor agreements.
  • Documented business continuity and disaster recovery plans, tested regularly.
  • Risk assessments performed regularly with treatment plans and continuous improvement.

ANNEX C - INTERNATIONAL DATA TRANSFERS

The following international transfers are authorised under this DPA:

Data Exporter | Data Importer | Transfer Destination | Transfer Mechanism
Customer (Controller) | Amber Nexus (Processor) | United States (AWS) | SCCs (Module 2) / JDPA Section 31 / DPDPA compliance / POPIA Section 72
Amber Nexus (Processor) | Deepgram (Sub-processor) | United States | SCCs (Module 3) / DPA
Amber Nexus (Processor) | ElevenLabs (Sub-processor) | United States, Netherlands, Singapore | SCCs (Module 3) / DPA
Amber Nexus (Processor) | Google LLC (Sub-processor) | United States / Global | SCCs (Module 3) / DPA / EU-U.S. Data Privacy Framework
Amber Nexus (Processor) | Twilio (Sub-processor) | United States | SCCs (Module 3) / DPA
Amber Nexus (Processor) | Plivo (Sub-processor) | Global (US, India) | SCCs (Module 3) / DPA
Amber Nexus (Processor) | Mailgun (Sub-processor) | United States | SCCs (Module 3) / DPA
Amber Nexus (Processor) | Zoho Corporation (Sub-processor) | US, EU, India | DPA / SCCs (Module 3)
Amber Nexus (Processor) | Meta Platforms / WhatsApp (Sub-processor) | United States, EU | DPA / SCCs (Module 3) / EU-U.S. Data Privacy Framework
Amber Nexus (Processor) | Cloudflare (Sub-processor) | Global (edge network) | DPA / SCCs (Module 3)
Amber Nexus (Processor) | Amber Pay / PowerTranz (Sub-processor) | Caribbean / United States | DPA / PCI DSS Level 1 / Mastercard Global Standards

Transfer mechanisms applied across jurisdictions include: Standard Contractual Clauses (SCCs) for EEA transfers; UK International Data Transfer Addendum (IDTA) for UK transfers; EU-U.S. Data Privacy Framework where certified; DPDPA compliance for India; JDPA Section 31 compliance for Jamaica; POPIA Section 72 compliance for South Africa (transfers subject to adequate protection or binding agreements ensuring equivalent protection to POPIA); and Data Processing Agreements with all Sub-processors across all jurisdictions.

Contact Us

For any questions regarding this DPA, to exercise data protection rights, or to request a copy of the Standard Contractual Clauses or other transfer safeguards, please contact:

Data Protection Officer: privacy@myambergroup.com

Address: 5th Floor, 13 Haining Road, Kingston 5, Jamaica

This DPA is incorporated into and forms part of the Principal Agreement. By accessing or using the Services, the Customer acknowledges and agrees to the terms of this DPA.

Security Controls

Last Updated: April 29, 2026

This Security Controls document describes the technical and organisational security measures implemented by AmberNexus to protect customer data, ensure service availability, and maintain compliance with applicable data protection laws including the Jamaica Data Protection Act, 2020 (JDPA), the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Digital Personal Data Protection Act, 2023 (DPDPA).

AmberNexus implements reasonable and appropriate technical and organisational measures to secure and protect Personal Data against unauthorised access, accidental loss, alteration, disclosure, or destruction, in accordance with Section 30 of the JDPA and Article 32 of the GDPR.

1. Governance and Policy Framework

AmberNexus maintains a comprehensive governance and policy framework to ensure that security, privacy, and operational standards are consistently applied across the organisation.

Information Security Policy. Comprehensive information security policy establishing the organisation's security objectives, principles, and management commitment.

Acceptable Usage Policy. Defines acceptable and prohibited use of organisational information systems, networks, and data. Ensures employees and contractors understand their obligations regarding data handling and system usage.

Code of Conduct Policy. Establishes standards of ethical behaviour and professional conduct expected of all employees, including adherence to data protection principles.

Data Protection and Privacy Policy. Governs the collection, processing, storage, and sharing of personal data in compliance with the JDPA, GDPR, UK GDPR, DPDPA, and other applicable laws.

Privacy Policy on Website. Publicly accessible privacy policy published at ambernexus.ai/legal.html detailing data collection practices, legal bases, and data subject rights.

List of Approved Policies and Procedures. Maintained register of all approved organisational policies and procedures with version control, review dates, and responsible owners.

Availability of Policy Documents. All policy documents are made available to relevant stakeholders and employees. Policies are reviewed and updated at defined intervals.

Whistleblower Policy. Formal whistleblower policy enabling employees and stakeholders to report unethical conduct, security violations, or data protection concerns without fear of retaliation.

Management Roles and Responsibilities. Clear definition and assignment of security roles and responsibilities across management, including a designated Data Protection Officer (DPO) and Information Security function.

2. Access Management and Authentication

AmberNexus enforces strict access management and authentication controls to ensure that only authorised individuals can access systems, data, and services.

Access Management Policy

Formal policy governing user access provisioning, de-provisioning, and periodic access reviews. All access to systems and data requires formal approval and follows the principle of least privilege.

Password Policy

Formal password policy defining complexity requirements, rotation schedules, storage standards, and handling procedures for all organisational systems.

First-Time Password Change Required. Users are required to update their password upon first login before accessing the Services. This prevents use of temporary or pre-set credentials.

Minimum 12-Character Password Requirement. All user passwords must be at least 12 characters in length, enforcing strong password creation across the platform.

Password History Enforcement (Last 5). The system retains a history of the last 5 passwords and prevents reuse, ensuring users create genuinely new credentials at each rotation.

Account Lockout After 5 Failed Attempts. User accounts are automatically locked after 5 consecutive failed login attempts, protecting against brute-force attacks.

Password Expiry Every 60 Days. Passwords expire every 60 days, requiring users to create new credentials at regular intervals to limit the window of exposure from compromised credentials.

Multi-Factor Authentication

After entering username and password, a one-time password (OTP) is required for every authentication event, including password resets. This ensures that credential compromise alone is insufficient for unauthorised access.

Concurrent Login Control

Simultaneous login sessions from multiple devices or locations are disallowed. This prevents session hijacking and ensures accountability for all authenticated actions.

3. Data Protection and Encryption

AmberNexus implements robust encryption and data protection measures to safeguard sensitive information throughout its lifecycle, both in transit and at rest.

Encryption Policy. Establishes standards for encryption of data in transit and at rest, including approved algorithms, key management, and rotation procedures.

TLS 1.2 Encryption for Data in Transit. All data transmitted between clients, services, and third-party integrations is encrypted using Transport Layer Security (TLS) 1.2 or higher.

AWS Encryption (Data at Rest). All AWS instances and storage volumes are encrypted at rest. Sensitive information including personally identifiable information (PII) is encrypted at rest across Amazon S3 buckets, RDS databases, and EBS volumes.

Sensitive Information Encrypted in Transit and at Rest. All sensitive and personal data, including PII, voice data, call recordings, transcripts, and account credentials, is encrypted both during transmission and while stored.

Secrets Rotation at Amber-Defined Frequencies. API keys, database credentials, encryption keys, and other secrets are rotated at frequencies defined by AmberNexus's security policy.

Data Classification and Handling Policy. Defines data classification levels (e.g., public, internal, confidential, restricted) and the corresponding handling, storage, transmission, and disposal requirements for each level.

Data Backup Policy. Defines backup schedules, retention periods, storage locations, and restoration procedures for critical data and systems.

4. Infrastructure and Network Security

AmberNexus deploys layered infrastructure and network security controls to protect cloud environments, network boundaries, and physical facilities.

Network Security Policy. Defines network segmentation, firewall rules, intrusion detection and prevention, and monitoring requirements for all network environments.

Cloud Security Policy. Governs the secure configuration, deployment, and management of cloud services (AWS). Covers identity and access management, logging, encryption, and incident response in the cloud environment.

CIS Controls Implementation. Infrastructure is hardened and monitored in alignment with Center for Internet Security (CIS) Controls, providing a baseline of security best practices.

Cloudflare Web Application Firewall (WAF). Cloudflare WAF is deployed to protect web-facing services against OWASP Top 10 vulnerabilities, DDoS attacks, and automated bot traffic.

Physical and Environmental Policy. Establishes physical access controls, environmental safeguards, and facility security requirements for any premises housing information systems.

5. Application Security and Software Development Lifecycle

AmberNexus integrates security into every stage of the software development lifecycle and enforces rigorous application security testing and change management.

Software Development Lifecycle Management Policy. Formal SDLC policy governing secure development practices, code review requirements, and security gate checks.

Development Lifecycle Established. Structured development lifecycle with defined stages including requirements, design, development, testing, deployment, and maintenance.

Regular Internal Vulnerability Assessments (SAST and DAST). Regular internal vulnerability assessments are conducted using both Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools.

Third-Party Penetration Testing. Independent third-party penetration testing is conducted regularly to identify vulnerabilities that may not be detected by internal assessments.

Change Management Policy. Formal policy governing how changes to information systems, infrastructure, and applications are requested, assessed, approved, implemented, and reviewed.

Change Management Procedures Enforced. All changes to production systems and code follow formal change management procedures including impact assessment, approval workflows, testing, and rollback plans.

Vulnerability Management Policy. Defines processes for identifying, classifying, prioritising, remediating, and tracking vulnerabilities across all systems and applications.

6. Monitoring, Logging and Incident Response

AmberNexus maintains comprehensive monitoring, logging, and incident response capabilities to detect, respond to, and recover from security incidents.

Logging and Monitoring Policy. Comprehensive logging and monitoring policy defining what events are logged, log retention periods, access controls for logs, and review procedures.

Incident Monitoring. Continuous monitoring of systems, networks, and applications for security incidents, anomalous behaviour, and policy violations with alert triage and escalation.

Information Incident Management Policy. Defines the incident response lifecycle including detection, classification, containment, eradication, recovery, and post-incident review. Breach notification timelines aligned to GDPR (72 hours), DPDPA, and JDPA requirements.

7. Human Resources and Endpoint Security

AmberNexus ensures that security responsibilities are embedded throughout the employee lifecycle and that endpoint devices are protected.

Human Resource Security Policy. Governs security responsibilities throughout the employee lifecycle including pre-employment screening, onboarding, role changes, and termination.

Background Verification (BGV) Checks. Background verification checks are conducted for all employees prior to employment, verifying identity, qualifications, and relevant history.

Security Awareness Training. Security awareness training is conducted at defined intervals for all employees, covering phishing, social engineering, data handling, incident reporting, and regulatory obligations.

Endpoint Detection and Response (EDR). EDR solutions are deployed on all end-user machines, providing real-time threat detection, automated response, and forensic investigation capabilities.

Mobile Device Management (MDM). MDM is implemented across the organisation to enforce security policies on mobile and endpoint devices, including encryption, remote wipe, and application controls.

Remote Working Policy. Defines security requirements for remote and hybrid work arrangements, including secure connectivity (VPN), device requirements, and data handling obligations.

Asset Management Policy. Governs the identification, classification, tracking, and secure disposal of information assets, including hardware, software, and data.

8. Business Continuity and Risk Management

AmberNexus maintains business continuity and risk management programmes to ensure service resilience and the ability to recover from disruptions.

Business Continuity Management Policy. Establishes the framework for business continuity planning, including business impact analysis, recovery objectives, and plan maintenance.

Continuity and Disaster Recovery Plans Established. Documented continuity and disaster recovery plans are in place, tested regularly, and updated based on lessons learned.

Risk Management Policy. Defines the methodology for identifying, assessing, treating, and monitoring information security risks. Integrates with enterprise risk management.

Risk Assessments Performed. Regular risk assessments are conducted to identify and evaluate threats and vulnerabilities to information assets, with treatment plans established for identified risks.

9. Vendor and Third-Party Management

AmberNexus maintains rigorous vendor management controls to ensure that third-party service providers meet our security and data protection standards.

Vendor Management Policy. Governs the assessment, selection, onboarding, and ongoing monitoring of third-party vendors and service providers. Vendors processing personal data are subject to due diligence.

Third-Party Agreements Established. All third-party service providers are bound by Data Processing Agreements requiring data security measures, breach notification, data deletion on termination, and sub-processor restrictions.

10. Payment Security

AmberNexus maintains PCI DSS Level 1 compliance for all payment processing activities through its partnership with Amber Pay and the PowerTranz payment gateway (a Mastercard subsidiary).

PCI DSS Level 1 Compliance. Amber Pay, our payment processor, holds PCI DSS Level 1 certification, the highest level of payment card industry compliance. PowerTranz, the underlying payment gateway, is a Mastercard subsidiary and independently PCI DSS Level 1 certified.

Card Data Tokenisation. All cardholder data is tokenised at the point of capture. Raw card numbers, CVVs, and magnetic stripe data are never stored on AmberNexus or Amber Pay systems. Tokenised references are used for all subsequent transaction processing and record-keeping.

Payment Data Encryption. All payment data in transit is encrypted using TLS 1.2 or higher. End-to-end encryption is maintained from the point of card data entry through to the payment gateway and card network.

Transaction Record Retention. Transaction records are retained for the period required by applicable financial regulations and card scheme rules (typically up to 7 years). Records are purged upon account closure and expiry of regulatory retention obligations.

Contact Us

For any questions regarding this Document or our security controls, please contact our Data Protection Officer or Security Team at:

Email (General / DPO): privacy@myambergroup.com

This Document is reviewed and updated periodically to reflect changes in our security posture, regulatory obligations, and threat landscape.