in accordance with Art. 28 GDPR
Between
- the Client (the "Controller")
- itellico internet solutions GmbH, Postgasse 19, A-1010 Vienna, Austria (the "Processor")
Preamble
This Data Processing Addendum (DPA) governs the rights and obligations of the parties in connection with the processing of personal data for the performance of the service agreement concluded between the parties ("Main Agreement").
1. Subject Matter, Duration, and Specification of Data Processing
1.1 Subject Matter
The subject matter of the data processing is the provision of the services defined in the Main Agreement.
1.2 Nature and Purpose of Processing
The processing serves exclusively to provide the services defined in the Main Agreement.
1.3 Nature of Personal Data
- Content Data:
  - Voice and audio data from all interactions
  - Conversation content in text form (transcripts)
  - All data and content provided by the Controller under the Main Agreement
  - All data and information voluntarily provided by the end-user
- Contact Data (if provided by the end-user):
  - Phone number (as part of connection data)
  - Name (if actively provided by the end-user, as it is not proactively requested)
  - Email address (if actively provided by the end-user, as it is not proactively requested)
- Usage Data (Metadata for billing and analysis):
  - Unique identifiers (e.g., Call ID, Session ID)
  - Timestamp and duration of the interaction
  - Token consumption (for AI-based services and billing purposes)
  - Technical parameters of the transmission
  - IP address
1.4 Categories of Data Subjects
- End-users of the Controller (e.g., customers, prospects) who interact with the AI voice assistant.
1.5 Duration of Processing
The duration of the processing corresponds to the term of the Main Agreement.
2. Obligations of the Processor
2.1 Processing on Instructions
The Processor shall process personal data exclusively on the documented instructions of the Controller, unless required to do so by law. The use of the services defined in the Main Agreement by the Controller constitutes such an instruction.
2.2 Confidentiality
The Processor shall ensure that persons authorized to process the personal data are committed to confidentiality.
2.3 Technical and Organizational Measures (TOMs)
The Processor shall take all measures required pursuant to Art. 32 GDPR for the security of processing. The specific TOMs implemented are listed in the Appendix to this agreement.
2.4 No Use for AI Training
The Processor warrants that for the processing of content data such as voice and text data (e.g., for transcription, content generation, and text-to-speech synthesis), it exclusively uses APIs from sub-processors that contractually guarantee that submitted data is not used for training AI models. This applies to all deployed providers with the exception of Cartesia. Processing is carried out in accordance with the respective data protection provisions of the deployed providers and the obligations set forth in this agreement.
3. Sub-processors
3.1 Use of Sub-processors
The Controller grants general authorization for the use of sub-processors to provide the contractual services. The Processor maintains and keeps an up-to-date list of all engaged sub-processors at https://itellico.ai/legal/data-processors/.
3.2 Contractual Obligations and Guarantees
The Processor shall ensure, by concluding contracts (typically the standard data processing agreements of the providers), that every sub-processor is subject to data protection obligations that are materially equivalent to those set forth in this DPA (in accordance with Art. 28(4) GDPR).
3.3 Third-Country Transfers
For sub-processors located outside the EU/EEA, the Processor shall ensure that an adequate level of data protection is in place, for example, by certification under the EU-US Data Privacy Framework (where applicable) or by concluding EU Standard Contractual Clauses (SCCs) and implementing necessary additional safeguards.
3.4 Information and Right to Object
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other sub-processors at least 15 days prior to the planned engagement, thereby giving the Controller the opportunity to object on important data protection grounds.
4. Rights of the Data Subject
The Processor shall, as far as possible, assist the Controller with appropriate technical and organizational measures in fulfilling its obligations concerning the rights of data subjects (e.g., access, rectification, erasure).
5. Assistance to the Controller
The Processor shall assist the Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR (Security of processing, Notification of a personal data breach, Data protection impact assessment).
5.1 Notification of Data Breaches
The Processor shall notify the Controller of any personal data breach without undue delay after becoming aware of it, in accordance with Art. 33(2) GDPR. The notification shall be made no later than 24 hours after becoming aware of the breach to privacy@itellico.ai.
6. Data Retention and Deletion
6.1 Processing During the Term of the Agreement
- Standard Storage of Content and Contact Data: As long as the Main Agreement is active, content data (e.g., recordings, transcripts, knowledge bases, settings) and associated contact data are stored for the Controller as part of the agreed service and are not automatically deleted.
- Configurable Data Processing: The Controller can control the processing of various data types via the platform settings:
  - Flexible Processing: The Controller can configure retention settings for various data types with the following categories:
    - Fully Configurable Settings: Certain data types can be completely disabled (Zero Retention) or assigned freely configurable retention periods (e.g., call recordings, automated post-call analyses such as summaries).
    - Minimum Retention Settings: Other data types are subject to minimum retention periods as defined elsewhere in this DPA for operational and legal purposes, but can be configured for longer retention periods beyond these minimums (e.g., transcripts, system prompts, API call logs).
- Minimum Retention: IP addresses are retained for 30 days for IT security and fraud prevention and are then deleted or anonymized. Phone numbers and other technical metadata are retained for up to 90 days after billing to comply with telecommunications regulations and are then automatically deleted or anonymized.
- Abuse Monitoring and Legal Defense: In accordance with industry standards, certain data is retained for up to 30 days to identify abuse and ensure compliance with usage policies:
  - System prompts and conversation context: retained for up to 30 days for abuse detection and pattern analysis
  - Conversation transcripts and events: retained for up to 30 days for monitoring compliance with platform policies
  - API call logs and function calls: retained for up to 30 days for technical investigation and dispute resolution
  - This retention period applies regardless of customer-configured retention settings and serves legitimate business interests in preventing platform abuse and defending against potential violations reported by AI service providers.
- Legal Retention: Billing-relevant metadata must be retained in accordance with legal obligations and cannot be deleted prematurely.
- Limits of Configurability: The retention periods for content data configurable by the Controller cannot be shorter than the minimum retention periods for metadata defined by the Processor in Section 6.3. The generation and retention of billing-relevant and other metadata by the Processor remain unaffected by customer-specific settings.
6.2 Deletion of Traffic Data and Other Personal Data
Automatic Deletion of Traffic Data according to § 167 TKG 2021: The Processor automatically deletes or anonymizes traffic data (phone numbers, exact timestamps, call IDs) according to the following schedules:
- Prepayment/Prepaid: For calls covered by prepayments or annual contracts, deletion occurs 90 days after the call date.
- Post-Billing: For calls that are billed subsequently, deletion occurs 90 days after the billing date.
Deletion and Return after Contract End or on Request:
After Contract End: Upon conclusion of the provision of processing services (i.e., after termination of the Main Agreement), the Processor is obligated to irrevocably delete all remaining content and contact data after a period of 90 days, including all existing copies.
On Instruction from the Controller: At the Controller's choice, the Processor will either (a) return all personal data to the Controller or (b) irrevocably delete all personal data and existing copies, unless storage is required by EU or member state law.
Billing-relevant metadata must continue to be retained in accordance with statutory retention periods.
6.3 Retention of Metadata
The retention of metadata is purpose-bound and differentiated by data type:
- Billing-Relevant Metadata: To comply with statutory accounting and documentation obligations (e.g., 7 years according to § 212 UGB in Austria), billing-relevant metadata (e.g., Customer ID, duration, token consumption) is retained for the duration of the statutory periods.
- Anonymized Data: After complete anonymization, data may be retained indefinitely for statistical analysis and product improvement, as it no longer has any personal reference.
7. Audit Rights
The Controller has the right to verify the Processor's compliance with the provisions of this agreement. Such inspections shall be announced with reasonable notice and conducted during normal business hours. The Processor may also provide evidence of compliance by submitting suitable, current certificates, reports, or attestations from independent auditors (e.g., auditors, data protection officers, security certifications).
---
Appendix – Technical and Organizational Measures (TOMs)
As of: July 15, 2025
The following are the actual technical and organizational measures implemented by the Processor to ensure the security of the data processing.
1. Physical Access Control
- Data Centers: AWS Frankfurt (eu-central-1) with GDPR compliance.
- Access: Biometric controls and 24/7 monitoring by the AWS data center.
2. System Access Control
- Administrators: Multi-factor authentication (MFA) is mandatory.
- Applications: Token-based API authentication.
- Principle: Strict role-based access control (RBAC).
3. Data Access Control (Permissions)
- Databases: Access exclusively from within the protected Kubernetes cluster.
- Storage: Granular S3 bucket policies according to the least privilege principle.
- Secrets: Use of AWS Secrets Manager for all credentials.
4. Separation Control
- Tenants: Strict logical tenant separation at the application level. Each tenant is assigned a unique ID (UUID) that is validated on every data access request. This ensures that queries can only return data belonging to the respective tenant.
- Environments: Separate Virtual Private Clouds (VPCs) for development and production systems.
- Containers: Kubernetes namespaces for service isolation.
5. Pseudonymization and Encryption
- Data in Transit: TLS 1.3 for all data transfers.
- Data at Rest: AES-256 encryption for S3 storage and backups.
- Pseudonymization: Applied to specific personal data where necessary.
6. Availability Control
- High Availability: Multi-AZ deployment across at least 3 Availability Zones.
- Backups: Regular automatic backups with appropriate retention periods.
- Monitoring: 24/7 system performance monitoring with automated alerts.
7. Input Control (Logging)
- System Logs: Use of AWS CloudTrail for all API calls.
- Access Logs: Complete logging of all access to sensitive data.
- Audit: Kubernetes audit logs for tracking container activities.
8. Job Control (Compliance)
- Processes: Documented Standard Operating Procedures (SOPs) for critical operations.
- Change Management: Version-controlled infrastructure (Infrastructure-as-Code).
- Training: Regular data protection and security training for all relevant employees.