
Standard Data Processing Agreement

Contents

Ten sections, organised by topic, followed by execution.

Framework ────────────────────────────────────────────────────────

§ 1 Subject matter and term of processing

§ 2 Specification of the content

Security and obligations ────────────────────────────────────────────────────────

§ 3 Technical and organisational measures

§ 4 Quality assurance and other obligations of the Contractor

Sub-processing ────────────────────────────────────────────────────────

§ 5 Sub-contracting in accordance with Art. 28(3)(2)(d) GDPR

Control, support and instructions ────────────────────────────────────────────────────────

§ 6 Monitoring rights of the Controller

§ 7 Support and notification obligations of the Contractor

§ 8 The Controller's authority to issue instructions

Closing ────────────────────────────────────────────────────────

§ 9 Erasure and return of personal data

§ 10 Other provisions

Execution


Parties


Personal Data Processing Contract within the meaning of Art. 28(3) of the Regulation (EU) 2016/679 (GDPR).


On behalf of the CLIENT:

“CLIENT” referring to the entity or individual that sources, buys, or in any way controls licenses for Users and End Users or External Users as defined in the Order Form, to which this document is attached.

– Controller within the meaning of Art. 4 No. 7 GDPR –

– hereinafter referred to as the “Controller” –


by the VENDOR

Retorio GmbH, Landwehrstraße 63, 80336 München, Germany

– Processor within the meaning of Art. 4 No. 8 GDPR –

– hereinafter referred to as the “Processor” –

– hereinafter referred to individually as “Party” or jointly as “Parties” –

 

§ 1 | Subject matter and term of processing

1Details on the subject matter and duration of the processing shall in each case be derived from the more detailed designation of the main agreement to which this DPA is attached (hereinafter referred to as the Main Contract or Main Agreement) concluded between the parties on which this contract is based. 2This Agreement is legally dependent and shares the legal fate of the Main Agreement; termination of the Main Agreement shall automatically result in termination of this Agreement. 3The parties are aware that no (further) commissioned processing may be carried out without the existence of a valid commissioned processing agreement. 4An isolated ordinary termination of this Agreement is excluded.

 

§ 2 | Specification of the content

(1) Type of processing

1As part of the order, personal data shall be processed by the Processor within the meaning of Art. 4 No. 2 GDPR. 2In essence, this is the collection, the adaptation or alteration and the readout.

(2) Purpose of the processing

1Data are processed for the following purpose: 2Biometric data is required to determine and evaluate the behaviour displayed by the person. 3The identification of the person as such (identity) is not stored. 4Rather, the algorithm extracts image data (e.g. face, arms, etc.) and analyses them automatically. 5The output contains no biometric information. 6Only the algorithm processes them. 7The Processor does not store the processed data either.

(3) Location of the processing

1The contractually agreed data processing shall, as a matter of principle and by default, take place in a member state of the European Union (EU) or in another contracting state of the Agreement on the European Economic Area (EEA). 2The Processor prioritises EU/EEA processing for all CLIENT data, including for the AI sub-processing services described in § 5.

3By way of exception, where strictly necessary to maintain the availability, continuity and performance of the Service — in particular in the event of a capacity shortfall, service degradation, outage or disaster-recovery event affecting the EU/EEA regions of the Processor's AI infrastructure sub-processors (currently Microsoft Azure OpenAI Service and Google Cloud Vertex AI) — limited categories of personal data may, for the duration of the event only, be processed on a transient basis in those providers' global infrastructure, which may include locations outside the EU/EEA (including the United States). 4Any such transient processing is subject to the following safeguards: (a) it is limited to what is necessary to provide the requested Service function and lasts no longer than the capacity or availability event requires; (b) the data is processed on a zero-retention basis, is not stored beyond the duration of the interaction, and is not used by the relevant provider to train, retrain or otherwise improve any model; and (c) the transfer is covered by the appropriate transfer mechanism under Chapter V GDPR set out in § 5 for the relevant sub-processor.

5A relocation of the regular (non-transient) storage of CLIENT data to a third country may only take place in compliance with the provisions of this contract if the Processor informs the CLIENT in advance of the location of the data processing and if the special requirements set out in Art. 44 et seqq. GDPR are met.

(4) Type of data

The following types/categories of personal data are processed:

  • Contact/communication data (e.g., phone, email, if actively provided by applicant or employee; not mandatory).
  • Performance data (if provided by the client), if applicable.
  • Biometric data (Art. 4 No. 14 GDPR).

(5) Data subject categories

The categories of data subjects include:

  • Employees

 

§ 3 | Technical and organisational measures

(1) 1Before starting the processing, particularly with regard to the performance of the specific order, the Contractor shall document the implementation of the necessary technical and organisational measures that were set out before the order was assigned, and pass these on to the Controller to be reviewed. 2Upon acceptance by the Controller, the documented measures shall form the basis of the order. 3If changes are required following the review or an audit by the Controller, these shall be implemented by mutual agreement.

(2) 1The Contractor shall ensure the security pursuant to Art. 28 (3)(c) and (e) sub-clause 1, Art. 32 GDPR, particularly in conjunction with Art. 5 (1) and (2) GDPR. 2The measures to be taken are measures to secure data and ensure an appropriate level of security for the risk with regard to the confidentiality, integrity, availability and resilience of the systems and services. 3The state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, within the meaning of Art. 32(1) GDPR, are to be taken into account [details in Exhibit 5].

(3) 1The technical and organisational measures are subject to technical advances and further development. 2In this respect, the Contractor is permitted to implement alternative adequate measures. 3The security level of the defined measures must be maintained. 4Significant changes shall be documented.

 

§ 4 | Quality assurance and other obligations of the Contractor

pursuant to Art. 28 (3)(1) GDPR:

In addition to compliance with the regulations of this order, the Contractor also has legal obligations as a processor; therefore, the Contractor shall ensure compliance with the following requirements:

(1) 1Where required by law, the Contractor shall appoint a competent and reliable person as a data protection officer, who shall perform the duties pursuant to Art. 38 and 39 GDPR. 2The contact information of the appointed data protection officer shall be provided to the Controller for the purposes of establishing direct contact. 3If the Contractor is not obligated to appoint a data protection officer, a point of contact for data protection matters shall be appointed, the contact information of whom shall be provided to the Controller for the purposes of establishing direct contact. 4The Controller shall be notified without undue delay of any change in data protection officer or point of contact.

(2) Pursuant to Art. 28(3)(2)(b) GDPR, the Contractor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and have been made aware of the data protection provisions that are relevant to them beforehand.

(3) The Contractor and any person acting under the authority of the Contractor who has access to personal data shall not process those data except on instructions (Art. 29, 32(4) GDPR) from the Controller, including the authority granted under this Contract, unless required to do so by law.

(4) The Contractor shall ensure the implementation of and compliance with all technical and organisational measures required for this order pursuant to Art. 28(3)(2)(c), Art. 32 (GDPR) [details in Exhibit 5].

(5) The Controller and the Contractor (and, where applicable, their representatives) shall cooperate, on request, with the supervisory authority in the performance of its tasks (Art. 31 GDPR).

(6) 1The Contractor undertakes to inform the Controller immediately of supervisory inspections and measures to the extent that they apply to this order. 2This also applies if a responsible authority conducts an investigation of the Contractor as part of an administrative offence or criminal proceedings with regard to the processing of personal data.

(7) If the Controller is subject to monitoring by the supervisory authority, an administrative offence or criminal proceedings, a liability claim of a data subject or a third party or another claim relating to the processing by the Contractor, the Contractor shall support the Controller to the best of its ability.

(8) The Contractor shall regularly monitor the internal processes and the technical and organisational measures to ensure that the data for which it is responsible are processed in line with the requirements of applicable data protection law, and the rights of the data subject are protected.

(9) The Contractor shall ensure that it can demonstrate the agreed technical and organisational measures to the Controller as part of its monitoring rights in accordance with § 6 of this Contract.

 

§ 5 | Sub-contracting in accordance with Art. 28(3)(2)(d) GDPR

in conjunction with Art. 28(2) and (4) GDPR:

1Sub-contracting services are services that relate directly to the provision of the main service. 2Services that the Contractor uses purely as ancillary services from third parties in order to perform their business activity are not considered sub-contracting. 3These include, for example, cleaning services, pure telecommunications services with no specific relation to services provided by the Contractor for the Controller, postal and courier services, transport services or security services. 4The Contractor is also obligated, including for additional services provided by third parties, to ensure that appropriate precautions and technical and organisational measures have been agreed in order to ensure the protection of personal data. 5The maintenance and upkeep of IT systems or applications is considered sub-contracting that requires approval and processing within the meaning of Art. 28 GDPR if the maintenance and inspection relates to systems that are used in connection with providing services for the Controller, and personal data that are processed on behalf of the Controller can be accessed during the maintenance.

In line with the regulation of Art. 28(2)(1) GDPR, the Contractor shall not use other processors (sub-contractors, sub-sub-contractors) without the prior separate or general written consent of the Controller; the sub-contracting provisions apply (accordingly) to both the sub-contractor as well as to all other engaged (sub-)sub-contractors.

§ 5.1 | Authorised sub-processors and the sub-processor list

1The Controller hereby grants the Contractor general written authorisation, within the meaning of Art. 28(2) GDPR, to engage the sub-processors required to provide the Service. 2The current, authoritative list of sub-processors engaged by the Contractor — including each sub-processor's name, the processing activity, the categories of data, the processing location and the applicable third-country transfer mechanism — is maintained and kept up to date by the Contractor at:

https://retorio.com/legal/subprocessors (the “Sub-Processor List”).

3The Sub-Processor List as published at the Effective Date is reproduced for reference in the table below. 4In the event of any discrepancy between the table below and the online Sub-Processor List, the online Sub-Processor List, as notified to the Controller in accordance with § 5.2, governs the then-current set of authorised sub-processors. 5This reflects common practice among enterprise SaaS providers and is intended to keep this DPA stable while allowing the underlying list of providers to be kept current without re-executing the Agreement.

Sub-Processor List — as at the Effective Date

Each entry lists: Sub-Processor; Description; Purpose; Data subjects; Location & transfer mechanism.

Intercom
  Description: Communication interface / chatbot for support enquiries.
  Purpose: Customer Service
  Data subjects: Users & CLIENT
  Location & transfer mechanism: 55 2nd Street, 4th Floor, San Francisco, CA 94105, USA. SCCs in place (intercom.com/legal/data-processing-agreement). EU migration intended.

Google (Google Ireland Ltd.)
  Description: Cloud hosting of the application; flexible scaling and worldwide availability.
  Purpose: Data storage & management
  Data subjects: CLIENT & Users
  Location & transfer mechanism: Google Ireland Ltd., Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (EU region).

MongoDB
  Description: Cloud-hosted databases for faster data processing and access.
  Purpose: Managed database-as-a-service
  Data subjects: CLIENT & Users
  Location & transfer mechanism: MongoDB Inc., Building Two, Number One Ballsbridge, Dublin 4, Ireland (EU region).

Google & Microsoft
  Description: State-of-the-art speech models across many languages.
  Purpose: Speech-to-Text
  Data subjects: Users
  Location & transfer mechanism: Google Ireland Ltd., Dublin; Microsoft Ireland, One Microsoft Place, Dublin D18 P521, Ireland (EU regions).

Microsoft
  Description: Summarises spoken content and matches it to response categories for feedback.
  Purpose: Text analysis
  Data subjects: CLIENT & Users
  Location & transfer mechanism: Microsoft Ireland, One Microsoft Place, Dublin D18 P521, Ireland (EU region).

Microsoft Corporation (US)
  Description: AI infrastructure (Azure OpenAI Service). Transient failover processing only, where EU/EEA regions are unavailable or at capacity (see §2(3), §5.4).
  Purpose: Speech-to-Text / Text analysis (failover)
  Data subjects: Users / CLIENT
  Location & transfer mechanism: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA. Transfer mechanism: EU SCCs (Commission Decision 2021/914), processor-to-processor module, per the Microsoft Products and Services DPA. Microsoft EU Data Boundary applies by default.

Google LLC (US)
  Description: AI infrastructure (Google Cloud Vertex AI). Transient failover processing only, where EU/EEA regions are unavailable or at capacity (see §2(3), §5.4).
  Purpose: Speech-to-Text / Text analysis (failover)
  Data subjects: Users / CLIENT
  Location & transfer mechanism: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Transfer mechanism: EU SCCs (Commission Decision 2021/914) and/or EU–U.S. Data Privacy Framework, per the Google Cloud Data Processing Addendum (CDPA).

Sendgrid (Twilio)
  Description: Automated emails (registration, invitations, password reset / double opt-in).
  Purpose: Email registration / password
  Data subjects: Users & CLIENT
  Location & transfer mechanism: 1801 California Street, Suite 500, Boulder, CO 80202, USA. DPA with Twilio incorporating SCCs. EU migration intended.

Sentry
  Description: Tracks system failures and exceptions.
  Purpose: Exception detection & bug fixing
  Data subjects: Users & CLIENT
  Location & transfer mechanism: 132 Hawthorne St, San Francisco, USA. DPA in place covering SCCs (sentry.io/legal/dpa). EU migration intended.

Hotjar
  Description: Insight into software blockers to improve the experience.
  Purpose: User experience & behaviour
  Data subjects: Users & Customers
  Location & transfer mechanism: Hotjar Ltd, Dragonara Business Centre, St Julian's STJ 3141, Malta (EU).

Anam
  Description: Provision of virtual avatars.
  Purpose: Virtual avatars
  Data subjects: Users & Customers
  Location & transfer mechanism: ANAM.AI LTD (no. 15214363), Fora, White Collar Factory, Old Street Yard, London EC1Y 8AF, UK. UK adequacy applies.

Xirsys
  Description: Persistent connection enabling dynamic conversations.
  Purpose: Latency of dynamic conversations
  Data subjects: Users & Customers
  Location & transfer mechanism: 25350 Magic Mountain Parkway, Suite 300, Santa Clarita, CA 91355, USA. SCCs in place.

Grafana Labs
  Description: Detects errors during operation.
  Purpose: Customer Service
  Data subjects: Users & Customers
  Location & transfer mechanism: Grafana Labs, Potsdamer Platz 10, Haus 2, 10785 Berlin, Germany (EU).

 

§ 5.2 | Changes to sub-processors (notification and objection)

1The Contractor shall notify the Controller of any intended addition or replacement of a sub-processor before that sub-processor begins processing the Controller's personal data. 2Notification is given by updating the online Sub-Processor List and by sending notice in text form (including by email) to the contact the Controller has designated for this purpose, or, in the absence of a designated contact, to the Controller's administrative or billing contact on file. 3The Controller may subscribe to changes to the Sub-Processor List in order to receive such notifications automatically.

4The Controller is entitled to object to the engagement of a new or replacement sub-processor in written or text form for good cause relating to data protection, to be substantiated to the Contractor. 5If the Controller does not raise an objection within fourteen (14) days of receipt of the notification, the Controller's right of objection with regard to that change shall lapse and the change is deemed approved. 6If the Controller objects for good cause, the Parties shall work together in good faith to find a commercially reasonable solution that addresses the Controller's concern. 7If no such solution can be found within a reasonable period, either Party may terminate the affected part of the Service, and the Controller may terminate the Main Agreement with respect to the services that cannot be provided without the relevant sub-processor; the Contractor may, in that case, terminate the affected part of the Service at the time the sub-processor was to be used. 8If the Controller refuses consent through its objection for reasons other than data-protection good cause, the Contractor may terminate this Contract as well as the Main Contract, if applicable, at the time of the planned use of the sub-processor.

§ 5.3 | Flow-down and onward sub-processing

1The Controller's personal data may only be transmitted to the sub-processor, and that sub-processor used for the first time, once all conditions for sub-contracting have been met. 2In particular, the Contractor is responsible for imposing its data protection obligations under this Contract on the other processor in accordance with Art. 28(4)(1) GDPR. 3The Contractor hereby generally approves onward sub-processing as reflected in the Sub-Processor List; any further outsourcing by a sub-processor to a sub-sub-processor not reflected in the Sub-Processor List requires notification in accordance with § 5.2, to which the same objection right applies.

§ 5.4 | Third-country processing, EU prioritisation and transient failover

1Where a sub-processor provides the agreed service outside the EU/EEA, the Contractor shall take appropriate measures to ensure admissibility under data protection law in accordance with Art. 44 et seqq. GDPR, in particular by relying on the transfer mechanism identified for that sub-processor in the Sub-Processor List.

2The Processor prioritises processing in the EU/EEA. 3For the AI infrastructure services provided through Microsoft Azure OpenAI Service and Google Cloud Vertex AI, the EU/EEA regions of those providers are used by default. 4In the limited failover circumstances described in § 2(3) — namely a capacity shortfall, service degradation, outage or disaster-recovery event affecting those EU/EEA regions — the Contractor maintains the right to route the affected processing, on a transient and temporary basis for the duration of the event only, to the relevant provider's global infrastructure, which may include the United States, under the transfer mechanism identified for Microsoft Corporation (US) and Google LLC (US) in the Sub-Processor List. 5Such failover processing is performed on a zero-retention basis: the data is processed transiently to deliver the requested Service function, is not retained beyond the interaction, and is not used to train, retrain or improve any model. 6This § 5.4 is consistent with, and does not expand beyond, the AI processing described in the SaaS Terms of Service (Exhibit 2, § 7).

 

§ 6 | Monitoring rights of the Controller

pursuant to Art. 28(3)(2)(h) GDPR:

1In consultation with the Contractor, the Controller has the right to conduct audits or to have audits conducted by auditors to be appointed in each case; these auditors must not be competitors of the Contractor. 2The Controller has the right to make sure that the Contractor is complying with the provisions of this Contract in its business operations by conducting random inspections; the Contractor shall be notified of such inspections in good time.

1The Contractor shall ensure that the Controller can be convinced of the Contractor's compliance with its obligations in accordance with Art. 28 GDPR. 2The Contractor undertakes to issue the necessary information to the Controller on request and particularly to demonstrate the implementation of the technical and organisational measures.

Such measures that do not relate solely to the specific order may be demonstrated by:

  • compliance with the approved code of conduct pursuant to Art. 40 GDPR;
  • certification in accordance with an approved certification mechanism pursuant to Art. 42 GDPR;
  • current certificates, reports, or excerpts of reports by independent authorities (e.g. auditors, auditing department, data protection officer, IT security department, data protection auditors, quality auditors); and/or
  • suitable certification by an IT security or data protection audit (e.g. in accordance with the BSI basic protection).

 

§ 7 | Support and notification obligations of the Contractor

pursuant to Art. 28(3)(2)(e) and (f) GDPR – Duty to notify of data breaches:

1The Controller is responsible for safeguarding the rights of the data subject. 2Taking into account the nature of the processing, the Contractor is obliged to assist the Controller by suitable technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR; this means responding to requests from data subjects with regard to the Controller's duties to provide information to the data subjects, their right of access, right to rectification, erasure, restriction of processing, data portability, as well as related notification obligations of the Controller, the right to object or to automated decision-making including profiling, if the data subject asserts such rights. 3If the data subject contacts the Contractor directly in order to assert a right, the Contractor shall pass on the data subject's requests immediately to the Controller.

1The Contractor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Contractor; this means the fulfilment of the Controller's legal obligations to secure data, report data breaches to the supervisory authorities and the data subjects, carry out data protection impact assessments as well as consult with the responsible supervisory authority beforehand if necessary as part of the data protection impact assessment. 2The Contractor and the Controller shall cooperate, on request, with the responsible supervisory authority in the performance of its tasks.

 

§ 8 | The Controller's authority to issue instructions

1The Contractor processes personal data only within the scope of the agreements made and on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Contractor is subject (Art. 28(3)(3)(a) GDPR, Art. 29 GDPR). 2In such a case, the Contractor shall inform the Controller of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

1The Contractor shall ensure that data are processed in accordance with the Controller's instructions. 2If the Contractor is of the opinion that an instruction issued by the Controller violates this Contract or applicable data protection law, the Contractor shall immediately inform the Controller thereof; after informing the Controller, the Contractor is entitled to suspend performance of the instruction until the instruction has been confirmed or amended by the Controller. 3The Parties agree that the Controller is solely responsible for the processing performed in accordance with the instruction.

1The Controller's instructions are issued in written or text form. 2If necessary, the Controller may issue instructions verbally (by phone). 3The Controller shall confirm instructions issued verbally or by phone without undue delay in written or text form.

 

§ 9 | Erasure and return of personal data

pursuant to Art. 28(3)(2)(g) GDPR:

1Copies or duplicates of data shall not be created without the Controller's knowledge. 2This excludes backup copies, provided these are necessary to ensure proper data processing, as well as data that are required in order to comply with statutory storage obligations.

1After completion of the contractually agreed work or earlier at the Controller's request, but no later than at the end of the service agreement, the Contractor shall return to the Controller all documents in its possession, created results of processing and use, as well as data files relating to the order, or destroy these in accordance with data protection requirements after obtaining the Controller's prior consent. 2The same applies to test and scrap material. 3The record of the erasure shall be presented on request.

1Documentation that serves to demonstrate proper data processing in accordance with the order shall be stored by the Contractor beyond the end of the Contract in accordance with the respective retention periods. 2It may be handed over to the Controller at the end of the Contract.

 

§ 10 | Other provisions

(1) 1Both Parties are obliged to keep confidential all knowledge of business secrets and data security measures of the other Party obtained during the contractual relationship, including after termination of the Contract. 2If there is any doubt about whether information is subject to confidentiality, it is to be treated as confidential until it has been released by the other Party in writing.

(2) If the property of the Controller at the Contractor is at risk due to third-party measures (such as attachment or seizure), insolvency or similar proceedings, or other events, the Contractor shall notify the Controller without undue delay.

(3) 1The written form is required for ancillary agreements. 2This applies equally to waiving this written form requirement.

(4) The defence of the right of retention, regardless of the legal reason, shall be excluded with regard to the data processed on behalf of the Controller and the data carrier used.

(5) This Contract shall also apply if and to the extent authorities or courts accept a joint controller agreement between the Parties in accordance with Art. 26 GDPR.

(6) 1If individual provisions of this Contract prove to be invalid or unenforceable, either in whole or in part, or become invalid or unenforceable as a result of changes to legislation after entering into the Contract, this shall not affect the remaining provisions of the Contract or the validity of the Contract as a whole. 2The invalid or unenforceable provision shall be replaced with a valid and enforceable provision that comes as close as possible to the intent and purpose of the invalid provision. 3If the Contract contains loopholes, the provisions shall be considered agreed that meet the intent and purpose of the Contract and would have been agreed if the Parties had considered the loophole.

(7) The Contract will be governed solely by the law of the Federal Republic of Germany, excluding its provisions on the conflict of laws.

(8) The exclusive place of jurisdiction for all disputes arising out of or in connection with this Contract is the registered office of the Controller.