Last Updated: 2026-04-12
This Data Processing Addendum ("DPA") forms part of the dbl9 Terms of Service or other written agreement between dbl9 GmbH ("dbl9," "Processor") and the entity identified as the customer ("Customer," "Controller") (collectively, the "Parties") governing Customer's use of the dbl9 Platform and services (the "Agreement").
This DPA applies to the extent dbl9 processes Personal Data on behalf of Customer in the course of providing the Service.
1. DEFINITIONS
1.1. "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to: (a) the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("FADP"); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); and (e) any other applicable data protection or privacy laws.
1.2. "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
1.3. "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
1.4. "Personal Data" means any information relating to a Data Subject that is processed by dbl9 on behalf of Customer in connection with the Service. For the purposes of the CCPA, Personal Data includes "Personal Information" as defined therein.
1.5. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.6. "Processing" (and "Process") means any operation or set of operations performed on Personal Data, whether or not by automated means.
1.7. "Processor" means the entity that processes Personal Data on behalf of the Controller.
1.8. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries, as set out in Commission Implementing Decision (EU) 2021/914.
1.9. "Sub-Processor" means any third party engaged by dbl9 to process Personal Data on behalf of Customer.
2. SCOPE AND ROLES
2.1. Roles. For the purposes of this DPA, Customer is the Controller and dbl9 is the Processor with respect to the processing of Personal Data under the Agreement.
2.2. Scope of Processing. dbl9 shall process Personal Data only as necessary to provide the Service in accordance with the Agreement and this DPA. The details of the processing activities are described in Annex I.
2.3. Customer Obligations. Customer represents and warrants that: (a) its instructions to dbl9 regarding the processing of Personal Data comply with Applicable Data Protection Law; (b) it has obtained all necessary consents, authorizations, and legal bases required for the processing of Personal Data by dbl9 under this DPA; and (c) it has provided all necessary privacy notices to Data Subjects.
3. PROCESSING OBLIGATIONS
3.1. Instructions. dbl9 shall process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by law. The Agreement, this DPA, and Customer's use and configuration of the Service constitute Customer's documented instructions.
3.2. Confidentiality. dbl9 shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3. Security. dbl9 shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, including as appropriate:
(a) the pseudonymization and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The specific security measures implemented by dbl9 are described in Annex II.
3.4. Sub-Processing. dbl9 shall not engage any Sub-Processor without prior written authorization from Customer. Customer provides general written authorization for dbl9 to engage the Sub-Processors listed at https://dbl99.de/legal/subprocessors.
(a) dbl9 shall notify Customer of any intended addition or replacement of Sub-Processors at least 30 days in advance, giving Customer the opportunity to object.
(b) If Customer objects to a new Sub-Processor on reasonable grounds relating to data protection, the Parties shall discuss the matter in good faith. If no resolution is reached, Customer may terminate the affected Service by providing written notice within 14 days of receiving notice.
(c) dbl9 shall impose on each Sub-Processor data protection obligations no less protective than those set out in this DPA by way of a written contract.
(d) dbl9 shall remain fully liable to Customer for the performance of each Sub-Processor's obligations.
3.5. Data Subject Rights. dbl9 shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to Data Subject requests to exercise their rights under Applicable Data Protection Law.
3.6. Assistance. dbl9 shall assist Customer in ensuring compliance with the obligations set forth in Articles 32 to 36 of the GDPR (or equivalent provisions under other Applicable Data Protection Law), taking into account the nature of the processing and the information available to dbl9.
4. PERSONAL DATA BREACH
4.1. dbl9 shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data.
4.2. Such notification shall include, to the extent available:
(a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
(b) the name and contact details of dbl9's data protection officer or other contact point;
(c) a description of the likely consequences of the Personal Data Breach;
(d) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
4.3. dbl9 shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.
5. DATA TRANSFERS
5.1. dbl9 shall not transfer Personal Data to a country or territory outside the EEA, UK, or Switzerland unless appropriate safeguards are in place in accordance with Applicable Data Protection Law.
5.2. To the extent that the processing of Personal Data involves a transfer to a third country, the Parties agree that the Standard Contractual Clauses shall apply as follows:
(a) EEA Transfers: The SCCs approved by Commission Implementing Decision (EU) 2021/914 shall apply, with Customer as the "data exporter" and dbl9 as the "data importer." Module Two (Controller to Processor) shall apply.
(b) UK Transfers: The UK International Data Transfer Addendum to the EU SCCs shall apply.
(c) Swiss Transfers: The SCCs shall apply with the modifications required under the FADP.
5.3. dbl9 processes Personal Data in accordance with GDPR and maintains compliance with applicable data protection standards.
6. AUDITS
6.1. dbl9 shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer.
6.2. Customer shall provide at least 30 days' prior written notice of any audit. Audits shall be conducted during normal business hours, no more than once per year (unless required by Applicable Data Protection Law or a supervisory authority), and subject to reasonable confidentiality obligations.
6.3. dbl9 may satisfy audit obligations by providing Customer with: (a) relevant third-party certifications (e.g., SOC 2 Type II, ISO 27001); (b) summary results of penetration tests; or (c) other evidence of compliance with this DPA, subject to reasonable confidentiality protections.
7. DATA RETENTION AND DELETION
7.1. Upon termination or expiration of the Agreement, dbl9 shall, at Customer's election, delete or return all Personal Data to Customer within 30 days, and delete all existing copies unless retention is required by Applicable Data Protection Law.
7.2. dbl9 shall certify in writing the deletion of Personal Data upon Customer's request.
8. CCPA/CPRA SPECIFIC TERMS
8.1. To the extent dbl9 processes Personal Data that is subject to the CCPA/CPRA, dbl9 shall:
(a) Process such Personal Data only for the specific business purposes set forth in the Agreement and this DPA;
(b) Not sell or share (as defined under the CCPA/CPRA) Personal Data;
(c) Not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Agreement, including any commercial purpose other than providing the Service;
(d) Not combine Personal Data received from Customer with Personal Data collected from other sources, except as permitted by the CCPA/CPRA;
(e) Comply with applicable obligations under the CCPA/CPRA and provide the same level of privacy protection as required thereby.
8.2. Customer has the right to take reasonable and appropriate steps to ensure that dbl9 uses Personal Data in a manner consistent with Customer's obligations under the CCPA/CPRA.
8.3. dbl9 shall notify Customer if it determines that it can no longer meet its obligations under the CCPA/CPRA.
9. GENERAL
9.1. Precedence. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
9.2. Liability. Each Party's liability under this DPA is subject to the limitations of liability set forth in the Agreement, except to the extent prohibited by Applicable Data Protection Law.
9.3. Term. This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiration of the Agreement, subject to Section 7.
ANNEX I — DETAILS OF PROCESSING
Categories of Data Subjects: Customer's employees, contractors, end users, and other individuals whose Personal Data is submitted to the Service by Customer.
Categories of Personal Data: Name, email address, IP address, usage data, and any other Personal Data submitted by Customer through the Service.
Sensitive Data (if applicable): None by default. If Customer submits sensitive/special category data, Customer is responsible for ensuring lawful processing.
Frequency of Transfer: Continuous, for the duration of the Agreement.
Nature and Purpose of Processing: To provide and maintain the Service as described in the Agreement, including processing Input Data through AI Features.
Duration of Processing: For the duration of the Agreement plus the data return/deletion period.
ANNEX II — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
dbl9 implements the following technical and organizational security measures:
1. Access Control
- Role-based access control (RBAC), multi-factor authentication, least-privilege principle, regular access reviews.
2. Encryption
- AES-256 encryption at rest; TLS 1.2+ in transit; key management with regular rotation.
3. Network Security
- Firewalls, intrusion detection/prevention systems, DDoS mitigation, network segmentation.
4. Incident Management
- Documented incident response plan, 24/7 security monitoring, breach notification within 72 hours.
5. Business Continuity
- Multi-AZ deployment, automated backups, disaster recovery plan tested annually.
6. Employee Security
- Background checks, security awareness training, confidentiality agreements, access revocation upon termination.
7. Vendor Management
- Vendor risk assessments, contractual security requirements, periodic reviews.
8. Certifications
- GDPR compliance, ISO 27001 (planned), SOC 2 Type II (planned).
dbl9 Data Processing Addendum v1.0