1. Scope, Roles and Definitions

1.1 This Data Processing Agreement ("DPA") specifies the data-protection obligations of the parties insofar as the Contractor processes personal data on behalf of the Client in connection with the provision and use of Oxolo.

This DPA applies exclusively to B2B relationships. Use of the Oxolo software by natural persons exclusively for personal or household purposes within the meaning of Article 2(2)(c) GDPR is not covered by the Contractor's range of services; the conclusion of a DPA with such persons is excluded.

1.2 In the event of a conflict between this DPA and the GTC for Oxolo, an offer, an Order Form or any other Usage Agreement, this DPA takes precedence with respect to commissioned processing and data-protection obligations.

1.3 The Client is the controller within the meaning of Article 4(7) GDPR for personal data whose purposes and means of processing it determines and which are processed via Oxolo. The Contractor is the processor within the meaning of Article 4(8) GDPR insofar as it processes such personal data on behalf of the Client.

Insofar as the Contractor processes personal data for its own purposes, for example for contract administration, billing, product security, abuse prevention, its own compliance purposes, obligations to provide evidence or aggregated/anonymized analyses, the Contractor acts as an independent controller. Such independent processing is not the subject of this DPA.

1.4 The definitions of the GDPR apply to this DPA. In addition, the following terms apply:

  • "Client": The natural or legal person or partnership that uses or wishes to use Oxolo in a business capacity on the basis of the GTC for Oxolo or another Usage Agreement. The Client is the controller within the meaning of Article 4(7) GDPR.

  • "Contractor": Oxolo GmbH, Bohnenstrasse 2, 20457 Hamburg, Germany. The Contractor is the processor within the meaning of Article 4(8) GDPR insofar as it processes Client Personal Data on behalf of the Client.

  • "Usage Agreement" / "Contract" / "contract": The contract concluded between the Client and the Contractor on the use of Oxolo, including the GTC for Oxolo, an offer, an Order Form or other contractual documents.

  • "Parties": Collective designation for the Client and the Contractor.

  • "Oxolo" / "Services": The Contractor's software solution for digital project, deployment, construction-site and field documentation, including the functions respectively booked, activated or technically provided.

  • "Client Input": All content and data that the Client or its users enter, upload, record, capture, generate, connect, synchronize into Oxolo or otherwise provide to the Contractor for processing within the framework of Oxolo.

  • "Client Output": Content, reports, transcripts, summaries, tasks, analyses, labels, translations, project documentation and other results that Oxolo generates or structures on the basis of the Client Input on behalf of the Client.

  • "Client Personal Data": Personal data that form part of Client Input or Client Output or are processed in connection with the use of Oxolo on behalf of the Client.

  • "Users": Natural persons authorized by the Client to use Oxolo, in particular employees, representatives, contractors, administrators or other authorized persons of the Client.

  • "Voice profile" / "Voiceprint": A biometric pattern or other technical representation of a voice that can be used for speaker recognition or speaker identification.

  • "Subprocessor": Any further processor that the Contractor engages to process Client Personal Data within the framework of Oxolo.

2. Subject Matter and Duration of the Commission

2.1 The subject matter of this DPA is the processing of Client Personal Data by the Contractor to provide Oxolo as a software solution for digital project, deployment, construction-site and field documentation. The processing includes in particular, insofar as booked, activated or used by the Client:

  • capture, upload, storage, structuring, analysis, translation and display of project, deployment, field and construction-site data;

  • audio recording or upload of audio content;

  • automated transcription;

  • speaker assignment and, insofar as activated, voice-profile-based speaker identification;

  • processing of photos, videos, signatures, evidence files and associated metadata;

  • creation of reports, logs and other project documentation, including PDF, DOCX and other output formats, insofar as supported;

  • extraction and structuring of tasks, variations, delays, labels and further project signals;

  • team collaboration, invitations, role and permission management, shares, tokenized links and external access workflows;

  • audit-trail, security and system logging to the extent technically available;

  • account, subscription, billing, support and service-operation processes, insofar as such processing is carried out on behalf of the Client;

  • optional WhatsApp accompanying channel for inbound/outbound communication and media processing, insofar as activated.

2.2 This DPA is concluded together with the Usage Agreement. Its term corresponds to the term of the Usage Agreement. The obligations under this DPA continue to exist after termination of the Usage Agreement for as long as the Contractor has not returned, deleted, anonymized or otherwise destroyed Client Personal Data in a data-protection-compliant manner in accordance with this DPA.

2.3 The Contractor processes Client Personal Data exclusively on the documented instructions of the Client, unless a legal obligation of the Contractor requires processing. The documented instructions result from this DPA, the Usage Agreement, the use and configuration of Oxolo by the Client, and permissible individual instructions of the Client.

2.4 The Client remains solely responsible for the lawfulness of the personal data provided to the Contractor and for ensuring that the collection, disclosure and further processing of such data by the Contractor in accordance with the documented instructions of the Client are compatible with applicable data-protection law. This includes in particular:

  • the lawfulness of the collection, disclosure and transfer of Client Personal Data to the Contractor;

  • the lawfulness of the processing of Client Personal Data by the Contractor on the Client's instructions;

  • compliance with transparency obligations toward data subjects;

  • obtaining consents insofar as these are required;

  • carrying out a data protection impact assessment insofar as it is required under Article 35 GDPR;

  • the assessment of whether Oxolo offers an appropriate level of protection for the respective use and the respective data.

2.5 The parties are aware that Oxolo provides an optional function for voice-profile-based speaker identification ("Voiceprints"). Voiceprints are biometric data for the unique identification of a natural person and thus special categories of personal data within the meaning of Article 9(1) GDPR, insofar as they are or can be used for unique identification. Voiceprints are processed in an organization-specific, isolated manner; no cross-organizational speaker recognition or cross-organizational voiceprint matching takes place.

Insofar as the Client activates this function, has it activated by its users, or triggers corresponding processing through its use of Oxolo, it instructs the Contractor to process voiceprints within the framework of the documented instructions and the product-specific parameters of Oxolo.

The Client is solely responsible for ensuring, prior to the processing of biometric data, an appropriate legal basis under Article 6(1) GDPR and an exception or authorization under Article 9(2) GDPR, in particular for obtaining the explicit consent of the data subjects pursuant to Article 9(2)(a) GDPR or maintaining another appropriate authorizing provision, as well as for providing the information required under Articles 13/14 GDPR. This applies to every speaker who can be captured by the function, and thus also to third parties whose voice is captured in the course of a recording, not only to employees of the Client.

The Client must refrain from, deactivate or organizationally avoid the use of voice profiles / voiceprints insofar as it cannot ensure the required transparency, legal basis, consent or other data-protection prerequisite.

2.6 The parties are aware that Oxolo contains an automatic speaker identification that is activated by default on the organization side and can be deactivated organization-wide by the organization owner. With this function, unknown speakers are automatically created as identities with an anonymized placeholder label (e.g. "Speaker b74bj73"); subsequent naming is carried out by authorized users of the Client. Insofar as the Client keeps this function activated or has it activated by its users, it may use it only if it has ensured in advance the required legal basis, transparency and, insofar as required, the explicit consent of all data subjects. The Client can deactivate the automatic capture on the organization side.

2.7 Beyond voiceprints, further special categories of personal data within the meaning of Article 9(1) GDPR are not primarily intended for processing. Nevertheless, audio recordings, photos, videos, transcripts, signatures or project content may, depending on the content provided by the Client, contain or reveal special categories of personal data, such as health data, trade-union membership, religious or philosophical beliefs or other sensitive information.

The Client is responsible for the lawfulness of such processing and must in particular ensure transparency, a legal basis, consents and protective measures. The Contractor may suspend the processing insofar as this is necessary to comply with applicable law.

3. Specification of the Subject Matter of the Commission, Places of Processing and Third-Country Transfers

3.1 Depending on the use and configuration of Oxolo, the processing includes in particular the collection, capture, recording, uploading, storage, organization, structuring, querying, display, categorization, conversion, transcription, analysis, summarization, translation, provision, transmission to authorized recipients, disclosure to authorized subprocessors, anonymization, restriction, deletion and destruction of Client Personal Data.

3.2 The purpose of the processing is the provision, operation, maintenance, securing and support of Oxolo in accordance with the Usage Agreement and the documented instructions of the Client. The purposes are further specified in Annex 1.

3.3 The categories of personal data result in particular from Annex 1. Through its use, configuration, user permissions and provided content, the Client determines which personal data are specifically processed.

3.4 The categories of data subjects result in particular from Annex 1. They may include in particular users of the Client, employees, contractors, subcontractors, project participants, customers, suppliers, visitors, report recipients, persons in audio recordings, persons in photos or videos, and signatories of signatures.

3.5 The Contractor processes Client Personal Data primarily within the European Union or the European Economic Area. The central infrastructure is operated in the EU, in particular AWS region eu-west-1 (Ireland), Supabase project region eu-west-1 (Ireland), RDS region for the transcript-embedding database eu-west-1 (Ireland), Sentry instance in Germany and PostHog instance in the EU.

Processing and/or transfers to third countries may take place insofar as this is necessary for the provision of Oxolo, in particular through the use of the subprocessors with a third-country connection named in Annex 3.

3.6 The parties are aware that, for the downstream diarization/batch processing of audio recordings, the API endpoint of the subprocessor AssemblyAI in the USA is used (api.assemblyai.com/v2). The real-time/streaming endpoint of AssemblyAI, by contrast, remains in the EU. The transfer to the US endpoint is carried out on the basis of appropriate safeguards pursuant to Chapter V GDPR, in particular the EU-US Data Privacy Framework (DPF), insofar as certified, and/or the EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914) between the Contractor and AssemblyAI. The Contractor implements supplementary measures where necessary.

3.7 Third-country transfers take place only if the requirements of Articles 44 et seq. GDPR are met and an appropriate transfer mechanism applies, in particular an adequacy decision, the EU-U.S. Data Privacy Framework, the EU Standard Contractual Clauses or other appropriate safeguards. Insofar as required, the Contractor implements supplementary measures taking into account the nature, scope, purpose and risk of the transfer. The Client hereby consents to the relocation of individual processing operations to the third countries named in Annex 3, insofar as this is necessary for the provision of the services and a permissible transfer mechanism exists.

3.8 Image files uploaded by users (evidence photos, project images, profile pictures) may contain embedded EXIF/GPS/device metadata, such as geocoordinates, time of capture, device model, camera/app information and comparable metadata. This metadata is not removed in the current state of the software. The Client is responsible for informing its users and, where applicable, for providing corresponding notices to third parties.

4. Technical and Organizational Measures

4.1 The Contractor takes technical and organizational measures pursuant to Article 28(3)(c) and Article 32 GDPR in order to ensure a level of protection appropriate to the risk for Client Personal Data. The measures take into account the state of the art, the costs of implementation, the nature, scope, circumstances and purposes of the processing, as well as the likelihood of occurrence and severity of possible risks to the rights and freedoms of natural persons.

4.2 The specifically documented technical and organizational measures are described in Annex 2. The Client accepts these measures as the basis of the processing. As evidence, the Contractor may in particular present the respectively current SOC 2 report, internal security documentation in appropriately summarized or redacted form, current certificates, security reports, report excerpts from independent bodies, technical documentation, data-protection reports or comparable evidence.

4.3 The technical and organizational measures are subject to technical further development. The Contractor may implement alternative or modified measures, provided that the contractually agreed security level is not undercut. Material changes are to be documented.

5. Instructions of the Client

5.1 The Client instructs the Contractor to process Client Personal Data insofar as this is necessary to provide Oxolo in accordance with the Usage Agreement, this DPA, the configuration chosen by the Client and the functions activated by the Client.

5.2 The Client may issue individual instructions in text form. Oral instructions are to be confirmed in text form without undue delay. Instructions that go beyond the contractually agreed scope of services, the standard functions of Oxolo or statutory requirements may be made conditional by the Contractor on appropriate remuneration.

5.3 The Contractor informs the Client without undue delay if it is of the opinion that an instruction infringes applicable data-protection law. The Contractor may suspend the execution of the instruction concerned until the Client confirms, amends or withdraws it.

6. Obligations of the Contractor

6.1 The Contractor ensures that persons authorized to process Client Personal Data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. This obligation continues to exist even after the end of the activity.

6.2 The Contractor processes Client Personal Data only for the provision of Oxolo and the related services in accordance with the Usage Agreement, this DPA and the documented instructions of the Client. The Contractor may not use Client Personal Data for other purposes and may not disclose it to third parties, except to approved subprocessors pursuant to Section 8 and Annex 3 or insofar as legally required.

6.3 The Contractor does not use Client Personal Data to train its own general AI models. The Contractor furthermore does not use Client Personal Data to train the third-party large language models it deploys, insofar as this is excluded under the respective product and contractual terms of these third-party providers. Insofar as Oxolo uses AI functions or AI subprocessors, the processing takes place only within the scope of the services and in accordance with this DPA. Use of Client Personal Data for product improvement, quality assurance or the further development of algorithms takes place only insofar as the Client has expressly activated the corresponding system setting within the meaning of the GTC for Oxolo (Section 10.2). Any such activation does not affect the prohibition on training the Contractor's own general AI models or the prohibition on third-party LLM training under the foregoing sentences.

6.4 The Contractor supports the Client, taking into account the nature of the processing and the information available to it, to a reasonable extent in complying with its obligations pursuant to Articles 32 to 36 GDPR, insofar as the support concerns the processing of Client Personal Data under this DPA and the Contractor's effort is not disproportionate.

6.5 If the Contractor is requested by a supervisory authority, a law-enforcement body or another state authority to hand over or disclose personal data of the Client, it informs the Client - insofar as legally permissible - without undue delay before the handover and examines, with the requisite care, the lawfulness of the request.

7. Data Subject Rights, Rectification, Restriction and Deletion

7.1 The Contractor does not rectify, delete or restrict Client Personal Data on its own initiative, but only on the documented instructions of the Client, unless the Usage Agreement, the standard functions of Oxolo, statutory obligations or this DPA provide otherwise.

7.2 If a data subject contacts the Contractor directly in order to assert rights under Articles 12 to 23 GDPR in relation to Client Personal Data, the Contractor forwards the request to the Client without undue delay, insofar as attribution is possible and legally permissible. The Contractor does not answer such requests itself, unless it is legally obliged to do so or the Client instructs it accordingly.

7.3 The Contractor supports the Client, to a reasonable extent, through appropriate technical and organizational measures in fulfilling data subject rights. Non-standardized support services may be reasonably remunerated, insofar as they are not based on a breach of obligation by the Contractor. The Client addresses corresponding requests to gdpr@oxolo.com or a data-protection contact point of the Contractor named in the Usage Agreement.

7.4 The parties are aware that the deletion of a voice profile / voiceprint removes the biometric template as well as the associated S3 audio object, insofar as it is used specifically for the voice profile. Historical transcripts are not thereby automatically deleted or anonymized and may continue to contain the speaker name used at the time of recording. 

The deletion of a voiceprint occurs in particular when (i) a user deletes their own voiceprint via the app, (ii) a user is removed from an organization, (iii) the account is deleted or archived, (iv) the organization owner deletes an identity via the settings or (v) a speaker is marked as "noise"; upon a case-by-case instruction of the Client, the Contractor additionally deletes voiceprints, provided that this is technically possible and not otherwise prescribed by law.

The Client remains the controller for the decision whether and when historical transcripts, recordings or content derived therefrom must be deleted, rectified, restricted or anonymized.

8. Subprocessors

8.1 The Client approves the use of the subprocessors named in Annex 3 for the purposes described therein. The prerequisite is a contractual agreement between the Contractor and the respective subprocessor in accordance with Article 28(2) to (4) GDPR.

8.2 The Client grants the Contractor a general authorization to engage further subprocessors or to replace existing subprocessors, provided that the requirements of this Section 8 are complied with.

8.3 The Contractor informs the Client at least thirty (30) days before engaging a new or replacement subprocessor or before a material change concerning existing subprocessors. The information is provided in text form to the contact email of the Client stored in the Usage Agreement and/or by updating a subprocessor list on the website or in the product.

8.4 The Client may object within the notification period on documented, objective data-protection grounds. General commercial, competitive or non-data-protection-related grounds are not sufficient. If no objection is made within this period, the change is deemed approved.

In the event of a justified objection, the parties cooperate in good faith to address the objection, in particular through additional protective measures, explanations, technical configurations or an appropriate alternative, insofar as available. If the objection cannot be appropriately resolved and the subprocessor concerned is necessary for a separable part of Oxolo, the Client may terminate the affected part of the services, insofar as that part is separable. If separation is not possible or is unreasonable for the Contractor, the Contractor is entitled to terminate the Usage Agreement with reasonable notice.

8.5 The Contractor concludes a contract with each subprocessor that meets the requirements of Article 28(4) GDPR and obligates the subprocessor to data-protection and security requirements that substantially correspond to the requirements of this DPA. The Contractor is liable to the Client for the fulfillment of data-protection obligations by subprocessors in accordance with Article 28 GDPR and the Usage Agreement.

9. Inspection and Audit Rights

9.1 Upon request, the Contractor provides the Client with the information necessary to demonstrate compliance with the obligations under Article 28 GDPR and this DPA. Such evidence may in particular be provided by current certificates, security reports, audit excerpts, technical documentation, data-protection reports or comparable evidence.

9.2 The Client may conduct audits itself or through an independent auditor bound to confidentiality, provided that the auditor is not a competitor of the Contractor. Audits must be announced at least thirty (30) days in advance in text form, may only take place during ordinary business hours and may not unreasonably impair the Contractor's business operations.

Regular audits are limited to once per calendar year and, as a rule, to one business day. For-cause audits are permissible on a legitimate occasion, in particular in the case of a concrete suspicion of a material data-protection breach or upon a substantiated official request.

9.3 The Contractor may demand reasonable remuneration for audits and support services, insofar as the audit was not occasioned by a breach of obligation for which the Contractor is responsible.

10. Support with Security, Personal Data Breaches and Data Protection Impact Assessment

10.1 The Contractor supports the Client, to a reasonable extent, in complying with obligations under Articles 32 to 36 GDPR, insofar as the support concerns the processing of Client Personal Data under this DPA. This includes in particular reasonable support with the security of processing, the notification of personal data breaches, the communication to data subjects, data protection impact assessments and prior consultations with supervisory authorities.

10.2 The Contractor informs the Client without undue delay after becoming aware of a personal data breach, insofar as it concerns Client Personal Data processed under this DPA. The notification is made to the contact email of the Client specified in the Usage Agreement and contains the information required under Article 33(3) GDPR, insofar as it is available. If this information is not yet available at the time of the initial notification, it will be supplied without undue delay.

Insofar as a fixed deadline is agreed in the Usage Agreement or in an internal incident policy, this applies additionally. Without an agreement to the contrary, the Contractor aims for an initial notification at the latest within seventy-two (72) hours after becoming aware, provided that the information is available and the notification is legally permissible.

10.3 Insofar as further relevant information becomes known to the Contractor after the initial notification, the Contractor makes it available to the Client without undue delay.

11. Return, Deletion and Retention

11.1 After termination of the Usage Agreement, or earlier upon the documented instructions of the Client, the Contractor provides the Client, for at least thirty (30) days after the termination takes effect, with a reasonable opportunity to export Client Personal Data via the export functions available in Oxolo, insofar as this is technically available, legally permissible and justifiable for security reasons. Thereafter, the Contractor deletes Client Personal Data in a data-protection-compliant manner or returns it, insofar as no statutory retention obligations, legitimate interests in evidence or Article 17(3) GDPR conflict therewith.

11.2 The Contractor deletes or returns Client Personal Data within a reasonable period after termination of the Usage Agreement, as a rule at the latest within ninety (90) days, unless a longer statutory retention obligation, a legitimate interest in evidence, a technical backup retention or a deviating documented instruction of the Client conflicts therewith.

11.3 Transcripts and recordings are stored as Client Data for the duration of the Contract, unless the Client deletes them beforehand or triggers a deletion via the functions of Oxolo. Voice profiles / voiceprints are deletable upon request and are automatically deleted upon account closure in accordance with the documented technical target state.

11.4 Documentation, security evidence, billing data, audit-trail data and other evidence that is necessary to fulfill statutory obligations or to defend, exercise or assert legal claims may be retained beyond the end of the Contract, insofar as this is legally permissible.

12. Liability

The liability of the parties is governed, in their internal relationship, by the Usage Agreement, unless mandatory data-protection law, in particular Article 82 GDPR, provides otherwise.

The Contractor is liable to the Client for damages arising from a breach of this DPA or of statutory data-protection provisions by the Contractor or subprocessors engaged by it, in accordance with the statutory provisions and in accordance with the liability provisions effectively agreed in the Usage Agreement, insofar as these do not conflict with mandatory law.

The parties inform each other without undue delay if, in connection with the processing under this DPA, claims for damages, official measures, fines or other sanctions are threatened or asserted, and support each other appropriately in defending against such claims.

13. Final Provisions

13.1 Amendments and supplements to this DPA require text form, unless mandatory law requires a stricter form. This also applies to the amendment of this form clause.

13.2 Both parties are obliged to treat as confidential all knowledge of trade and business secrets and data-security measures of the other party obtained within the framework of the contractual relationship. This obligation continues to exist even after termination of this DPA.

13.3 A right of retention of the Contractor in Client Personal Data is excluded, unless mandatory law requires otherwise.

13.4 If Client Personal Data at the Contractor is endangered by attachment, seizure, insolvency proceedings, composition proceedings or other measures of third parties, the Contractor informs the Client without undue delay, insofar as legally permissible.

13.5 The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods. The place of jurisdiction for all disputes arising out of or in connection with this DPA is - insofar as legally permissible - Hamburg.

13.6 The following annexes form part of this DPA:
Annex 1: Description of the Processing;
Annex 2: Technical and Organizational Measures;
Annex 3: Subprocessors.

13.7 This DPA enters into force upon acceptance by both parties and, with effect from its entry into force, replaces the previous data processing agreement.

Annex 1: Description of the Processing

1. Description of the Service

Oxolo is a mobile-first software-as-a-service solution for digital project, deployment, construction-site and field documentation, marketed exclusively to business customers (B2B). Depending on the booked scope of services, the configuration of the Client, the permissions granted by the Client's users, the activated functions and the project workflows, Oxolo can capture, record, upload, structure, analyze, translate, share and display information in connection with project, deployment, construction-site and field-documentation workflows.

  • audio recording of conversations on site or upload of audio content and capture of associated metadata, including timestamps, device context and - insofar as activated - location/GPS information;

  • automated transcription, including speaker assignment and - as an optional feature - voice-profile-based speaker identification ("Voiceprints"; biometric data within the meaning of Article 9 GDPR);

  • AI-supported analysis of transcripts and project data, including summaries, labels, tasks, variations, delays and associated project signals;

  • creation of reports and project documentation, including PDF, XLSX and DOCX outputs as well as - insofar as relevant - embedded evidence files;

  • capture and storage of evidence, including photos, videos, signatures and associated metadata including EXIF/GPS data;

  • team collaboration, role-based project access, invitations, report downloads and activity logging;

  • sharing and external access workflows for selected recordings, reports or other project outputs via tokenized links or email notifications;

  • translation and multilingual display of project content;

  • optional WhatsApp accompanying channel for inbound/outbound communication and media processing;

  • cross-platform availability via iOS, Android and web application;

  • account, support, billing and service-management functions.

2. Purposes of the Processing

The processing takes place exclusively for the provision of Oxolo on the instructions of the Client, in particular for:

  • digital project, deployment, construction-site and field documentation;

  • recording, transcription and structuring of conversations and project events;

  • creation, storage, translation and sharing of project documentation and reports;

  • extraction, organization and display of tasks, delays, variations and action items;

  • management of projects, team collaboration, permissions, invitations, shares and audit trails;

  • speaker recognition and speaker identification, insofar as lawfully activated and used;

  • support, security, error analysis and service operation;

  • billing and contract administration, insofar as this is carried out on behalf of the Client.

3. Types of Processing

The processing includes in particular the collection, capture, recording, uploading, storage, organization, structuring, querying, display, categorization, transcription, analysis, summarization, translation, enrichment through AI-supported procedures, provision, sharing, transmission, anonymization, restriction, deletion and destruction.

4. Categories of Data Subjects
  • users of the Client;

  • employees, managers, administrators and representatives of the Client;

  • customers, suppliers and business partners of the Client;

  • contractors, subcontractors, service providers and their employees;

  • project participants, construction-site participants, site managers, architects, engineers, visitors and other persons present on site;

  • persons whose voice is contained in audio recordings;

  • persons appearing in photos, videos, evidence files or signatures;

  • recipients of shared reports, recordings, links or other project outputs;

  • support or contact persons of the Client.

5. Categories of Personal Data
  • identification data, in particular name, user ID, role, title, company, team or project assignment;

  • contact data, in particular email address, telephone number and communication data;

  • account and permission data, in particular login data, roles, access rights, organization and project memberships;

  • project and construction-site data, in particular project names, addresses, location information, project status and documentation context;

  • audio recordings and audio metadata;

  • transcripts, speaker labels, speaker assignments and summaries;

  • voice profiles / voiceprints and associated technical identifiers, insofar as activated;

  • photos, videos, signatures, evidence files and associated metadata;

  • tasks, variations, delays, labels, comments and other project signals;

  • reports, logs, exported documents and shared views;

  • device, system, security and log data, in particular IP addresses, timestamps, device context, session data, error reports, audit-trail data and access data;

  • billing, contract and support data, insofar as processed on behalf of the Client;

  • AI-generated or automatically derived data, insofar as it is based on Client Input and contains personal data.

6. Special Categories of Personal Data

Insofar as Oxolo processes voice profiles / voiceprints for speaker identification, biometric data within the meaning of Article 9(1) GDPR may be processed. In addition, audio recordings, photos, videos, transcripts or project content may, depending on the content provided by the Client, contain or reveal special categories of personal data, such as health data, trade-union membership, religious or philosophical beliefs or other sensitive information.

The Client is responsible for the lawfulness of such processing and must in particular ensure transparency, a legal basis, consents and protective measures.

7. Image Metadata

Uploaded images may contain metadata, in particular location data, GPS data, device model, camera/app information, creation times and further EXIF or comparable metadata.

8. Duration of the Processing and Retention

The processing generally lasts for the term of the Usage Agreement plus the period required to fulfill statutory retention obligations. Transcripts and recordings are stored as Client Data for the duration of the Contract, unless the Client deletes them beforehand or triggers a deletion via the functions of Oxolo. 

Voice profiles / voiceprints are deleted in the following cases in accordance with the documented deletion logic:
(i) the user deletes their own voiceprint via the app;
(ii) the user is removed from an organization;
(iii) the account is deleted or archived;
(iv) the organization owner deletes an identity via the settings;
(v) a speaker is marked as "noise".
Upon deletion, the biometric template as well as the associated S3 source audio are removed. Historical transcripts, original recordings and audit-trail data are retained as Client Data, unless a separate deletion takes place.

Specific further deletion periods are governed by the Usage Agreement, the functions of Oxolo, statutory retention obligations and the documented instructions of the Client.

Annex 2: Technical and Organizational Measures

The measures described below comply with Article 32 GDPR and are taken by the Contractor to protect the personal data of the Client. The measures are subject to the state of the art and may be further developed by the Contractor, provided that the level of protection is not lowered.

1. Hosting and Data Residency
  • Cloud workloads are operated in AWS eu-west-1.

  • The primary Supabase project region is eu-west-1.

  • The RDS region for the transcript-embedding database is eu-west-1.

  • Biometric voice-profile data (voiceprints) are held in two separate databases: in the transcript-embedding database (AWS RDS, eu-west-1) and additionally in the app database (Supabase Postgres, eu-west-1). The deletion paths pursuant to Annex 1, Section 8 act on both storage locations.

  • PostHog is used on an EU instance.

  • Sentry is used on a DE instance.

  • Speech streaming is carried out via the AssemblyAI EU endpoint (streaming.eu.assemblyai.com).

  • Speech batch diarization is carried out at the AssemblyAI endpoint api.assemblyai.com/v2 in the USA. Transfer mechanism: EU SCCs (Module 3) and - insofar as certified - DPF.

  • AI inference for vision/text is carried out via Anthropic Ireland Ltd. in Ireland/EU.

2. Physical Access Control

The physical protection of the data-center infrastructure is ensured primarily by the respective hosting and infrastructure providers. Physical access control for server and hosting environments is implemented by the respective infrastructure providers, in particular AWS; the data processing takes place in their data centers with video surveillance, alarm and access-control systems. The Contractor's business premises are protected against unauthorized access outside business hours; visitors are accompanied and do not obtain unsupervised access to systems on which Client Personal Data are processed.

3. System Access Control

Systems are accessed via individual user accounts. Administrative access is granted on the basis of roles and permissions. Multi-factor authentication is used for administrative systems and - insofar as technically supported - for employee systems. Access rights follow the need-to-know principle and are reviewed as needed or regularly. Passwords and secrets are managed in appropriate password and secret-management systems. The Contractor's end devices are protected by passwords, screen lock and disk encryption.

4. Data Access Control and Separation Requirement

Role and permission concepts restrict access to the necessary user groups. Customer data are processed on a tenant-specific basis and logically separated by technical and organizational access restrictions. Permission concepts ensure that users can access only the organizations, projects and content for which they are authorized. Test and production environments are operated in an organizationally separated manner.

5. Transmission Control

Data are transmitted over encrypted connections, in particular HTTPS/TLS. Authenticated API endpoints are protected by appropriate authentication and authorization mechanisms (in particular JWT/bearer tokens, service keys). Incoming webhooks from subprocessors are, insofar as supported by the respective provider, verified via signature or bearer verification; individual public callback endpoints may, for compatibility reasons, be operated without signature verification and are secured by supplementary measures (input validation, logging, monitoring). No physical data carriers are used for the transmission of personal data. External transfers to subprocessors take place only insofar as they are necessary for the provision of the respective function.

6. Storage Control and Encryption

Data are stored with appropriate infrastructure and platform services. Encryption at rest and in transit is used, insofar as supported by the respective infrastructure and application, in particular with AWS S3, AWS RDS and Supabase Postgres. Mobile work devices are protected against unauthorized access and encrypted, insofar as technically provided for.

7. Availability and Recovery Control

Infrastructure providers and platform services are used to ensure availability and recoverability. Backups, recovery mechanisms and emergency measures are used within the framework of the technical possibilities and the deployed services. Protection against malware, security updates, monitoring and technical hardening are implemented following a risk-based approach.

8. Input Control, Logging and Monitoring

Oxolo uses audit-trail, security, monitoring and error-analysis mechanisms to the extent technically available. Audit-trail records are protected against deletion on an append-only basis via database triggers. Sentry is used for error analysis and monitoring. PostHog is used for product analytics, feature flags and LLM cost and usage analyses, insofar as configured.

9. Commission Control and Subprocessors

Subprocessors are selected according to data-protection criteria. Agreements are concluded with subprocessors insofar as they process personal data as processors on behalf of the Contractor. Third-country transfers take place only in accordance with Chapter V GDPR.

10. Data Minimization and Deletion Concept

Client Personal Data are deleted or returned in accordance with the Usage Agreement, this DPA, the available product functions and documented instructions. Voice profiles / voiceprints and associated S3 audio objects are deletable in accordance with the documented product functions. Historical transcripts and recordings are treated separately as Client Data.

11. Personnel

Employees and other persons authorized to process are committed to confidentiality. Access to Client Personal Data is restricted to persons who need it to perform their tasks. Data-protection and security training is carried out according to risk and as occasion requires.

12. Incident and Breach Management

Defined processes exist for the detection, reporting, assessment and handling of data-protection breaches. Data-protection incidents are reported to the Client in accordance with Section 10 of this DPA.

Annex 3: Subprocessors

The Client consents to the engagement of the subprocessors listed in this Annex. Third-country transfers take place only in accordance with Section 3.7 of this DPA. In the case of third-country transfers, the Contractor additionally concludes the EU Standard Contractual Clauses with the respective subprocessor in the relevant module variant, as a rule Module 3 - processor to processor, and implements - insofar as required - supplementary measures. Insofar as a subprocessor is certified under the EU-US Data Privacy Framework, this may also be taken into account as an appropriate transfer mechanism.

| Subprocessor | Address / Country | Place of Processing | Service | Transfer Mechanism |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL / Amazon Web Services | 38 Avenue John F. Kennedy, L-1855 Luxembourg / Marcel-Breuer-Str. 12, 80807 Munich; further AWS locations or branches depending on the contract structure | EU (eu-west-1, Ireland) | Cloud infrastructure, hosting, storage, compute, S3, infrastructure services | Intra-EU; supplementary AWS DPA with EU SCCs, insofar as applicable |
| Supabase, Inc. | 970 Toa Payoh North, #07-04, Singapore | EU (eu-west-1, Ireland) | Database and authentication service | EU processing; supplementary EU SCCs, insofar as required |
| AssemblyAI, Inc. | 100 Pine Street, Suite 1250, San Francisco, CA 94111, USA | EU (Streaming, eu.assemblyai.com / streaming.eu.assemblyai.com) / USA (Batch, api.assemblyai.com/v2) | Speech transcription, streaming and batch diarization | EU SCCs (Module 3); DPF, insofar as certified; see Section 3.6 of this DPA |
| Pyannote.ai | ALLEE DE L'AUTAN, 31320 AUZEVILLE-TOLOSANE, France | EU (eu-west-3, France) | Speaker diarization and voiceprint identification | Intra-EU processing; DPA under Article 28 GDPR with Pyannote on file |
| Anthropic Ireland Ltd. | 6th Floor South Bank House, Barrow Street, Dublin 4, Dublin, Ireland | Ireland (EU) | Generative AI / LLM inference (vision and text) | Intra-EU; third-country transfer possible at the level of Anthropic subprocessors, insofar as applicable |
| OpenAI Ireland Limited | 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland | Ireland (EU); possible group-level connections to the USA | LLM reference service / AI functions | Intra-EU; supplementary EU SCCs, insofar as required |
| AC PM LLC (Postmark) | 1 N Dearborn Street, Suite 500, Chicago, IL 60602, USA | USA | Dispatch of transactional emails | DPF certification and/or DPA with EU Standard Contractual Clauses |
| Functional Software, Inc. (Sentry) | 45 Fremont St, 8th Floor, San Francisco, CA 94105, USA | Germany (Sentry DE instance, ingest.de.sentry.io) | Monitoring, error analysis, error tracking | Intra-EU (processing in DE); supplementary EU SCCs (Module 3) vis-à-vis the US parent company; DPF certification |
| PostHog, Inc. | 2261 Market Street #4008, San Francisco, CA 94114, USA | EU (eu.i.posthog.com) | Product analytics, feature flags, usage and cost analysis / cost tracking | EU processing; supplementary EU SCCs (Module 3) vis-à-vis the US parent company |
| Stripe Payments Europe Limited | 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland | Possible third-country connection via the Stripe group | Payment processing | EU SCCs (Module 3); DPF certification of Stripe Inc., insofar as applicable |
| Google Ireland Limited (Analytics) | Gordon House, Barrow Street, Dublin 4, Ireland | Ireland (EU); possible group-level connections to the USA | Web/product analytics | Intra-EU; supplementary EU SCCs; DPF certification of Google LLC |
| Google Ireland Limited (Google Maps / Geocoding) | Gordon House, Barrow Street, Dublin 4, Ireland | Ireland (EU); possible group-level connections to the USA | Map display, geocoding and location-based services for Oxolo | Intra-EU; supplementary EU SCCs; DPF certification of Google LLC |
| Google Play / Google Commerce Limited / Google Ireland Limited or Google LLC | Google Commerce Limited: Gordon House, Barrow Street, Dublin 4, Ireland | Ireland (EU); possible group-level connections to the USA | App distribution, in-app purchases; independent controller for payment and store transaction data, processor solely for receipt verification | Controller Terms / DPA and appropriate safeguards, insofar as required; supplementary EU SCCs; DPF certification of Google LLC |
| Apple Distribution International Ltd. / Apple | Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, insofar as the EMEIA contract structure is applicable | Ireland (EU); possible group-level connections to the USA | App distribution, in-app purchases; independent controller for payment and store transaction data, processor solely for receipt verification | Intra-EU; Apple contractual terms; supplementary EU SCCs for any intra-group transfers, insofar as required |
| Meta Platforms Ireland Ltd. (WhatsApp Business / Cloud API) | Merrion Road, Dublin 4, D04 X2K5, Ireland | Ireland (EU); group-level connections to the USA | WhatsApp accompanying channel for inbound/outbound communication | Intra-EU; supplementary EU SCCs; DPF certification of the Meta group |
| WhatsApp LLC / Meta Platforms | 1 Meta Way, Menlo Park, California 94025, USA | USA / EU via Meta Ireland | WhatsApp communication service, inbound/outbound messaging and media handling, insofar as activated | DPF certification and/or DPA with EU Standard Contractual Clauses, insofar as required |
| AppsFlyer Germany GmbH | Schönhauser Allee 180, 10119 Berlin, Germany | Germany | Mobile attribution, marketing and campaign analytics, install tracking, insofar as activated | Adequacy decision for Israel; supplementary EU SCCs |
| Slack Technologies LLC | 415 Mission St, 3rd Floor, San Francisco, CA 94105, USA | USA / EU (Frankfurt, insofar as activated) | Communication service (internal workflows / accompanying channel, insofar as used) | EU SCCs (Module 3); DPF certification |
| Twilio Inc. | 101 Spear Street, Fifth Floor, San Francisco, CA 94105, United States | USA | Communication or messaging infrastructure, reserved | DPA with appropriate safeguards, insofar as required |
| HubSpot Germany GmbH | Am Postbahnhof 17, 10243 Berlin, Germany | possible group-level connections to the USA (HubSpot, Inc.) | CRM, email/marketing automation, lifecycle communication, lead and contact management, insofar as activated | Intra-EU; supplementary EU SCCs (Module 3) vis-à-vis the US parent company; DPF certification of HubSpot, Inc., insofar as certified |
| OneTrust LLC | 200 Abernathy Rd NE, Suite 300, Atlanta, GA 30328, USA | USA / EU region depending on configuration | Consent management system, cookie banner, consent log | EU SCCs (Module 3); DPF certification |