Data Processing Agreement
Effective as of: 17 February 2026
Preamble
This Data Processing Agreement ("DPA") governs the data protection obligations between the Customer ("Controller") and Kolsetu GmbH ("Processor") arising from the Customer's use of Kolsetu software and services under the End User License Agreement (EULA) and General Terms and Conditions ("Main Agreement"). It applies to all activities in which employees or third parties acting on behalf of the Processor may come into contact with the Controller's personal data.
1. Definitions
The terms "personal data", "processing", "supervisory authority", "data subject", "member state" and "transfer" have the same meaning as in the GDPR (Regulation (EU) 2016/679).
2. Scope and Responsibility
The Processor shall process personal data solely on behalf of and in accordance with the documented instructions of the Controller. The Controller is solely responsible for compliance with the GDPR and other applicable data protection law (the Controller is the "controller" within the meaning of Art. 4(7) GDPR).
Instructions are initially set out in the Main Agreement and may subsequently be amended, supplemented or replaced by the Controller in writing or in electronic text form. Verbal instructions must be confirmed in writing without delay.
If the Processor considers that an instruction infringes the GDPR or other data protection provisions, it shall immediately inform the Controller of those legal concerns.
3. Subject Matter, Duration and Specification of Processing
- Subject matter: Processing of personal data in connection with the provision of Kolsetu software and services.
- Duration: The term of this DPA corresponds to the term of the Main Agreement, unless provisions of this DPA give rise to obligations beyond it.
- Nature of processing: Collection, storage, use, transfer and deletion of personal data by automated means.
- Purpose: Provision and use of the contractually agreed software functions pursuant to the Main Agreement and EULA.
3.1 Categories of Data and Data Subjects
| Data Category | Processing Purpose | Data Subjects |
|---|---|---|
| Master data (name, contact details) | Management and provision of software | Customers, users, employees, contacts |
| Special categories (health data) | Appointment management, patient communication, medical notes | Patients, end-customers of the Controller |
| Contract and billing data | Contract execution, billing | Customers, contacts |
| Usage and communications data (logs, IPs, chat/video) | Technical provision, support, error analysis | Users, customers, employees |
| Technical metadata (timestamps, device information) | Security, stability, monitoring | Software users |
| Content data (voice recordings, transcripts) | Communication, support, QA, provision to Controller | Users, customers, employees |
| User and employee data (login, roles) | User identification, access management | Controller's employees |
3.2 Special Processing Activities
In addition to providing the contracted services, the Processor may process communications and content data (e.g. voice recordings, transcripts, conversation data) for analysis, product improvement and development of voice and AI modules. Such use is preceded by anonymisation in accordance with GDPR, so that re-identification of data subjects is excluded.
3.3 Transfers to Third Countries
Processing of personal data takes place as a rule within the EEA or in countries with an EU Commission adequacy decision. Where a transfer to a third country is required, it occurs exclusively under Art. 44 et seq. GDPR, in particular on the basis of EU Standard Contractual Clauses (SCCs).
4. Obligations of the Processor
The Processor shall:
- Process data only within the scope of the order and the Controller's instructions, except where required by applicable law.
- Implement technical and organisational security measures meeting the requirements of Art. 32 GDPR (see Annex 1).
- Assist the Controller in responding to data subject requests under Chapter III GDPR and in fulfilling obligations under Art. 33-36 GDPR.
- Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations.
- Notify the Controller without undue delay upon becoming aware of any personal data breach.
- Rectify or erase personal data when instructed by the Controller.
Data Protection Contact: privacy@kolsetu.com
5. Obligations of the Controller
The Controller shall notify the Processor without delay of any errors or irregularities relating to data protection provisions.
5.1 Lawfulness of Processing
The Controller warrants that:
- Data transfers occur on a lawful basis under Art. 6 GDPR.
- The purpose limitation of processed data is respected.
- All required consents of data subjects are in place.
- Data subjects have been informed in accordance with Art. 13/14 GDPR.
- When using AI services, the applicable terms of use and data-protection obligations of sub-processors are observed.
5.2 Indemnification for Misuse
The Controller agrees to indemnify the Processor in the internal relationship against all third-party claims and regulatory fines attributable to: (i) improper use of Kolsetu software by the Controller; (ii) breaches of data protection obligations by the Controller; (iii) unlawful or non-compliant instructions from the Controller. This indemnification applies solely in the internal relationship and does not affect the rights of data subjects under Art. 82 GDPR.
5.3 Responsibility for Modular Processing
Where the Controller uses optional modules, it is responsible for: (i) lawful activation/deactivation of modules; (ii) implementation of required consents; (iii) compliance with sector-specific regulations.
6. Data Subject Requests
The Processor shall refer data subjects to the Controller and forward their requests without delay. The Processor shall assist the Controller in responding to such requests to the extent of its capabilities.
7. Evidence and Audits
The Processor shall demonstrate compliance with its obligations by appropriate means and shall permit reviews by the Controller or appointed auditors. Inspections are conducted during normal business hours with reasonable advance notice. The Processor may require execution of a confidentiality agreement.
8. Sub-processors
The Controller hereby provides general authorisation for Kolsetu to engage sub-processors in fulfilling its contractual obligations. Kolsetu shall inform the Controller in advance in text form (e.g. by email) of any change to or addition of a sub-processor. The Controller may object to a change within 14 days on substantiated data protection grounds.
Kolsetu shall conclude a data-protection agreement with each sub-processor corresponding in substance to this DPA and shall monitor compliance. Kolsetu remains responsible for ensuring that sub-processors fulfil their statutory and contractual data-protection obligations.
9. Term and Termination
This DPA enters into force upon signature and runs for the duration of the Main Agreement. Upon termination of the Main Agreement, this DPA also ends. After contract termination, Kolsetu shall, at the Controller's choice, return or delete all personal data within 30 days, unless a statutory retention obligation exists.
10. Notifications, Written Form, Governing Law
The Processor shall inform the Controller without delay of any official measures relating to the processed data. Amendments to this DPA require written or text form. In the event of conflict, the provisions of this DPA take precedence over the Main Agreement. Governing law: German law. Jurisdiction: Hamburg.
11. Liability
Liability is governed by the provisions of the Main Agreement. Each party bears responsibility for its own infringements and shall indemnify the other party against resulting third-party claims.
Annex 1 -- Technical and Organisational Measures (TOMs) under Art. 32 GDPR
A. Confidentiality
- Access control: No unauthorised access to processing facilities.
- System access control: No unauthorised use of systems (passwords, 2FA, encryption).
- Internal access control: No unauthorised reading, copying or modification of data.
- Isolation control: Separate processing for different purposes.
- Pseudonymisation: Personal data is stored separately where appropriate.
B. Integrity
- Data transfer controls: Protection during electronic transmission.
- Data input controls: Logging of changes and deletions.
C. Availability and Resilience
- Availability control: Protection against loss or destruction (backups, firewalls, contingency plans).
- Rapid recovery: Business continuity and recovery plans.
D. Additional Measures
- Privacy management and data protection by design and default.
- Incident response management.
- Vendor control and contractual obligations for service providers.
- No processing by third parties without documented instruction.
Annex 2 -- Sub-processor List
Kolsetu uses the following sub-processors. Processing is configured for EEA/EU regions where available. If cross-border processing is required in exceptional cases, appropriate safeguards (including SCCs) apply.
| Sub-processor | Service Scope | Data Location / Safeguards |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure (compute, storage, network) | EU data centres (Frankfurt, Luxembourg) |
| Microsoft Azure | Cloud infrastructure | EU data centres (Frankfurt, Netherlands) |
| Microsoft Azure OpenAI Service | AI voice and text processing for demo and product workflows | EU deployment configured by Kolsetu. If a cross-border transfer is required in exceptional cases, SCC safeguards apply. |
| Google Cloud | Cloud infrastructure | EU data centres (Frankfurt, Ireland) |
| Zoho Corporation GmbH, Duesseldorf | CRM cloud solution for lead management, customer management and support | EEA |
| Stripe Payments Europe Ltd., Dublin | Credit card and cashless payment processing | EEA |
| PayPal Europe S.a.r.l., Luxembourg | Card and cashless payment processing | EEA |
| Telnyx UK Limited, London | Voice, messaging and network APIs (telephony, SMS, VoIP) | UK (adequacy decision) |
| LiveKit Cloud | Real-time audio/video API platform (WebRTC) for live AI interactions | Regional endpoint configured by Kolsetu for EU workloads. If non-EEA routing is required in exceptional cases, SCC safeguards apply. |
| Langfuse GmbH, Berlin | Monitoring and observability for AI applications | EEA |
| n8n GmbH, Berlin | Workflow automation and system integrations | EEA |