Data Processing Agreement (DPA)

pursuant to Art. 28 General Data Protection Regulation (GDPR)


between

the customer of the platform “SalesFrank” (hereinafter “Controller” or “Data Controller”)

and

Another Side Ventures Free Zone LLC
Al Shohada Road, Ras Al Khaimah, United Arab Emirates
(hereinafter “Processor” or “Data Processor”)

— jointly hereinafter “Parties” —

EU Representative of the Processor pursuant to Art. 27 GDPR: Thomas Bergmann
E-Mail: info@salesfrank.com

As of: March 2026

§ 1 Subject Matter and Duration of Processing

(1) This Data Processing Agreement (hereinafter “DPA”) specifies the data protection obligations of the Parties pursuant to Art. 28 GDPR in connection with the Controller’s use of the SaaS platform “SalesFrank” (hereinafter “Platform”).
(2) The Processor shall process personal data on behalf of and on the documented instructions of the Controller. The details of the processing, in particular the nature and purpose of the processing, the types of personal data, and the categories of data subjects, are described in Annex 1 of this DPA.
(3) The term of this DPA shall correspond to the term of the main agreement (Platform usage agreement). This DPA shall terminate automatically upon termination of the main agreement, unless statutory retention obligations require continued storage.

§ 2 Right to Issue Instructions

(1) The Processor shall process personal data exclusively on the documented instructions of the Controller, unless the Processor is required to process such data under European Union law or the law of an EU Member State to which it is subject. In such a case, the Processor shall inform the Controller of those legal requirements before processing, unless the relevant law prohibits such notification on grounds of important public interest.
(2) The Controller’s instructions shall initially be set out in this DPA and the usage agreement and may subsequently be amended in writing or in text form (e-mail). Oral instructions shall be confirmed in writing or in text form without undue delay.
(3) The Processor shall inform the Controller without undue delay if, in the Processor’s opinion, an instruction infringes data protection provisions. The Processor shall be entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Controller.

§ 3 Obligations of the Processor

The Processor undertakes in particular:
(1) To process personal data only within the scope of the Controller’s documented instructions and the purpose of the main agreement.
(2) To ensure that all persons with access to personal data are bound by confidentiality obligations or are subject to an appropriate statutory duty of secrecy. The duty of confidentiality shall survive the termination of the contractual relationship.
(3) To implement and maintain during the term of the agreement the technical and organizational measures for the protection of personal data as described in Annex 2. The Processor warrants that such measures correspond to the current state of the art and provide a level of protection appropriate to the risk of the processing (Art. 32 GDPR).
(4) To assist the Controller in fulfilling the obligations set out in Art. 32 to 36 GDPR, in particular with respect to:
  • Security of processing (Art. 32 GDPR)
  • Notification of personal data breaches to the supervisory authority (Art. 33 GDPR)
  • Communication of personal data breaches to the data subject (Art. 34 GDPR)
  • Data protection impact assessments (Art. 35 GDPR)
  • Prior consultation with the supervisory authority (Art. 36 GDPR)
(5) To make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and to allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
(6) To grant access to personal data exclusively to authorized employees who require such access for the performance of their duties (need-to-know principle).
(7) To assist the Controller in maintaining its records of processing activities pursuant to Art. 30 GDPR by providing the Controller, upon request, with the information required for this purpose. This includes, in particular, information on the categories of data processed, the processing purposes, the sub-processors engaged, the retention periods, and the technical and organizational measures implemented. The information contained in this DPA and its annexes shall serve as the basis for the Controller’s records of processing activities.
(8) To assist the Controller in carrying out data protection impact assessments pursuant to Art. 35 GDPR, insofar as the processing performed by the Processor is concerned. The Processor shall, upon request, provide the Controller with the information necessary for this purpose regarding the nature, scope, context, and risks of the processing. The Processor shall further assist the Controller with prior consultation of the supervisory authority pursuant to Art. 36 GDPR, where such consultation is required.
(9) To inform the Controller without undue delay — as a rule within 24 hours — if the Processor becomes aware of any unlawful use, access, or disclosure of personal data processed in the course of the data processing on behalf of the Controller. This notification obligation is supplementary to the notification obligation in the event of personal data breaches pursuant to § 6 of this DPA and covers, in particular, cases where authorized persons access data without authorization, disclose data to third parties without authorization, or use data for unauthorized purposes. The Processor shall implement appropriate measures for the detection of such incidents, in particular through access logging and regular review of access logs.

§ 4 Obligations of the Controller

(1) The Controller shall be solely responsible for the lawfulness of the data processing and for safeguarding the rights of the data subjects.
(2) The Controller shall ensure that:
  • it has a legal basis for the processing of the personal data transmitted to the Processor
  • the data subjects are informed in accordance with Art. 13 and 14 GDPR
  • it issues and documents the processing instructions
  • it has assessed the technical and organizational measures taken by the Processor as adequate
(3) The Controller shall inform the Processor without undue delay if it identifies errors or irregularities in the processing.
(4) Delineation of responsibilities: The Parties clarify that the Processor acts as a Processor within the meaning of Art. 4 No. 8 GDPR with respect to the personal data of contact persons (data uploaded by the Controller to the Platform and processed in the course of automated telephone calls). The provisions of this DPA apply without restriction to such data.
With respect to the Controller’s own master data (registration data, contact data of the contact person, company data, payment information), the Processor acts as an independent Controller within the meaning of Art. 4 No. 7 GDPR. The processing of such data is based on Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR (compliance with legal obligations, in particular commercial and tax law retention obligations). The processing of the Controller’s master data is not subject to the Controller’s right to issue instructions. Further information can be found in the Processor’s privacy policy at salesfrank.com.

§ 5 Rights of Data Subjects

(1) Where a data subject asserts claims for access, rectification, erasure, restriction of processing, data portability, or objection pursuant to Art. 15 to 21 GDPR directly against the Processor, the Processor shall refer the data subject to the Controller and shall inform the Controller without undue delay.
(2) The Processor shall assist the Controller, to the extent technically feasible and reasonable, in fulfilling data subject rights. The Processor shall provide the Controller with the necessary technical functions in the dashboard for this purpose (including data export and data deletion).
(3) Assistance with the fulfillment of standard data subject requests (in particular access, erasure, and rectification of individual data records) is covered by the agreed remuneration, insofar as they can be processed via the functions provided in the dashboard. Where assistance with the fulfillment of data subject rights causes disproportionate effort beyond this (e.g., extensive manual research, special exports), the Processor shall be entitled to charge separately for such additional effort.

§ 6 Notification of Personal Data Breaches

(1) The Processor shall inform the Controller without undue delay, and no later than 24 hours after becoming aware, of any breach of the protection of personal data within the meaning of Art. 4 No. 12 GDPR that relates to the data processing on behalf of the Controller.
(2) The notification shall contain at least:
  • a description of the nature of the breach, where possible including the categories and approximate number of data subjects and data records affected
  • the name and contact details of a contact person
  • a description of the likely consequences of the breach
  • a description of the measures taken or proposed to remedy the breach and to mitigate its consequences
(3) The Processor shall assist the Controller in fulfilling the notification obligations pursuant to Art. 33 and 34 GDPR.

§ 7 Sub-processing

(1) The Processor engages the sub-processors listed in Annex 3 for the provision of the contractual services. By entering into this DPA, the Controller grants its general authorization for the engagement of these sub-processors.
(2) The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes (Art. 28(2) GDPR).
(3) If the Controller objects to a new sub-processor, the Parties shall seek an amicable resolution. If no agreement can be reached, either Party shall be entitled to terminate the main agreement with 30 days’ notice to the end of the month.
(4) The Processor shall impose on the sub-processor the same data protection obligations as set out in this DPA, in particular by entering into a data processing agreement. The Processor shall remain liable to the Controller for the sub-processor’s compliance with these obligations.
(5) The current list of sub-processors may be requested from the Processor at any time and shall be published as part of the Platform documentation.

§ 8 Data Transfers to Third Countries

(1) The processing of personal data shall, as a general rule, take place within the European Union or the European Economic Area (EU/EEA). The Platform’s core systems (hosting, database, application servers) are operated on Microsoft Azure in the EU West region (Netherlands).
(2) Where sub-processors transfer personal data to third countries or access such data from third countries, the Processor shall ensure that one of the following safeguards pursuant to Art. 44 et seq. GDPR is in place:
  • An adequacy decision of the European Commission pursuant to Art. 45 GDPR (e.g., EU-US Data Privacy Framework)
  • Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
  • Binding Corporate Rules (BCRs) pursuant to Art. 47 GDPR
(3) For sub-processors based in the USA, the Processor has verified participation in the EU-US Data Privacy Framework and/or has entered into Standard Contractual Clauses. In addition, Transfer Impact Assessments (TIAs) have been conducted to evaluate the level of data protection in the recipient country and, where necessary, provide for additional technical safeguards (e.g., encryption, pseudonymization, supplementary contractual safeguards).
(4) The Processor is domiciled in the United Arab Emirates (UAE). However, the processing and storage of personal data takes place exclusively on servers within the EU (Microsoft Azure, EU West region). Remote administrative access to the systems by authorized personnel of the Processor takes place exclusively via encrypted connections (VPN with end-to-end encryption) and using multi-factor authentication. No personal data is stored on end devices outside the EU. Since remote access from the UAE may be classified as a transfer of personal data to a third country within the meaning of Art. 44 et seq. GDPR, the Processor has implemented Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914 as the legal basis for such access. In addition, the Processor has conducted a Transfer Impact Assessment (TIA) which, taking into account the exclusively administrative nature of the access, the encryption used, the multi-factor authentication, and the fact that no data is stored locally, concludes that the Standard Contractual Clauses in conjunction with the supplementary technical and organizational measures (see Annex 2) ensure an adequate level of protection.
(5) The Processor has designated a representative in the European Union pursuant to Art. 27 GDPR: Thomas Bergmann, reachable at info@salesfrank.com. The EU representative serves as a point of contact for data subjects and supervisory authorities.
(6) The documented Transfer Impact Assessments — both for the remote administrative access and for the sub-processors engaged — can be reviewed by the Controller upon request.
(7) The Parties additionally agree on the application of the Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914 (Module 2: Transfer from Controllers to Processors) as the legal basis for the remote administrative access from the UAE as well as for any other transfers of personal data to third countries under this DPA. The details are set out in Annex 4 (Standard Contractual Clauses) of this DPA.

§ 9 Deletion and Return of Personal Data

(1) Upon termination of the main agreement, the Processor shall — at the Controller’s choice — irreversibly delete all personal data processed on behalf of the Controller or return such data to the Controller, unless a statutory obligation to continue storing the data exists (Art. 28(3)(g) GDPR). The Controller shall communicate its choice no later than within the period specified in paragraph 2. If no communication is received, the data shall be deleted. Deletion shall take place within 60 days after expiry of the export period specified in paragraph 2, and in any event no later than 90 days after termination of the agreement.
(2) Before deletion, the Processor shall grant the Controller a period of 30 days from termination of the agreement to back up its data via the export function provided in the dashboard. The data export shall be made available in a machine-readable, structured, and commonly used format (CSV/JSON).
(3) During the term of the agreement, the Controller may at any time via the dashboard:
  • View and export contact data and call data
  • Delete individual data records or campaigns
  • Delete call recordings and transcripts
(4) Upon complete deletion, the Processor shall confirm the deletion in writing or in text form upon request.
(5) Statutory retention obligations (in particular commercial and tax law retention periods for invoicing data) shall remain unaffected by the foregoing provisions. Where further storage is required, the data concerned shall be restricted and processed only for the legally prescribed purpose.

§ 10 Audit Rights of the Controller

(1) The Controller shall have the right to verify the Processor’s compliance with the provisions of this DPA and the applicable data protection regulations. The Processor undertakes to make available to the Controller the information necessary for this purpose.
(2) On-site inspections shall be permitted upon reasonable prior notice (as a rule at least 14 days in advance) and with due regard to the Processor’s operational requirements. The Controller may be represented by a third party bound by a duty of confidentiality.
(3) As an alternative, the Processor may submit current certifications, audit reports, or attestations from independent auditors (e.g., SOC 2 reports, ISO 27001 certifications) as evidence of compliance.
(4) Audits of sub-processors: Where the Controller wishes to audit a sub-processor engaged by the Processor, such audit shall, as a general rule, be coordinated and conducted directly with the relevant sub-processor. The Processor shall, upon request, assist the Controller in contacting the sub-processor. Where the sub-processor provides its own audit reports, certifications, or compliance documentation (e.g., SOC 2 reports, ISO 27001 certificates, DPA documentation), the Processor shall forward such documentation to the Controller upon request, insofar as it is authorized to do so.
(5) Costs and conditions of audits: Inspections and audits shall be conducted in a manner that does not disproportionately disrupt the Processor’s ongoing business operations. The Controller shall bear its own costs for conducting audits. Where an audit causes disproportionate effort on the part of the Processor, exceeding the provision of the information referred to in paragraphs 1 and 3, the Processor shall be entitled to charge for such additional effort at the applicable hourly rates. The Processor shall inform the Controller of the estimated effort before the commencement of the audit.

§ 11 Liability

(1) The liability of the Parties shall be governed by Art. 82 GDPR. Accordingly, each party involved in the processing shall be liable for damages caused by processing that does not comply with the GDPR.
(2) The Processor shall be liable to data subjects for damages caused by the processing only where it has not complied with obligations of the GDPR specifically directed at processors or where it has acted outside of or contrary to the lawful instructions of the Controller.
(3) The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
(4) In the internal relationship between the Parties, the Controller shall be liable for damages resulting from unlawful data processing insofar as the Controller is responsible for the unlawfulness of the instruction or the data collection. This includes, in particular:
  • the unlawful collection of contact data
  • the lack of a legal basis for telephone contact
  • the content configuration of the AI agents

§ 12 Final Provisions

(1) Amendments and supplements to this DPA shall be made in text form. This shall also apply to the waiver of this text form requirement.
(2) Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions shall remain unaffected.
(3) In the event of conflicts between this DPA and the main agreement (General Terms and Conditions), the provisions of this DPA shall prevail with respect to the protection of personal data.
(4) With respect to data protection law, this DPA shall be governed by the law of the European Union (GDPR) in conjunction with the applicable national data protection law.

Annex 1: Description of Data Processing

1. Subject Matter of Processing

The Processor provides the Controller with the SaaS platform “SalesFrank.” Via the Platform, the Processor conducts automated, AI-powered telephone calls on behalf of the Controller, records calls, creates transcriptions, and makes the results available to the Controller via a dashboard.

2. Purpose of Processing

The processing of personal data is carried out exclusively for the purpose of:
  • Conducting automated inbound and outbound telephone calls on behalf of the Controller
  • Recording and transcribing the calls conducted
  • Displaying call results and campaign data in the dashboard
  • Scheduling and calendar integration (where configured by the Controller)
  • Follow-up tracking and automated follow-up
  • Provision and billing of the Platform

2a. Types of Processing Operations

In the course of the data processing on behalf of the Controller, the Processor performs the following processing operations within the meaning of Art. 4 No. 2 GDPR:

| Processing Operation | Description |
|---|---|
| Collection | Receipt of contact data uploaded by the Controller via the Platform (dashboard, API upload, CSV import) |
| Organization and structuring | Structuring of contact data into campaigns, lists, and categories according to the Controller’s configuration |
| Storage | Persistent storage of contact data, call recordings, transcripts, and metadata on the Processor’s EU servers (Microsoft Azure, EU West) |
| Adaptation and alteration | Updating of contact data and call status based on call results (e.g., “appointment scheduled,” “not interested”) |
| Retrieval | Access to stored data by the Controller via the dashboard and by authorized personnel of the Processor in the course of operations |
| Use | Use of contact data for conducting AI-powered telephone calls; use of audio data for real-time transcription and AI processing |
| Disclosure by transmission | Transmission of audio data to speech service providers (STT/TTS) for real-time processing; transmission of text data to LLM services for call management (see Annex 3) |
| Combination | Linking of contact data with call results, transcripts, and appointment bookings |
| Restriction | Restriction of data upon exercise of the right to restriction by data subjects or after termination of the agreement |
| Erasure and destruction | Deletion of individual data records on instruction of the Controller (dashboard); complete deletion after termination of the agreement pursuant to § 9 DPA |

3. Types of Personal Data Processed

a) Controller Data (User Data)

  • First and last name
  • E-mail address
  • Telephone number
  • Company data (company name, address)
  • Payment information (processed via Stripe)
  • Login data / user account information

b) Contact Person Data (uploaded by the Controller)

  • Telephone number (mandatory field for conducting the call)
  • Additional data optionally provided by the Controller, including:
    • First and last name
    • E-mail address
    • Company data (company name, position, industry)
    • Other information uploaded by the Controller

c) Call Data

  • Call recordings (audio)
  • Call transcripts
  • Call metadata (date, time, duration, result, call status)
  • Data extracted from calls (e.g., scheduled appointments, qualification results)

4. Categories of Data Subjects

  • Platform users: Employees and representatives of the Controller who use the Platform
  • Contact persons: Natural persons whose contact data is uploaded by the Controller to the Platform and who are contacted by the AI agents. These are typically business contacts (B2B) such as managing directors, sales managers, or other decision-makers.

5. Duration of Processing

Processing shall take place for the duration of the main agreement. After termination of the agreement, the data shall be deleted in accordance with § 9 of this DPA.

Retention periods during the term of the agreement:

| Data Type | Retention | Deletion |
|---|---|---|
| Contact data | For the duration of the term of the agreement | At any time by the Controller via the dashboard, or no later than 90 days after termination |
| Call recordings (audio) | For the duration of the term of the agreement | At any time by the Controller via the dashboard, or no later than 90 days after termination |
| Transcripts | For the duration of the term of the agreement | At any time by the Controller via the dashboard, or no later than 90 days after termination |
| Call metadata | For the duration of the term of the agreement | No later than 90 days after termination |
| Invoicing data | In accordance with statutory retention periods | After expiry of the statutory retention period (as a rule 10 years) |


Annex 2: Technical and Organizational Measures (TOMs)

pursuant to Art. 32 GDPR

The Processor has implemented the following technical and organizational measures for the protection of personal data. The measures are reviewed regularly and updated in accordance with the state of the art.

1. Physical Access Control

Measures to prevent unauthorized persons from gaining physical access to data processing equipment.
  • The Platform is operated entirely on cloud infrastructure (Microsoft Azure, EU West region). The Processor does not maintain its own data centers.
  • Microsoft Azure meets the requirements of ISO 27001, SOC 1/2/3, and C5 (BSI) and ensures physical access control to data centers (biometrics, video surveillance, security personnel, access logs).

2. System Access Control

Measures to prevent data processing systems from being used by unauthorized persons.
  • Authentication via individual user accounts with strong password policies (minimum length, complexity)
  • Multi-factor authentication (MFA) for all administrative access
  • Automatic lockout after repeated failed login attempts
  • Encrypted VPN connection for all remote access to production systems
  • Regular review and updating of access permissions

3. Data Access Control

Measures to ensure that authorized users can only access data within the scope of their access authorization.
  • Role-based access control (RBAC) with strict segregation by area of responsibility
  • Need-to-know principle: access to personal data only for employees who require such access for the performance of their duties
  • Administrative access restricted to the development and operations team
  • No external developers or service providers with access to personal data
  • Logging of all administrative access to production systems

4. Data Transfer Control

Measures to ensure that personal data cannot be read, copied, altered, or removed without authorization during transmission and storage.
  • Encryption of all data in transit using TLS 1.2 or higher (Transport Layer Security)
  • Encryption of all data at rest using AES-256 on Azure infrastructure
  • Encrypted database connections (MongoDB with TLS)
  • Encrypted API communication between all system components
  • No storage of personal data on employees’ local end devices

5. Data Entry Control

Measures to ensure that it is possible to verify and establish retrospectively whether and by whom personal data have been entered, altered, or removed.
  • Logging of data entries, modifications, and deletions in the system (audit logging)
  • User-specific attribution of all actions through authenticated user accounts
  • Tamper-proof logging of administrative access

6. Processing Control

Measures to ensure that personal data processed on behalf of the Controller are processed only in accordance with the Controller’s instructions.
  • Written data processing agreements with all sub-processors
  • Careful selection of sub-processors based on data protection criteria
  • Regular review of sub-processors’ compliance with contractual obligations
  • Instruction-bound conduct of the Processor’s employees

7. Availability Control

Measures to ensure that personal data are protected against accidental destruction or loss.
  • Hosting on Microsoft Azure with geo-redundant infrastructure in the EU West region
  • Automated daily backups of the database (MongoDB) with a retention period of at least 30 days
  • Backups are stored encrypted and maintained in a geographically separate Azure availability zone within the EU
  • Redundant system architecture to avoid single points of failure
  • Monitoring and alerting for system outages and anomalies (24/7)
  • Disaster recovery concept with defined recovery times (RTO: 24 hours, RPO: 24 hours)
  • Regular testing of recovery procedures

8. Data Separation Control

Measures to ensure that data collected for different purposes can be processed separately.
  • Logical tenant separation: each customer’s data is stored and processed using individual tenant identifiers
  • Strict separation of production, staging, and development environments
  • Test environments use exclusively anonymized or synthetic data

9. Organizational Measures

  • Written commitment of all employees to data secrecy and confidentiality
  • Regular awareness training and education of employees on data protection and information security
  • Documented procedure for handling data protection incidents (incident response process):
    1. Detection and classification of the incident
    2. Immediate containment measures
    3. Analysis and assessment of the impact
    4. Notification of the Controller (within 24 hours)
    5. Remediation and documentation
    6. Post-incident review and derivation of improvement measures
  • Regular review and updating of technical and organizational measures (at least annually)


Annex 3: Approved Sub-processors

As of: March 2026

The Processor engages the following sub-processors for the provision of the contractual services:

| No. | Sub-processor | Domicile | Processing Location | Processing Purpose | Legal Basis for Third-Country Transfer |
|---|---|---|---|---|---|
| 1 | Microsoft Ireland Operations Ltd (Microsoft Azure) | Ireland (EU) | EU West (Netherlands) | Hosting of the Platform, compute, storage, database (MongoDB), LLM processing (Azure OpenAI Service, Azure AI) | Processing within the EU — no third-country transfer |
| 2 | Twilio Ireland Ltd | Ireland (EU) | EU (Ireland) | Provision of telephone numbers, telephony infrastructure, call connection setup | Processing within the EU — no third-country transfer |
| 3 | Stripe Payments Europe Ltd | Ireland (EU) | EU | Payment processing, subscription management, invoicing | Processing within the EU — no third-country transfer. Stripe acts as an independent Controller with respect to payment data (see note on No. 3). |
| 4 | ElevenLabs, Inc. | USA | USA/EU | Speech synthesis (text-to-speech) and, where applicable, speech recognition (speech-to-text) for AI telephone calls | EU-US Data Privacy Framework; supplemented by SCCs pursuant to Art. 46(2)(c) GDPR; TIA conducted |
| 5 | Deepgram, Inc. | USA | USA | Speech recognition (speech-to-text) — real-time transcription of telephone calls | EU-US Data Privacy Framework; supplemented by SCCs pursuant to Art. 46(2)(c) GDPR; TIA conducted |
| 6 | Cartesia, Inc. | USA | USA | Speech synthesis (text-to-speech) for AI telephone calls | SCCs pursuant to Art. 46(2)(c) GDPR; TIA conducted |
| 7 | Microsoft Ireland Operations Ltd (Microsoft Azure) | Ireland (EU) | EU West (Netherlands) | Hosting of the self-hosted LiveKit instance — primary real-time voice communication infrastructure for orchestrating the AI telephone calls (connection between telephony, STT, LLM, and TTS) | Processing within the EU — no third-country transfer (self-hosted open-source software) |
| 8 | Amazon Web Services EMEA SARL (AWS) | Luxembourg (EU) | EU (Frankfurt) | Hosting of the self-hosted fallback voice infrastructure (VAPI instance) as a redundancy system to the primary LiveKit infrastructure | Processing within the EU — no third-country transfer (self-hosted software) |

Notes on the Sub-processors

Regarding No. 1 — Microsoft Azure: All core services (hosting, database, application servers, LLM processing) are operated in the Azure EU West region (Netherlands). The use of Azure OpenAI Service and Azure AI likewise takes place within the EU region. No transfer of personal data to third countries takes place.

Regarding No. 2 — Twilio: Twilio Ireland Ltd operates the telephony infrastructure for the European market with servers located in Ireland. Telephone numbers are provisioned through the Irish subsidiary.

Regarding No. 3 — Stripe: Stripe Payments Europe Ltd processes payment data exclusively within the EU. Stripe is PCI DSS Level 1 certified. Note on the data protection role: Stripe acts as an independent Controller pursuant to Art. 4 No. 7 GDPR with respect to payment data (credit card data, bank details, transaction data) and is accordingly not subject to the Controller’s right to issue instructions. Stripe is listed in this Annex for the sake of completeness and transparency, even though it is not a sub-processor in the strict sense. Processing by Stripe is carried out on the basis of Stripe’s own privacy policy (stripe.com/privacy).

Regarding No. 4–6 — Speech Service Providers (ElevenLabs, Deepgram, Cartesia): These service providers are used for the real-time processing of speech data during telephone calls. The processing is carried out as real-time stream processing:
  • Audio data is transmitted to the service providers in real time and processed immediately
  • The service providers do not permanently store the audio data — processing is transient and takes place in working memory
  • Transmission is encrypted (TLS 1.2+)
  • Data processing agreements (DPAs) and, where applicable, Standard Contractual Clauses (SCCs) have been entered into with all service providers
  • A Transfer Impact Assessment (TIA) has been conducted for each US-based service provider, concluding that, in conjunction with the aforementioned technical and contractual measures, an adequate level of protection is ensured

Regarding No. 7 — LiveKit (self-hosted on Azure EU): The Processor operates a self-hosted instance of the open-source software LiveKit on Microsoft Azure in the EU West region (Netherlands). LiveKit serves as the primary real-time communication infrastructure for orchestrating the AI telephone calls and coordinates the connection between telephony (Twilio), speech recognition (STT), language model (LLM), and speech synthesis (TTS). As a self-hosted open-source solution, no personal data is transmitted to LiveKit, Inc. as a company. Data processing takes place exclusively on the Azure EU infrastructure controlled by the Processor. The Processor has full technical control over this instance, including configuration, updates, and access management. No third-country transfer takes place.

Regarding No. 8 — AWS (Fallback Infrastructure, self-hosted): The Processor operates on Amazon Web Services (AWS, EU Frankfurt region) a self-hosted fallback voice infrastructure based on the open-source software VAPI. This instance serves exclusively as a redundancy system and is only activated when the primary LiveKit infrastructure is temporarily unavailable. As a self-hosted solution on EU servers (AWS Frankfurt), no personal data is transmitted to VAPI, Inc. as a company. The Processor has full technical control over this instance. No third-country transfer takes place.

Calendar Integration (e.g., Cal.com, Calendly): The integration of calendar services is set up independently by the Controller. The Controller connects its own calendar provider to the Platform. The Processor is not a data processor for these third-party services; the data protection responsibility for the use and configuration of these services lies with the Controller.

Annexes to this DPA:
  • Annex 1: Description of Data Processing
  • Annex 2: Technical and Organizational Measures (TOMs)
  • Annex 3: Approved Sub-processors
  • Annex 4: Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914 (separate document: sccs-salesfrank.md)

Signature of the Controller:
Place, date: ____________________________
Name, function: ____________________________
Signature: ____________________________

Signature of the Processor: Another Side Ventures Free Zone LLC
Place, date: ____________________________
Name, function: ____________________________
Signature: ____________________________