Data Processing Agreement (DPA)
pursuant to Art. 28 GDPR — As of: February 2026
1. Subject Matter and Duration
The subject of this data processing agreement is the processing of personal data by the processor (Senorit, Ebrahim Seyfi, Seeschwalbentwiete 23, 22119 Hamburg) within the scope of the SaaS service agreement for the AI phone assistant service "Senorit AI". The duration of data processing corresponds to the term of the underlying service agreement.
2. Nature and Purpose of Processing
The processor operates an AI-powered phone assistant that answers incoming calls on behalf of the controller. Processing includes real-time transcription of conversations, creation of summaries, classification of requests, and notification of the controller about relevant calls.
3. Types of Personal Data
- Caller phone numbers
- Call transcripts and summaries
- Caller names (as mentioned in conversation)
- Appointment requests and other structured conversation data
- Call duration and timestamp
4. Categories of Data Subjects
Data subjects are callers (customers, prospects, and other contacts) of the controller whose calls are answered by the AI phone assistant.
5. Obligations of the Processor
- Processing of personal data exclusively based on documented instructions from the controller
- Ensuring confidentiality — all persons entrusted with data processing are bound by confidentiality obligations
- Implementation of all necessary technical and organizational measures pursuant to Art. 32 GDPR
- Assisting the controller in fulfilling data subject rights (Art. 15–22 GDPR)
- Assisting with data protection impact assessments and prior consultations (Art. 35–36 GDPR)
- Immediate notification to the controller of data protection breaches (Art. 33 GDPR)
- Deletion or return of all personal data upon termination of the contract
6. Sub-processors
The processor uses the following sub-processors. Changes are communicated to the controller in a timely manner; the controller has the right to object.
| Service | Provider | Location | Purpose |
|---|---|---|---|
| Supabase | Supabase Inc. | EU (Frankfurt) | Database, Authentication |
| Telnyx | Telnyx LLC | USA (EU SCC) | Telephony, SMS, Voice AI, Transcription |
| Stripe | Stripe Inc. | EU (Dublin) | Payment processing |
| Vercel | Vercel Inc. | EU (Frankfurt) | Hosting |
| Resend | Resend Inc. | USA (EU SCC) | Email delivery |
| Axiom | Axiom Inc. | EU (Frankfurt) | Error monitoring & logging |
| Google LLC | Google LLC | USA (EU-U.S. DPF) | Google Calendar integration (appointment management) |
7. Rights of the Controller
- Right to conduct audits and inspections, including through appointed third parties, upon reasonable notice
- Right to comprehensive information about technical and organizational measures in place
- Right to information about sub-processors and changes thereto
- Right to object to the engagement of new sub-processors
8. Deletion and Return
Upon termination of the service agreement, the processor deletes all personal data within 30 days, unless statutory retention obligations apply. At the controller's request, data is returned in a common, machine-readable format prior to deletion.
9. Technical and Organizational Measures (TOMs)
- Encryption: All data transmissions are encrypted with TLS 1.3; data is stored encrypted
- Access control: Row Level Security (RLS) at the database level ensures customers can only access their own data
- Authentication: Supabase Auth with secure session management and role-based access control
- EU hosting: All data is stored and processed in the EU (Frankfurt location)
- Monitoring: Real-time error monitoring via Sentry for quick detection and resolution of incidents
- Backup: Regular automated data backups with defined recovery procedures