Data Processing Agreement

AiAssistant24.com

1. Parties

This Data Processing Agreement (“Agreement”) is entered into between:

Digimark
Zgornje Škofije 115m
6281 Škofije
Slovenia
Email: info@aiassistant24.com

(“Processor”)

and

The Customer / Client using AiAssistant24 services
(“Controller”)

2. Purpose

This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of AiAssistant24 services.

It ensures compliance with the General Data Protection Regulation (GDPR).

3. Definitions

  • Personal Data: Any information relating to an identifiable individual

  • Processing: Any operation performed on personal data

  • Controller: The entity determining purposes and means of processing

  • Processor: The entity processing data on behalf of the Controller

  • Sub-processor: Third party engaged by the Processor

4. Roles of the Parties

  • The Controller determines how and why personal data is processed

  • The Processor processes data solely on behalf of the Controller

The Processor does NOT use personal data for its own independent purposes.

5. Scope of Processing

Nature of Processing:

  • AI-based call handling (inbound/outbound)

  • Call recording and transcription (if enabled)

  • SMS and messaging automation

  • Appointment booking and scheduling

  • Storage and routing of communication data

Categories of Data Subjects:

  • Customers of the Controller

  • Website visitors

  • Callers and message participants

Types of Personal Data:

  • Name

  • Phone number

  • Email address

  • Voice recordings

  • Message content

  • Booking and reservation data

6. Duration

This Agreement remains in effect for as long as the Processor processes personal data on behalf of the Controller.

7. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller

  • Ensure confidentiality of all personal data

  • Implement appropriate technical and organizational measures

  • Not sell or use personal data for its own purposes

  • Assist the Controller with GDPR obligations where reasonably possible

  • Notify the Controller without undue delay in case of a data breach

8. Controller Obligations

The Controller is responsible for:

  • Ensuring a lawful basis for processing personal data

  • Informing users that AI systems may handle communications

  • Obtaining consent where required (e.g., call recording)

  • Ensuring compliance with GDPR and applicable laws

The Controller acknowledges full responsibility for how the service is used.

9. Sub-processors

The Controller authorizes the Processor to use sub-processors necessary to deliver the service.

These include, but are not limited to:

  • OpenAI – natural language processing

  • Google (including Gemini) – AI processing and infrastructure

  • ElevenLabs – voice synthesis

  • Twilio – telephony and messaging

Additional sub-processors may include:

  • Cloud hosting providers

  • Analytics providers

  • Monitoring and infrastructure services

The Processor ensures that all sub-processors are subject to GDPR-compliant obligations.

The Processor may update or replace sub-processors at any time. An updated list will be available upon request.

10. International Data Transfers

Personal data may be transferred outside the European Economic Area (EEA).

The Processor ensures appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs)

  • Use of GDPR-compliant providers

11. Data Security

The Processor implements appropriate technical and organizational measures, including:

  • Encryption (where applicable)

  • Access controls

  • Secure infrastructure

The Controller acknowledges that no system can guarantee absolute security.

12. AI Processing & Automation

The Controller acknowledges that:

  • Personal data may be processed by AI systems

  • AI outputs are generated automatically and may not always be accurate

  • AI systems operate based on probabilistic models

The Processor does not guarantee accuracy or reliability of AI-generated outputs.

The Controller is responsible for reviewing and supervising use where necessary.

13. Data Subject Rights

The Processor shall assist the Controller in fulfilling obligations related to:

  • Access requests

  • Correction of data

  • Deletion requests

  • Data portability

The Controller remains responsible for responding to such requests.

14. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay

  • Provide relevant information available at the time

15. Data Retention & Deletion

  • Personal data is retained only as long as necessary to provide the service

  • Upon termination, data may be deleted within a reasonable period

  • The Controller may request deletion of data

16. Liability

Each party is responsible for its own compliance with GDPR.

The Processor is NOT liable for:

  • Unlawful use of the service by the Controller

  • Failure of the Controller to obtain required consent

  • Instructions that violate applicable law

17. Audit Rights

The Controller may request information regarding data protection measures.

Formal audits are limited to reasonable requests and must not disrupt operations.

18. Termination

This Agreement terminates automatically upon termination of the main service agreement.

19. Governing Law

This Agreement is governed by the laws of Slovenia.

20. Acceptance

This Agreement is governed by the laws of Slovenia.