
DPA

Data Processing Agreement


within the Meaning of Art. 28, 29 of the GDPR

entered into by and between

Assistant Engine GmbH, Gerhofstraße 1-3, 20354 Hamburg - hereinafter "Licensor" or "Processor" -

and

the customer - hereinafter "Licensee" or "Controller" -

Recitals

The Processor processes personal data under the authority of the Controller within the meaning of Art. 4 no. 8 and Art. 28 of Regulation (EU) 2016/679 – General Data Protection Regulation (hereinafter "GDPR"). This Data Processing Agreement ("Agreement") defines the specific data protection obligations of the parties arising in connection with the outsourced data processing provided for in the master agreement ("License Agreement"). This Agreement applies to all services which relate to the master agreement and in connection with which employees of the Processor or third parties acting on behalf of the Processor may come into contact with personal data provided by the Controller. This Agreement is part of the License Agreement as Annex 1 and comes into effect upon the conclusion of the License Agreement.

Section 1

Definitions

1.1 Personal data means any information provided by the Controller relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4 no. 1 of the GDPR).

1.2 Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 no. 2 of the GDPR).

1.3 Instructions are any directions issued by the Controller to the Processor ordering the Processor to process personal data. Instructions are originally defined by the master agreement and thereafter may be modified, amended, or replaced by the Controller through written, individual instructions ("Individual Instructions").

Section 2

Applicability, Responsibility

The Processor shall process personal data under the authority of the Controller. The Controller is the sole party responsible for compliance with all applicable data protection laws, in particular for the lawful transfer of personal data to contractors and for the processing of personal data ("controller" within the meaning of Art. 4 no. 7 of the GDPR).

Section 3

Duration

The term of this Agreement corresponds to the term of the master agreement. The right to terminate for good cause shall remain unaffected thereby.

Section 4

Extent, Type, and Purpose of the Processing of Personal Data

The extent, type, and purpose of the processing of personal data by the Processor under the authority of the Controller are described in detail in the master agreement and the service description.

Section 5

Type of Data

The processing of personal data involves the following types/categories of data (enumeration/description of data categories):

  • Connection data (IP address, date/time)
  • Name, first name
  • Voice, image, and text files, particularly chat logs that are generated during/by the use of the app.
  • Content of the software application that is transmitted as context when using the user interface components.
  • All data that the Licensee provides to the Licensor for transmission to the LLM.
  • All data that the LLM or connected tools / third-party APIs return as feedback to the app.

Section 6

Data Subjects

The group of Data Subjects whose personal data is processed includes:

  • Users of the app (Licensee)
  • Persons and end users whose data is transmitted by the Licensee via the admin panel and/or the API interface.
  • Persons whose data becomes subject to data processing by the use of tools / third-party APIs connected to the app by the Licensee.

Section 7

Rectification, Erasure, Blocking, and Return of Data

7.1 The Controller may demand that personal data be rectified, erased, blocked, or returned at any time during or after the term of this Agreement and the master agreement by means of a legitimate Individual Instruction.

7.2 The Controller shall determine the measures for the surrender of the data carriers provided and/or deletion of the stored personal data after termination of the Agreement by contract or by Individual Instruction.

Section 8

Technical and Organizational Measures

8.1 The Processor shall implement technical and organizational measures to adequately protect personal data against the risks of misuse and loss in conformity with the requirements of Art. 24, 32 of the GDPR. Such measures include, without limitation, the following, provided that such measures are appropriate:

  • measures preventing unauthorized parties from gaining access to data processing systems employed to process or use personal data (physical access control);
  • measures preventing unauthorized parties from using data processing systems (system access control);
  • measures guaranteeing that persons authorized to use data processing systems have access exclusively to personal data covered by their access authorizations, and that personal data cannot be read, copied, modified, or removed without authorization during and after the processing (data access control);
  • measures guaranteeing that personal data cannot be read, copied, modified, or removed during electronic transfer or during transport or storage on data carriers and that it is possible to review and determine to whom personal data are to be transferred using data transmission systems (data transfer control);
  • measures guaranteeing that it can be reviewed and determined later on whether and by whom personal data have been input into, modified in, or removed from data processing systems (data input control);
  • measures guaranteeing that personal data processed by the Processor can be processed only as instructed by the Controller (order control);
  • measures guaranteeing that personal data are protected from accidental erasure or loss (data availability control);
  • measures guaranteeing that personal data that have been collected for different purposes can be processed separately (data separation control);
  • measures for the pseudonymization and encryption of personal data;
  • measures guaranteeing on an ongoing basis the confidentiality, integrity, availability, and resilience of systems and services related to the processing of personal data (Art. 32 para. 1 lit. b of the GDPR);
  • measures guaranteeing that in the event of any physical or technical incident the availability of personal data and access to personal data can be quickly restored; and
  • procedures for the regular review, analysis, and evaluation of the effectiveness of technical and organizational measures to guarantee the security of the processing of personal data.

8.2 Technical and organizational measures are subject to technological progress and continued development. Therefore, the Processor is permitted to implement adequate alternative measures, provided that such alternative measures guarantee the same level of security as the agreed measures. Any material changes that may adversely affect the integrity, confidentiality, or availability of personal data are to be documented.

Section 9

Instructions

9.1 The Controller shall have the right to issue Individual Instructions regarding the type, extent, and procedures of the processing of personal data to the Processor. Such instructions are to be issued in written form.

9.2 The Processor shall process personal data only within the framework of the master agreement, the Agreement and Individual Instructions, unless the Processor has a legal obligation to process personal data under EU law or the law of any member state.

9.3 Provisions regarding any compensation for additional costs incurred by the Processor as a result of Individual Instructions issued by the Controller shall remain unaffected thereby.

9.4 The Processor shall notify the Controller of any exceptions to the obligation to process personal data only in accordance with the Controller's instructions that may apply to the Processor under applicable law, unless such notification is prohibited by such applicable law for the protection of an important public interest.

Section 10

Other Obligations of the Processor

10.1 The Processor designates – if obliged by law – a data protection officer who can carry out its duties in accordance with Art. 37, 38, 39 of the GDPR. The Processor shall provide the Controller with the name and contact information of its data protection officer (if applicable) on request.

10.2 The Processor shall require those of its employees who are assigned to process personal data to agree to comply with the duty of data confidentiality (Art. 29 of the GDPR) and provide such employees with training and instruction on compliance with the data protection provisions of the GDPR. The duty of data confidentiality continues in effect after work has been completed.

10.3 The Processor shall notify the Controller of any major disruptions of Processor's business operations, of any suspected data breaches, and of any other irregularities concerning the processing of personal data. This also applies to any audits, measures by the regulatory authority within the meaning of Art. 51-59 of the GDPR, or investigations within the meaning of Art. 83, 84 of the GDPR.

10.4 The Processor acknowledges that it may be subject to notification obligations under Art. 33 of the GDPR in the event of any unlawful transfer or acquisition of certain personal data. Therefore, such incidents must be reported immediately to the Controller regardless of the cause. The Processor's report to the Controller shall include, without limitation, the following information:

  • A description of the nature of the personal data breach, including – if possible – the categories and approximate number of affected Data Subjects, and the categories and approximate number of affected personal data records;
  • A description of the measures implemented or proposed by the Processor to remedy the personal data breach and, if applicable, measures to mitigate potential adverse effects of the breach.

The Processor shall implement adequate measures to secure personal data and to mitigate potential adverse consequences for Data Subjects in agreement with the Controller.

10.5 The Processor has an obligation to notify the Controller at any time if data or documents of the Controller are affected by a personal data breach. The destruction of data material in compliance with data protection regulations shall be carried out by the Processor at its own expense, based on an Individual Instruction by the Controller. In special cases designated by the Controller in writing, data shall be stored or returned to the Controller.

Section 11

Rights and Obligations of the Controller

11.1 The Controller is the sole party responsible for assessing the lawfulness of the processing of personal data as well as for protecting the rights of the Data Subjects.

11.2 The Controller shall promptly and fully inform the Processor in writing if the Controller discovers any errors or irregularities with respect to data protection laws during its review of data processing results.

11.3 The Controller is responsible for keeping a record of processing activities as required by Art. 30 of the GDPR.

11.4 The Controller is responsible for complying with the notification obligations under Art. 33 of the GDPR.

Section 12

Inquiries from Data Subjects

12.1 If the Controller is obligated under applicable data protection law to provide individuals with information about the processing of their personal data, the Processor shall – when necessary – assist the Controller with making such information available, provided that the Controller has requested such assistance from the Processor in writing.

12.2 The Processor shall inform the Controller if Data Subjects assert their data protection rights against the Processor.

Section 13

Cooperation with Regulatory Authority

Upon request, the Controller and the Processor and, if necessary, their respective representatives shall cooperate with the regulatory authority in the performance of its tasks.

Section 14

Inspection Obligations of Controller

The Controller shall verify and approve the technical and organizational measures taken by the Processor before transmitting data to the Processor and continually during the term of this Agreement, and shall document the result. For this purpose, it may request a self-disclosure from the Processor or may conduct an audit during regular business hours, with at least one month's prior notice, at its own cost. In case of an audit, the Controller bears the costs of the manpower to be provided by the Controller in order to conduct the audit.

Section 15

Subcontractors

15.1 The Processor may commission sub-processors for the tasks under this Agreement described in Sections 3, 4 and 5, provided that the Processor ensures that the sub-processor is subject to the same obligations laid out in this Agreement; in particular, the Processor shall verify that the requirements of confidentiality, data protection and data security stipulated in this Agreement are met.

15.2 The Controller shall receive inspection rights within the meaning of Section 14. Upon written request of the Controller, the Processor shall provide the Controller with information about the relevant contents of the data processing agreement between the Processor and the sub-processor as well as a copy thereof.

15.3 The sub-processors engaged by the Processor are listed in Annex 1 "Subcontractors". The Processor shall be entitled to engage further sub-processors, provided that they comply with the requirements pursuant to Sections 15.1 and 15.2, the Processor informs the Controller thereof, and the Controller does not object in writing within seven days.

Section 16

Duty of Confidentiality

The Processor is obliged to maintain confidentiality when processing personal data. The Processor agrees to comply with the same data confidentiality obligations to which the Controller is subject. The Controller shall notify the Processor in writing of any special data confidentiality obligations.

Section 17

General Provisions, Disclosure Obligations, Written Form, Choice of Law

17.1 If personal data should be jeopardized at the Processor's place of business as a result of any attachment or seizure proceeding, any insolvency or composition proceeding, or any other events or third-party measures, the Processor shall promptly notify the Controller thereof. The Processor shall immediately inform all parties involved in such event that the Controller has exclusive ownership of and authority over the personal data and is therefore the "controller" within the meaning of the GDPR.

17.2 Personal data shall be processed and used exclusively in the territory of the Federal Republic of Germany, in any member state of the European Union, or in any other country that is a party to the Agreement on the European Economic Area. Each transfer of personal data to a third country is subject to the prior consent of the Controller and may proceed only if the special requirements of Art. 44, 45, and 46 of the GDPR are satisfied. Insofar as the processing is carried out by a sub-processor named in Annex 1 "Subcontractors", the Controller hereby gives its consent.

17.3 Any modifications or amendments to this Agreement or its provisions – including any representations by the Processor – shall require a written agreement and shall be expressly identified as modifications or amendments to provisions of this Agreement. The same shall also apply to any waiver of this form requirement.

17.4 This Agreement shall be subject to German law with the exception of the conflict of laws provisions.

17.5 Venue and jurisdiction shall be as provided in the master agreement, provided that under the terms of the master agreement venue and jurisdiction lie with the courts of the Federal Republic of Germany. Otherwise, exclusive venue and jurisdiction shall lie with the courts at the place of the Processor's registered office.

Annex 1: Subcontractors

  • Hetzner Online GmbH: Cloud-Hosting. Industriestr. 25, 91710 Gunzenhausen (Germany)