Data Processing Agreement

Last Updated: January 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between number7even UG (haftungsbeschränkt) operating as VoiceCosmos² ("Processor") and the Customer ("Controller") to reflect the parties' agreement with regard to the Processing of Personal Data.

1. Definitions

Terms used in this DPA have the meanings set forth in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the EU General Data Protection Regulation 2016/679 ("GDPR").

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Sub-processor" means any third party engaged by Processor to Process Personal Data.
  • "Data Subject" means the individual to whom Personal Data relates.

2. Processing of Personal Data

2.1 Processor's Role

Processor shall Process Personal Data only on behalf of and in accordance with Controller's documented instructions and shall not Process Personal Data for any other purpose.

2.2 Nature and Purpose

The nature and purpose of Processing by Processor shall be to provide the VoiceCosmos² AI voice assistant services as described in the Terms of Service.

2.3 Duration

The duration of Processing shall be for the term of the Agreement between the parties.

3. Categories of Data and Data Subjects

Categories of Data

  • • Voice recordings and transcriptions
  • • Contact information (names, phone numbers)
  • • Communication preferences
  • • Appointment and scheduling data
  • • Business interaction history
  • • Custom data fields as configured

Categories of Data Subjects

  • • Controller's customers
  • • Controller's prospects
  • • Controller's employees (if applicable)
  • • Other individuals who interact with Controller's AI assistants

4. Processing Activities

Voice Data Processing

  • Real-time voice conversation processing
  • Voice-to-text transcription
  • Natural language understanding
  • Sentiment analysis and intent detection

Customer Data Management

  • Contact information storage
  • Conversation history archival
  • Analytics and reporting generation
  • Integration data synchronization

Technical Operations

  • System performance monitoring
  • Error logging and debugging
  • Load balancing and optimization
  • Backup and disaster recovery

5. Security of Processing

Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

AES-256 encryption at rest and in transit
Multi-factor authentication (MFA)
Role-based access control (RBAC)
Regular security audits and penetration testing
ISO 27001 certified data centers
Real-time threat monitoring and response
Data loss prevention (DLP) systems
Secure development lifecycle (SDLC)

6. Sub-processors

6.1 Authorized Sub-processors

Controller agrees that Processor may engage Sub-processors to Process Personal Data. A current list of Sub-processors is available at:

6.2 Sub-processor Requirements

Processor shall ensure that any Sub-processor is bound by written agreement to provide at least the same level of data protection as required by this DPA.

7. Data Subject Rights

Processor shall, to the extent legally permitted, promptly notify Controller if it receives a request from a Data Subject to exercise their rights under GDPR. Processor shall assist Controller in fulfilling its obligations to respond to such requests.

Data subject rights include: access, rectification, erasure, data portability, restriction of processing, and objection to processing.

8. International Data Transfers

Transfer Mechanisms

Any transfer of Personal Data outside the EEA shall be subject to appropriate safeguards as required by GDPR, including:

  • • EU Standard Contractual Clauses
  • • Adequacy decisions by the European Commission
  • • Binding Corporate Rules (where applicable)
  • • Other valid transfer mechanisms under GDPR

9. Audits and Information

Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by Controller or an auditor mandated by Controller.

Controller agrees to provide reasonable notice of any audit and to conduct audits during normal business hours in a manner that minimizes disruption to Processor's business operations.

10. Personal Data Breach

Processor shall notify Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach. Such notification shall include:

  • • The nature of the breach including categories and approximate number of affected Data Subjects
  • • The likely consequences of the breach
  • • Measures taken or proposed to address the breach
  • • Contact details for more information

11. Deletion and Return of Personal Data

Upon termination of the Agreement, Processor shall, at Controller's option, delete or return all Personal Data to Controller and delete existing copies unless EU or Member State law requires storage of the Personal Data.

Contact Information

Data Protection Officer

number7even UG (haftungsbeschränkt)

Email: dpo@voicecosmos.com

Phone: +49 172 893 723 30

Address: Eisolzriederstrasse 12, 80999 Munich, Germany