Data Processing Agreement (DPA)

(according to Art. 28 GDPR between the customer as data controller and Voico as data processor)


1. Scope and Role Distribution


1.1 Relationship of the Parties: This DPA specifies the data protection obligations of the parties when personal data is processed on the customer's behalf. It applies to all processing activities where Voico processes personal data on behalf of the customer (as data controller in the sense of Art. 4 No. 7 GDPR). This is particularly the case for all end customer data, conversation contents, traffic and content data generated when the customer uses Voico services (see platform privacy policy). Voico acts as a data processor as per Art. 4 No. 8, Art. 28 GDPR.


1.2 Precedence of the Main Agreement: The provisions of this DPA take precedence over the terms of the main agreement (T&Cs/Service Agreement) in matters concerning data processing. Otherwise, the main agreement terms remain unaffected.


1.3 Adherence to Instructions: Voico processes the personal data solely within the framework of the customer’s written instructions (established in the agreement, this DPA, and any subsequent instructions). The customer hereby confirms they are authorized to engage Voico for processing and have the necessary legal bases for this.



2. Subject and Duration of Processing


2.1 Subject: The subject of data processing is defined in the main agreement. Fundamentally, it involves the provision of an AI voicebot platform, including telephony integration, through which the customer processes data from their callers/customers.


2.2 Duration: This DPA applies for the duration of the main agreement regarding the use of Voico services. It terminates automatically upon the end of the service agreement unless statutory obligations mandate otherwise.


3. Nature and Purpose of Processing


3.1 Nature of Processing: Collecting, storing, reading, using, analyzing (via AI analysis), transmitting, and deleting data—each automated in IT systems. Transmission to recipients designated by the customer (e.g., via integration) may also be included.


3.2 Purpose: Processing is conducted exclusively to enable the customer to use Voico services, especially to receive and handle phone calls automatically, conduct dialogues using AI, and provide relevant connection data to the customer. No processing for other purposes occurs. Voico will not process data for its own purposes, particularly not to create profiles for its own use or to sell data to third parties.



4. Type of Personal Data and Categories of Data Subjects


4.1 Types of Data: The following categories of personal data may be included in data processing (depending on customer usage): Master data of end customers/callers (e.g., name, phone number, customer number, contract or account information), communication data (content of phone calls and text transcriptions derived from them; requests and information shared by the caller, potentially sensitive data if expressed during the call), traffic data (dialed number, date, time, call duration, IP addresses in the case of VoIP, possibly recordings or chat protocols), integrated external data (e.g., data from customer systems like CRM), and usage data (log files, conversation history, error logs, notes). Voico does not know the specific content of the data in advance; the customer decides which data categories arise in their use cases.


4.2 Data Subjects: Typically callers/communication partners of the customer (customers of the customer, prospects, end consumers, employees). Potentially also third parties mentioned during calls. The customer confirms that the specified categories are exhaustive and that no processing of special data categories is intended unless explicitly agreed. Should the customer still process special categories, they ensure that suitable consent or legal permission is in place.



5. Obligations of the Data Processor (Voico)


5.1 Instructions: Voico processes personal data only according to the customer's documented instructions. The main agreement and this DPA contain initial instructions. Further instructions (e.g., deletion, delivery of specific data) must be sent in text form to support@voico.ai. Instructions outside the agreed scope may incur additional costs. If Voico recognizes that an instruction violates GDPR, the instruction will be suspended until the customer confirms or modifies it.


5.2 Security Measures: Voico is committed to all technical and organizational measures (TOM) required by Art. 32 GDPR. These include, among others, access controls, encryption, backup, logging, and logical separation of tenants. Voice data and sensitive content are transmitted and stored encrypted. Voico maintains an information security management system (ISO 27001).


5.3 Supporting the Controller: Voico supports the customer with obligations under Art. 32–36 GDPR, particularly in data security, reporting data breaches, responding to data subject requests, and conducting data protection impact assessments. Support services outside contractual duties may be charged.


5.4 Confidentiality: All personnel with data access are bound by confidentiality and trained accordingly. The telecommunications secrecy as per TTDSG is preserved.


5.5 Proof and Audit: Voico provides the customer with information necessary to demonstrate compliance with the DPA’s obligations (e.g., certifications, reports, TOM). The customer may conduct audits, subject to prior coordination (at least 2 weeks in advance). Alternatively, Voico may provide current audit reports. Costs are borne by the customer, except in cases of severe deficiencies.


6. Obligations of the Controller (Customer)


The customer remains responsible for assessing the permissibility of processing. They obtain necessary consents, inform data subjects as per Art. 13 GDPR, document instructions, regularly verify compliance with TOM at Voico, and inform Voico of any irregularities.



7. Subcontracting


Voico may engage subcontractors (e.g., Hetzner Online GmbH, telecommunications carriers, Microsoft Azure EU). The customer will be informed in advance and can object within 10 days on legitimate grounds. Voico enters into contracts with subcontractors according to Art. 28(4) GDPR and is liable for their breaches as if they were its own.


8. Data Subject Requests


Voico assists the customer in fulfilling data subject rights. If a request is received directly by Voico, it will be immediately forwarded to the customer without independent action.


9. Data Transmission to Third Countries


Processing generally occurs within the EU/EEA. Transmissions to third countries occur only when required by subcontractors (e.g., for international telephony or AI services). Voico ensures standard contractual clauses (SCC) and additional protective measures are in place.



10. Termination of Processing, Return, and Deletion


Upon contract termination or upon the customer's request, Voico will delete or return all personal data. Documentation necessary to demonstrate proper processing may be retained according to statutory retention periods.


11. Liability and Compensation


The liability provisions of the main agreement also apply to this DPA. Voico is liable for culpable breaches of duty. The customer indemnifies Voico internally from claims by data subjects, as long as Voico is not at fault.


12. Miscellaneous


Communications regarding data protection are conducted via designated contacts. Changes to this DPA must be in writing. In the event of a conflict, the provisions of this DPA take precedence over the main agreement. The law agreed upon in the main agreement and the specified jurisdiction apply, unless mandatory data protection regulations stipulate otherwise.


