Version 1.0
Data Processing Agreement
Pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR)
1. Parties
Data Controller: The entity identified as "Client" in the accompanying Service Agreement.
Data Processor: Callsy AI OÜ, a private limited company registered in the Republic of Estonia.
This DPA forms part of and is incorporated into the Service Agreement between the parties.
2. Definitions
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council.
- Personal Data: Any information relating to an identified or identifiable natural person as defined by the GDPR.
- Data Subject: The identified or identifiable natural person to whom Personal Data relates.
- Processing: Any operation or set of operations performed on Personal Data.
- Supervisory Authority: An independent public authority established by a Member State pursuant to the GDPR.
- Services: The Sofia AI CMO managed service as described in the Service Agreement.
- Sub-processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Security Incident: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
3. Subject Matter and Purpose of Processing
The Processor shall process Personal Data on behalf of the Controller for the following purposes:
- Automated analysis of advertising performance data from Meta Ads API and Google Ads API
- AI-powered inference via Anthropic's Claude API
- Storage of advertising performance snapshots
- Processing of API credentials
- Delivery of outputs to Slack
- Retention of conversational context
4. Nature and Categories of Processing
4.1 Nature
Automated retrieval, storage, analysis, AI inference, and report generation.
4.2 Categories of Data Subjects
- Controller's employees and authorised users
- Natural persons whose data appears incidentally within advertising data
4.3 Categories of Personal Data
- Contact details (name, email, Slack username)
- API credentials (encrypted)
- Advertising metrics
- Slack message content
4.4 Duration
From the effective date of the Service Agreement until the Agreement is terminated, then deletion per Article 11 of this DPA.
5. Processor Obligations
5.1 Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
5.2 Confidentiality
All personnel authorised to process Personal Data shall be under appropriate confidentiality obligations.
5.3 Technical and Organisational Security Measures
- Encryption of API credentials at rest and in transit
- Dedicated isolated VPS per client
- Access controls
- Regular security reviews
- Automated 90-day deletion of advertising performance snapshots
- Complete deletion within 30 days of termination
5.4 Assistance with Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests under the GDPR.
5.5 Assistance with Controller Obligations
The Processor shall assist the Controller in ensuring compliance with the obligations under Articles 32–36 GDPR, including security of processing and data protection impact assessments.
6. Sub-processors
6.1 General Authorisation
The Controller grants the Processor general authorisation to engage the following sub-processors:
| Sub-processor | Location | Purpose |
|---|---|---|
| Anthropic, Inc. | United States | Claude AI inference engine. Transfer safeguard: Standard Contractual Clauses. |
| Hetzner Online GmbH | Germany (EU) | Dedicated VPS hosting. |
| Slack Technologies LLC | United States | Messaging delivery. |
6.2 Right to Object
The Processor shall provide the Controller with 30 days' advance notice of any intended changes concerning the addition or replacement of sub-processors. The Controller shall have 14 days to object to such changes.
6.3 Flow-Down Obligations
The Processor shall ensure that any sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
7. Security Incidents and Breach Notification
- The Processor shall notify the Controller of any Security Incident within 72 hours of becoming aware of it
- The notification shall provide sufficient information for the Controller to meet its obligations under the GDPR
- The Processor shall cooperate with the Controller to investigate and remediate the incident
8. Audit and Cooperation
- The Controller shall provide 30 days' prior written notice of any audit request
- Audits shall be conducted during normal business hours
- The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by the Processor
9. Data Protection Impact Assessment
The Processor shall assist the Controller with data protection impact assessments and prior consultations with supervisory authorities as required under Articles 35 and 36 GDPR.
10. International Data Transfers
International data transfers are conducted under Standard Contractual Clauses (Module 3: Processor to Processor) approved by the European Commission.
11. Return or Deletion of Data on Termination
Upon termination of the Service Agreement, the Processor shall delete or return all Personal Data within 30 days. Written confirmation of deletion is available upon request.
12. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions set out in the Service Agreement.
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Republic of Estonia. Any disputes arising from or in connection with this DPA shall be submitted to the exclusive jurisdiction of Harju County Court, Tallinn, Estonia.