Custom DPA

For enterprise customers, we are happy to provide a DPA with your company details upon request.

Inquire

Data Processing Agreement | Safina AI

Last updated: 2025-04-26

Data Processing Agreement pursuant to Art. 28 GDPR

As of: April 26, 2025

This Data Processing Agreement (hereinafter “DPA”) applies between the user of the Safina AI service acting as the controller within the meaning of Art. 4(7) GDPR (hereinafter “Client” or “Customer”),

and

DK Tech Solutions UG (haftungsbeschränkt) Schwanthalerstr. 141 80339 Munich, Germany (hereinafter “Processor”).

Preamble

This DPA is an integral part of the Terms of Use for the Safina AI service and governs the rights and obligations of the parties with respect to the processing of personal data on behalf of the Client pursuant to Art. 28 GDPR. It applies to all Clients who use the service as entrepreneurs and have personal data processed by the Processor. This DPA becomes effective upon the Client’s acceptance of the Safina AI Terms of Use and/or use of the service.

Against this background, the parties agree as follows:

I. Subject Matter of the Agreement, Scope, and Responsibility

The subject matter of this agreement is defined by the Safina AI Terms of Use and the service description.

The Processor processes personal data on behalf of the Client. This includes activities specified in the Terms of Use and service description of Safina AI. In particular, this concerns the provision and operation of an AI-powered voicemail / AI phone assistant (Safina AI). This includes, among other things:

  • Receiving phone calls on behalf of the Client.
  • Recording phone conversations (audio), provided this feature has been explicitly enabled by the Client (disabled by default).
  • Transcribing phone conversations.
  • Creating call summaries and analyses (e.g., sentiment assessment, to-do recognition).
  • Identifying and flagging potential spam or phishing calls.
  • Storing call data (audio, transcript, metadata, summaries).
  • Making processed information available to the Client via the Safina AI application and configurable notifications (e.g., push, email).
  • Managing the Client’s contact data and configuration settings within the scope of the service.

Within the scope of this agreement, the Client is solely responsible for compliance with the statutory provisions of data protection laws, in particular for the lawfulness of data processing (e.g., informing callers about recording, obtaining any necessary consent) and the transfer of data to the Processor (“Controller” within the meaning of Art. 4(7) GDPR).

Instructions are initially defined by the Terms of Use and the Client’s configuration of the service and may subsequently be amended, supplemented, or replaced by the Client in writing or in electronic form (text form) through individual instructions, insofar as the functionality of the service permits. Oral instructions must be confirmed in writing or in text form without undue delay.

II. Duration of the Agreement

The duration of this agreement (term) is tied to the duration of the Client’s use of the Safina AI service in accordance with the accepted Terms of Use (e.g., through active payment of a subscription).

Notwithstanding the foregoing paragraph, the agreement shall remain in effect for as long as the Processor processes personal data on behalf of the Client (including system-related backups).

Insofar as other agreements between the Client and the Processor contain different provisions for the protection of personal data, this Data Processing Agreement shall take precedence unless the parties expressly agree otherwise.

III. Specification

Types of Data

The following types/categories of personal data are subject to collection, processing, and/or use within the scope of providing Safina AI:

  • Communication data: Phone numbers (callers, Client), email addresses (Client for notifications/login), call metadata (date, time, duration).
  • Audio data: Voice recordings of calls received by Safina AI (only when enabled by the Client).
  • Content data: Conversation transcripts, call summary content, extracted information (e.g., to-dos, names if mentioned during the conversation).
  • Personal master data: Names of callers (if mentioned during the conversation or transmitted), name and contact details of the Client’s users.
  • Analysis and assessment data: Results of sentiment analysis, spam classification.
  • Configuration data: Settings chosen by the Client (e.g., voice, tone, forwarding rules, notification preferences, audio recording activation status).
  • Client’s contact data: Contact data optionally stored or synchronized by the Client in Safina AI for managing call rules.
  • Client’s user data: Login data, user profile settings.

Categories of Data Subjects

The categories of persons affected by the processing of their personal data within the scope of this agreement include:

  • Callers: Persons who contact the Client by phone and whose call is received by Safina AI.
  • Employees/Users of the Client: Persons who use and manage the Safina AI service on behalf of the Client.
  • Client’s contacts: Persons whose contact data the Client optionally stores or synchronizes in Safina AI for configuration purposes.

Place of Processing and Confidentiality

Data processing shall take place exclusively within a member state of the European Union or another contracting state of the Agreement on the European Economic Area (in particular Germany). Any relocation to a third country requires the Client’s prior consent and may only take place if the special requirements of Art. 44 to 50 GDPR are met (e.g., through Standard Contractual Clauses). The Client may not unreasonably withhold consent.

The contracting parties are obligated to maintain strict confidentiality regarding all trade and business secrets of the respective other party, to keep them strictly confidential, and not to disclose them to third parties — unless the respective other party gives its prior written consent or there is a legal obligation to disclose. This confidentiality obligation applies to all non-public information of which the contracting parties become aware in the context of their collaboration.

The Processor shall process personal data exclusively within the framework of the Client’s instructions and the provisions of the Terms of Use. The Processor is prohibited from using the data for purposes other than those agreed, in particular from analyzing them for its own purposes or disclosing them to unauthorized third parties. The Processor warrants that the personal data processed under this agreement, in particular audio recordings and transcripts, will not be used for training its own or third-party AI models.

IV. Technical and Organizational Measures

The Processor shall implement all necessary technical and organizational measures within its area of responsibility pursuant to Art. 32 GDPR to ensure adequate protection of personal data, taking into account the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons. A description of the current TOMs will be made available to the Client upon request or as an annex to this agreement.

The agreed technical and organizational measures are subject to technical progress and further development. In this regard, the Processor is permitted to implement alternative adequate measures. The security level of the defined measures must not be undercut. The Processor shall document significant changes and communicate them to the Client upon request.

V. Rights of Data Subjects

The Processor shall assist the Client within its area of responsibility and, where possible, by means of appropriate technical and organizational measures in fulfilling the Client’s obligations to respond to requests for the exercise of data subjects’ rights (Art. 12-23 GDPR).

The Processor may not independently rectify, delete, or restrict the processing of data processed on behalf of the Client, but only upon documented instruction from the Client. If a data subject (in particular a caller) contacts the Processor directly in this regard, the Processor shall forward this request to the Client without undue delay.

Insofar as the provision of information, deletion, restriction, or data portability is covered by the scope of services and can be carried out by the Client through the functionalities of Safina AI, this shall be the Client’s responsibility. Otherwise, the Processor shall provide support upon instruction.

VI. Quality Assurance and Other Obligations of the Processor

In addition to compliance with the provisions of this agreement, the Processor has its own statutory obligations under the GDPR; in this regard, the Processor ensures compliance with the following requirements in particular:

Maintaining confidentiality pursuant to Art. 28(3)(2)(b), 29, 32(4) GDPR. The Processor shall only employ staff who have been bound to confidentiality and have previously been familiarized with the relevant data protection provisions. The Processor and any person subordinate to the Processor who has access to personal data may process such data exclusively in accordance with the Client’s instructions, unless they are legally required to process it.

The Client and the Processor shall cooperate with the supervisory authority upon request in the performance of its tasks.

The Processor shall promptly inform the Client of any supervisory authority inspections and measures that relate to this agreement. This also applies insofar as a competent authority investigates the Processor in the context of administrative or criminal proceedings relating to the processing of personal data in connection with this data processing arrangement.

Insofar as the Client is subject to an inspection by a supervisory authority, administrative offense or criminal proceedings, a liability claim by a data subject or a third party, or any other claim in connection with the data processing by the Processor, the Processor shall support the Client to the best of its ability and to the extent necessary.

The Processor shall regularly monitor its internal processes as well as the technical and organizational measures to ensure that the processing within its area of responsibility is carried out in accordance with the requirements of applicable data protection law and that the protection of the rights of data subjects is guaranteed.

The Processor shall demonstrate the technical and organizational measures taken to the Client within the framework of the Client’s audit rights under Section VIII of this agreement (e.g., through appropriate certifications, attestations, reports, or self-assessments).

The Processor shall assist the Client in complying with the obligations pursuant to Art. 33 and 34 GDPR (notification of personal data breaches). The Processor shall notify the Client without undue delay of any breach of the protection of personal data processed under this agreement after becoming aware of it. The notification shall contain at least the information required under Art. 33(3) GDPR.

The Processor shall support the Client in fulfilling its information obligations toward data subjects and shall provide the Client with the necessary information about the processing carried out by the Processor.

Insofar as the Client is required to carry out a data protection impact assessment pursuant to Art. 35 GDPR in relation to the use of Safina AI, the Processor shall support the Client with the necessary information available to it. The same applies to any obligation to consult the supervisory authority pursuant to Art. 36 GDPR.

This agreement does not release the Processor from compliance with other requirements of the GDPR.

VII. Subcontracting

The Processor is entitled to engage subcontractors (sub-processing relationships) for the provision of the contractually owed services. Sub-processing relationships within the meaning of this provision are those services that directly relate to the provision of the main service (Safina AI service). These include, for example, hosting providers, providers of AI models for transcription or analysis, and communication service providers.

The Processor shall inform the Client of any intended engagement or change of a subcontractor. A current list of the subcontractors engaged, indicating their location and the services provided, shall be made available to the Client separately (e.g., on the Processor’s website or as an annex). The Client has the right to object to the engagement or change of a subcontractor for important data protection reasons. The objection must be submitted to the Processor in writing or in text form within 14 days of receipt of the information. If the Client does not object within the specified period, the engagement of the subcontractor shall be deemed approved.

The Processor shall ensure that a contractual agreement pursuant to Art. 28(2)-(4) GDPR is concluded with each subcontractor, which essentially corresponds to the obligations under this agreement, in particular with regard to technical and organizational measures and confidentiality.

The transfer of the Client’s personal data to the subcontractor and the subcontractor’s initial activity shall only be permitted once the subcontractor has been bound pursuant to Art. 28(4) GDPR.

If the subcontractor provides the agreed service outside the EU/EEA, the Processor shall ensure the permissibility under data protection law by means of appropriate safeguards pursuant to Art. 44 et seq. GDPR (e.g., EU Standard Contractual Clauses), unless an adequacy decision exists. The Processor shall regularly verify the subcontractor’s compliance with its obligations.

Further outsourcing by the subcontractor (sub-sub-processing) requires the Processor’s prior consent and, if necessary, the Client’s notification in accordance with the procedure described above.

VIII. Audit Rights of the Client

The Client has the right to verify the Processor’s compliance with statutory data protection provisions and the contractual agreements to the extent necessary, either directly or through auditors to be designated on a case-by-case basis.

The Processor undertakes to provide the Client, upon written request and within a reasonable period, with all information and evidence necessary to carry out the audit. This may include, in particular, the provision of appropriate evidence such as attestations, reports from independent bodies, self-assessments, or appropriate certifications.

On-site inspections at the Processor’s premises are possible after timely notice (generally at least 10 business days) during normal business hours and without disrupting operations. The Processor is entitled to charge reasonable compensation for such inspections, unless the inspection is conducted due to a specific suspicion of a data protection breach by the Processor.

IX. Client’s Right to Issue Instructions

The Processor shall process personal data exclusively within the framework of the provisions of this agreement and in accordance with documented instructions from the Client, unless it is required by Union or Member State law to process such data (Art. 28(3)(2)(a) GDPR). The initial instructions are derived from the Terms of Use and the Client’s use/configuration of Safina AI.

The Processor shall immediately inform the Client if, in its opinion, an instruction violates the GDPR or other data protection provisions of the Union or Member States. The Processor is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Client.

X. Deletion and Return of Personal Data

Upon termination of the Client’s use of the service (e.g., by cancellation of the subscription) or at any time upon instruction from the Client, the Processor shall, at the Client’s choice, either delete in a data-protection-compliant manner or return to the Client all personal data that is the subject of this Data Processing Agreement and is within the Processor’s control, unless statutory retention obligations or legitimate interests of the Processor preclude deletion.

Deletion shall include all existing copies, including system-related backup copies, whereby deletion from backups shall be carried out within the scope of technical capabilities and standard backup cycles.

The Processor shall confirm the completed deletion or return to the Client in writing upon request.

XI. Liability

The statutory provisions, in particular Art. 82 GDPR, shall apply to the liability of the parties in the event of data protection breaches. The Client and the Processor shall be liable to data subjects in accordance with the provisions of Art. 82 GDPR.

XII. Written Form Requirement, Severability Clause

Amendments and additions to this Data Processing Agreement and all of its components require written form (text form pursuant to § 126b BGB (German Civil Code) is sufficient). This also applies to the waiver of this form requirement. No oral side agreements exist.

This Data Processing Agreement shall be governed by German law, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).

Should individual provisions of this Data Processing Agreement be or become wholly or partially invalid, the validity of the remaining provisions shall not be affected. The parties undertake to replace the invalid provision with a valid provision that comes closest to the economic purpose of the invalid provision. The same shall apply to any gaps in this agreement.

For the Processor:

Munich

DK Tech Solutions UG (haftungsbeschränkt) David Schemm & Karsten Kreh, Managing Directors

Authoritative Version

This document is a translation provided for informational purposes only. In case of any discrepancy between this translation and the German original, the German version shall prevail.