Data Processing Agreement (DPA)

This Data Processing Agreement pursuant to Art. 28 GDPR is concluded between the Tenant (the “Controller”) and

Timon Filipovic, trading as “Recelia”
In der Breite 54, 79224 Umkirch, Germany
(the “Processor” or “Recelia”).

The DPA is part of the Terms and Conditions. In the event of conflicts in data protection matters, the DPA takes precedence.

• Subject matter: processing of personal data of the Controller’s end customers within the Recelia platform (AI receptionist).
• Duration: for the term of the main contract (Terms).
• Nature and purpose: handling customer enquiries, appointment booking, answering FAQs, sending confirmations and reminders, optional voice recording and transcription, sending via WhatsApp, SMS and email, AI-assisted answers via language models.

• Data categories: name, phone number, email address (if provided), appointment history, conversation content (chat, WhatsApp, SMS), voice audio and transcripts (if active), and for medical verticals potentially health data (Art. 9 GDPR).
• Data subjects: end customers, prospects and other callers or message senders of the Controller.

Recelia processes personal data exclusively on the documented instructions of the Controller, unless a legal obligation requires otherwise. The configuration in the dashboard and the acceptance of the Terms and DPA are deemed standard instructions. Recelia informs the Controller without delay if, in its opinion, an instruction infringes data protection law.

Recelia obliges the persons involved in the processing to confidentiality pursuant to Art. 28(3)(b), Art. 29 and Art. 32(4) GDPR.

• Confidentiality: role-based access permissions, multi-factor authentication for administrative accounts, logical tenant separation per Tenant via tenant ID and row-level security.
• Integrity: encryption in transit (TLS 1.2+) and at rest (AES-256), version control, code reviews.
• Availability: regular backups in the EU region (Frankfurt), monitoring, incident-response process.
• Review: regular review of the measures, data protection impact assessment for material changes.

The Controller grants general authorisation for the engagement of the subprocessors listed in the Privacy Policy. Recelia gives notice of intended changes at least 30 days in advance. The Controller may object for legitimate data protection reasons. Recelia concludes a DPA with each subprocessor imposing essentially comparable obligations.

Recelia assists the Controller in fulfilling data subject rights (Art. 12 to 22 GDPR) and the obligations under Art. 32 to 36 GDPR through appropriate technical and organisational measures. Recelia informs the Controller without undue delay, and at the latest within 48 hours, of any personal data breach that becomes known (Art. 33 GDPR).

After the end of the processing activity, Recelia returns or deletes all personal data at the Controller’s choice, unless a statutory retention obligation precludes this. Deletion is confirmed on request.

On request, Recelia provides the Controller with the information necessary to demonstrate compliance with its obligations. The Controller may carry out audits once a year or on a specific occasion, as a rule based on meaningful certificates of the subprocessors and written information. On-site inspections are possible with reasonable advance notice of at least 30 days; the Controller bears the costs.

Where Recelia transfers personal data to third countries, this is done on the basis of an adequacy decision (EU-US Data Privacy Framework, Implementing Decision (EU) 2023/1795) or on the basis of standard contractual clauses pursuant to Implementing Decision (EU) 2021/914 with the necessary supplementary measures.

Externally vis-à-vis data subjects, Art. 82 GDPR applies; internally, the liability provisions of the Terms apply. German law applies, the place of jurisdiction is Freiburg im Breisgau. Amendments require text form.

This DPA is provided for acceptance during onboarding and is available as a signed document on request. Enquiries to kontakt@recelia.app.