Data Processing Agreement

1.1

This Data Processing Agreement (hereinafter "DPA") supplements the Terms and Conditions (SaaS Agreement) concluded between the Controller and the Processor.

1.2

In order to provide the bitpull.ai services (e.g., AI speech agents, call transcriptions, lead qualification), the Processor will process personal data on behalf of the Controller. This DPA governs the rights and obligations of the parties regarding data protection.

1.3

The provisions of this DPA shall take precedence over the provisions of the Main Agreement in the event of any conflict regarding data protection matters.

2.1

The Processor provides a Software-as-a-Service (SaaS) platform for AI-supported voice interactions. The nature of the processing includes the collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, transmission, and deletion of personal data.

2.2

The purpose of the processing is exclusively the provision of the agreed services, specifically: receiving calls, conducting automated AI conversations, transcribing audio, summarizing content, and forwarding data to the Controller's systems via interfaces (APIs).

3.1. Categories of Data Subjects

Customers, potential customers, leads, employees, or other callers interacting with the AI agent configured by the Controller.

3.2. Types of Personal Data

• Contact details (e.g., name, phone number, email address).
• Audio/Voice data (voice recordings of the callers).
• Communication data (transcripts, conversation summaries, intent analysis).
• Metadata (timestamp, call duration, IP address, device data).
• Any other personal data the callers voluntarily share with the AI agent during the conversation.

4.1

The Controller remains solely responsible for the legality of the data processing and for safeguarding the rights of the data subjects in accordance with Art. 4 No. 7 GDPR.

4.2

The Controller is responsible for obtaining any necessary consents from the callers (e.g., for call recording and AI transcription) and for providing transparent information (privacy notices) under Art. 13/14 GDPR prior to the start of the recording.

4.3

The Controller shall issue all instructions regarding the processing of personal data in text form. The Main Agreement and the configuration settings chosen by the Controller within the bitpull.ai dashboard constitute documented instructions.

5.1

The Processor shall process personal data exclusively within the framework of the Main Agreement and according to the documented instructions of the Controller (Art. 28 para. 3 lit. a GDPR).

5.2

If the Processor believes that an instruction violates the GDPR or other data protection provisions, it shall immediately inform the Controller. The Processor may suspend the execution of the instruction until it has been confirmed or modified by the Controller.

5.3

The Processor guarantees that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28 para. 3 lit. b GDPR).

6.1

The Processor shall implement and maintain appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, as required by Art. 32 GDPR.

6.2

These measures include, in particular, the encryption of data in transit (e.g., TLS) and at rest, strict access controls, and measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems.

6.3

The Processor reserves the right to modify the implemented TOMs, provided that the overall security level is not degraded.

7.1

The Controller grants the Processor general authorization to engage further processors (Sub-processors) to fulfill the contractual obligations (Art. 28 para. 2 GDPR).

7.2. Current Sub-processor Categories

7.3

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors (e.g., via email or dashboard notification). The Controller may object to such changes within 14 days for objectively justified data protection reasons. If no objection is raised, the change is deemed approved.

7.4

The Processor shall impose the same data protection obligations on the Sub-processors as set out in this DPA.

8.1

Data processing generally takes place within the European Union (EU) or the European Economic Area (EEA).

8.2

If the Processor or its Sub-processors transfer personal data to a third country outside the EU/EEA, this shall only occur if the special requirements of Art. 44 et seq. GDPR are met.

8.3

Such transfers will be safeguarded by an Adequacy Decision of the EU Commission (e.g., EU-US Data Privacy Framework) or by the conclusion of Standard Contractual Clauses (SCCs).

9.1

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR (e.g., access, deletion, rectification).

9.2

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (Data Security, Notification of Data Breaches, Data Protection Impact Assessments), taking into account the nature of processing and the information available to the Processor.

10.1

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data.

10.2

The notification shall contain all necessary information enabling the Controller to comply with its reporting obligations to the supervisory authority.

11.1

The Processor will retain data (e.g., transcripts, recordings) only for as long as configured by the Controller within the bitpull.ai software or as long as necessary to provide the service.

11.2

Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller, and delete existing copies unless European Union or Member State law requires storage of the personal data.

11.3

For 30 days after contract termination, the Controller may export their data. After this period, all personal data will be irretrievably deleted by the Processor.

12.1

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

12.2

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits are typically carried out by requesting written documentation, certificates (e.g., ISO 27001 of infrastructure providers), or independent audit reports. Physical inspections require prior written notice of at least 30 days and shall not disrupt the Processor's daily business operations.

13.1

Amendments and additions to this DPA require text form.

13.2

Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions shall not be affected.

13.3

This DPA is governed by the law agreed upon in the Main Agreement (Austrian Law).