Contract for Data Processing by chatarmin.com GmbH according to Art. 28 GDPR, 08.07.2024
Please note that the German version of this Data Processing Agreement is the original and is authoritative in case of any interpretation issues. Translations are provided for informational purposes only and are not legally binding.
Art. 28 GDPR sets specific requirements for data processing. To meet these special requirements, the contracting parties enter into this data processing contract in addition to the Terms of Service. It applies to all activities related to the main contract where employees of the contractor or agents of the contractor process personal data (hereinafter "data") of the client. The definitions of the GDPR apply.
This data processing agreement (AVV) consists of two parts:
Chatarmin (WhatsApp Marketing Tool)
1. Subject of the Contract and the Client's Right to Issue Instructions
The subject of this contract is the services of the contractor for the client in the area of communication via WhatsApp using the chatarmin solution. Additionally, reference is made to Appendix 1 of this contract and the Terms of Service. If the commissioned service changes, this data processing contract in Appendix 1 must be adjusted and supplemented accordingly.
The client, as the responsible party, is solely responsible for assessing the legality of the data processing according to the GDPR.
In providing the service, the contractor gains access to personal data and processes this data exclusively on behalf of and according to the instructions of the client, unless the contractor is required by Union or Member State law to process it otherwise.
The instructions of the client are specified in this contract and can be changed, supplemented, or replaced by the client in at least documented electronic format through individual instructions. If the contractor is required by European Union or Member State law to process data further, they will inform the client of these legal requirements before processing (Art. 28 para. 3 lit. a) GDPR).
If the contractor believes that an instruction from the client violates data protection regulations, they must inform the client immediately. The contractor is entitled to suspend the execution of the instruction until it is confirmed or modified by the client. The contractor may refuse to execute an obviously illegal instruction without facing negative consequences. The client is responsible for issuing legally valid instructions (Art. 28 para. 3 sentence 3 GDPR).
The term of this contract corresponds to the term of the main contract unless additional obligations or termination rights arise from the following provisions.
2. Technical and Organizational Measures
The contractor complies with legal data protection requirements. Information of the client will not be disclosed to third parties without explicit instruction from the client. Documents and data are secured against unauthorized access considering the state of the art.
The contractor organizes their internal operations to meet the special requirements of data protection and ensures that all necessary technical and organizational measures to protect the client's data according to Art. 32 GDPR are taken. Reference is made to Appendix 2.
The client reviews the technical and organizational measures of the contractor before data processing begins and regularly thereafter. Changes to the agreed security measures can be made as long as they do not fall below the contractually agreed protection level.
3. Confidentiality
The contractor and their employees are prohibited from processing personal data without authorization. The contractor commits all individuals involved in the processing and fulfillment of this contract to confidentiality. The confidentiality obligations remain even after the termination of this contract or the employment relationship between the employee and the contractor.
4. Contractor's Information Obligations
In case of disruptions, suspected data protection violations, breaches of contractual obligations by the contractor, suspected security incidents, or other irregularities in the processing of personal data by the contractor or their personnel, the contractor will inform the client immediately in writing or documented electronic format. The same applies to audits by the data protection supervisory authority concerning this contract.
The notification of a personal data protection breach to the client will include, if possible, the following information:
a) a description of the nature of the personal data breach, including the categories and approximate number of affected individuals and records, if possible;
b) a description of the likely consequences of the breach, and
c) a description of the measures taken or proposed by the contractor to address the breach and mitigate its possible adverse effects.
The contractor takes immediate measures to secure the data and mitigate possible adverse effects on the affected individuals, informs the client, and requests further instructions.
If the client's data at the contractor is endangered by seizure, attachment, insolvency, or similar events, the contractor will inform the client immediately unless prohibited by court or official order. The contractor will inform all relevant parties that the decision-making authority over the data lies solely with the client as the "controller" according to the GDPR.
The contractor supports the client with appropriate technical and organizational measures to fulfill their obligations under Art. 12 to 22 (Art. 28 para. 3 lit. e) GDPR) and Art. 32 to 36 GDPR (Art. 28 para. 3 lit. f) GDPR).
5. Client's Control Rights
The contractor agrees to provide the client with all information and evidence required to conduct an audit of the contractor's technical and organizational measures upon oral, written, or electronic request within a reasonable timeframe.
Inspections by the client or their auditors, who must not be competitors of the contractor, can be conducted during normal business hours with 14 days' notice. The client conducts audits only to the necessary extent and in a manner that does not unreasonably disrupt the contractor's operations. The contractor may charge for assistance during an inspection, as agreed in a separate contract.
6. Use of Subcontractors
Personal data may only be processed in third countries in compliance with the provisions of Articles 44–49 GDPR. The contractually agreed services or the following partial services are carried out with the involvement of subcontractors listed in Appendix 3. All subcontractors already involved and approved by the client at the time of the contract conclusion are listed in Appendix 3. The client grants general approval to involve additional subcontractors for processing client data (subcontractors). We are obliged to inform our clients in writing of any new or changing subcontractors. Additionally, we enter into comparable data processing agreements with all subcontractors. We notify our clients at least 14 days in advance in writing of any intended changes to this list by adding or replacing subcontractors, giving the controller sufficient time to object to these changes before the subcontractor is engaged. The right to object under Art. 28 para. 2 sentence 2 GDPR expires if no objection is raised in writing within 14 days after notification. In case of an objection, both parties have the right to terminate the main contract and this data processing agreement with three months' notice.
A subcontractor relationship under these provisions does not exist if the contractor engages third parties for ancillary services. These include, for example, postal, transport, and shipping services, cleaning services, telecommunication services without a direct connection to services provided to the client, and security services. Maintenance and inspection services constitute subcontractor relationships if provided for IT systems used in delivering services to the client.
7. Liability
The client and contractor are liable to affected individuals according to the provisions of Art. 82 GDPR.
8. Termination of the Main Contract
Upon termination of the main contract or at any time upon request by the client, the contractor will return all documents, data, and storage media provided by the client or, at the client's request, delete them unless there is a legal obligation to retain personal data. This also applies to any data backups held by the contractor. The contractor must provide documented proof of proper deletion of any remaining data.
The contractor is obliged to keep data confidential even after the termination of the main contract. This agreement remains valid as long as the contractor has personal data provided by or collected for the client.
9. Final Provisions
- The parties agree that the contractor cannot claim any right of retention regarding the data to be processed or the associated data carriers.
- Changes and additions to this agreement must be in writing or documented electronic format.
- If any provision of this agreement is or becomes invalid or unenforceable, the validity of the remaining provisions remains unaffected, and the legal regulations of Art. 28 GDPR apply.
- This agreement is governed by Austrian law. The exclusive place of jurisdiction is Vienna.
Appendices:
Appendix 1 – Description of affected individuals/groups and special data/data categories
Appendix 2 – Technical and organizational measures of the contractor
Appendix 3 – Subcontractors
Appendix 1 – Description of Affected Individuals/Groups and Special Data/Data Categories
| Subject of Processing | Description |
|---|---|
| Type and Purpose of Processing | WhatsApp communication infrastructure within a CRM system and an API for automating and synchronizing data streams and information flows for customer communication via WhatsApp and for evaluating and analyzing WhatsApp communication through chatarmin. Purposes of processing: personalization of WhatsApp communication; sending promotional content; analysis of behavior in WhatsApp chat; providing a chatbot; interfaces to other applications that the client can link, such as shop systems, email tools, etc. |
| Type of Personal Data | Master and contact data (client's customer phone numbers, WhatsApp profile names), communication in chats, click behavior in chats such as surveys, delivery and open rates. Are special categories of personal data processed? Depending on the client's instructions. If special categories of personal data are processed, a supplementary agreement is required. |
| Categories of Affected Individuals | Client's subscribers, client's customers |
Annex 2 - Technical and Organizational Measures (TOMs) of chatarmin.com GmbH pursuant to Article 32 GDPR - Status 25.02.2026
chatarmin.com GmbH operates its systems based on a cloud-first and remote-first operating model. The technical and organizational measures described below are aligned with the state of the art, the nature, scope and risks of the processing activities, as well as the security measures implemented by the cloud and platform service providers used.
Physical security measures relating to data centers are exclusively implemented by the respective cloud service providers.
chatarmin operates an ISO/IEC 27001-compliant Information Security Management System (ISMS), which forms the foundation for the planning, implementation, monitoring and continuous improvement of all security measures.
1. Confidentiality
a. Physical Access Control
• chatarmin does not operate its own server rooms or data centers
• Physical access controls (e.g. access control systems, video surveillance, security services, fire protection) are implemented by the engaged data center and cloud service providers
• Cloud service providers are selected based on documented security measures and certifications
b. System Access Control
• Use of personalized user accounts
• Password policies (complexity, length)
• Multi-factor authentication (MFA) for critical systems, where technically available
• Use of a password manager
• Automatic screen locking
• Clean desk / clear screen policy
• Organizational prohibition of external storage media (e.g. USB devices)
• System access exclusively via approved cloud services
c. Data Access Control
• Role-based and need-based access concepts (strict need-to-know principle implemented)
• Management of access rights by authorized administrators
• Reduction of administrative privileges to the necessary minimum
• Consideration of access rights to data backups
• Logging of administrative activities
2. Integrity
a. Input and Change Control
• Logging of the creation, modification and deletion of personal data
• Individual user identifiers (no shared or group accounts)
• Protection and integrity of log and protocol files
• Dual control (four-eyes principle) for security-critical process steps, where organizationally appropriate
b. Transfer Control
• Data transfers are carried out exclusively via secure, encrypted communication channels (TLS/HTTPS) to approved cloud services; no physical data transport takes place
• Use of approved interfaces only
3. Availability and Resilience
• Operation on a highly available cloud infrastructure
• Use of redundant system architectures
• Backup and recovery concepts implemented within the utilized cloud services
• Regular testing of data recovery procedures
• Emergency and recovery planning (business continuity)
• No own physical servers, uninterruptible power supplies (UPS) or air conditioning systems due to the cloud-first approach
4. Separation Control
• Logical tenant separation at application and database level
• Separation of production, test and development environments
• No use of real personal data in test environments
• No physical separation on dedicated hardware (cloud architecture)
5. Pseudonymization and Anonymization
• Personal data is deleted or anonymized once the processing purpose ceases
• Pseudonymization with a separate attribution file is not used
• Anonymization is applied where technically and operationally appropriate
6. Processor and Sub-processor Control
• Engagement of sub-processors exclusively on a contractual basis
• Conclusion of data processing agreements (DPA/AVV)
• Evaluation of service providers based on:
- technical and organizational measures (TOMs)
- certifications
- audit reports
• Control is exercised through contractually agreed security measures
7. Data Protection and Security Management
• Appointment of an external Data Protection Officer
• Maintenance of a record of processing activities
• Integration of data protection-related processes into the ISMS
• Regular training and awareness measures regarding data protection and artificial intelligence
• Documented processes for:
- handling data subject rights
- reporting data protection and security incidents
8. Review and Continuous Improvement
• Regular review of the technical and organizational measures
• External certifications and audits
• Event-driven reviews in the event of security incidents or changes to processing activities
• Continuous adaptation to new risks and technological developments
Appendix 3 - Approved Subcontractors
Approved subcontractors according to section 6 of this contract:
| Contracted Company | Processing Activity | Place of Processing |
|---|---|---|
| WhatsApp Ireland Limited | Provision of WhatsApp for communication; hosting of the WhatsApp API | Hosting of the API in the European Union. WhatsApp LLC, 1601 Willow Road, Menlo Park, California 94025 (certified under the Data Privacy Framework). Meta Platforms, Inc., 1 Meta Way, Menlo Park, California 94025-1453 (certified under the Data Privacy Framework). Data Processing Agreement of WhatsApp Ireland Limited, including standard contractual clauses for processors and a complete list of subcontractors. |
| Digital Ocean LLC, 101 6th Ave, New York, United States | Hosting of "redirect links" for Chatarmin. Clicking on the short link redirects the user to the real link. The IP address from which the link is clicked is processed. | United States of America and other third countries in which affiliated companies of Digital Ocean LLC are based. Data Processing Agreement from DigitalOcean (certified under the Data Privacy Framework), including standard contractual clauses for processors and a complete list of subcontractors in Schedule 3. |
| Intercom R&D Unlimited Company, 124 St Stephen's Green, Dublin 2, DC02 C628, Ireland | Customer support | Ireland. Data Processing Agreement from Intercom (certified under the Data Privacy Framework). |
| Redis EMEA Ltd., Bridge House, 4 Borough High Street, London SE1 9QQ, UK | Caching of API requests to optimise display speed in Chatarmin | United Kingdom (adequacy decision). Data Processing Agreement from Redis. |
| Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen | API backend hosting for chatarmin, provision of the database for contact details, storage of analysis data on customer actions and statistical data on the number of flows per customer and opening rates, and use for product development | Germany. Data Processing Agreement from Hetzner. |
| Typesense, Inc., 14090 Southwest Freeway, Suite 300, Sugar Land, TX 77478, USA | Storage of chat history and contacts for quick data retrieval. Optional: storage of chatbot data, only in conjunction with Chatarmin AI | USA. Data Processing Agreement including standard contractual clauses and a complete list of subcontractors. |
| Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723 | Frontend hosting | USA. Data Processing Agreement (certified under the Data Privacy Framework). |
| Optional: Access only in conjunction with Chatarmin AI | | |
| OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland | Provision of AI technology, processing of requests, generation of responses | USA. Data Processing Agreement from OpenAI, including standard contractual clauses for processors and a complete list of subcontractors. |
armincx (Customer Support Suite)
Data Processing Agreement according to Art. 28 GDPR
Art. 28 GDPR places specific requirements on data processing through a processor. In order to comply with these special requirements, the contracting parties conclude this contract in addition to the Terms of Service. It applies to all activities that are related to the main contract concluded and in which employees of the contractor or persons authorised by the contractor process personal data (hereinafter "data") of the client. The definitions of the GDPR apply.
1. Subject matter of the contract and the client's right to issue instructions
(1) The subject matter of this contract is the Contractor's services for the Client in the area of providing the armin.cx solution. In addition, reference is made to Annex 1 of this Agreement and the Terms of Use. In the event of changes to the commissioned service, this data processing agreement in Annex 1 must be adapted and supplemented accordingly.
(2) As the controller, the client is solely responsible for assessing the permissibility of data processing in accordance with the GDPR.
(3) When providing the service, the Contractor shall have access to personal data and shall process it exclusively on behalf of and in accordance with the instructions of the Client, unless the Contractor is obliged to process it differently under the law of the Union or the Member States to which it is subject.
(4) The Client's instructions are set out in this Agreement and may be amended, supplemented or replaced by the Client in at least documented electronic format by means of individual instructions. If the Contractor is obliged by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall inform the Client of these legal requirements prior to processing (Art. 28 para. 3 lit. a) GDPR).
(5) If the Contractor is of the opinion that an instruction from the Client violates data protection regulations, it must inform the Client of this immediately. The Contractor shall be entitled to suspend the implementation of the instruction in question until it is confirmed or amended by the Client. The Contractor may refuse to carry out an obviously unlawful instruction without incurring any negative consequences. The Client is responsible for issuing legally valid instructions (Art. 28 para. 3 sentence 3 GDPR).
(6) The term of this contract is based on the term of the main contract, unless the following provisions contain obligations or rights of cancellation that go beyond this.
2. Technical and organisational measures
(1) The Contractor shall comply with the statutory provisions on data protection. The Client's information shall not be passed on or disclosed to third parties without the Client's express instructions. Documents and data shall be secured against unauthorised access, taking into account the state of the art.
(2) The Contractor shall design the internal organisation in its area of responsibility in such a way that it meets the special requirements of data protection and ensures that it has taken all necessary technical and organisational measures to protect the Client's data in accordance with Art. 32 GDPR. Reference is made to Appendix 2.
(3) The Client shall review the Contractor's technical and organisational measures before commencing data processing and then regularly thereafter. Changes may be made to the agreed security measures, provided that these do not fall below the contractually agreed level of protection.
3. Confidentiality
The Contractor and its employees are prohibited from processing personal data without authorisation. The Contractor shall oblige all persons entrusted by it with the processing and fulfilment of this contract to maintain confidentiality. The confidentiality obligations shall also apply after termination of this contract or the employment relationship between the employee and the contractor.
4. Information obligations of the contractor
(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Contractor, suspected security incidents or other irregularities in the processing of personal data by the Contractor, persons employed by the Contractor within the scope of the order or by third parties, the Contractor shall inform the Client immediately in writing or documented electronic format, insofar as they relate to this contract. The same applies to audits of the Contractor by the data protection supervisory authority, insofar as they relate to this contract.
(2) The notification of a personal data breach to the Client shall contain the following information, where possible:
a) a description of the nature of the personal data breach, including, where possible, the categories and number of data subjects concerned and the categories and number of personal data records concerned;
b) a description of the likely consequences of the breach; and
c) a description of the measures taken or proposed to be taken by the Contractor to remedy the breach and, where appropriate, measures to mitigate its possible adverse effects.
(3) The Contractor shall immediately take the necessary measures to secure the data and minimise possible adverse consequences for the data subjects, inform the Client and request further instructions from the Client.
(4) Should the Client's data be jeopardised by seizure or confiscation, by insolvency or composition proceedings or by other events or measures by third parties, the Contractor shall inform the Client of this immediately, unless it is prohibited from doing so by court or official order. In this context, the Contractor shall immediately inform all competent authorities that the decision-making authority over the data lies exclusively with the Client as the "controller" within the meaning of the GDPR.
(5) Where possible, the Contractor shall support the Client with suitable technical and organisational measures in fulfilling its obligations under Art. 12 to 22 (Art. 28 para. 3 lit. e) GDPR) and Art. 32 to 36 GDPR (Art. 28 para. 3 lit. f) GDPR).
5. Control rights of the client
(1) The Contractor undertakes to provide the Client with all information and evidence required to carry out a check of the Contractor's technical and organisational measures within a reasonable period of time at the Client's verbal, written or electronic request.
(2) Inspections by the Client or its authorised inspectors, who may not be in a competitive relationship with the Contractor, may be carried out during normal business hours and with a lead time of 14 days' notice. The Client shall only carry out inspections to the extent necessary and shall only disrupt the Contractor's operational processes in a proportionate manner. The Contractor may demand remuneration for assistance in carrying out an inspection. The remuneration shall be agreed in individual contracts.
6. Use of subcontractors
(1) The contractually agreed services or the partial services described below shall be carried out with the involvement of the subcontractors (sub-processors) listed in Annex 3. All other processors already involved and authorised by the Client at the time of conclusion of the contract are listed in Annex 3. The Client grants general authorisation to involve other processors with regard to the processing of client data (subcontractors). We are obliged to inform our clients about the involvement of or changes to other processors, whereby written information in text form is sufficient. Furthermore, we conclude comparable data processing agreements with all subcontractors. We inform our clients in writing at least 14 days in advance of any intended changes to this list by adding or replacing sub-processors and thus give the controller sufficient time to object to these changes before commissioning the sub-processor(s) concerned (right of objection pursuant to Art. 28 para. 2 sentence 2 GDPR). The right to object expires if the Client has not objected in writing within 14 days of receipt of the notification of the change or involvement. In the event of an objection, both parties have the right to terminate the main contract and this contract for commissioned processing with a notice period of 3 months.
(2) A subcontractor relationship within the meaning of these provisions does not exist if the Contractor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and dispatch services, cleaning services, telecommunications services with no specific connection to services provided by the contractor for the client and security services. Maintenance and testing services constitute subcontractor relationships requiring approval if they are provided for IT systems that are also used in connection with the provision of services for the client.
7. Liability
The client and contractor are liable to data subjects in accordance with the provisions of Art. 82 GDPR.
8. Termination of the main contract
(1) After termination of the main contract, or at any time at the Client's request, the Contractor shall return to the Client all documents, data and data carriers provided to it or, at the Client's request, delete them, unless there is a legal obligation to store the personal data. This also applies to any data backups at the Contractor. The Contractor shall provide documented proof of the proper deletion of any data still in existence.
(2) The Contractor shall be obliged to treat the data it has become aware of in connection with the main contract confidentially even after the end of the main contract. This agreement shall remain valid beyond the end of the main contract for as long as the Contractor has personal data that was forwarded to it by the Client or that it has collected for the Client.
9. Final provisions
(1) The parties agree that the defence of the right of retention by the Contractor with regard to the data to be processed and the associated data carriers is excluded.
(2) Amendments and supplements to this agreement must be made in writing or in a documented electronic format.
(3) Should individual provisions of this agreement be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions and the statutory provisions of Art. 28 GDPR shall apply.
(4) This agreement is subject to Austrian law. The exclusive place of jurisdiction is Vienna.
Attachments:
- Annex 1 - Description of data subjects/groups of data subjects and particularly sensitive data/categories of data
- Annex 2 - Technical and organisational measures of the contractor
- Annex 3 - Subcontractor
Annex 1 - Description of data subjects/groups of data subjects and particularly sensitive data/categories of data
| Object of the processing | The specific processing depends on the use by the client. |
|---|---|
| Type and Purpose of the processing | The Customer Support Suite is a web-based ticketing and communication system that has been developed specifically for e-commerce companies. The solution bundles customer enquiries from various channels – including WhatsApp, email, telephone and social networks (e.g. Facebook, Instagram) – and makes them available in a single user interface. This allows support enquiries to be processed efficiently across all channels. Subject matter and purpose of processing: The purpose of data processing is to manage and process customer enquiries and to communicate with data subjects (end customers) in the context of contract processing, customer care, support services and service optimisation. |
| Type of personal data | Contact details (e.g. name, telephone number, email address, social media handle); communication content (e.g. message histories, emails, chat histories, audio recordings of telephone calls); metadata (e.g. time stamps, channel used, processor information); if applicable, order and customer data from connected e-commerce systems (for context creation). Are special categories of personal data processed? Depending on the order and instructions of the client. If special categories of personal data are processed, a supplementary agreement is required. |
| Categories of affected persons | Subscribers of the client; customers of the client |
Annex 2 - Technical and Organizational Measures (TOMs) of chatarmin.com GmbH pursuant to Article 32 GDPR - Status 25.02.2026
chatarmin.com GmbH operates its systems based on a cloud-first and remote-first operating model. The technical and organizational measures described below are aligned with the state of the art, the nature, scope and risks of the processing activities, as well as the security measures implemented by the cloud and platform service providers used.
Physical security measures relating to data centers are exclusively implemented by the respective cloud service providers.
chatarmin operates an ISO/IEC 27001-compliant Information Security Management System (ISMS), which forms the foundation for the planning, implementation, monitoring and continuous improvement of all security measures.
1. Confidentiality
a. Physical Access Control
• chatarmin does not operate its own server rooms or data centers
• Physical access controls (e.g. access control systems, video surveillance, security services, fire protection) are implemented by the engaged data center and cloud service providers
• Cloud service providers are selected based on documented security measures and certifications
b. System Access Control
• Use of personalized user accounts
• Password policies (complexity, length)
• Multi-factor authentication (MFA) for critical systems, where technically available
• Use of a password manager
• Automatic screen locking
• Clean desk / clear screen policy
• Organizational prohibition of external storage media (e.g. USB devices)
• System access exclusively via approved cloud services
c. Data Access Control
• Role-based and need-based access concepts (strict need-to-know principle implemented)
• Management of access rights by authorized administrators
• Reduction of administrative privileges to the necessary minimum
• Consideration of access rights to data backups
• Logging of administrative activities
2. Integrity
a. Input and Change Control
• Logging of the creation, modification and deletion of personal data
• Individual user identifiers (no shared or group accounts)
• Protection and integrity of log and protocol files
• Dual control (four-eyes principle) for security-critical process steps, where organizationally appropriate
b. Transfer Control
• Data transfers are carried out exclusively via secure, encrypted communication channels (TLS/HTTPS) to approved cloud services; no physical data transport takes place
• Use of approved interfaces only
3. Availability and Resilience
• Operation on a highly available cloud infrastructure
• Use of redundant system architectures
• Backup and recovery concepts implemented within the utilized cloud services
• Regular testing of data recovery procedures
• Emergency and recovery planning (business continuity)
• No own physical servers, uninterruptible power supplies (UPS) or air conditioning systems due to the cloud-first approach
4. Separation Control
• Logical tenant separation at application and database level
• Separation of production, test and development environments
• No use of real personal data in test environments
• No physical separation on dedicated hardware (cloud architecture)
5. Pseudonymization and Anonymization
• Personal data is deleted or anonymized once the processing purpose ceases
• Pseudonymization with a separate attribution file is not used
• Anonymization is applied where technically and operationally appropriate
6. Processor and Sub-processor Control
• Engagement of sub-processors exclusively on a contractual basis
• Conclusion of data processing agreements (DPA/AVV)
• Evaluation of service providers based on:
- technical and organizational measures (TOMs)
- certifications
- audit reports
• Control is exercised through contractually agreed security measures
7. Data Protection and Security Management
• Appointment of an external Data Protection Officer
• Maintenance of a record of processing activities
• Integration of data protection-related processes into the ISMS
• Regular training and awareness measures regarding data protection and artificial intelligence
• Documented processes for:
- handling data subject rights
- reporting data protection and security incidents
8. Review and Continuous Improvement
• Regular review of the technical and organizational measures
• External certifications and audits
• Event-driven reviews in the event of security incidents or changes to processing activities
• Continuous adaptation to new risks and technological developments
Appendix 3 - Authorised subcontractors
Authorised subcontractors according to Section 6 of this contract:
| Commissioned company | Processing activity | Processing location |
|---|---|---|
| WhatsApp Ireland Limited | Provision of WhatsApp for communication; hosting of the WhatsApp API | Ireland and third countries in which affiliated companies of WhatsApp are based, such as WhatsApp LLC (1601 Willow Road, Menlo Park, California 94025, USA; Data Privacy Framework certification available) and Meta Platforms, Inc., formerly Facebook Inc. (1 Meta Way, Menlo Park, California 94025-1453, USA; Data Privacy Framework certification available). Data Processing Agreement of WhatsApp Ireland Limited incl. processor-to-processor standard contractual clauses and complete list of subcontractors. |
| Supabase Inc., Camden, 3500 S Dupont Hwy, United States | Technical infrastructure for authentication, caching, image uploads and database management for all tool data | USA |
| Mailgun Technologies, Inc., 112 E Pecan Street #1135, San Antonio, TX 78205 | Verification of email addresses, email dispatch | USA; Mailgun is certified under the EU-U.S. Data Privacy Framework. |
| Sequin Labs, Inc., 156 2nd Street, Suite 403, San Francisco, CA 94105 | Captures real-time changes in data from a PostgreSQL database (Change Data Capture) and streams them directly to systems such as Kafka or Redis. | USA; Data Processing Agreement incl. Standard Contractual Clauses |
| Redis EMEA Ltd., Bridge House, 4 Borough High Street, London SE1 9QQ, UK | Caching of data | UK (adequacy decision); Data Processing Agreement from Redis |
| Elest Limited, 66 Fitzwilliam Square, Dublin 2, D02 AT27, Ireland | Hosting of the chatarmin backend | Germany (Hetzner Online GmbH); Data Processing Agreement from Elest |
| Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany | Hosting of the chatarmin API through which communication with chatarmin is established | Germany; Data Processing Agreement from Hetzner |
Optional: engaged only in conjunction with the chatbot API
| Commissioned company | Processing activity | Processing location |
|---|---|---|
| OpenAI Ireland Ltd, 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland | Provision of AI technology, processing of requests, generation of responses. | Data Processing Agreement from OpenAI incl. processor-to-processor standard contractual clauses and complete list of subcontractors |