
Data Processing Agreement

Last updated: 31 March 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between oHallo ApS ("oHallo", "processor") and the company using the oHallo platform ("customer", "controller").

This DPA governs the processing of personal data that oHallo carries out on behalf of the customer when providing the oHallo platform. It is entered into under Article 28 of the General Data Protection Regulation (GDPR).

By using the oHallo platform, the customer agrees to this DPA. It applies automatically to all customers and does not require a separate signature.

2. Definitions

  • "Personal data", "processing", "data subject", "controller", "processor", and "sub-processor" have the meanings given in the GDPR.
  • "Platform" means the oHallo service, including the dashboard (app.ohallo.eu), authentication (auth.ohallo.eu), APIs, and all related infrastructure.
  • "End-customer" means a person who communicates with the customer via the platform (through email, chat, WhatsApp, or voice).

3. Scope and purpose of processing

Subject matter

oHallo processes personal data on behalf of the customer to provide an autonomous customer communication service. The platform receives inbound messages from the customer's end-customers, connects to the customer's business systems to gather relevant information, and sends validated replies on the customer's behalf.

Duration

Processing begins when the customer activates a channel on the platform and continues for the duration of the customer's subscription. Upon termination, data is retained for 90 days to allow for export, after which it is permanently deleted.

Nature of processing

The processing includes:

  • Receiving, storing, and indexing inbound messages and attachments.
  • Identifying and linking contacts and business accounts.
  • Querying the customer's business systems via configured integrations to gather data relevant to the enquiry.
  • Using large language models to classify the enquiry, plan an appropriate response, and compose a reply.
  • Validating the composed reply against the customer's policies and the source data.
  • Delivering the validated reply to the end-customer via the originating channel.
  • Storing conversation history, metadata, and audit trails.
  • Extracting knowledge base and policy proposals from resolved conversations for the customer's review.

Types of personal data

| Category | Examples |
|---|---|
| Contact information | Name, email address, phone number, postal address |
| Business information | Company name, VAT number, account references |
| Communication content | Message bodies, subject lines, attachments, documents |
| Conversation metadata | Timestamps, status, language, channel, resolution outcome |
| Call records (voice channel) | Phone numbers, call duration, timestamps |

Categories of data subjects

The data subjects are the customer's end-customers — the individuals and business representatives who communicate with the customer via the platform.

4. Obligations of oHallo as processor

oHallo will:

  • Process personal data only on documented instructions from the customer. The customer's instructions are defined by their configuration of the platform (channels, integrations, knowledge base, policies, and workspace instructions). oHallo will not process personal data for any other purpose. If oHallo becomes aware that an instruction from the customer infringes the GDPR or other applicable data protection law, oHallo will inform the customer without undue delay.
  • Ensure that all persons authorised to process personal data are bound by confidentiality obligations.
  • Implement and maintain the technical and organisational security measures described in section 7 of this DPA and section 11 of the Privacy Policy.
  • Engage sub-processors only in accordance with section 6 of this DPA.
  • Assist the customer in responding to data subject requests (access, rectification, erasure, portability, restriction, and objection) by providing the tools and data exports necessary to fulfil such requests.
  • Assist the customer in meeting their obligations under GDPR Articles 32 to 36 (security, breach notification, impact assessments, and prior consultation) to the extent that the assistance relates to the processing oHallo performs.
  • At the customer's choice, delete or return all personal data upon termination of the subscription, and delete existing copies within 90 days unless EU or member state law requires continued storage.
  • Make available to the customer all information necessary to demonstrate compliance with this DPA and allow for audits as described in section 8.

5. Obligations of the customer as controller

The customer will:

  • Ensure that there is a lawful basis for the processing of personal data through the platform, including any consents required from end-customers.
  • Inform end-customers that their enquiries may be processed using AI-assisted systems, in accordance with applicable transparency obligations.
  • Configure the platform in a manner appropriate for the personal data being processed, including setting up approval gates, escalation rules, and quality thresholds where the business context requires human oversight.
  • Monitor the quality of AI-handled conversations using the tools provided and respond to attention items and escalations in a timely manner.
  • Not submit special categories of personal data (Article 9 GDPR) to the platform unless explicitly agreed in writing.

6. Sub-processors

The customer authorises oHallo to engage sub-processors to assist in providing the platform. All sub-processors are bound by data processing agreements that impose obligations equivalent to those in this DPA.

All sub-processors process data exclusively within the European Union. No personal data is transferred outside the European Economic Area. If a transfer outside the EEA becomes necessary in the future, oHallo will ensure that appropriate safeguards are in place (such as Standard Contractual Clauses approved by the European Commission) and will notify the customer in advance.

oHallo will notify the customer at least 30 days before engaging a new sub-processor or replacing an existing one. The notification will include the sub-processor's name, purpose, and data location. If the customer objects to a new sub-processor on reasonable data protection grounds, the customer may contact us via our contact form to discuss the objection. If the objection cannot be resolved, the customer may terminate their subscription.

A current list of sub-processors is available on request via our contact form.

7. Security measures

oHallo implements the following technical and organisational measures to protect personal data processed on behalf of the customer:

  • Encryption in transit — all data transmitted between systems uses TLS 1.2 or higher.
  • Encryption at rest — databases and object storage use AES-256 encryption.
  • Data isolation — all data is logically isolated per customer. Every database query, cache key, and storage path is scoped to a single customer. No cross-customer data access is possible at any layer.
  • Access control — access to customer data is restricted to authorised personnel and systems. Role-based access control is enforced at the application layer.
  • Secrets management — credentials, API keys, and integration tokens are stored in a dedicated secrets manager, never in application code or databases.
  • Authentication — platform users authenticate via a dedicated identity provider with support for SSO and multi-factor authentication. Passwords are never stored by oHallo.
  • Infrastructure — the platform is hosted in EU data centres in Frankfurt and Falkenstein, Germany. All processing, including AI/LLM processing, takes place within the European Union.
  • Monitoring — infrastructure and application metrics are monitored continuously. Anomalies trigger automated alerts.

8. Audits

oHallo will make available to the customer the information necessary to demonstrate compliance with this DPA. This includes documentation of security measures, sub-processor agreements, and processing activities.

The customer may conduct an audit of oHallo's compliance with this DPA, subject to the following conditions:

  • The customer must provide at least 30 days' written notice before an audit.
  • Audits will be conducted during normal business hours and will not unreasonably disrupt oHallo's operations.
  • The customer may appoint a qualified independent auditor to conduct the audit on their behalf, subject to confidentiality obligations.
  • The scope of the audit is limited to oHallo's compliance with this DPA and the processing of the customer's data.
  • The customer bears the cost of the audit.

If oHallo obtains a relevant third-party certification or audit report (such as SOC 2 or ISO 27001), the customer may accept that report in lieu of conducting their own audit.

9. Data breach notification

In the event of a personal data breach affecting the customer's data, oHallo will:

  • Notify the customer without undue delay and in any event within 72 hours of becoming aware of the breach.
  • Provide the customer with sufficient information to enable the customer to fulfil their own breach notification obligations under GDPR Articles 33 and 34, including the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
  • Cooperate with the customer and take reasonable steps to mitigate the effects of the breach.

10. AI processing and automated decision-making

The platform uses artificial intelligence to process end-customer communications. This includes classifying the intent of inbound messages, querying the customer's business systems, composing replies, and validating those replies before delivery.

The customer instructs oHallo to carry out this processing by configuring channels, integrations, knowledge base entries, policy rules, and workspace instructions on the platform. oHallo processes data in accordance with these instructions.

oHallo provides the following safeguards for automated processing:

  • Every AI-generated reply is validated against the customer's policies and fact-checked against source data before delivery. If validation fails after multiple attempts, the reply is suppressed and the conversation is escalated to the customer's team.
  • The customer can configure approval gates that require human approval before specific actions are taken.
  • The customer can configure escalation rules that automatically transfer conversations to humans based on the results of business system queries.
  • Quality-based circuit breakers automatically pause AI handling and route to humans when quality metrics drop below configured thresholds.
  • The customer's team can take over any conversation at any time and communicate directly with the end-customer.
  • A complete audit trail of every decision, system query, and validation result is available in the customer's dashboard.

The customer is responsible for configuring these safeguards appropriately for their business context and for informing end-customers about the use of AI-assisted processing in accordance with applicable transparency obligations.

11. Data subject requests

If oHallo receives a request directly from a data subject regarding data processed on behalf of the customer, oHallo will promptly redirect the data subject to the customer.

oHallo will assist the customer in responding to data subject requests by providing:

  • Data export tools to fulfil access and portability requests.
  • Data deletion capabilities to fulfil erasure requests.
  • The ability to correct contact and account records to fulfil rectification requests.

The customer is responsible for responding to data subject requests within the timeframes required by the GDPR.

12. Data return and deletion

Upon termination of the customer's subscription, oHallo will:

  • Make the customer's data available for export for 90 days following termination.
  • Permanently delete all of the customer's personal data from active systems within 90 days of termination.
  • Delete personal data from backups within the normal backup rotation cycle (maximum 30 days after deletion from active systems).

oHallo may retain data where required by EU or Danish law (for example, billing and invoice data is retained for 7 years under Danish bookkeeping law).

13. Governing law

This DPA is governed by the laws of Denmark. Any disputes arising from this DPA will be resolved by the courts of Denmark.

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data.

14. Contact

For any questions about this DPA or data processing:

Contact us via ohallo.eu/contact.