Data Processing Agreement pursuant to Art. 28 GDPR between the controller and TWWIM UG (haftungsbeschränkt) as processor.
Subject and Duration
The processor provides the controller with the TWWIM AI SaaS platform – a voice- and text-controlled AI assistant embedded into the controller's platform (e.g. online shop, website or application) via a plugin or JavaScript snippet. Within this service, the processor processes personal data of the controller's end customers on behalf of the controller.
- The subject matter of the processing follows from the main contract concluded between the parties and from this agreement; details of the processed data categories and data subjects are set out in Annex 1.
- The duration of the processing corresponds to the term of the main contract and ends with its termination; the section Deletion at End of Contract remains unaffected.
Nature and Purpose of Processing
The purpose of the processing is to enable the controller's end customers to interact with the AI assistant – in particular to receive answers based on the content released by the controller and to have actions executed directly on the page the end customer is viewing. The processor processes personal data only insofar as this is necessary to provide the agreed service.
- The processing covers two categories of data: operational data stored for the duration of the contractual relationship (such as the product catalogue released by the controller, uploaded knowledge documents, FAQ entries) and session and interaction data, which is processed only for the duration of the respective interaction plus a technically necessary follow-on period. This follow-on period typically does not exceed 30 minutes from the end of the session; thereafter the data is automatically and irretrievably deleted.
- No further processing – in particular for training or profiling purposes – takes place.
Categories of Data Subjects and Data
A more detailed description of the data subjects and the data categories processed is set out in Annex 1. Where the controller itself provides content (e.g. knowledge documents, product descriptions), the lawful provision of such content lies within the controller's sphere of responsibility.
Place of Processing
The personal data is processed exclusively on servers operated within the European Union. No transfer to third countries takes place; should the controller wish such a transfer, this requires a separate written agreement and compliance with the requirements of Chapter V GDPR.
Processor's Obligations
The processor processes personal data exclusively on the documented instructions of the controller and in accordance with the requirements of the GDPR. The processor supports the controller, where necessary and possible, in fulfilling the controller's own obligations.
- The processor implements the technical and organisational measures required under Art. 32 GDPR; the principal measures are described in Annex 2 and are adapted to the state of the art as required.
- All persons involved in the processing of the data are bound to confidentiality unless they are already subject to a corresponding statutory duty of secrecy.
- The processor supports the controller in fulfilling data-subject rights (Articles 12 to 22 GDPR) by appropriate technical and organisational measures.
- In the event of a personal data breach, the processor informs the controller without undue delay – as a rule within 24 hours of becoming aware – and provides the information required for a notification under Articles 33, 34 GDPR. This ensures that the controller can comply with its own 72-hour notification obligation towards the supervisory authority in good time.
- Upon termination of the processing, all personal data shall be deleted or returned in accordance with the section Deletion at End of Contract.
Sub-processors
The processor may engage further processors to provide the service. This does not release the processor from its responsibility towards the controller.
- A list of the sub-processors currently engaged is contained in Annex 3. By concluding this agreement, the controller consents to the engagement of these sub-processors.
- Intended changes – in particular the engagement of additional sub-processors – are notified to the controller in text form with reasonable advance notice (as a rule 30 days). The controller may object to such a change for important reasons; in that case the parties shall seek an amicable solution.
- The processor contractually obliges its sub-processors to an appropriate level of data protection in line with the GDPR.
Controller's Rights
The controller has the audit and instruction rights it is entitled to under Art. 28 GDPR. Their practical implementation is specified as follows.
- The controller may at any time request information on compliance with the agreed obligations, in particular on the technical and organisational measures in place.
- The controller is entitled, after prior notice with a reasonable lead time (as a rule 14 days) and during regular business hours, to satisfy itself of compliance with this agreement. On-site inspections are limited to the extent necessary; alternatively, current attestations, certifications or reports of independent auditors may be accepted.
- Instructions of the controller shall be issued in text form; oral instructions are documented by the processor without delay. If the processor considers an instruction to violate applicable data protection law, it informs the controller without undue delay.
Deletion at End of Contract
Upon termination of the processing services, all personal data processed on behalf of the controller is, at the controller's option, deleted or returned. Existing statutory retention obligations remain unaffected.
- Operational data is generally deleted within 30 days after termination of the main contract.
- Session and interaction data is already removed during ongoing operation by automatic deletion or expiry mechanisms; no such data remains after termination.
- On request, the processor confirms the proper deletion to the controller in text form.
Liability
For the liability of the parties towards data subjects, Art. 82 GDPR applies. As between the parties, the liability rules of the main contract apply in addition.
Updating this Agreement
This agreement applies in version 1.0 dated 2026-04-26. The current version is available at twwim.ai/avv.
- The processor is entitled to adapt this agreement to changed legal requirements, technical developments or changes in the way it provides its services.
- Amendments are notified to the controller in text form at least 30 days before they take effect. The notice includes a summary of the material changes, the effective date, a link to the new version and a reference to the right to object.
- Material amendments – in particular the introduction of new third-country transfers, a reduction in the level of protection provided by the technical and organisational measures, or the inclusion of new categories of data – require the controller's explicit consent.
- For non-material amendments (in particular editorial adjustments, updated statutory references, concretisations of the technical and organisational measures (TOMs) at an unchanged level of protection), the amendment is deemed accepted if the controller does not object in text form within 30 days of receipt of the amendment notice.
- If the controller objects to an amendment, either party may terminate this agreement with effect from the effective date of the amendment.
- Updates to the list of sub-processors (Annex 3) follow the procedures set out there and in the section Sub-processors.
Final Provisions
This agreement is governed by German law. To the extent legally permissible, the place of jurisdiction for all disputes arising from this agreement is Aachen. Should individual provisions be ineffective, the validity of the remaining provisions remains unaffected; the ineffective provision shall be replaced by a provision that comes as close as possible to the parties' economic intention.
Annex 1 — Categories of Data Subjects and Data
This annex specifies the subject matter and scope of the processing within the meaning of Art. 28 (3) GDPR.
Categories of data subjects
- The controller's end customers
  - Visitors and users of the controller's platform who interact with the TWWIM assistant.
- Other persons mentioned in the content
  - Natural persons whose data may be contained in the content released by the controller (e.g. contact persons in knowledge documents, authors of product reviews).
Categories of data
- Content provided by the end customer
  - Text typed or spoken during the interaction and transcriptions derived therefrom; information voluntarily provided by the end customer (e.g. requests, addresses, names, contact details).
- Technical and session data
  - IP address, timestamps, browser and device information, session identifiers, the URL accessed and comparable telemetry data, to the extent necessary for secure operation.
- Personal data indirectly contained in content
  - Personal data contained in content released by the controller for the knowledge base.
Annex 2 — Technical and Organisational Measures
The processor implements the technical and organisational measures summarised in this annex pursuant to Art. 32 GDPR. It adapts these measures to the state of the art, the likelihood and severity of the risks and the cost of implementation. A change of the measures is permissible provided that the agreed level of protection is not undercut.
Confidentiality (Art. 32 (1) (b) GDPR)
- Physical access control
  - The servers are operated in certified data centres within the European Union; physical access is restricted to authorised personnel of the data-centre operator.
- Logical access and authorisation control
  - Access to production systems is limited to a defined group of named administrators. Authentication uses strong, state-of-the-art authentication methods (e.g. multi-factor authentication, cryptographic keys). A documented role and authorisation concept is in place.
- Tenant separation
  - Data of different controllers is processed in logically separated form (multi-tenancy).
Integrity (Art. 32 (1) (b) GDPR)
- Transfer control
  - Personal data is transmitted in encrypted form according to the state of the art.
- Input control
  - Material changes to operational data are logged in such a way that it can be retrospectively verified whether, when and by whom they were made.
Availability and resilience (Art. 32 (1) (b) GDPR)
- Availability control
  - A documented backup concept for operational data is in place, together with continuous monitoring of system availability and a procedure for restoring the data in the event of an incident.
Procedure for regular review (Art. 32 (1) (d) GDPR)
The effectiveness of the implemented measures is reviewed at regular intervals and on an event-driven basis. Security-relevant updates are deployed in a timely manner.
Annex 3 — Approved Sub-processors
By concluding this agreement, the controller consents to the engagement of the sub-processors listed below. All sub-processors have their seat in the European Union; no transfer to third countries takes place.
| Sub-processor | Seat | Service |
|---|---|---|
| STRATO AG | Pascalstraße 10, 10587 Berlin, Germany | Hosting of the application, database and email servers (mail.twwim.com; delivery of transactional emails) as well as of the website twwim.ai |
| Media Trooper GmbH (trooper.ai) | Am Güterbahnhof 4, 65510 Idstein, Germany | Provision of dedicated bare-metal GPU servers in EU data centres (Tier 3 / ISO 27001) for AI inference (execution of the language models); no persistent storage of personal data at the provider |
| Stripe Payments Europe Ltd. | 1 Grand Canal Street Lower, Dublin 2, Ireland | Payment processing in the relationship TWWIM ↔ contracting parties (processes only data of TWWIM contracting parties, no end-customer data) |
Actual AI processing (speech and text recognition, language model, knowledge search) takes place exclusively on the EU-based servers listed above; no US cloud AI providers (e.g. OpenAI, Google, Anthropic, AWS Bedrock) are involved. No further third-party providers are involved in the processing of end-customer data.