English (United States)
AVV with its own address

We are happy to issue a Data Processing Agreement (DPA) with your own address upon request for corporate clients.

Service Agreement in accordance with Art. 28 GDPR

Status: April 26, 2025

This service agreement (hereinafter "SA") is valid between the user of the Safina AI service, who acts as the controller within the meaning of Art. 4 No. 7 GDPR (hereinafter "Client" or "Customer"),

and

DK Tech Solutions UG (limited liability) Schwanthalerstr. 141 80339 Munich (hereinafter "Service Provider").

Preamble

This SA is part of the terms of use for the Safina AI service and regulates the rights and obligations of the parties in the context of processing personal data on behalf in accordance with Art. 28 GDPR. It applies to all Clients using the service as entrepreneurs and processing personal data by the Service Provider. This SA becomes effective through the Client's consent to the terms of use of Safina AI and/or the use of the service.

In this context, the parties agree to the following:

I. Subject matter of the contract, scope of application, and responsibility

The subject matter of this contract arises from the terms of use of Safina AI and the service description.

The Service Provider processes personal data on behalf of the Client. This includes activities that are specified in the terms of use and the service description of Safina AI. In particular, it concerns the provision and operation of an AI-controlled mailbox / an AI telephone assistant (Safina AI). This includes, among other things:

  • Receiving telephone calls on behalf of the Client.

  • Recording telephone conversations (audio), provided that this function is explicitly activated by the Client (disabled by default).

  • Transcription of telephone conversations.

  • Creation of call summaries and analyses (e.g., sentiment assessment, identification of to-dos).

  • Detection and marking of potential spam or phishing calls.

  • Storage of call data (audio, transcripts, metadata, summaries).

  • Providing the processed information to the Client via the Safina AI application and configurable notifications (e.g., push, email).

  • Management of the Client's contact data and configuration settings as part of the service.

The Client is solely responsible under this contract for complying with the legal provisions of data protection laws, in particular, for the lawfulness of data processing (e.g., informing callers about the recording, obtaining any necessary consents) and for transferring the data to the Service Provider ("Controller" within the meaning of Art. 4 No. 7 GDPR).

The instructions are initially set by the terms of use and the configuration of the service by the Client and may subsequently be changed, supplemented, or replaced by the Client in written form or in an electronic format (text form) to the Service Provider by individual instructions (individual instruction), provided that this allows the functionality of the service. Oral instructions must be confirmed in writing or in text form without delay.

II. Duration of the contract

The duration of this contract (term) is linked to the duration of the use of the Safina AI service by the Client in accordance with the accepted terms of use (e.g., through active payment of a subscription).

The contract remains valid irrespective of the preceding paragraph as long as the Service Provider processes personal data on behalf of the Client (including system-related backups).

To the extent that other agreements between the Client and the Service Provider result in different provisions for the protection of personal data, this contract for data processing shall take precedence, unless the parties expressly agree otherwise.

III. Specification

  1. Type of data

    The subject of the collection, processing, and/or use of personal data in the context of providing Safina AI includes the following types/categories of data:

    • Communication data: Telephone numbers (caller, Client), email addresses (Client for notifications/login), call metadata (date, time, duration).

    • Audio data: Voice recordings of calls received by Safina AI (only when activated by the Client).

    • Content data: Conversation transcripts, contents of call summaries, extracted information (e.g., to-dos, names if mentioned in the conversation).

    • Personal master data: Names of callers (if mentioned or transmitted in the conversation), name and contact details of the Client's users.

    • Analysis and assessment data: Results of sentiment analysis, spam classification.

    • Configuration data: Settings chosen by the Client (e.g., voice, tone, forwarding rules, notification preferences, activation status of audio recording).

    • Contact details of the Client: Possibly the contact data stored or synchronized by the Client in Safina AI for managing call rules.

    • User data of the Client: Login data, user profile settings.

  2. Circle of persons affected

    The circle of persons affected by the handling of their personal data in the context of this contract includes:

    • Callers: Individuals who contact the Client by phone and whose call is received by Safina AI.

    • Employees/Users of the Client: Individuals who use and manage the Safina AI service on behalf of the Client.

    • Contacts of the Client: Individuals whose contact data the Client may have stored or synchronized in Safina AI for configuration.

  3. Place of processing and confidentiality

    The processing of the data takes place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area (in particular Germany). Any transfer to a third country requires the prior consent of the Client and may only occur if the special conditions of Art. 44 to 50 GDPR are met (e.g., through standard contractual clauses). The Client may not unreasonably withhold consent.

    The contracting parties are obliged to maintain confidentiality about all business and trade secrets of the other party, keep them strictly confidential, and not disclose them to third parties – unless the respective other contracting party expressly gives prior written consent or there is a legal obligation to disclose. This confidentiality obligation applies to all non-publicly known information that the contracting parties learn in the context of conducting the cooperation.

    The Service Provider processes personal data exclusively within the framework of the Client's instructions and the regulations of the terms of use. It is prohibited for the Service Provider to use the data for purposes other than those agreed upon, in particular for its own purposes or to analyze or disclose to unauthorized third parties. The Service Provider assures that the personal data processed on behalf, especially audio recordings and transcripts, will not be used to train its own or third-party AI models.

IV. Technical-organizational measures

The Service Provider takes all necessary technical-organizational measures in its area of responsibility according to Art. 32 GDPR for the appropriate protection of personal data, considering the nature, scope, circumstances, and purposes of processing, as well as the different likelihood and severity of risks to the rights and freedoms of natural persons. A description of the current TOMs will be provided to the Client upon request or as an attachment to this agreement.

The agreed technical and organizational measures are subject to technical progress and further development. In this regard, the Service Provider is allowed to implement alternative adequate measures. The level of security of the specified measures must not be undercut. Significant changes will be documented by the Service Provider and communicated to the Client upon request.

V. Rights of affected persons

The Service Provider supports the Client in its area of responsibility and to the extent possible by suitable technical-organizational measures in fulfilling the Client's obligations to respond to requests to exercise the rights of affected persons (Art. 12-23 GDPR).

The Service Provider may not independently correct, delete, or restrict processing of the data processed on behalf but may only do so according to documented instructions from the Client. If an affected person (in particular a caller) makes such a request directly to the Service Provider, the Service Provider will forward this request immediately to the Client.

As far as the provision of information, deletion, restriction, or data portability is included in the scope of services and can be carried out by the Client using the functionalities of Safina AI, this is the responsibility of the Client. Otherwise, the Service Provider will provide support as instructed.

VI. Quality assurance and other obligations of the Service Provider

The Service Provider has, in addition to complying with the regulations of this contract, its own legal obligations under the GDPR; in this respect, it ensures in particular compliance with the following requirements:

  1. Maintaining confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. The Service Provider employs only staff who are obliged to confidentiality and have been familiarized with the relevant data protection provisions prior to their work. The Service Provider and any person employed by the Service Provider who has access to personal data may only process such data in accordance with the Client's instructions unless they are legally obliged to process it.

  2. The Client and the Service Provider work together at the request of the supervisory authority in fulfilling their duties.

  3. Immediate notification of the Client about audits and measures of the supervisory authority to the extent that they relate to this contract. This also applies if a competent authority is investigating data processing in the context of the commissioning of the Service Provider in connection with an administrative offense or criminal proceeding.

  4. If the Client itself is subject to an audit by the supervisory authority, an administrative offense or criminal proceeding, a claim for damages from an affected person or a third party, or another claim related to data processing by the Service Provider, the Service Provider shall support it to the best of its ability in the necessary extent.

  5. The Service Provider regularly checks internal processes as well as technical and organizational measures to ensure that processing in its area of responsibility complies with the requirements of applicable data protection law and that the protection of the rights of affected persons is guaranteed.

  6. Demonstrability of the technical and organizational measures taken to the Client within the framework of its control powers according to Section VIII of this contract (e.g., by suitable certifications, attestations, reports, or self-disclosures).

  7. The Service Provider supports the Client in complying with the obligations under Art. 33 and 34 GDPR (reporting data breaches). The Service Provider shall promptly notify the Client of violations of the protection of personal data processed under this contract as soon as it becomes aware of them. The notification shall at least include the information required in Art. 33 para. 3 GDPR.

  8. The Service Provider supports the Client in meeting its information obligations to affected persons and provides them with the necessary information regarding processing by the Service Provider.

  9. Should the Client be obliged to conduct a data protection impact assessment pursuant to Art. 35 GDPR regarding the use of Safina AI, the Service Provider shall support them with the necessary information at its disposal. The same applies to any obligation to consult the supervisory authority pursuant to Art. 36 GDPR.

This contract does not relieve the Service Provider from complying with other requirements of the GDPR.

VII. Subcontracting relationships

The Service Provider is entitled to use subcontractors to provide the contractually owed service (subcontracting relationships). Subcontracting relationships in the sense of this provision are those services that relate directly to the provision of the main service (Safina AI Service). This includes, for example, hosting service providers, providers of AI models for transcription or analysis, and communication service providers.

The Service Provider informs the Client of any intended use or change of a subcontractor. An updated list of the subcontractors used, indicating their locations and the services provided, will be made available to the Client separately (e.g., on the Service Provider's website or as an attachment). The Client has the right to object to the use or change of a subcontractor for important data protection reasons. The objection must be made in writing or in text form to the Service Provider within 14 days of receiving the information. If the Client does not raise an objection in due time, the commissioning of the subcontractor shall be deemed approved.

The Service Provider ensures that a contractual agreement in accordance with Art. 28 para. 2-4 GDPR is concluded with each subcontractor, which essentially corresponds to the obligations of this agreement, in particular regarding technical and organizational measures and confidentiality.

The transfer of personal data from the Client to the subcontractor and the initial activity of the subcontractor are only permissible once the obligation of the subcontractor under Art. 28 para. 4 GDPR has taken place.

If the subcontractor provides the agreed service outside the EU/EEA, the Service Provider ensures the legality of data protection through appropriate guarantees in accordance with Art. 44 et seq. GDPR (e.g., EU standard contractual clauses), unless there is an adequacy decision. The Service Provider regularly checks compliance with the obligations of the subcontractor.

Any further outsourcing by the subcontractor (sub-subcontracting) requires the prior consent of the Service Provider and, if necessary, the information of the Client in accordance with the procedure described above.

VIII. Control rights of the Client

The Client has the right to control compliance with the legal data protection regulations and the contractual agreements by the Service Provider to the necessary extent or to have them controlled by auditors designated in individual cases.

The Service Provider undertakes to provide the Client with all information and evidence necessary for the conduct of the control upon the Client's written request within a reasonable time. This may particularly occur by providing suitable proof such as attestations, reports from independent bodies, self-disclosures, or suitable certifications.

On-site inspections at the Service Provider are possible after timely notice (usually at least 10 working days) during regular business hours and without disturbing business operations. The Service Provider is entitled to request a reasonable reimbursement for expenses, provided the inspection does not occur due to a concrete suspicion of a data protection violation by the Service Provider.

IX. Instruction authority of the Client

The Service Provider processes personal data solely within the scope of the agreements of this contract and according to documented instructions from the Client, unless it is legally obliged to process (Art. 28 para. 3 sentence 2 lit. a GDPR). The initial instructions arise from the terms of use and the use/configuration of Safina AI by the Client.

The Service Provider promptly informs the Client if it believes that an instruction violates the GDPR or other data protection regulations of the Union or the member states. The Service Provider is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed by the Client.

X. Deletion and return of personal data

After termination of the use of the service by the Client (e.g., by termination of the subscription) or at any time at the request of the Client, the Service Provider shall delete all personal data that are the subject of this agreement and are in its control, either in compliance with data protection regulations or return them to the Client, provided that there are no legal retention obligations or legitimate interests of the Service Provider that oppose deletion.

The deletion also includes all existing copies, including system-related backup copies, with the deletion from backups occurring within the technical possibilities and usual backup cycles.

The Service Provider confirms to the Client the deletion or return upon request in writing.

XI. Liability

The statutory provisions apply to the liability of the parties in the event of data protection violations, in particular, Art. 82 GDPR. The Client and the Service Provider are liable to affected persons in accordance with the provisions of Art. 82 GDPR.

XII. Requirement for written form, severability clause

Changes and additions to this agreement and all its components require written form (text form according to § 126b BGB is sufficient). This also applies to the waiver of this requirement for form. There are no oral side agreements.

This agreement is subject to German law, excluding the UN Sales Convention.

If individual provisions of this agreement are wholly or partially ineffective or become so, the validity of the remaining provisions shall not be affected. The parties undertake to replace the ineffective provision with an effective regulation that comes closest to the economic purpose of the ineffective provision. The same applies to any contractual gaps.

For the Service Provider:

Munich

(DK Tech Solutions UG (limited liability) (in formation)) ([Name and title of the signatory for Safina AI, e.g., Managing Director])

Important notes for the website:

  • Linking: Ensure that your terms of use clearly refer to this SA and explain that it applies to entrepreneurs processing personal data and is accepted by agreeing to the terms of use.

  • Accessibility: Place the SA clearly visible in the "Legal" section of your website, along with the imprint, privacy policy, and terms of use.

  • Updating: Keep the "Status" date updated when you make changes. Remember to remove the addition "(in formation)" once the UG is registered in the commercial register.

  • TOMs & Subcontractors: As mentioned in the SA, you need to keep the list of subcontractors and the description of the TOMs updated and accessible (e.g., as separate documents in the legal area or upon request).