Preamble
This Data Processing Agreement (DPA) specifies the data protection obligations arising from the processing of personal data in the context of Audienca Reflection. It applies between the Customer using Audienca Reflection (“Controller”) and senseaition GmbH (“Processor”).
1. Subject Matter and Duration
The subject matter is the provision of services as described in the main contract (Terms of Service), in particular the AI-powered generation and management of responses to customer inquiries, reviews, and messages.
The duration of this DPA aligns with the duration of the main contract.
2. Nature and Purpose
Nature of processing: storage, retrieval, analysis, enrichment, and provisioning of customer messages for automated response generation.
Purpose: performance of services agreed in the main contract.
3. Categories of Data and Data Subjects
The following data categories are processed:
- Master data of customer contacts (name, email, optional phone number)
- Content of customer inquiries, reviews, comments, and messages
- Metadata (timestamps, source, sentiment analysis results)
- Personality profiles (TwentyFive analysis results)
Categories of data subjects: customers, prospects, and other contacts of the Controller.
4. Obligations of the Processor
The Processor:
- processes personal data only on documented instructions of the Controller
- ensures personnel authorized to process data are committed to confidentiality
- implements appropriate technical and organizational measures under Art. 32 GDPR (see Section 6)
- assists the Controller with data subject requests
- at the Controller’s choice, deletes or returns all data at the end of the contract
5. Sub-Processors
The Controller agrees to the engagement of the following sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting, server infrastructure | Germany |
| Google Ireland Limited / Google LLC | Firebase Authentication, cloud services | Ireland / USA (SCC + DPA) |
| OpenAI OpCo, LLC | Large language model API (no model training) | USA (SCC + DPA) |
| Stripe Payments Europe Limited | Payment processing | Ireland (EU) |
| united-domains GmbH | Transactional email delivery | Germany |
Any change to the list of sub-processors will be communicated to the Controller at least 14 days in advance. The Controller may object to planned changes within 7 days.
6. Technical and Organizational Measures (TOMs)
The Processor implements, in particular:
- Access control: two-factor authentication for administrative access
- Role-based access following the need-to-know principle
- Logging of security-relevant access and administrative actions
- Encryption in transit (HTTPS/TLS) and encryption at rest
- Pseudonymization where technically feasible
- Availability: regular, encrypted, and geographically distributed backups
- Order control: written data processing agreements with all sub-processors
7. Breach Notification
The Processor will notify the Controller without undue delay, and no later than 24 hours after becoming aware, of any personal data breach.
8. Deletion and Return
After termination of the main contract, the Processor will delete all personal data without undue delay, unless retention is legally required. At the Controller’s request, a standard-format export is provided prior to deletion.
9. Contact
Questions on this DPA: datenschutz@senseaition.com.