Data Processing Agreement

Pursuant to Art. 28 GDPR

Last updated: 14 April 2026

1 Parties

This Data Processing Agreement ("Agreement") is concluded between

Z360.AI (owner: Alper Koyuncu), Konrad-Adenauer-Str. 4, 93077 Bad Abbach, Germany – hereinafter the "Processor",

and

each customer who makes use of the services of Z360.AI – hereinafter the "Controller",

jointly referred to as the "Parties."

2 Subject-Matter of the Agreement

1. This Agreement specifies the obligations of the Parties with regard to the protection of personal data pursuant to Regulation (EU) 2016/679 (General Data Protection Regulation – "GDPR") and the German Federal Data Protection Act ("BDSG").

2. It supplements the underlying Z360.AI Services Agreement and governs every transfer of personal data between the Parties, including the technical and organisational measures required to ensure confidentiality, integrity and availability.

3. The measures laid down herein prevent any disclosure or transfer of personal data to unauthorised third parties.

3 Definitions

| Term | Definition within the meaning of the GDPR |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Controller | The party that determines the purposes and means of the processing of personal data. |
| Processor | The party that processes personal data on behalf of the Controller. |
| Confidential Information | All non-public business, technical, legal or financial information, in particular the personal data referred to in Clause 5. |
| Applicable Data-Protection Law | GDPR, BDSG and all other relevant German or European data-protection provisions. |

4 Joint Obligations of the Parties

4.1 Lawful Processing – The Parties shall process personal data solely for the contractual purposes agreed upon. Unauthorised disclosure, alteration or use for other purposes is prohibited. This obligation survives the termination of the Agreement without limitation.

4.2 Technical and Organisational Measures – The Parties shall implement appropriate and demonstrable measures to:

• prevent unlawful processing,

• block unauthorised access,

• guarantee confidentiality, integrity and availability, and

• ensure that data are used exclusively for their intended purpose.

4.3 Sub-Processors – If a Party engages sub-processors, it shall contractually ensure compliance with the duties set out in Clause 4.1. Each Party is liable for breaches in proportion to its fault.

4.4 Data-Breach Notification – If personal data are unlawfully obtained by third parties, the Parties shall immediately notify each other, the competent supervisory authority and, where required, the data subjects.

5 Categories of Personal Data Processed

5.1 Data transferred by the Controller

| Category | Purpose(s) |
|---|---|
| Name | Contract execution, communication, customer service |
| E-mail, telephone, address | Contract execution, purchase of goods/services, marketing & campaigns |
| Purchase history | Operations, marketing analysis, marketing & campaigns |

5.2 Data transferred by the Processor

| Category | Purpose(s) |
|---|---|
| Name, contact details | Contract execution, customer service, marketing analysis |
| Call-centre recordings | Communication, operations, quality assurance |
| Order/dispatch data | Contract execution, logistics, customer service |
| IT usage data (IP, logins) | Operational security, abuse prevention |

6 Protection of Personal Data

6.1 Role as Processor: Z360.AI processes personal data exclusively as a Processor within the meaning of Art. 28 GDPR and is not an independent Controller with respect to data processed on behalf of the Controller. Processing takes place solely on the basis of the Controller's documented instructions. Z360.AI shall notify the Controller without delay if, in its view, an instruction infringes the GDPR or any other applicable data-protection provision.

6.2 Each Party fulfils its statutory obligations independently; risks arising from any breach remain with the defaulting Party.

6.3 The Parties process the personal data received solely for the agreed purposes and apply all technical and organisational safeguards against unauthorised access or loss.

6.4 Where special categories of data under Art. 9 GDPR are processed, the Parties adopt additional safeguards pursuant to Art. 32 GDPR.

6.5 Disclosure to employees follows the need-to-know principle; employees are bound to confidentiality and trained in data protection.

6.6 Transfers to third parties or third countries require the other Party's prior written consent, save for essential infrastructure service-providers that comply with EU data-protection standards. The sub-processors currently engaged are:

• Twilio Ireland Ltd., Ireland – SIP telephony services and telephone number management

• Supabase Inc., USA – database services

• ElevenLabs, Inc., USA – AI voice agent

• Make, Czech Republic – workflow automation

• WhatsApp Business Cloud (Meta Platforms Ireland Ltd.), Ireland – chatbot communication

• OpenAI Ireland Ltd., Ireland – AI language model

• ZeptoMail (Zoho Corporation), USA/India – transactional and notification e-mails

• DigitalOcean LLC, USA – MCP server / cloud infrastructure

• Vercel Inc., USA – hosting infrastructure

6.7 Once the legal basis for processing ceases to exist, or upon request, the Parties irrevocably delete the data. Personal data – including call-centre recordings – are stored by the Processor for a maximum of ninety (90) days and subsequently irrevocably deleted, unless the Controller issues different written instructions; additional costs are borne by the Controller. Z360.AI shall under no circumstances use personal data to improve or train AI models or machine-learning algorithms.

6.8 The Parties respond promptly and cooperatively to information requests and data-protection incidents.

6.9 Each Party is liable for breaches committed by its employees, agents or subcontractors.

6.10 The Parties warrant that they have lawfully collected the data and fulfilled all information obligations; evidence shall be provided upon request.

6.11 Processing is carried out solely for legitimate purposes in accordance with the GDPR principles (lawfulness, purpose limitation, data minimisation, etc.). Data subjects are informed pursuant to Art. 14 GDPR.

6.12 Instructions: The Processor shall process personal data solely on the basis of the Controller's documented written instructions, including those set out in this Agreement. Oral instructions shall be confirmed in writing without delay. The Processor shall inform the Controller if, in its opinion, an instruction infringes applicable data-protection law.

6.13 Assistance with Data-Subject Rights: The Processor shall, to the best of its ability, assist the Controller in responding to requests by data subjects exercising their rights under Art. 15–22 GDPR (in particular access, rectification, erasure, restriction of processing, data portability and objection). Any requests received directly from data subjects shall be forwarded to the Controller without delay.

6.14 Audit and Inspection Right: The Controller is entitled to verify the Processor's compliance with its data-protection obligations. Audits must be notified to the Processor in writing at least fourteen (14) days in advance and shall be limited to normal business hours. The Processor shall make available all information necessary to demonstrate compliance with the obligations set out in Art. 28 GDPR and shall permit inspections, including by the Controller or an auditor appointed by the Controller.

7 Confidentiality

7.1 The Parties shall treat business secrets and personal data as strictly confidential.

7.2 Adequate protective measures shall be implemented; the GDPR requirements for confidentiality are fulfilled.

7.3 Confidential information shall not be disclosed to third parties and shall be processed only for contractual purposes; this duty survives termination.

7.4 Processing by the Processor is limited to contract fulfilment; disclosure to public authorities is permitted only where legally mandated.

7.5 The Processor implements at least the technical-organisational measures required by the GDPR; additional measures requested by the Controller may be subject to separate remuneration.

7.6 Upon security breaches, the Parties notify each other, data subjects and supervisory authorities without delay.

7.7 The Parties take all reasonable steps to mitigate damage; the defaulting Party compensates any loss incurred.

7.8 Upon termination, confidential information is either returned or destroyed.

8 Principles of Data Processing

Processing activities are guided by the following principles:

• neutrality (objective approach)

• equal treatment (fair handling)

• good faith (trust and integrity)

• confidentiality (highest care)

• secrecy (business secrets)

• data minimisation (necessary scope)

9 Obligations of the Parties

9.1 The Parties supply each other with all information required for proper contract execution.

9.2 Neither Party is liable for delays or defects resulting from inaccurate information supplied by the other Party.

9.3 Confidential information may only be disclosed to authorised persons; disclosure to third parties without consent is prohibited.

9.4 Where third parties are engaged, the engaging Party is liable for their compliance with this Agreement.

9.5 Unauthorised disclosure triggers full liability of the responsible Party for all resulting damages.

9.6 Business secrets must be specially protected:

a) disclosure only to authorised staff;

b) no unauthorised reproduction or forwarding;

c) physical records kept under lock and key or similarly secured.

10 Information Exempt from Confidentiality

Confidentiality does not apply to information that:

(1) must be disclosed by law or court order;

(2) is already in the public domain;

(3) was lawfully obtained without a confidentiality obligation.

11 Liability

Each Party is liable for breaches according to its degree of fault. The Processor's liability is limited to 50% of the fees paid by the Controller. Indirect damages (e.g., loss of profit) are excluded to the extent permitted by law.

12 Severability

The invalidity of any provision shall not affect the validity of the remainder of the Agreement. An invalid provision shall be replaced by one that comes closest to its economic intent. Statutory amendments shall be implemented without delay.

13 Governing Law and Jurisdiction

This Agreement shall be governed by German law. Exclusive venue for all disputes shall be Regensburg, Germany.

14 Term

The Agreement enters into force upon the Controller's electronic acceptance. The data-protection obligations remain in force beyond termination of the underlying Services Agreement. Personal data may not be processed or transferred after termination, except to legally authorised authorities.

Acceptance

By using the services of Z360.AI, the Controller agrees to be bound by this Agreement. A separate signature is not required.

Contact Us

If you have any questions about this Data Processing Agreement, please contact us: