Standard Contractual Clauses (SCCs)

pursuant to Implementing Decision (EU) 2021/914 of the European Commission

Annex to the Data Processing Agreement (DPA) of the SalesFrank Platform


Version: March 2026

Preamble

This document supplements the Data Processing Agreement (DPA) between the Controller and Another Side Ventures Free Zone LLC and constitutes the legal basis for the transfer of personal data to third countries pursuant to Art. 46(2)(c) GDPR.

The parties agree to apply the Standard Contractual Clauses pursuant to the Implementing Decision (EU) 2021/914 of the European Commission of 4 June 2021 (OJ L 199, 7.6.2021, pp. 31–61) as amended from time to time (hereinafter “SCCs”). The full text of the SCCs is published in the Official Journal of the European Union and available at the following link: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

The clauses of the SCCs may not be modified pursuant to Art. 46(5) GDPR and Recital 109 of the GDPR. This document therefore contains exclusively the annexes to be completed by the parties as well as the selection of applicable modules and optional clauses.

Part 1: Applicable Modules and Optional Clauses

1.1 Selected Module

The parties select Module 2 (Transfer from Controllers to Processors) of the SCCs. Rationale: The Controller (Customer) is a controller within the meaning of Art. 4(7) GDPR. Another Side Ventures Free Zone LLC (Processor) acts as a processor within the meaning of Art. 4(8) GDPR and is established in a third country (United Arab Emirates). The administrative remote access by the Processor from the UAE to the personal data stored in the EU constitutes a transfer within the meaning of Articles 44 et seq. GDPR.

1.2 Optional Clauses

| Clause | Decision | Explanation |
| --- | --- | --- |
| Clause 7 — Docking Clause | Applicable | Third parties may accede to the SCCs as Data Exporter or Data Importer, provided they complete the accession form and sign Annex I.A. This enables new customers to accede to the SCCs without requiring a separate execution. |
| Clause 9(a) — Authorization of Sub-processors | Option 2: General written authorization | The Data Importer has the general authorization of the Data Exporter for the engagement of Sub-processors in accordance with the list set out in Annex III. The Data Importer shall inform the Data Exporter at least 30 days in advance of any intended changes to that list and shall give the Data Exporter the opportunity to object to such changes. |
| Clause 11(a) — Independent Dispute Resolution Body | Not applicable | No independent dispute resolution body is designated. The parties agree to resolve disputes amicably in the first instance. In all other respects, the provisions of Clause 18 shall apply. |
| Clause 17 — Governing Law | Option 1 | The SCCs shall be governed by the law of an EU Member State that provides for third-party beneficiary rights for data subjects. Chosen law: Law of the Federal Republic of Germany. |
| Clause 18(b) — Forum | Germany | The competent courts are those in Munich, Germany. |

Part 2: Annexes


Annex I — Information on the Parties and the Transfer


Annex I.A — List of Parties

Data Exporter(s):

| Field | Details |
| --- | --- |
| Name | The respective customer of the “SalesFrank” platform (hereinafter also referred to as “Controller”) |
| Address | As per registration on the SalesFrank platform |
| Name, position and contact details of the contact person | As per registration on the SalesFrank platform |
| Activities relevant to the transfer | Use of the SaaS platform SalesFrank for conducting AI-powered automated telephone communications (outbound and inbound). The Data Exporter uploads contact data to the platform and configures AI agents that conduct telephone calls on behalf of the Data Exporter. |
| Role | Controller (Art. 4(7) GDPR) |

Data Importer:

| Field | Details |
| --- | --- |
| Name | Another Side Ventures Free Zone LLC |
| Address | Al Shohada Road, Ras Al Khaimah, United Arab Emirates |
| Name, position and contact details of the contact person | Thomas Bergmann (EU Representative pursuant to Art. 27 GDPR), info@salesfrank.com |
| Activities relevant to the transfer | Provision and operation of the SaaS platform SalesFrank. Administrative remote access by authorized personnel of the Data Importer from the United Arab Emirates to systems hosted in the European Union (Microsoft Azure, Region EU West, Netherlands) for the purposes of technical operations, maintenance, support, and troubleshooting. |
| Role | Processor (Art. 4(8) GDPR) |

Annex I.B — Description of the Transfer

| Field | Description |
| --- | --- |
| Categories of data subjects | (a) Contact persons: Natural persons whose contact data is uploaded by the Data Exporter to the platform and who are contacted by the AI agents. Typically business contacts (B2B): managing directors, sales managers, decision-makers. (b) Platform users: Employees and representatives of the Data Exporter who operate the platform. |
| Categories of personal data | (a) Contact data of contact persons: Telephone number (mandatory), optional: first and last name, email address, company data (company name, position, industry), other information uploaded by the Data Exporter. (b) Call data: Call recordings (audio), transcripts, call metadata (date, time, duration, outcome, call status), structured data extracted from calls (e.g., appointment data, qualification results). (c) User data of the Data Exporter: First and last name, email address, telephone number, company data, login credentials. |
| Sensitive data | The transfer does not, as a general rule, involve special categories of personal data within the meaning of Art. 9 GDPR. Should the Data Exporter upload special categories of personal data to the platform or process them through call content, the data protection responsibility for this lies exclusively with the Data Exporter. |
| Frequency of transfer | Continuous during the term of the contract. Administrative remote access occurs on an as-needed basis within the scope of technical operations, maintenance, and support. |
| Nature of the processing | Administrative remote access to systems hosted in the EU (reading, querying, configuring, troubleshooting). No permanent storage, downloading, or export of personal data to end devices outside the EU takes place. The data remains physically on the EU servers. |
| Purpose of the transfer | (a) Technical operation and maintenance of the platform, (b) Customer support and troubleshooting, (c) System monitoring and security surveillance, (d) Further development and updating of the platform. |
| Retention period / Deletion deadlines | No personal data is stored in the UAE. The retention periods for data stored on EU servers are governed by Section 9 of the DPA and Annex 1 of the DPA. After contract termination: 30-day export period, followed by deletion within 60 days (maximum 90 days after contract termination in total). |
| Recipients in case of onward transfer | Not applicable. No onward transfer of personal data from the Data Importer to third parties in the UAE takes place. |

Annex I.C — Competent Supervisory Authority

The competent supervisory authority is determined according to the following procedure:
  • Where the Data Exporter is established in an EU Member State: The data protection supervisory authority of the Member State in which the Data Exporter is established.
  • Where the Data Exporter is not established in the EU but falls within the scope of the GDPR pursuant to Art. 3(2) GDPR: The data protection supervisory authority of the Member State in which the EU representative is established or in which the data subjects are located.
  • Fallback jurisdiction: Since the EU representative of the Data Importer is established in Germany and the platform is primarily directed at the German market, the Bavarian State Commissioner for Data Protection (BayLDA) is to be regarded as the lead supervisory authority — to the extent that no overriding jurisdiction applies (forum Munich pursuant to Section 16(2) of the General Terms and Conditions).

Annex II — Technical and Organizational Measures (including measures to determine the adequacy of the level of security)

The Data Importer has implemented the following technical and organizational measures to ensure the security of personal data. The measures apply in particular to administrative remote access from the UAE.

A. Measures for the Encryption of Personal Data

| Measure | Implementation |
| --- | --- |
| Encryption in transit | All data transmissions are carried out via TLS 1.2 or higher. Administrative remote access is carried out exclusively via VPN with end-to-end encryption. |
| Encryption at rest | All data stored on EU servers is encrypted using AES-256 (Encryption at Rest). This includes databases, call recordings, transcripts, and backups. |
| Encrypted database connections | MongoDB connections with TLS encryption. |
| Encrypted API communication | All API communication between system components is encrypted. |

B. Measures to Ensure the Ongoing Confidentiality, Integrity, Availability, and Resilience of Systems and Services

| Measure | Implementation |
| --- | --- |
| Access control (physical/logical) | Individual user accounts with strong password policies. Multi-factor authentication (MFA) for all administrative access. Automatic lockout after repeated failed login attempts. |
| Access control (authorization) | Role-based access control (RBAC) with strict separation by areas of responsibility. Need-to-know principle. Administrative access restricted to the development and operations team. |
| Availability | Hosting on Microsoft Azure with geo-redundant infrastructure (EU West). Automated daily backups with a minimum of 30 days retention. Redundant system architecture. 24/7 monitoring. Disaster recovery concept (RTO: 24h, RPO: 24h). |
| Tenant separation | Logical separation of customer data through individual tenant identifiers. Strict separation of production, staging, and development environments. |
| No local data storage | No personal data is stored on local end devices of the Data Importer’s employees — neither within nor outside the EU. |

C. Measures to Ensure the Rapid Restoration of Availability and Access to Personal Data in the Event of a Physical or Technical Incident

| Measure | Implementation |
| --- | --- |
| Backup strategy | Automated daily backups, stored encrypted in a geographically separate Azure availability zone within the EU. |
| Recovery times | Recovery Time Objective (RTO): 24 hours. Recovery Point Objective (RPO): 24 hours. |
| Recovery testing | Regular testing of recovery procedures. |
| Fallback infrastructure | Secondary voice infrastructure on AWS (Frankfurt) as a redundancy system. |

D. Procedures for Regular Testing, Assessment, and Evaluation of the Effectiveness of Technical and Organizational Measures

| Measure | Implementation |
| --- | --- |
| Annual review | At least annual review and updating of technical and organizational measures. |
| Logging | Audit-proof logging of all administrative access to production systems. User-level attribution of all actions. |
| Incident response process | Documented 6-step procedure: (1) Detection and classification, (2) Immediate containment measures, (3) Analysis and assessment, (4) Notification of the Controller within 24 hours, (5) Remediation and documentation, (6) Post-incident review and improvement measures. |
| Employee training | Regular awareness training and education on data protection and information security. |

E. Measures for User Identification and Authorization

| Measure | Implementation |
| --- | --- |
| Authentication | Individual user accounts. Multi-factor authentication. No shared credentials. |
| Authorization | Role-based access control. Regular review of access permissions. Immediate revocation upon departure or role change. |
| Session management | Automatic session termination after a defined period of inactivity. |

F. Measures for the Protection of Data During Transmission

| Measure | Implementation |
| --- | --- |
| Mandatory VPN | All remote access to production systems is carried out exclusively via encrypted VPN connections. |
| No data extraction | No personal data is downloaded, copied, exported, or cached on end devices outside the EU. |
| Transport encryption | TLS 1.2 or higher for all data transmissions. |
| End device security | End devices used for remote access are subject to internal security policies: full disk encryption, up-to-date operating system updates, screen lock, prohibition of unauthorized software installation. |

G. Measures for the Protection of Data During Storage

| Measure | Implementation |
| --- | --- |
| Storage location | Exclusively EU servers (Microsoft Azure, Region EU West, Netherlands; AWS, Region EU Frankfurt). |
| Encryption at rest | AES-256 for all stored data. |
| Access restriction | No external developers or service providers with access to personal data. |

H. Measures to Ensure the Physical Security of Locations Where Personal Data Are Processed

| Measure | Implementation |
| --- | --- |
| Cloud infrastructure | No proprietary data centers. Microsoft Azure complies with ISO 27001, SOC 1/2/3, and C5 (BSI). Physical access control by Azure: biometrics, video surveillance, security personnel, access logs. |
| End devices | The processing of personal data does not take place on end devices; these serve exclusively as access points via encrypted connections. |

I. Measures for Event Logging

| Measure | Implementation |
| --- | --- |
| Audit logging | Logging of data entries, modifications, and deletions. Audit-proof logging of administrative access. Complete access logs: timestamps, users, IP addresses, actions performed. |
| Monitoring | 24/7 system monitoring for anomalies and security incidents. |

Annex III — List of Sub-processors

The Data Exporter has granted general authorization for the engagement of the following Sub-processors (Clause 9, Option 2):

| No. | Sub-processor | Registered Office | Processing Location | Processing Purpose | Safeguard for Third-Country Transfer |
| --- | --- | --- | --- | --- | --- |
| 1 | Microsoft Ireland Operations Ltd (Azure) | Ireland (EU) | EU West (Netherlands) | Hosting, compute, database, LLM processing | EU processing — no third-country transfer |
| 2 | Twilio Ireland Ltd | Ireland (EU) | EU (Ireland) | Telephony, number provisioning | EU processing — no third-country transfer |
| 3 | ElevenLabs, Inc. | USA | USA/EU | Speech synthesis (TTS), speech recognition (STT) | EU-US Data Privacy Framework; SCCs; TIA |
| 4 | Deepgram, Inc. | USA | USA | Speech recognition (STT), real-time transcription | EU-US Data Privacy Framework; SCCs; TIA |
| 5 | Cartesia, Inc. | USA | USA | Speech synthesis (TTS) | SCCs; TIA |
| 6 | Resend, Inc. | USA | USA | Email delivery | SCCs; DPA |

Self-hosted components (not Sub-processors):

| Component | Technology | Hosting | Location |
| --- | --- | --- | --- |
| Primary voice infrastructure | LiveKit (open-source, self-hosted) | Microsoft Azure | EU West (Netherlands) |
| Fallback voice infrastructure | VAPI (self-hosted) | Amazon Web Services | EU (Frankfurt) |

Since these are self-hosted instances under the full technical control of the Data Importer, no personal data is transmitted to the respective software vendors (LiveKit, Inc.; VAPI, Inc.). They are therefore not to be classified as Sub-processors.

Note regarding Stripe Payments Europe Ltd: Stripe is not listed as a Sub-processor in this list because Stripe acts as an independent controller (Art. 4(7) GDPR) with respect to payment data. Processing by Stripe is governed by Stripe’s Privacy Policy (stripe.com/privacy).

Part 3: Supplementary Measures

In accordance with the Recommendations 01/2020 of the European Data Protection Board (EDPB) on measures that supplement transfer tools, the Data Importer has implemented the following supplementary measures:

3.1 Supplementary Technical Measures

| Measure | Description |
| --- | --- |
| No data storage in the third country | Personal data is stored exclusively on EU servers. No storage, downloading, or export to end devices in the UAE takes place. Remote access is exclusively of a read-only/administrative nature. |
| VPN with end-to-end encryption | All remote access is carried out via encrypted VPN connections. Third parties — including local internet service providers and authorities in the UAE — cannot view the content of data traffic. |
| Multi-factor authentication | Every administrative access requires a second authentication factor. A compromised password alone does not permit system access. |
| Automatic session termination | VPN and system sessions are automatically terminated after a defined period of inactivity to prevent unauthorized access via unattended devices. |
| End device encryption | All end devices used for remote access are subject to full disk encryption. |

3.2 Supplementary Organizational Measures

| Measure | Description |
| --- | --- |
| Confidentiality obligation | All employees with access to personal data are bound by a written confidentiality obligation. |
| Minimization of access permissions | Remote access to personal data is restricted to the minimum necessary for operations, support, and maintenance (need-to-know principle). |
| Access logs | All remote access is fully logged (timestamps, users, IP addresses, actions performed) and is available for inspection in the context of audits. |
| EU Representative | An EU representative pursuant to Art. 27 GDPR (Thomas Bergmann, info@salesfrank.com) has been designated and serves as a point of contact for data subjects and supervisory authorities. |
| Transparency report | The Data Importer shall inform the Data Exporter without undue delay if it receives requests from an authority in the UAE or another third country regarding access to personal data, to the extent legally permissible. |

3.3 Supplementary Contractual Measures

| Measure | Description |
| --- | --- |
| Notification obligation for government requests | The Data Importer undertakes to inform the Data Exporter without undue delay of any legally binding request by an authority in the UAE or another third country for access to personal data, to the extent this is not prohibited by law. |
| Review of legality | The Data Importer undertakes to review the legality of any government request for data access and to exhaust all available legal remedies before disclosing personal data. |
| Minimization of disclosure | In the event of a legally compelled disclosure, the Data Importer shall disclose only the minimum amount of personal data required and shall document the disclosure. |
| No voluntary disclosure | The Data Importer undertakes not to voluntarily disclose personal data to authorities in the UAE or other third countries. |

Part 4: Transfer Impact Assessment — Summary

The Data Importer has conducted a Transfer Impact Assessment (TIA) in accordance with the EDPB Recommendations 01/2020 for the administrative remote access from the UAE. The full TIA is available as a separate document (see tia-salesfrank.md, TIA No. 4).

4.1 Key Findings

| Assessment Criterion | Finding |
| --- | --- |
| Nature of the transfer | Administrative remote access (no data transfer, no local storage) |
| Legal framework of the recipient country | UAE: Federal Data Protection Law (PDPL 2021), modeled on the GDPR. No adequacy decision by the European Commission. |
| Risk of government access | Low. The UAE has no extraterritorial jurisdiction over EU servers. A B2B SaaS platform for sales automation is not of intelligence or national security interest. |
| Effectiveness of supplementary measures | High. The combination of VPN encryption, MFA, absence of local data storage, and comprehensive logging ensures that even in the theoretical event of government access to end devices in the UAE, no personal data would be compromised. |
| Overall assessment | Access permissible. In conjunction with the Standard Contractual Clauses and the supplementary technical, organizational, and contractual measures, an adequate level of protection is ensured. |

4.2 Review Cycle

| Parameter | Value |
| --- | --- |
| Initial assessment | March 2026 |
| Next scheduled review | September 2026 |
| Event-triggered review | Upon legislative changes in the UAE, upon changes to the access modalities, upon becoming aware of government access requests |

Part 5: Signatures

The parties confirm by their signature the agreement to the foregoing Standard Contractual Clauses including the Annexes and supplementary measures.

Data Exporter (Controller):
Place, Date: ____________________________
Company: ____________________________
Name, Function: ____________________________
Signature: ____________________________

Data Importer (Processor): Another Side Ventures Free Zone LLC
Place, Date: ____________________________
Name, Function: ____________________________
Signature: ____________________________

This document constitutes an integral part of the Data Processing Agreement (DPA) between the parties. In the event of conflicts between this document and the DPA, the Standard Contractual Clauses shall prevail pursuant to Art. 46(5) GDPR.