Agreement on the Processing of Personal Data on Behalf of a Controller (Data Processing Agreement, Auftragsverarbeitungsvertrag)
IMPORTANT NOTICE: CONVENIENCE TRANSLATION
This document is an English translation of the German original “Vertrag über die Verarbeitung von personenbezogenen Daten im Auftrag (Auftragsverarbeitungsvertrag)” of SynTwin GmbH, version dated 5 June 2026, Version 2.0. It is provided solely for the convenience of English-speaking customers and is not legally binding. Only the German version is legally binding and governs the contractual relationship between the parties. In the event of any conflict, ambiguity or discrepancy between the German version and this translation, the German version shall prevail. German legal terms indicated in italics and parentheses are authoritative for the interpretation of the corresponding English expressions.
Legally binding version (German): Auftragsverarbeitungsvertrag (AVV)
Between
SynTwin GmbH
Hechtseestraße 62
81671 Munich, Germany
Represented by its managing directors Adrian Indefrey and Joachim Van Erps.
— hereinafter referred to as the "Processor" (Auftragsverarbeiter) —
and
The Client's details are set out in the respective main contract.
— hereinafter referred to as the "Client" (Auftraggeber) —
— both hereinafter referred to as "the Parties" —
All terms are to be understood as gender-neutral.
the following data processing agreement is concluded:
Preamble and Scope of Application
The Processor processes personal data on behalf of the Client. This Data Processing Agreement gives concrete form to the commissioned processing with regard to its subject matter and to the rights and obligations arising from the commissioned-processing relationship. This Agreement applies exclusively in business-to-business transactions; consumers (Verbraucher, Section 13 of the German Civil Code (BGB)) are excluded. The Client is the controller within the meaning of Art. 4 No. 7 GDPR.
Application only to the extent that the GDPR is applicable: this Data Processing Agreement does not apply if the GDPR is not applicable to the processing of personal data by the Client (for example, in the case of purely personal or household activities pursuant to Art. 2(2) lit. c GDPR) and the Processor therefore does not act as a processor within the meaning of Art. 4 No. 8 GDPR.
1. Terms and Definitions
- “Commissioned processing” (Auftragsverarbeitung): in line with Art. 4 No. 8 GDPR, “commissioned processing” means the processing of personal data pursuant to Art. 4 No. 2 GDPR carried out by the Processor on behalf of the controller, in accordance with the subject matter of this Data Processing Agreement and irrespective of the number of processors engaged in between.
- “Main contract” (Hauptvertrag): the term “main contract” covers all types of ongoing business relationships between the Client and the Processor in the course of which the Processor processes personal data on behalf of and on the instructions of the Client in accordance with the details on the subject matter of the commissioned processing set out in this Data Processing Agreement. If the application of this Data Processing Agreement has been limited elsewhere (i.e. within this agreement or outside it, in other contracts or arrangements) to certain kinds, types or specific business relationships, contracts, etc., these are each to be understood as the main contract. The term “main contract” also covers ongoing individual orders placed by the Client with the Processor within the framework of the main contract (e.g. in the case of framework agreements).
- “Controller” (Verantwortlicher): the “controller” is the party which, alone or jointly with others, determines the purposes and means of the processing (Art. 4 No. 7 GDPR).
- “Personal data” (personenbezogene Daten): in line with Art. 4 No. 1 GDPR, “personal data” (hereinafter also referred to in short as “data”) means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Data subjects” (betroffene Personen): in accordance with Art. 4 No. 1 GDPR, “data subjects” (in short, “subjects”) are persons who are at least identifiable by means of personal data. The data subjects affected by this commissioned processing result from the subject matter of the commissioned processing.
- “Third parties” (Dritte): in accordance with Art. 4 No. 10 GDPR, “third parties” are natural or legal persons, public authorities, agencies or bodies other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorized to process the personal data.
- “Sub-processing” (Unterauftragsverarbeitung): where a processor has not been commissioned directly by the controller but by a processor of the controller, this constitutes “sub-processing”, and the processors following the first processor are referred to as “sub-processors” (Unterauftragsverarbeiter).
- “Electronic format” (elektronisches Format): declarations are deemed to have been made in “electronic format” in accordance with Art. 28(9) GDPR if the declaring person is identifiable and the electronic declaration format is suitable for evidencing the declaration. “Electronic format” is understood to mean, in particular, text form (Textform), an agreement stored on durable media (e.g. email), digital signature procedures or the use of dedicated online functions (e.g. in user accounts).
2. Subject Matter of the Commissioned Processing
- The commissioned processing takes place within the framework of the following legal relationship (main contract): agreement on the use of the SynTwin platform (SaaS agreement) in accordance with the applicable General Terms and Conditions (GTC) of SynTwin GmbH.
- Details of the subject matter of the processing carried out on behalf of the Client, the personal data processed, the persons affected by the processing as well as the nature, scope and purpose of the processing are governed by the Annex “Subject Matter of the Commissioned Processing”.
3. Nature of the Commissioned Processing
The Client is the controller of the commissioned processing and, within the framework of this Data Processing Agreement, is responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the data processing and for the lawfulness of commissioning the Processor.
4. Authority to Issue Instructions
- The Processor may process personal data only within the framework of the main contract and of the Client’s instructions, and only to the extent that the processing is necessary within the framework of the main contract.
- The instructions are initially defined by the main contract or by this Data Processing Agreement and may thereafter be amended, supplemented or replaced by the Client by means of instructions in written form or in an electronic format (text form, e.g. email) addressed to the Processor or to the body designated by the Processor.
- Oral instructions may be given where they are warranted by the circumstances (e.g. urgency) and must be confirmed without undue delay in written or electronic form.
- If, on the basis of objective circumstances, the Processor is of the opinion that an instruction of the Client infringes applicable data protection law, the Processor will point this out to the Client without undue delay and provide an objective justification for its opinion. In this case, the Processor is entitled to suspend the execution of the instruction until the instruction is expressly confirmed by the Client, and to refuse manifestly unlawful instructions.
- The Processor may refuse instructions where their fulfillment is not possible or cannot reasonably be expected of the Processor (in particular because compliance would entail disproportionate effort or because of a lack of technical capabilities). A refusal may only be made with due regard to the protection of the data of the data subjects and entitles the Client to terminate the Data Processing Agreement extraordinarily if its continuation cannot reasonably be expected of the Client.
- The Processor may be obliged by Union or Member State law or by official or judicial measures to which the Processor is subject to carry out processing operations or to communicate information. In such a case, the Processor shall inform the Client of the legal requirements of the mandatory statutory obligation before the processing, unless the relevant law or order prohibits such notification on grounds of an important public interest; in the event of a prohibition of notification, the Processor shall take the measures possible and reasonable for it to prevent or limit the legally mandated processing.
- The Processor designates the contact persons authorized to receive instructions and is obliged to notify without undue delay any changes of the contact persons or their contact information as well as substitutes in the event of a non-temporary absence or unavailability.
5. Protection of Professional Secrecy
- The obligations of this section (“Protection of Professional Secrecy”) of this Data Processing Agreement apply if the data processed on behalf of the Client include professional secrets within the meaning of Section 203 of the German Criminal Code (Strafgesetzbuch, “StGB”). The obligations apply, irrespective of the temporal provisions of this Data Processing Agreement, without limitation in time even after the end of the contract.
- The Processor may obtain knowledge of professional secrets only to the extent necessary for the performance of the main contract and of this Data Processing Agreement and for the fulfillment of the contractual obligations.
- The Client instructs the Processor that a breach of the confidentiality obligations under the law and this Data Processing Agreement, by breaching secrecy or exploiting third-party secrets pursuant to Sections 203(1), 203(4) sentence 1 and 204 StGB, may result in the punishment of the Processor, including the persons acting on the Processor’s behalf, with imprisonment of up to one year, in the case of Section 204 StGB with imprisonment of up to two years, or with a fine. The threatened penalty increases to imprisonment of up to two years or a fine if the offender acts with the intent of enrichment, even if for the benefit of third parties, or with the intent to harm another person through the act.
- If the Processor engages third parties (e.g. subcontractors) who participate in the Processor’s commissioned processing and may obtain knowledge of the professional secrets, the Processor shall place the third parties under a corresponding obligation of secrecy at least in text form. The Processor shall further inform the third parties of their obligations. Irrespective of the foregoing obligation, the Client must have permitted the engagement of third parties. As a precaution, the Client instructs the Processor that the involvement of third parties may result in imprisonment of up to one year or a fine if a third party breaches secrecy and the Processor has at the same time failed to ensure that the third party was placed under an obligation of secrecy (Sections 203(1), 203(4) sentence 2 No. 2 StGB). The threatened penalty increases to imprisonment of up to two years or a fine if the offender acts with the intent of enrichment, even if for the benefit of third parties, or with the intent to harm another person through the act.
6. Technical and Organizational Measures (Security and Protection Concept)
- The Processor will organize its internal organization within its area of responsibility in accordance with the statutory requirements and will, in particular, take technical and organizational measures (hereinafter referred to as “TOMs”) for the appropriate protection, in particular of the confidentiality, integrity and availability, of the Client’s data, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects, and will ensure their maintenance, in particular through regular evaluation at least once a year. With regard to the protection of personal data, the TOMs include, in particular, physical access control, system access control, data access control, transfer control, input control, commissioned-processing control, integrity and availability control, separation control and the safeguarding of data subjects’ rights.
- The TOMs communicated by the Processor at the conclusion of the contract define the minimum level of security owed by the Processor. The TOMs may be further developed in line with technical and legal progress and replaced by adequate protective measures, provided that they do not fall below the security level of the defined measures and that material changes are communicated to the Client. The description of the measures must be sufficiently detailed that a knowledgeable third party can at any time recognize beyond doubt, solely on the basis of the description, that the required statutory level of data protection and the defined minimum level of security are not undercut.
- The Processor warrants that the employees, agents and other persons working for the Processor who are involved in the processing of the data are prohibited from processing the personal data outside the scope of the instructions. The Processor further ensures that the persons authorized to process the Client’s data have been familiarized with the statutory data protection provisions and those arising from this Data Processing Agreement and have been bound to confidentiality and secrecy or are subject to a corresponding and appropriate statutory duty of secrecy. The Processor ensures that persons engaged in the commissioned processing are continuously and appropriately guided and supervised with regard to the fulfillment of the data protection requirements.
- The Processor ensures that the persons engaged by it for the processing participate, at appropriate intervals, in recurring training and awareness measures with regard to the protection of personal data and compliance with statutory data protection provisions.
- The processing of personal data outside the Processor’s business premises (e.g. in a home office, mobile office or via remote access) is permitted provided that the necessary technical and organizational measures are taken and documented which appropriately take into account the particularities of these processing situations and, in particular, also enable sufficient control of the data processing (e.g. conclusion of an agreement on data protection in the home and mobile office with employees). Upon request, the Processor shall provide the Client with documentation of the implemented technical and organizational measures for such home, mobile or other remote processing.
- The processing of personal data on private devices of the Processor’s employees and its agents is permitted provided that the necessary technical and organizational measures are taken and documented which appropriately take into account the particularities of these processing situations and, in particular, also enable sufficient control of the data processing (e.g. conclusion of an agreement permitting appropriate control of the private devices). Upon request, the Processor shall provide the Client with documentation of the implemented technical and organizational measures for such processing.
- Where required by statutory provisions, the Processor designates a data protection officer who meets the statutory requirements. The Processor communicates to the Client the contact information of the data protection officer as well as any subsequent changes.
- The processing operations carried out on behalf of the Client are separately documented by the Processor to an appropriate extent in a record of processing activities and made available to the Client upon request.
- The data provided within the framework of the Data Processing Agreement as well as data media and all copies made thereof remain the property of, or in the ownership of, the Client, are subject to the Client’s right of disposal, must be carefully stored by the Processor, protected against access by unauthorized third parties and may only be destroyed with the Client’s consent. Destruction must be carried out in a manner compliant with data protection law and in such a way that the recovery of even residual information is no longer possible with reasonable effort and is not to be expected. Copies of data may only be made if they are necessary for the fulfillment of the Processor’s primary and ancillary performance obligations towards the Client (e.g. backups) and the contractual and statutory level of data protection is ensured.
- The Processor is obliged to ensure that any return or deletion of data and data media to be effected without undue delay under this Data Processing Agreement is also effected at sub-processors.
- The Processor must keep evidence of the proper destruction or deletion of data and files carried out within the framework of this Data Processing Agreement and make it available to the Client upon request.
- The technical and organizational measures already in place at the conclusion of this Data Processing Agreement are listed by the Processor in the Annex “Technical and Organizational Measures” and accepted by the Client.
7. Information and Cooperation Obligations of the Processor
- The Processor may provide information to third parties or to data subjects only with the prior consent of the Client or in the case of mandatory statutory obligations or judicial or statutory information requirements. If a data subject contacts the Processor and asserts their data subject rights (in particular rights of access or rectification or erasure of personal data), the Processor will refer the data subject to the Client, provided that an attribution to the Client is possible according to the data subject’s information. The Processor forwards the data subject’s request to the Client without undue delay and supports the Client to the extent reasonable and possible. The Processor is not liable if the data subject’s request is not answered by the Client, not answered correctly or not answered in time, unless the Processor is responsible for this.
- The Processor must inform the Client without undue delay and in full if, with regard to the processing of the personal data, the Processor identifies errors or irregularities in compliance with provisions of this Data Processing Agreement and/or relevant data protection provisions. The Processor takes the necessary measures to secure the personal data and to mitigate possible adverse consequences for the data subjects and consults with the Client on this without undue delay.
- The Processor will inform the Client without undue delay if a supervisory authority takes action vis-à-vis the Processor and its activity may concern the data processed for the Client. The Processor supports the Client in the fulfillment of its obligations (in particular obligations to provide information and to tolerate audits) vis-à-vis supervisory authorities.
- If the security of the Client’s personal data is endangered by measures of third parties (e.g. creditors, authorities, courts, etc.) (attachment, seizure, insolvency proceedings, etc.), the Processor will inform the third parties without undue delay that the sovereignty over and ownership of the data lie exclusively with the Client and, after consultation with the Client, take appropriate protective measures where necessary (e.g. filing objections, applications, etc.).
- The Processor makes available to the Client information concerning the processing of data within the framework of this Data Processing Agreement that is necessary for the fulfillment of the Client’s statutory obligations (which may include, in particular, requests from data subjects or authorities and compliance with its accountability obligations in connection with a data protection impact assessment) and supports the Client in complying with the obligations referred to in Art. 32 to 36 GDPR.
8. Measures in the Event of Endangerment or Breach of Data Protection
- In the event that the Processor identifies facts justifying the assumption that the protection of the personal data processed for the Client may have been breached within the meaning of Art. 4 No. 12 GDPR, the Processor must inform the Client without undue delay and in full, take the necessary protective measures without undue delay and support the Client in the fulfillment of the obligations incumbent on the Client, in particular in connection with the notification of competent authorities or data subjects.
- In accordance with Art. 33(3) GDPR, the notification by the Processor must contain at least the following information:
  - a description of the nature of the personal data breach including, where possible, the categories of data concerned and the approximate number of data subjects concerned and the approximate number of personal data records concerned;
  - the name and contact details of the data protection officer or other point of contact where more information can be obtained;
  - a description of the likely consequences of the personal data breach (e.g. with further details: identity theft, financial loss, etc.);
  - a description of the measures taken or proposed by the Processor to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
- Significant disruptions in the performance of the engagement as well as violations by the Processor or by persons employed or engaged by it of data protection provisions or of the stipulations made in this Data Processing Agreement must likewise be notified without undue delay.
9. Reviews and Inspections
- The Client has the right to verify compliance with the statutory requirements and the provisions of this Data Processing Agreement, in particular the TOMs, at the Processor at any time and to the extent necessary, either itself or through third parties, and to carry out the necessary reviews, including inspections.
- The Processor must support the Client in the audits and inspections to the extent necessary (e.g. by providing personnel and granting access and entry rights).
- On-site audits take place within usual business hours and must be announced by the Client with reasonable advance notice (at least 14 days). In emergencies, i.e. where waiting would endanger the rights of the data subjects and/or of the Client to an unreasonable degree, a reasonably shorter period may be chosen. Conversely, a longer period may be required (e.g. where extensive preparations are necessary or during holiday periods). The deviations from the notice period must in each case be justified by the Party invoking them.
- The audits are limited to the necessary scope and must take into account the Processor’s business and trade secrets as well as the protection of personal data of third parties (e.g. other customers or employees of the Processor). Operational disruptions must be avoided wherever possible. To the extent sufficient for the occasion and purpose of the audit, an audit should be limited to random samples.
- Only competent persons who can identify themselves and who are bound to confidentiality and secrecy with regard to the Processor’s business and trade secrets, internal processes and personal data are admitted to carry out the audit. The Processor may require evidence of a corresponding obligation. If the auditor commissioned by the Client is in a competitive relationship with the Processor or if there is another justified reason for objecting to the auditor, the Processor has a right of objection against that auditor.
- Instead of inspections and on-site audits, the Processor may refer the Client to an equivalent review by independent third parties (e.g. neutral data protection auditors), to compliance with approved codes of conduct (Art. 40 GDPR) or to suitable data protection or IT security certifications pursuant to Art. 42 GDPR. This applies only if the referral can reasonably be expected of the Client and the nature and scope of the audit and of the referrals correspond to the nature and scope of the Client’s legitimate audit objective. The Processor undertakes to inform the Client without undue delay of any exclusion from approved codes of conduct pursuant to Art. 41(4) GDPR, any withdrawal of a certification pursuant to Art. 42(7) GDPR and any other form of revocation or material change of the aforementioned evidence.
- As a rule, the Client exercises its audit right no more frequently than every 12 months, unless a specific occasion (in particular a data protection breach, a security incident or the result of an audit) makes audits necessary before the expiry of this period.
10. Sub-Processing Relationships
- The Processor must review compliance with the obligations of the sub-processors, in particular the TOMs, regularly, at the latest every 24 months or on an ad-hoc basis, to an appropriate extent. The review and its result must be documented in such a comprehensible manner that they can be followed by a knowledgeable third party. The documentation must be presented to the Client upon request. Instead of its own review, the Processor may refer to a review by independent third parties (e.g. neutral data protection auditors), to compliance with approved codes of conduct (Art. 40 GDPR) or to suitable data protection or IT security certifications pursuant to Art. 42 GDPR. The Processor undertakes to inform the Client without undue delay of any exclusion from approved codes of conduct pursuant to Art. 41(4) GDPR, any withdrawal of a certification pursuant to Art. 42(7) GDPR and any other form of revocation or material change of the aforementioned evidence at the subcontractor.
- Without prejudice to any restrictions under the main contract, the Client expressly agrees that the Processor may engage sub-processors within the framework of the commissioned processing. The Processor informs the Client of new sub-processors with reasonable advance notice, which is generally 14 working days, and gives the Client the opportunity to review the sub-processors to a reasonable extent before their deployment and, where there is a legitimate interest, to object to the deployment of the sub-processors. If the Client does not raise an objection within the advance notice period, the sub-processor may be deployed. The Client exercises its right of objection with regard to the changes only in compliance with the principles of good faith as well as reasonableness and equity.
- Where the Processor uses the services of a sub-processor (e.g. a subcontractor) in order to carry out specific processing activities on behalf of the Client, it must impose on the sub-processor, by way of a contract or another legal instrument permitted by law, the same data protection obligations as those to which the Processor has committed itself in this Data Processing Agreement (in particular with regard to following instructions, complying with the TOMs, providing information and tolerating audits).
- The Processor selects the sub-processor carefully, taking particular account of the sub-processor’s suitability and reliability for complying with the obligations under this Data Processing Agreement and the suitability of the TOMs taken by the sub-processor.
- The transfer of personal data processed on behalf of the Client to sub-processors is permitted only once the Processor has satisfied itself that the sub-processor has fully complied with its obligations. The review must be documented and the documentation presented to the Client upon request.
- Processing of personal data that has no direct connection with the provision of the main service under the main contract and in respect of which the Processor uses the services of third parties as a purely ancillary service in order to carry out its business activities (e.g. cleaning, security, maintenance, telecommunications or transport services) does not constitute sub-processing within the meaning of the foregoing provisions of this Data Processing Agreement. Nevertheless, the Processor must ensure, e.g. through contractual arrangements or notices and instructions, that the security of the data is not endangered and that the requirements of this Data Processing Agreement and of the data protection provisions are complied with.
- Sub-processing relationships that were communicated to the Client at the conclusion of this Data Processing Agreement are deemed approved to the extent communicated, subject to the provisions of this Data Processing Agreement on sub-processing relationships.
- The sub-processing relationships already in place at the conclusion of this Data Processing Agreement are listed by the Processor in the Annex “Sub-Processors” and updated by the Processor.
11. Territorial Scope of the Commissioned Processing
- Processing may take place in third countries provided that the special requirements of Art. 44 et seq. GDPR are fulfilled, i.e. in particular (a) the EU Commission has determined an adequate level of data protection; (b) on the basis of effective standard data protection clauses (so-called Standard Contractual Clauses, SCC); or (c) on the basis of recognized binding corporate rules.
- The approval of sub-processing relationships by the Client within the framework of this Data Processing Agreement also extends to the territorial scope of the commissioned processing.
- Commissioned processing in a country other than those referred to above, including by sub-processors, requires the prior approval of the Client.
12. Obligations of the Client
- The Client must inform the Processor without undue delay and in full if it identifies errors or irregularities with regard to data protection provisions in the results of the engagement, in instructions or in processing operations.
- The Client designates the contact persons authorized to issue instructions and is obliged to notify without undue delay any changes of the contact persons or their contact information as well as substitutes in the event of a non-temporary absence or unavailability.
- In the event that claims are asserted against the Processor by data subjects, third-party companies, bodies or authorities with regard to any claims arising from the processing of personal data within the framework of this Data Processing Agreement, the Client undertakes to support the Processor in the defense against the claim within the scope of its possibilities and taking into account the degree of fault of the Parties.
13. Liability
The liability provisions and limitations of liability of the main contract apply.
14. Term and Continued Application After the End of the Contract
- The term and the end of this Data Processing Agreement are governed by the term and the end of the main contract.
- The Parties reserve the right of extraordinary termination, in particular in the event of a serious breach of the obligations and requirements of this Data Processing Agreement and of applicable data protection law. A serious breach exists, in particular, if the Processor fails or has failed to a significant extent to fulfill the obligations specified in the Data Processing Agreement and the agreed technical and organizational measures.
- In the case of insignificant breaches of obligations, the extraordinary termination must be preceded by a warning notice regarding the breaches with a reasonable period for remedy; the warning notice is not required if it cannot be expected that the breaches complained of will be remedied, or if they are so serious that the terminating Party cannot reasonably be expected to adhere to the Data Processing Agreement.
- The termination of this Data Processing Agreement, as well as any waiver of this form requirement, must be effected at least in electronic format.
- The obligations arising from the Data Processing Agreement to protect confidential information continue to apply after the end of the Data Processing Agreement, provided that the Processor continues to process the personal data covered by the Data Processing Agreement and compliance with the obligations can reasonably be expected of the Processor even after the end of the contract.
15. Deletion and Return of Data
- After completion of the provision of the processing services under this Data Processing Agreement, the Processor will, at the Client’s choice, either destroy or return all personal data and copies thereof (as well as all documents that have come into its possession in connection with the engagement, processing and usage results created, and data stocks), unless there is a statutory obligation to store the personal data. In that case, the Processor informs the Client of the obligation and its scope, unless the Client can be expected to be aware of the obligation. The destruction or deletion must be carried out in a manner compliant with data protection law and in such a way that the recovery of even residual information is no longer possible with reasonable effort and is not to be expected. The defense of a right of retention is excluded with regard to the processed data and the associated data media. With regard to the deletion or return, the Client’s information, evidence and audit rights apply in accordance with this Data Processing Agreement.
- The Processor is obliged to retain all documentation, evidence, records and other documents serving as proof of the proper data processing, of the technical and organizational measures and of the deletion, destruction, return or withdrawal of access, in accordance with the Client’s retention and deletion periods known to the Processor or which ought to be known to it, but at least for a period of three years beginning at the end of the year in which the commissioned-processing relationship ends. Upon the Client’s request, this documentation must be made available in full and without undue delay. The Processor is entitled to hand the documentation over to the Client at the end of the contract in order to discharge itself.
- The deletion and destruction of personal data must be carried out by the Processor in a manner compliant with data protection law and in accordance with the state of the art. Where data media are to be destroyed, the destruction must be carried out at least in accordance with DIN 66399 Parts 1 to 3, applying the protection class specified by the Client and at least security level 4 in the relevant material class. If the immediate deletion of personal data on backup copies is possible only with disproportionately high effort due to the particular nature of the storage, the affected data must, after consultation with the Client, be restricted from any further processing without undue delay and finally deleted at the latest in the next regular deletion or overwriting cycle.
- The deletion and destruction of personal data in compliance with data protection law must be documented by the Processor, to the extent required by law, completely, traceably and in an audit-proof manner. The resulting evidence and records must be made available to the Client to the extent owed by law and in text form. Where the applicable data protection provisions provide for coordination or cooperation obligations of the Client, suitable measures for deletion or destruction must be coordinated with the Client before they are carried out.
- To the extent that the Processor must store personal data beyond the end of the commissioned-processing relationship due to mandatory statutory retention obligations, it shall inform the Client thereof without undue delay in text form and set out the nature and scope of the respective retention obligation. The personal data concerned must be blocked from any further processing and may be processed exclusively for the purpose of fulfilling the statutory retention obligation. Once the retention obligation ceases to apply, the personal data concerned must be deleted or destroyed without undue delay in accordance with this section, and the deletion process must be documented and evidenced accordingly.
- The defense of a right of retention is excluded with regard to all personal data processed within the framework of the commissioned-processing relationship and the associated data media. This applies irrespective of any outstanding receivables or other claims of the Processor against the Client.
- By way of derogation from an immediate deletion after the end of the contract, the Processor stores the User Content and the created AI Counterparts (including the voice and video models) for a retrieval and reactivation period of three (3) months after termination of the main contract. This retention takes place on the basis of the documented instruction of the Client issued upon conclusion of this Data Processing Agreement; the Client may request earlier deletion at any time. During the retrieval period, the Processor makes the exportable data available to the Client upon request in a structured, commonly used and machine-readable format. Upon expiry of the retrieval period, all User Content and AI Counterparts, including the associated voice and video models, will be deleted within 30 days. This deletion is deemed instructed and approved upon conclusion of this Data Processing Agreement; no separate consent of the Client in the individual case is required.
16. Reimbursement of Expenses
- Additional efforts in supporting the Client in the fulfillment of its data protection or other obligations are remunerated appropriately at the hourly rates specified in the service agreement.
- The expense reimbursement or remuneration agreed under the Data Processing Agreement also includes an expense reimbursement for the working time of the personnel deployed by the Processor as well as necessary expenses (e.g. travel or material costs). Where possible, foreseeable and reasonable, the Processor informs the Client of the amount of the expense reimbursement or remuneration by way of an appropriate estimate before it is incurred.
- If the effort for the Processor associated with the Client’s instructions exceeds a scope agreed under the main contract or otherwise to be expected as customary in the industry, and the Processor is not at fault in this respect, the Client must separately remunerate the Processor for the additional effort incurred.
- If the effort for the Processor associated with the provision of information and/or the required cooperation of the Processor exceeds a scope agreed under the main contract or otherwise to be expected as customary in the industry, and the Processor is not at fault in this respect, the Client must separately remunerate the Processor for the additional effort incurred.
- If the effort for the Processor associated with tolerating and cooperating in the audits, or in adequate alternative measures, exceeds a scope agreed under the main contract or otherwise to be expected as customary in the industry, and the Processor is not at fault in this respect, the Client must separately remunerate the Processor for the additional effort incurred.
- If the effort for the Processor associated with the deletion or return of the data exceeds a scope agreed under the main contract or otherwise to be expected as customary in the industry, and the Processor is not at fault in this respect, the Client must separately remunerate the Processor for the additional effort incurred.
17. Final Provisions
- The applicable law is determined by the main contract.
- The place of jurisdiction is determined by the main contract.
- This Data Processing Agreement constitutes the entire agreement between the Parties. There are no side agreements.
- Upon the conclusion of this Data Processing Agreement, all prior agreements concluded between the Parties to this Agreement governing the processing of personal data on behalf of a controller are terminated, if and to the extent that they concern the same subject matter of commissioned processing and if and to the extent that the Parties have not expressly agreed otherwise in writing.
- Amendments and supplements to this Data Processing Agreement, as well as the cancellation of this form clause, must be effected at least in electronic format.
- In the event of any conflicts, the data protection provisions of this Data Processing Agreement take precedence over the provisions of the main contract.
- Should one or more provisions of this Data Processing Agreement be invalid or unenforceable, the validity of the remaining provisions shall not be affected. Rather, the invalid provisions shall be replaced, by way of supplementary interpretation, by a provision that comes as close as possible to the economic purpose recognizably pursued by the Parties with the invalid provision(s). If the aforementioned supplementary interpretation is not possible due to mandatory statutory requirements, the Parties shall agree on a corresponding provision.
- The Processor may amend this Data Processing Agreement with effect for the future to the extent necessary to take account of statutory or regulatory requirements, technical developments or changes to the services used, provided that the amendment does not lower the agreed level of data protection and does not materially burden the Client. Such amendments will be notified to the Client in text form at least six (6) weeks before they take effect; if the Client does not object within this period, they are deemed approved. This legal consequence will be specifically pointed out in the notification of the amendment. Amendments that lower the level of data protection or materially burden the Client require the Client’s express consent. The content of this Agreement that is mandatory pursuant to Art. 28(3) GDPR remains unaffected by all of the foregoing.
This Data Processing Agreement forms part of the main contract and takes effect upon its conclusion.
18. Annex: Subject Matter of the Commissioned Processing
The following details on the nature and purpose of the processing, the type of personal data and the categories of data subjects determine the subject matter of the processing governed by this Data Processing Agreement. Changes to the subject matter of the processing and further procedural changes must be jointly coordinated and documented between the Parties.
Personal data of the Client are processed on the basis of this Data Processing Agreement for the following purposes:
- Creation and modeling of AI Counterparts from video, image, audio and text data of the depicted persons provided by the Client (synthesis of voice and video models).
- Operation of the LLM-based dialogue engine for the communication of the AI Counterpart with the Client’s Communication Partners via chat, audio and video interfaces.
- Processing and indexing of the Client’s knowledge sources (documents, conversation transcripts) for the context-related answering of queries (retrieval-augmented generation).
- Analysis of conversation sessions, including automated summaries, goal-achievement evaluation and the creation and updating of profiles and contact data of the Communication Partners, to the extent that the Client has activated these functions.
- Hosting, storage, maintenance, support and provision of interfaces (APIs, widgets).
- Software-as-a-service (SaaS) services.
- Processing within the framework of AI processes, i.e. using artificial intelligence (AI) in accordance with Article 4 of the AI Act.
- Web and cloud hosting.
The types and categories of personal data processed on the basis of this Data Processing Agreement include:
- Inventory data.
- Contact data.
- Content data.
- Contract data.
- Payment data and billing data.
- Usage data.
- Log data.
- Meta and connection data.
- Telemetry data.
- Image and/or video recordings.
- Audio recordings of depicted persons as well as biometric data within the meaning of Art. 4 No. 14 GDPR (voice and facial characteristics as well as the voice and video models generated from them). Clarification regarding biometric data: biometric data are processed exclusively for the purpose of synthesis, i.e. the creation and operation of the AI Counterpart. No processing for the purpose of uniquely identifying a natural person (biometric identification or verification) takes place. The voice and video models used have no recognition or matching function and are technically separated from such functions.
- If the Processor offers in the future a function for verifying the identity of the depicted person (e.g. matching a consent video against the training material provided), this will be carried out as a separate processing of biometric data for the purpose of unique identification (Art. 9(1) GDPR) and will be activated only if (a) the Client separately commissions the function, (b) an express consent of the data subject pursuant to Art. 9(2) lit. a GDPR is obtained and documented, and (c) the Parties have specified the details (procedure, storage period, technical and organizational measures) in text form prior to activation.
- With the exception of the biometric data governed above, the processing of special categories of personal data within the meaning of Art. 9(1) GDPR is not part of the subject matter of this Data Processing Agreement. The Client does not configure the platform for purposes of use aimed at the collection of such data and does not request Communication Partners to disclose them. Information disclosed by Communication Partners without solicitation is handled exclusively within the general processing and deletion routines; no targeted analysis takes place. If the Client intends a purpose of use in which the processing of special categories of personal data is to be expected, this requires a prior separate agreement between the Parties.
The groups of persons affected by the processing of personal data on the basis of this Data Processing Agreement include:
- Software users.
- Prospects.
- Business customers.
- Depicted persons (natural persons whose AI Counterpart is created and operated).
- Communication Partners of the Client (e.g. prospects, customers, applicants, employees of the Client).
- Users of the platform on the Client’s side.
- Other persons whose data are contained in content provided by the Client.
The data processed on the basis of this Data Processing Agreement are collected or otherwise received from the following sources or within the framework of the following procedures:
- Collection from data subjects.
- Input or information provided by the Client.
- Input or information provided by the Processor.
- Collection in the course of the use of software, applications, websites and other online services.
- Collection via interfaces to services of other providers.
- Receipt by way of transmission or other communication by or on behalf of the Client.
Annex: Responsible Persons and Contact Persons
The contact persons named below are authorized to issue or receive instructions of the Client. Changes of the contact persons, their non-temporary unavailability or changes of their contact information must be notified to the other Party.
Responsible persons and contact persons at the Client:
The responsible contact persons at the Client result from the Client’s details in the main contract or in its user account.
Responsible persons and contact persons at the Processor:
SynTwin GmbH: mail@syntwin.ai
Annex: Technical and Organizational Measures (TOMs)
A level of protection appropriate to the risk to the rights and freedoms of the natural persons affected by the processing is ensured for the specific processing and the personal data processed within its framework. To this end, the protection goals of confidentiality, integrity and availability of the systems and services as well as their resilience are taken into account with regard to the nature, scope, circumstances and purposes of the processing in such a way that the risk is contained on a lasting basis through suitable technical and organizational remedial measures.
Organizational Measures
Organizational measures have been taken that ensure an appropriate level of data protection and its maintenance.
- A suitable organizational structure for data security and data protection is in place, and information security is taken into account on a risk basis within the existing company processes and continuously developed further.
- Risk-based system and security tests are carried out, including e.g. code scans and suitable security reviews.
- Security-relevant events are documented to the necessary and economically reasonable extent, where this is necessary for risk assessment or statutory obligations. Any further documentation is carried out on a risk basis.
- The protection of personal data is incorporated, on a risk basis, into the development and selection of systems, software and procedures, taking into account the state of the art, economically reasonable implementation costs and the nature and scope of the processing. Appropriate precautions for data protection by design and by default (“privacy by design” and “privacy by default”) are taken to the extent feasible within the technologies used and the Processor’s operating model.
- The Processor has implemented an appropriate data protection management system or data protection concept and ensures its implementation.
- Internal security policies and guidelines are defined and communicated internally to employees as binding rules.
- The development of the state of the art as well as developments, threats and security measures are continuously monitored and transposed in a suitable manner into the Processor’s own security concept.
- A concept is in place that ensures the safeguarding of data subjects’ rights by the Client (in particular with regard to access, rectification, erasure or restriction of processing, data transfer, revocations and objections). The concept includes informing employees about the information obligations vis-a-vis the Client, establishing implementation procedures, designating responsible persons and regularly reviewing and evaluating the measures taken.
- Service providers engaged for ancillary business tasks (maintenance, security, transport and cleaning services, freelancers, etc.) are carefully selected and it is ensured that they observe the protection of personal data. Where such service providers obtain access to the Client’s personal data in the course of their activities or where there is otherwise a risk of access to the personal data, they are specifically bound to secrecy and confidentiality.
- Software and hardware used are always kept up to date with the currently available version, and software updates are carried out without delay within a period appropriate to the degree of risk and any need for review. No software or hardware is used that is no longer updated by its providers with regard to data protection and data security concerns (e.g. expired operating systems).
- Standard software and corresponding updates are obtained only from trustworthy sources.
- Paper documents are retained only if no digital copy exists that is adequate with regard to the commissioned processing, its purpose and the interests of the persons affected by the contents of the documents, or if retention has been agreed with the Client or is required by law.
- There is no biometric recognition or matching function; the voice and video models generated for synthesis are technically and organizationally separated from any identification or verification function.
Data Protection at Employee Level
Measures have been taken to ensure that the employees engaged in the processing of personal data have the expertise and reliability required under data protection law.
- Employees are bound to confidentiality and secrecy (data secrecy).
- Employees are sensitized and informed with regard to data protection in accordance with the requirements of their function. The training and sensitization are repeated at appropriate intervals or when circumstances so require.
- Keys, access cards or codes issued to employees, as well as authorizations granted with regard to the processing of personal data, are collected or revoked after they leave the Processor’s service or change responsibilities.
- Employees are required to leave their work environment tidy and thus, in particular, to prevent access to documents or data media containing personal data (clean desk policy).
Physical Access Control
Measures for physical access control have been taken that prevent unauthorized persons from physically approaching the systems, data processing equipment or procedures used to process personal data.
- Apart from workstation computers and mobile devices, no data processing equipment is maintained on the Processor’s own business premises. The Client’s data are stored with external server providers in compliance with the requirements for commissioned processing.
- Physical access to data processing equipment is additionally secured and possible only for authorized employees.
- Documents (files, papers, etc.) are stored securely, e.g. in filing cabinets or other appropriately secured containers, and appropriately protected against access by unauthorized persons.
- Data media are stored securely and appropriately protected against access by unauthorized persons.
System Access Control
Measures for electronic access control have been taken which ensure that access (i.e. even the mere possibility of use, utilization or observation) by unauthorized persons to systems, data processing equipment or procedures is prevented.
- A password concept stipulates that passwords must have a minimum length and complexity corresponding to the state of the art and to the security requirements.
- All data processing equipment is password-protected.
- As a matter of principle, passwords are not stored in plain text and are transmitted only hashed or encrypted.
- Anti-virus software kept up to date is used.
- Use of software firewall(s).
Internal Data Access Control and Input Control (Authorizations for User Rights to Access and Modify Data)
Measures for data access control have been taken which ensure that persons authorized to use a data processing system can access only the data subject to their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing. Furthermore, measures for input control have been taken which ensure that it can subsequently be reviewed and established whether and by whom personal data have been entered into, modified in, removed from or otherwise processed in data processing systems.
- A rights and roles concept (authorization concept) ensures that access to personal data is possible only for a group of persons selected according to necessity criteria and only to the necessary extent.
- The rights and roles concept (authorization concept) is evaluated regularly, at an appropriate frequency, as well as when an occasion so requires (e.g. violations of the access restrictions), and updated as necessary.
- The activities of the administrators are appropriately monitored and logged within the scope of what is legally permissible and technically justifiable.
- It is ensured that it is traceable which employees or agents had access to which data and when (e.g. through logging of software use or inference from access times and the authorization concept).
Transfer Control
Measures for transfer control have been taken which ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or during their transport or storage on data media, and that it can be reviewed and established to which bodies a transfer of personal data by means of data transmission facilities is envisaged.
- Mobile data media are encrypted.
- Emails are encrypted during transmission, which means that the emails are protected on their way from the sender to the recipient from being read by anyone with access to the networks through which the email is sent.
- The transmission and processing of the Client’s personal data via online offerings (websites, apps, etc.) is protected by means of TLS or equally secure encryption.
Commissioned-Processing Control, Purpose Limitation and Separation Control
Measures for commissioned-processing control have been taken which ensure that personal data processed on behalf of the Client are processed only in accordance with the Client’s instructions. The measures ensure that the Client’s personal data collected for different purposes are processed separately and that no mixing, merging or other joint processing of these data contrary to the engagement takes place.
- The processing operations carried out for the Client are separately documented to an appropriate extent in a record of processing activities.
- Careful selection of sub-processors and other service providers.
- Employees and agents are informed comprehensibly and clearly about the Client’s instructions and the permissible scope of processing and instructed accordingly. Separate information and instruction are not required where compliance with the permissible scope can in any event be reliably expected, e.g. on the basis of other agreements or established operational practice.
- Compliance with the Client’s instructions and the permissible scope of processing of the personal data by employees and agents is reviewed at appropriate intervals.
- The deletion periods applicable to the processing of the Client’s personal data are documented within the Processor’s deletion concept, separately where necessary.
- The Client’s personal data are processed logically separated from data of other processing procedures of the Processor and protected against unauthorized access or connection or merging with other data (e.g. in different databases or by means of appropriate attributes).
- Production and test data are stored strictly separated from each other in different systems. The production systems are operated separately and independently from the development and test systems.
Safeguarding the Integrity and Availability of Data and the Resilience of Processing Systems
Measures have been taken which ensure that personal data are protected against accidental destruction or loss and can be restored promptly in emergencies.
- The personal data are stored with external hosting providers. The hosting providers are carefully selected and hold recognized certifications and security concepts that ensure the state of the art with regard to physical security, power supply, physical access control, fire protection, network security, data backup and infrastructure management. SynTwin relies in this respect on the respective technical and organizational measures of the hosting provider.
- Fail-safe server systems and services with redundant or multiple configurations are used.
- Personal data are processed on data processing systems that are subject to regular and documented patch management, i.e. in particular updated regularly.
- Server systems with protection against moisture damage (e.g. moisture detectors) are used.
- Server systems and services with an appropriate, reliable and controlled backup and recovery concept are used.
- Recovery tests are carried out regularly at appropriate intervals to verify that the data backups can actually be restored (data integrity of the backups).
Special Measures for the Use of Artificial Intelligence
Suitable technical and organizational measures are implemented to ensure the secure and lawful use of artificial intelligence (AI). This includes, in particular, risk-based assessments, appropriate documentation, measures regarding data quality as well as control and monitoring to the necessary extent.
- A detailed risk assessment and analysis of all AI systems is carried out prior to their deployment in accordance with the statutory requirements. The systems are deployed only where the risk is acceptable or with the necessary protective measures and in compliance with the statutory requirements.
- All relevant technical details and functions of the AI systems are documented comprehensively and in accordance with the statutory requirements and updated regularly.
- The functioning and the decision-making processes of the AI systems are disclosed clearly and comprehensibly in accordance with the statutory requirements.
- Mechanisms are implemented that ensure the exercise of the rights of data subjects in accordance with the statutory requirements.
- The operation of the AI systems is continuously monitored and controlled in order to comply with the statutory requirements. Deviations or problems are identified and remedied promptly.
- The handling of data is strictly regulated in order to ensure their quality, integrity and security in accordance with the statutory requirements. Suitable data sets are selected in order to minimize bias, and the data are reviewed and validated.
- Employees are regularly trained and sensitized in order to know and implement the statutory requirements when dealing with AI systems. These trainings take place at regular intervals and cover all relevant statutory requirements.
- AI systems are used in accordance with the operating instructions and in conformity with technical specifications and requirements. Suitable technical and organizational measures are deployed to ensure the security and accuracy of the AI systems.
- The data protection laws are strictly complied with. It is ensured that data quality, integrity and security are guaranteed in accordance with the statutory requirements and that the data sets are suitable for minimizing bias. Data are regularly reviewed and validated in order to ensure the comprehensibility and traceability of the data sources.
- Measures are taken to ensure the accuracy and reliability of the AI systems. AI systems are made stable and resilient against disruptions and protected against cyber attacks and unauthorized access, in accordance with the statutory requirements.
- Employees are informed in advance and in accordance with the statutory requirements when AI systems are used in the workplace. This ensures that employees are informed about the use of such systems and their implications.
- Security incidents or irregularities in the operation of AI systems are reported without undue delay in accordance with the statutory requirements. A clearly defined incident management process is in place.
- Necessary corrective measures are taken where AI systems do not comply with the statutory requirements. Serious incidents and malfunctions are reported to the competent authorities in accordance with the statutory provisions or communicated to the affected persons together with the necessary information and protective measures.
- AI systems are reviewed both before their deployment and continuously during their use to verify that the certifications and standards required for their operation are complied with.
Annex: Sub-Processors
The Processor engages the following sub-processors in the context of the processing of data for the Client:
- Note: The Processor engages sub-processors established or with processing locations in third countries, in particular the USA. The transfers are safeguarded, for each provider, by the guarantees documented in this list pursuant to Art. 44 et seq. GDPR (in particular Standard Contractual Clauses and, additionally, the EU-US Data Privacy Framework in the case of certified providers). Where legal bases are stated in the entries below, this information is provided for informational purposes only. The legal bases of the processing carried out on behalf of the Client are determined by the Client as controller.
- Supabase: Cloud-based platform providing developers with a set of tools for building and scaling applications; its functions include: authentication (a secure way to add authentication to the application, with support for multiple authentication providers, passwordless login, social login and multi-factor authentication), real-time database, APIs (interfaces with built-in support for access control, filtering, sorting and pagination as well as serverless functions), storage (cloud file storage services with support for object and relational storage, image resizing and server-side rendering) and analytics (analytics services for measuring user behavior and application usage, with support for custom event tracking, cohort analysis and user segmentation as well as integration with other analytics platforms); Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Data processing agreement: https://supabase.com/legal/dpa. Basis for third-country transfers: EU/EEA - Standard Contractual Clauses; Switzerland - Standard Contractual Clauses; Service provider: Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992; Website: https://supabase.com/. Privacy policy: https://supabase.com/privacy.
- Cartesia API: The Cartesia API (programming interface for using the functions of Cartesia) enables AI-powered speech synthesis (text-to-speech), including realistic voices, adjustment of voice parameters, creation of custom voice profiles and voice cloning. Further functions include audio transcription (speech-to-text) and multilingual support; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Standard Contractual Clauses: https://cartesia.ai/legal/dpa.html; Data processing agreement: https://cartesia.ai/legal/dpa.html. Basis for third-country transfers: EU/EEA - Standard Contractual Clauses; Switzerland - Standard Contractual Clauses; Service provider: Cartesia AI, Inc., 1766 18th St, San Francisco, CA 94107, USA; Website: https://cartesia.ai/. Privacy policy: https://cartesia.ai/legal/privacy.html.
-
Beyond Presence API: The Beyond Presence API (programming interface for using the functions of Beyond Presence) enables AI-powered voice and video synthesis (text-to-speech, speech-to-video), including realistic voices and (video) avatars, adjustment of voice parameters, creation of custom voice/video profiles as well as voice and (video) avatar cloning; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Provider established in the EU (Germany), therefore no third-country transfer at this level; Data processing agreement: via Beyond Presence, Trust Center: https://trust.bey.dev/; Service provider: Beyond Presence GmbH, Haderunstraße 39, 81375 Munich, Germany; Website: https://www.beyondpresence.ai/. Privacy policy: https://trust.bey.dev/.
-
Lemon Slice: The Lemon Slice API enables AI-powered voice and video synthesis (speech-to-video), in particular the generation of talking (video) avatars and talking-head videos, including realistic voices and avatar cloning; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Data processing agreement: upon request. Basis for third-country transfers: EU/EEA - Standard Contractual Clauses; Switzerland - Standard Contractual Clauses; Service provider: Infinity AI, Inc. (LemonSlice), 2108 North Street, Suite N, Sacramento, CA 95816, United States; Website: https://lemonslice.com/. Privacy policy: https://lemonslice.com/privacy.
-
Convex: Cloud-based backend platform (backend-as-a-service) providing the database, server-side logic (serverless functions) and real-time synchronization for our application. Convex processes, in particular, account, content, transaction and usage data as well as technical log data to ensure operation and security; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR) and performance of contract (Art. 6(1) sentence 1 lit. b GDPR); Standard Contractual Clauses: https://www.convex.dev/legal/dpa; Data processing agreement: https://www.convex.dev/legal/dpa. Basis for third-country transfers: EU/EEA - Standard Contractual Clauses; Switzerland - Standard Contractual Clauses; Service provider: Convex, Inc., 1312 17th Street, Suite 258, Denver, CO 80202, USA; Website: https://www.convex.dev/. Privacy policy: https://www.convex.dev/legal/privacy.
-
Axiom: Observability and log management platform for collecting, storing and analyzing event, log and telemetry data of our systems (e.g. for monitoring operation, stability and security). Technical data contained in logs, such as IP addresses and timestamps, may be processed in this context; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Standard Contractual Clauses: https://axiom.co/docs/legal/data-processing; Data processing agreement: https://axiom.co/docs/legal/data-processing. Basis for third-country transfers: EU/EEA - Standard Contractual Clauses; Switzerland - Standard Contractual Clauses; Service provider: Axiom, Inc., 1390 Market Street Suite 200, San Francisco, CA 94102; Website: https://axiom.co/. Privacy policy: https://axiom.co/docs/legal/privacy.
-
WorkOS: Authentication and enterprise SSO service (including single sign-on via SAML/OIDC, directory sync, user management) through which login and identity data are processed in the course of authentication; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Standard Contractual Clauses: https://workos.com/legal/data-processing-addendum; Data processing agreement: https://workos.com/legal/data-processing-addendum. Basis for third-country transfers: EU/EEA - Standard Contractual Clauses; Switzerland - Standard Contractual Clauses; Service provider: WorkOS, Inc., 548 Market Street, PMB 86125, San Francisco, CA 94104, United States; Website: https://workos.com/. Privacy policy: https://workos.com/legal/privacy.
-
Daily API: Framework and cloud platform for real-time audio and video communication, including for voice, video and AI agents. Connection, usage and communication data are processed for conducting the real-time sessions; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Standard Contractual Clauses: https://www.daily.co/legal/data-processing-addendum/; Data processing agreement: https://www.daily.co/legal/data-processing-addendum/. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses; Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses; Service provider: Daily, Co., 548 Market St, Suite 39113, San Francisco, CA 94104, United States; Website: https://www.daily.co/. Privacy policy: https://www.daily.co/legal/privacy/.
-
Tavus API: The Tavus API (programming interface for using the functions of Tavus) enables AI-powered voice and video synthesis (text-to-speech, speech-to-video), in particular the creation of realistic video avatars, adjustment of voice parameters, creation of custom voice and video profiles as well as voice and video avatar cloning; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Data processing agreement: via Trust Center (https://tavus.securitypal.com/) or upon request. Basis for third-country transfers: EU/EEA - Standard Contractual Clauses; Switzerland - Standard Contractual Clauses; Service provider: Tavus Inc., 2261 Market Street STE 86391, San Francisco, CA 94114; Website: https://www.tavus.io/. Privacy policy: https://www.tavus.io/privacy-policy.
-
LiveKit API: Open-source framework and cloud platform for real-time audio and video communication, including for voice, video and AI agents (real-time plumbing). Connection, usage and communication data are processed for conducting the real-time sessions; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Standard Contractual Clauses: https://livekit.com/legal/data-processing-addendum; Data processing agreement: https://livekit.com/legal/data-processing-addendum. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses; Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses; Service provider: LiveKit Inc., 4285 Payne Avenue Suite 9154, San Jose, California, 95157, United States; Website: https://livekit.com/. Privacy policy: https://livekit.com/legal/privacy-policy.
-
Langfuse: Open-source platform for LLM observability and tracing (collection, storage and analysis of requests, outputs and telemetry of our AI-powered functions for quality assurance, error analysis and optimization). Content data and technical data contained therein may be processed; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR). Provider established in the EU (Germany); no third-country transfer when the EU data region is used; Data processing agreement: https://langfuse.com/security/dpa; Service provider: Langfuse GmbH, Gethsemanestr. 4, 10437 Berlin, Germany; Website: https://langfuse.com/. Privacy policy: https://langfuse.com/privacy.
-
Cloudflare: Hosting, edge computing and content delivery network services (in particular Cloudflare Workers) through which our online offering and our application are provided, executed and delivered. In particular, connection and access data (e.g. IP addresses, access times) are processed for delivery, scaling and security; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Standard Contractual Clauses: https://www.cloudflare.com/cloudflare-customer-scc/; Data processing agreement: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses; Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses; Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Website: https://www.cloudflare.com. Privacy policy: https://www.cloudflare.com/privacypolicy/.
-
ElevenLabs API: The ElevenLabs API (programming interface for using the functions of ElevenLabs) enables AI-powered speech synthesis (text-to-speech), including realistic voices, adjustment of voice parameters, creation of custom voice profiles and voice cloning. Further functions include audio transcription (speech-to-text) and multilingual support; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Standard Contractual Clauses: https://elevenlabs.io/dpa; Data processing agreement: https://elevenlabs.io/dpa. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses; Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses; Service provider: Eleven Labs Inc., 169 Madison Ave #2484, 10016 New York, USA; Website: https://elevenlabs.io. Privacy policy: https://elevenlabs.io/privacy-policy.
-
OpenAI API: An API (programming interface) for artificial intelligence providing access to language and image models such as GPT and DALL·E. It enables the integration of functions such as automatic text generation, natural language processing (NLP), translation, code generation, image generation and image analysis; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Standard Contractual Clauses: https://openai.com/de-DE/policies/data-processing-addendum/; Data processing agreement: https://openai.com/de-DE/policies/data-processing-addendum/; objection option (opt-out): https://privacy.openai.com/policies?modal=select-subject. Basis for third-country transfers: EU/EEA - Standard Contractual Clauses; Switzerland - Standard Contractual Clauses; Service provider: OpenAI Ireland Ltd, 117-126 Sheriff Street Upper, D01 YC43 Dublin 1, Ireland; Website: https://openai.com/. Privacy policy: https://openai.com/de-DE/policies/eu-privacy-policy/.
-
Claude API: Interface access (API) to AI-powered services (Claude) that understand and generate natural language, analyze information and make predictions. The processing comprises the collection, storage and structuring of personal data in the context of language-based machine learning procedures as well as measures for quality assurance, troubleshooting and security of the services; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Standard Contractual Clauses: https://www.anthropic.com/legal/data-processing-addendum; Data processing agreement: https://www.anthropic.com/legal/data-processing-addendum. Basis for third-country transfers: EU/EEA - Standard Contractual Clauses; Switzerland - Standard Contractual Clauses; Service provider: Anthropic Ireland, Limited, Dublin, Ireland (contracting EEA entity); processing by Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA; Website: https://www.anthropic.com/. Privacy policy: https://www.anthropic.com/legal/privacy.
-
Resend: Sending, receiving and managing emails (in particular transactional and system emails of our application) as well as tools for analyzing and optimizing email delivery; Legal bases: legitimate interests (Art. 6(1) sentence 1 lit. f GDPR); Standard Contractual Clauses: https://resend.com/legal/dpa; Data processing agreement: https://resend.com/legal/dpa. Basis for third-country transfers: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses; Switzerland - Standard Contractual Clauses; Service provider: Plus Five Five, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA; Website: https://resend.com/. Privacy policy: https://resend.com/legal/privacy-policy.