OpenAlice Embed← Home
Legal · Art. 28 GDPR

Data Processing Agreement

Version 2.0 · 2026-07-04 · prepared for legal review · Deutsch

1. Subject matter & roles

This DPA forms part of the Terms of Service. For conversations that visitors have with the customer's embedded widget, the customer is the controller and OpenAlice Laboratories is the processor (Art. 28 GDPR). We process visitor personal data solely to provide the Service and only on the customer's documented instructions, as expressed through the dashboard configuration and these terms.

2. Nature and purpose of processing

Receiving, storing, analysing and answering visitor messages (text and, where enabled, voice); capturing lead details visitors submit; producing conversation analytics for the customer; escalating to the customer's team.

3. Categories of data & data subjects

4. Duration, deletion & return

Processing lasts for the duration of the contract. Retention is controller-configured per widget: session-only or 7 / 30 / 90 / 365 days; expiry deletes automatically. On termination, the customer may export transcripts and leads; we delete remaining personal data within 30 days, backup rotation within a further 35 days, unless statutory law requires longer.

5. Technical and organisational measures (Art. 32)

6. Sub-processors (Art. 28(2))

The customer grants general authorisation for the sub-processors listed in the Privacy Policy § 5 (Hetzner DE, Mistral FR, Mollie NL; optionally OpenRouter US, ElevenLabs US, Fish Audio US — the US providers only where the customer enables them and the visitor consents under Art. 49(1)(a)). We announce additions or replacements at least 14 days in advance; the customer may object on reasonable data-protection grounds, in which case the affected feature stays disabled for them.

7. Personal data breach

We notify the customer without undue delay after becoming aware of a personal data breach affecting their data, with the information required by Art. 33(3), and support the customer's own notification duties.

8. Assistance & data-subject rights

Taking into account the nature of processing, we assist the customer with Art. 12–23 requests (export, correction, deletion of individual conversations via dashboard or support) and with Art. 32–36 obligations (this TOM list, DPIA input on request).

9. Audit

We make available the information necessary to demonstrate Art. 28 compliance and allow audits, normally satisfied by our documentation and third-party attestations; on-site audits require 30 days' notice, business hours, confidentiality, and no access to other customers' data.

10. Confidentiality

Persons authorised to process the data are bound to confidentiality. Our operating agents (human and AI) access conversation data only for operation, support and safety review, always logged.