Skip to main content
Last Updated: July 15, 2025 In accordance with Art. 28 GDPR Between
  • the Client (the “Controller”)
  • itellico AI GmbH, Postgasse 19, A-1010 Vienna, Austria (the “Processor”)

Preamble

This Data Processing Addendum (DPA) governs the rights and obligations of the parties in connection with the processing of personal data for the performance of the service agreement concluded between the parties (“Main Agreement”).

1. Subject Matter, Duration, and Specification of Data Processing

1.1 Subject Matter

The subject matter of the data processing is the provision of the services defined in the Main Agreement.

1.2 Nature and Purpose of Processing

The processing serves exclusively to provide the services defined in the Main Agreement.

1.3 Nature of Personal Data

  • Voice and audio data from all interactions
  • Conversation content in text form (transcripts)
  • All data and content provided by the Controller under the Main Agreement
  • All data and information voluntarily provided by the end-user
  • Phone number (as part of connection data)
  • Name (if actively provided by the end-user, as it is not proactively requested)
  • Email address (if actively provided by the end-user, as it is not proactively requested)
  • Unique identifiers (e.g., Call ID, Session ID)
  • Timestamp and duration of the interaction
  • Token consumption (for AI-based services and billing purposes)
  • Technical parameters of the transmission
  • IP address

1.4 Categories of Data Subjects

End-users of the Controller (e.g., customers, prospects) who interact with the AI voice assistant.

1.5 Duration of Processing

The duration of the processing corresponds to the term of the Main Agreement.

2. Obligations of the Processor

2.1 Processing on Instructions

The Processor shall process personal data exclusively on the documented instructions of the Controller, unless required to do so by law. The use of the services defined in the Main Agreement by the Controller constitutes such an instruction.

2.2 Confidentiality

The Processor shall ensure that persons authorized to process the personal data are committed to confidentiality.

2.3 Technical and Organizational Measures (TOMs)

The Processor shall take all measures required pursuant to Art. 32 GDPR for the security of processing. The specific TOMs implemented are listed in the Appendix to this agreement.

2.4 No Use for AI Training

The Processor warrants that for the processing of content data such as voice and text data (e.g., for transcription, content generation, and text-to-speech synthesis), it exclusively uses APIs from sub-processors that contractually guarantee that submitted data is not used for training AI models. This applies to all deployed providers with the exception of Cartesia. Processing is carried out in accordance with the respective data protection provisions of the deployed providers and the obligations set forth in this agreement.

3. Sub-processors

3.1 Use of Sub-processors

The Controller grants general authorization for the use of sub-processors to provide the contractual services. The Processor maintains and keeps an up-to-date list of all engaged sub-processors at https://itellico.ai/legal/data-processors/.

3.2 Contractual Obligations and Guarantees

The Processor shall ensure, by concluding contracts (typically the standard data processing agreements of the providers), that every sub-processor is subject to data protection obligations that are materially equivalent to those set forth in this DPA (in accordance with Art. 28(4) GDPR).

3.3 Third-Country Transfers

For sub-processors located outside the EU/EEA, the Processor shall ensure that an adequate level of data protection is in place, for example, by certification under the EU-US Data Privacy Framework (where applicable) or by concluding EU Standard Contractual Clauses (SCCs) and implementing necessary additional safeguards.

3.4 Information and Right to Object

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other sub-processors at least 15 days prior to the planned engagement, thereby giving the Controller the opportunity to object on important data protection grounds.

4. Rights of the Data Subject

The Processor shall, as far as possible, assist the Controller with appropriate technical and organizational measures in fulfilling its obligations concerning the rights of data subjects (e.g., access, rectification, erasure).

5. Assistance to the Controller

The Processor shall assist the Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR (Security of processing, Notification of a personal data breach, Data protection impact assessment).

5.1 Notification of Data Breaches

The Processor shall notify the Controller of any personal data breach without undue delay after becoming aware of it, in accordance with Art. 33(2) GDPR. The notification shall be made no later than 24 hours after becoming aware of the breach to privacy@itellico.ai.

6. Data Retention and Deletion

6.1 Processing During the Term of the Agreement

As long as the Main Agreement is active, content data (e.g., recordings, transcripts, knowledge bases, settings) and associated contact data are stored for the Controller as part of the agreed service and are not automatically deleted.
  • Legal Retention: Billing-relevant metadata must be retained in accordance with legal obligations and cannot be deleted prematurely.
  • Limits of Configurability: The retention periods for content data configurable by the Controller cannot be shorter than the minimum retention periods for metadata defined by the Processor in Section 6.3. The generation and retention of billing-relevant and other metadata by the Processor remain unaffected by customer-specific settings.

6.2 Deletion of Traffic Data and Other Personal Data

Automatic Deletion of Traffic Data according to § 167 TKG 2021: The Processor automatically deletes or anonymizes traffic data (phone numbers, exact timestamps, call IDs) according to the following schedules:
Billing ModelDeletion Schedule
Prepayment/Prepaid90 days after the call date
Post-Billing90 days after the billing date
Deletion and Return after Contract End or on Request:
  • After Contract End: Upon conclusion of the provision of processing services (i.e., after termination of the Main Agreement), the Processor is obligated to irrevocably delete all remaining content and contact data after a period of 90 days, including all existing copies.
  • On Instruction from the Controller: At the Controller’s choice, the Processor will either (a) return all personal data to the Controller or (b) irrevocably delete all personal data and existing copies, unless storage is required by EU or member state law.
Billing-relevant metadata must continue to be retained in accordance with statutory retention periods.

6.3 Retention of Metadata

Data TypeRetention Period
Billing-Relevant MetadataDuration of statutory periods (e.g., 7 years per § 212 UGB in Austria) — includes Customer ID, duration, token consumption
Anonymized DataIndefinitely — for statistical analysis and product improvement, as it no longer has any personal reference

7. Audit Rights

The Controller has the right to verify the Processor’s compliance with the provisions of this agreement. Such inspections shall be announced with reasonable notice and conducted during normal business hours. The Processor may also provide evidence of compliance by submitting suitable, current certificates, reports, or attestations from independent auditors (e.g., auditors, data protection officers, security certifications).

Appendix — Technical and Organizational Measures (TOMs)

As of: July 15, 2025 The following are the actual technical and organizational measures implemented by the Processor to ensure the security of the data processing.
  • Data Centers: AWS Frankfurt (eu-central-1) with GDPR compliance
  • Access: Biometric controls and 24/7 monitoring by the AWS data center
  • Administrators: Multi-factor authentication (MFA) is mandatory
  • Applications: Token-based API authentication
  • Principle: Strict role-based access control (RBAC)
  • Databases: Access exclusively from within the protected Kubernetes cluster
  • Storage: Granular S3 bucket policies according to the least privilege principle
  • Secrets: Use of AWS Secrets Manager for all credentials
  • Tenants: Strict logical tenant separation at the application level. Each tenant is assigned a unique ID (UUID) that is validated on every data access request. This ensures that queries can only return data belonging to the respective tenant.
  • Environments: Separate Virtual Private Clouds (VPCs) for development and production systems
  • Containers: Kubernetes namespaces for service isolation
  • Data in Transit: TLS 1.3 for all data transfers
  • Data at Rest: AES-256 encryption for S3 storage and backups
  • Pseudonymization: Applied to specific personal data where necessary
  • High Availability: Multi-AZ deployment across at least 3 Availability Zones
  • Backups: Regular automatic backups with appropriate retention periods
  • Monitoring: 24/7 system performance monitoring with automated alerts
  • System Logs: Use of AWS CloudTrail for all API calls
  • Access Logs: Complete logging of all access to sensitive data
  • Audit: Kubernetes audit logs for tracking container activities
  • Processes: Documented Standard Operating Procedures (SOPs) for critical operations
  • Change Management: Version-controlled infrastructure (Infrastructure-as-Code)
  • Training: Regular data protection and security training for all relevant employees

Privacy Policy

Review how personal data is handled across the platform

Terms and Conditions

See the general contractual terms for using itellicoAI

Service Level Agreement

Review uptime, response times, and service credits

Imprint

View company and contact details