Auftragsverarbeitungsvertrag (AVV) gemäß Art. 28 DSGVO — Stand: Mai 2026
1. Parties / Vertragsparteien
This Data Processing Agreement ("DPA") is entered into between the customer ("Controller") and Deskra, operated by John Jay Khalif, Henrik-Ibsen-Straße 5, 18106 Rostock, Deutschland ("Processor").
Dieser Auftragsverarbeitungsvertrag wird zwischen dem Kunden ("Verantwortlicher") und Deskra ("Auftragsverarbeiter") geschlossen.
2. Subject Matter / Gegenstand
The Processor provides an AI-powered voice tech support platform that processes personal data on behalf of the Controller in accordance with Art. 28 GDPR.
3. Nature and Purpose of Processing / Art und Zweck der Verarbeitung
Personal data is processed for the following purposes:
Handling inbound technical support calls on behalf of the Controller
Caller identity verification using customer numbers, PINs, and dates of birth
Automatic creation and management of support tickets (Jira or equivalent)
Call transcription for ticket documentation and quality assurance
Returning caller recognition based on phone number lookup
4. Types of Personal Data / Art der personenbezogenen Daten
Name and customer/employee identifiers
Phone numbers
Date of birth and service PINs (used for verification only)
Voice recordings and call transcripts
IT issue descriptions and resolution notes
5. Categories of Data Subjects / Kategorien betroffener Personen
Employees or customers of the Controller who contact the support line
6. Duration / Laufzeit
Processing continues for the duration of the service agreement. Upon termination, all personal data is deleted or returned within 30 days unless retention is required by law.
7. Obligations of the Processor / Pflichten des Auftragsverarbeiters
Deskra commits to:
Processing data only on documented instructions from the Controller
Ensuring all staff with data access are bound by confidentiality obligations
Implementing appropriate technical and organisational measures (Art. 32 GDPR)
Not engaging sub-processors without prior written consent of the Controller
Assisting the Controller with data subject rights requests (Art. 15–22 GDPR)
Deleting or returning all data upon end of service
Providing all information necessary to demonstrate compliance
8. Technical and Organisational Measures / Technische und organisatorische Maßnahmen
All data in transit encrypted via TLS 1.2+
API keys and credentials stored as environment variables, never in source code
Access to production systems restricted by SSH key authentication
Call logs retained for 7 days then automatically purged
Dashboard access protected by password authentication and rate limiting
Infrastructure hosted on IONOS EU servers (Frankfurt, Germany)
9. Sub-processors / Unterauftragsverarbeiter
Deskra uses the following sub-processors to deliver the service:
Anthropic, Inc. — AI language model (Claude) — USA (SCCs in place)
Deepgram, Inc. — Speech-to-text transcription — USA (SCCs in place)
ElevenLabs, Inc. — Text-to-speech synthesis — USA (SCCs in place)
Microsoft Azure — Fallback TTS, EU region — Ireland
Twilio, Inc. — Voice/telephony infrastructure — USA (SCCs in place)
IONOS SE — Server hosting — Germany
Atlassian (Jira) — Ticket management — Australia (SCCs in place)
The Controller will be notified of any changes to sub-processors with at least 14 days notice.
10. Data Transfers / Datenübermittlung
Some sub-processors are located outside the EU/EEA. Transfers are governed by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR or adequacy decisions where applicable.