Appendix II: Data Processing Addendum
as of August 28th, 2025
In the course of rendering services as per the Konvo GmbH Terms & Conditions (hereinafter referred to as “Terms & Conditions”), it is necessary that Konvo GmbH, Berlin, Germany (hereinafter referred to as “Software Provider”) deals with personal data with regard to which you (hereinafter referred to as “Client”) act as a controller in terms of data protection law (hereinafter referred to as “Client Data”). This agreement amends the Terms & Conditions and specifies the data protection obligations and rights of the parties in connection with the Software Provider's use of Client Data to render the services under the Terms & Conditions.
1. Subject of the Agreement
The subject of this Agreement (Data Processing Addendum) is the processing of personal data on behalf of the Client by the Software Provider. This processing serves to enable AI-powered marketing services for the Client according to the Terms & Conditions. This Data Processing Addendum regulates data protection in this regard.
2. Scope of the commissioning
- The Software Provider shall process the Client Data on behalf and in accordance with the instructions of the Client within the meaning of Art. 28 GDPR (General Data Protection Regulation (EU) 2016/679 – Processing on Behalf). The Client remains the controller in terms of data protection law.
- The processing of Client Data by the Software Provider occurs in the manner and the scope and for the purpose determined in Annex 1 to this agreement; the processing relates to the types of personal data and categories of data subjects specified therein. The duration of processing corresponds to the term of the Terms & Conditions.
- The Software Provider reserves the right to anonymize or aggregate the Client Data in such a way that it is no longer possible to identify individual data subjects, and to use them in this form solely for: (a) improving service accuracy and performance, (b) developing new features directly related to existing AI conversation services, (c) ensuring platform security and preventing abuse, and (d) providing aggregated analytics and insights to improve customer experience. Such use is strictly limited to service improvement purposes and excludes commercial product development for third-party licensing or unrelated business ventures. The parties agree that properly anonymized or aggregated Client Data are not considered Client Data for the purposes of this agreement. Where necessary, Software Provider and Client shall work closely together to ensure that the necessary data protection requirements for anonymization, aggregation, and reuse by the Software Provider for the aforementioned purposes are met to the greatest extent possible.
- The Software Provider may process and use the Client Data for his own purposes as controller to the extent legally permitted by data protection law, if permitted by a statutory permission or consent by the data subject. This Agreement does not apply to such data processing.
- The processing of Client Data by the Software Provider shall in principle take place inside the European Union or another contracting state of the European Economic Area (EEA). The Software Provider is nevertheless permitted to process Client Data in accordance with the provisions of this agreement outside the EEA if he informs the Client in advance about the place of data processing and if the requirements of Art. 44 to 48 GDPR are fulfilled or if an exception according to Art. 49 GDPR applies.
3. Right of the Client to issue instructions
- The Software Provider processes the Client Data in accordance with the instructions of the Client unless the Software Provider is legally required to do otherwise by European Union or Member State law to which the processor is subject. In the latter case, the Software Provider shall inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- The instructions of the Client are in principle conclusively stipulated and documented in the provisions of this agreement. Individual instructions which deviate from the stipulations of this agreement, or which impose additional requirements, shall require the Software Provider's consent and shall be made in accordance with the change request procedure laid down in the Terms & Conditions or Commercial Agreement; the instruction shall be documented and any additional costs incurred by the Software Provider as a result thereof shall be borne by the Client.
- The Software Provider shall ensure that the Client Data is processed in accordance with the instructions given by the Client. If the Software Provider is of the opinion that an instruction given by the Client infringes this agreement or applicable data protection law, he is entitled, after informing the Client accordingly, to suspend the execution of the instruction until the Client confirms the instruction. The parties agree that the sole responsibility for the processing of the Client Data in accordance with the instructions lies with the Client.
4. Legal Responsibility of the Client
- The Client is solely responsible for the permissibility of the processing of the Client Data and for safeguarding the rights of data subjects in the relationship between the parties. Should third parties assert claims against the Software Provider based on the processing of Client Data in accordance with this agreement, the Client shall indemnify the Software Provider from all such claims upon first request.
- The Client is responsible for providing the Software Provider with the Client Data in time for the rendering of services according to the Terms & Conditions and for the quality of the Client Data. The Client shall inform the Software Provider immediately and completely if, during the examination of the Software Provider's results, he finds errors or irregularities with regard to data protection provisions or his instructions.
- On request, the Client shall provide the Software Provider with the information specified in Art. 30 para. 2 GDPR, insofar as it is not available to the Software Provider himself.
- If the Software Provider is required to provide information to a governmental body or person on the processing of Client Data or to cooperate with these bodies in any other way, the Client is obliged at first request to assist the Software Provider in providing such information and in fulfilling other cooperation obligations.
5. Requirements for personnel and systems
The Software Provider shall commit all persons engaged in processing Client Data to confidentiality with respect to the processing of Client Data.
6. Security of processing
- The Software Provider takes, in accordance with Art. 32 GDPR, the necessary and appropriate technical and organizational measures, considering the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing of the Client Data, as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of protection of Client Data appropriate to the risk.
- The Software Provider shall have the right to modify technical and organizational measures during the term of the agreement, as long as they continue to comply with the statutory requirements.
7. Engagement of further processors
- The Client grants the Software Provider the general authorization to engage further processors with regard to the processing of Client Data. Further processors consulted at the time of conclusion of the agreement result from Annex 2. In general, no authorization is required for contractual relationships with service providers that are concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other additional services, if access to Client Data can reasonably be excluded. This may in particular be the case for development and testing services (code repositories or staging environments).
- The Software Provider shall notify the Client of any intended changes in relation to the consultation or replacement of further processors. In any case, the Client has the right to object to the engagement of a potential further processor. An objection may be raised by the Client for any reason. If the objection is not based on important reasons which have to be proven by the Client to the Software Provider, the latter may terminate the whole contractual relationship (Commercial Agreement, Terms and Conditions and this agreement) for good cause in accordance with the Terms and Conditions and cease processing of Client Data. If the Client objects for other reasons, the Software Provider is entitled to terminate the Terms & Conditions and this agreement with 30 days' notice. Insofar as the Client does not object within 14 days after receipt of the notification, his right to object to the corresponding engagement lapses.
- The agreement between the Software Provider and the further processor must impose the same obligations on the latter as those incumbent upon the Software Provider under this agreement. The parties agree that this requirement is fulfilled if the contract has a level of protection corresponding to this agreement, or if the obligations laid down in Art. 28 para. 3 GDPR are imposed on the further processor.
- Subject to compliance with the requirements of Section 2.5 of this agreement, the provisions of this Section 7 shall also apply if a further processor in a third country is involved. The Client declares his willingness to cooperate in fulfilling the requirements of Art. 49 GDPR to the extent necessary.
8. Data subjects’ rights
- The Software Provider shall support the Client within reason by virtue of technical and organizational measures in fulfilling the latter’s obligation to respond to requests for exercising data subjects’ rights.
- As far as a data subject submits a request for the exercise of his rights directly to the Software Provider, the Software Provider will forward this request to the Client in a timely manner.
- The Software Provider shall inform the Client of any information relating to the stored Client Data, about the recipients of Client Data to which the Software Provider shall disclose it in accordance with the instruction and about the purpose of storage, as far as the Client does not have this information at his disposal and as far as he is not able to collect it himself.
- The Software Provider shall, within the bounds of what is reasonable and necessary, against reimbursement of the expenses and costs incurred by the Software Provider as a result of this and to be proven enable the Client to correct, delete or restrict the further processing of Client Data, or at the instruction of the Client correct, block or restrict further processing himself, if and to the extent that this is impossible for the Client.
- Insofar as the data subject has a right of data portability vis-à-vis the Client in respect of the Client Data pursuant to Art. 20 GDPR, the Software Provider shall support the Client within the bounds of what is reasonable and necessary in return for reimbursement of the expenses and costs incurred by the Software Provider as a result of this and to be proven in handing over the Client Data in a structured, commonly used and machine-readable format, if the Client is unable to obtain the data elsewhere.
9. Notification and support obligations of the Software Provider
- Insofar as the Client is subject to a statutory notification obligation due to a breach of the security of Client Data (in particular pursuant to Art. 33, 34 GDPR), the Software Provider shall inform the Client in a timely manner of any reportable events in his area of responsibility. The Software Provider shall assist the Client in fulfilling the notification obligations at the latter’s request to the extent reasonable and necessary in return for reimbursement of the expenses and costs incurred by the Software Provider as a result thereof and to be proven.
- The Software Provider shall assist the Client to the extent reasonable and necessary in return for reimbursement of the expenses and costs incurred by the Software Provider as a result thereof and to be proven with data protection impact assessments to be carried out by the Client and, if necessary, subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR.
10. Evidence and audits
- The Software Provider shall provide the Client, at the latter’s request, with all information required and available to the Software Provider to prove compliance with his obligations under this agreement.
- The Client shall be entitled to audit the Software Provider with regard to compliance with the provisions of this agreement, in particular the implementation of the technical and organizational measures; including inspections.
- In order to carry out inspections in accordance with Section 10.2, the Client is entitled to access the business premises of the Software Provider in which Client Data is processed within the usual business hours (Mondays to Fridays from 10 a.m. to 6 p.m.) after timely advance notification in accordance with Section 10.5 at his own expense, without disruption of the course of business and under strict secrecy of the Software Provider's business and trade secrets.
- The Software Provider is entitled, at his own discretion and taking into account the legal obligations of the Client, not to disclose information which is sensitive with regard to the Software Provider's business or if the Software Provider would be in breach of statutory or other contractual provisions as a result of its disclosure. The Client is not entitled to get access to data or information about the Software Provider's other clients, cost information, quality control and contract management reports, or any other confidential data of the Software Provider that is not directly relevant for the agreed audit purposes.
- The Client shall inform the Software Provider in good time (usually at least two weeks in advance) of all circumstances relating to the performance of the audit. The Client may carry out one audit per calendar year. Further audits are carried out against reimbursement of the costs and after consultation with the Software Provider.
- If the Client commissions a third party to carry out the audit, the Client shall obligate the third party in writing the same way as the Client is obliged vis-à-vis the Software Provider according to this Section 10 of this agreement. In addition, the Client shall obligate the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy. At the request of the Software Provider, the Client shall immediately submit to him the commitment agreements with the third party. The Client may not commission any of the Software Provider's competitors to carry out the audit.
- At the discretion of the Software Provider, proof of compliance with the obligations under this agreement may be provided, instead of an inspection, by submitting an appropriate, current opinion or report from an independent authority (e.g. auditor, audit department, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit – e.g. according to BSI-Grundschutz – (“audit report”), if the audit report makes it possible for the Client in an appropriate manner to convince himself of compliance with the contractual obligations.
11. Contract term and termination
- The term and termination of this agreement shall be governed by the term and termination provisions of the Terms & Conditions. A termination of the Terms & Conditions automatically results in a cancellation of this agreement. An isolated termination of this contract is excluded.
- At the choice of the Client, Software Provider deletes or returns all the personal data to the Client after the end of the provision of services relating to processing, and deletes existing copies unless European Union or Member State law requires storage of the personal data.
12. Liability
- The Software Provider's liability under this agreement shall be governed by the disclaimers and limitations of liability provided for in the Terms & Conditions. As far as third parties assert claims against the Software Provider which are caused by the Client’s culpable breach of this agreement or one of his obligations as the controller in terms of data protection law affecting him, the Client shall upon first request indemnify and hold the Software Provider harmless from these claims.
- The Client undertakes to indemnify the Software Provider upon first request against all possible fines imposed on the Software Provider corresponding to the Client’s part of responsibility for the infringement sanctioned by the fine.
13. Final provisions
- In case individual provisions of this agreement are ineffective or become ineffective or contain a gap, the remaining provisions shall remain unaffected. In such cases, the statutory provisions shall apply.
- In case of conflicts between this agreement and other arrangements between the parties, in particular the Terms & Conditions, the provisions of this agreement shall prevail.
----
Annex 1: Purpose, type and extent of the processing of Client Data, types of personal data and categories of data subjects
Purpose of data processing
Enabling AI-powered marketing services for the Client according to the Terms & Conditions.
Type and extent of data processing
Client Data will be processed in accordance with the Terms & Conditions which may include any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Types of personal data
Personal data relating to individuals provided to Software Provider via the services provided under the Terms & Conditions by (or at the direction of) Client or by Client’s (potential) customers, the extent of which is determined and controlled by Client in its sole discretion, and which may include but is not limited to personal data relating to the following categories of data:
- First, Middle and Last Name
- Personal contact information (phone number, e-mail address, Facebook/WhatsApp and other instant-chat channels' account information, physical addresses)
- Date of birth, gender, language, nationality, profile pictures
- Shopping history (ordered products, number of orders, money spent, applied discounts, applied loyalty programs, wishlists, returns, service requests and general order preferences)
- Custom notes & properties (Date of birth, gender, language, nationality, profile pictures, sentiments, internal comments, tags, personal preferences)
- Tracking information (cookies, browser fingerprints, Facebook Ad Manager attribution)
- Conversational chat history from and to Client’s (potential) customers (messages, audio files, video files, other attachments)
- Survey & Feedback results (interviews, NPS scores, requests)
- Billing data & plan
- Productivity and performance analytics (sales, speed, customer satisfaction)
Client may submit special categories of data to Software Provider as a part of its Client Data, the extent of which is determined and controlled by Client in its sole discretion; for the sake of clarity, this means personal data pursuant to Art. 9 GDPR, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and data concerning health or sex life.
Categories of data subjects
Clients’ (potential) end customers, business owners, employees, advisors, partners, agencies and freelancers.
----
Annex 2: Further Processors
| Company, address | Type of processing | Purpose | Type of data | Categories of data subjects |
|---|---|---|---|---|
| Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland | All mentioned in Annex 1 | Google Cloud – Hosting of Client Data (Infrastructure) and data from Client’s (potential) | All mentioned in Annex 1 | All mentioned in Annex 1 |
| WhatsApp Inc., 1601 Willow Road, Menlo Park, California 94025, USA | All mentioned in Annex 1 | Communication with Client’s (potential) End Customers (Service Provider) | All mentioned in Annex 1 | All mentioned in Annex 1 |
| Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland | All mentioned in Annex 1 | Communication with Client’s (potential) End Customers (Service Provider) | All mentioned in Annex 1 | All mentioned in Annex 1 |
| Functional Software, Inc. dba Sentry, 132 Hawthorne St, San Francisco, CA 94107 | All mentioned in Annex 1 | Error tracking and logging of Client’s (potential) End Customer information | All mentioned in Annex 1 | All mentioned in Annex 1 |
| Slack Technologies Ltd., One Park Place, 4th floor, Hatch Street Upper, Saint Kevin’s, Dublin 2, Ireland | All mentioned in Annex 1 | Client feedback and request handling | All mentioned in Annex 1 | All mentioned in Annex 1 |
| Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland | All mentioned in Annex 1 | Google Vertex AI (access to Google Gemini AI models for generating chat conversations) | All mentioned in Annex 1 | All mentioned in Annex 1 |
| OpenAI, L.L.C., 1455 3rd Street, San Francisco, CA 94158, USA | All mentioned in Annex 1 | Access to GPT AI models for generating chat conversations | All mentioned in Annex 1 | All mentioned in Annex 1 |
| Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104-5401, USA | All mentioned in Annex 1 | Access to Claude AI models for generating chat conversations | All mentioned in Annex 1 | All mentioned in Annex 1 |
| Eleven Labs Inc., 169 Madison Ave #2484, New York, NY 10016, USA | All mentioned in Annex 1 | Access to AI models for generating chat conversations | All mentioned in Annex 1 | All mentioned in Annex 1 |
| Jina AI GmbH, Prinzessinnenstraße 19 / 4th floor, 10969 Berlin, Germany | All mentioned in Annex 1 | Access to AI models for generating chat conversations | All mentioned in Annex 1 | All mentioned in Annex 1 |
| Amazon Web Services EMEA S.à r.l., 38 Avenue John F. Kennedy, L-1855, Luxembourg | All mentioned in Annex 1 | Access to Bedrock AI system via API for generating chat conversations | All mentioned in Annex 1 | All mentioned in Annex 1 |
----
Annex 3: Technical and Organizational Measures (TOMs) – Security Services
The technical and organizational measures (“TOMs”) provided below apply to all standard service offerings provided by Konvo GmbH, Berlin (hereinafter referred to as “Software Provider”) except where Client is responsible for security and privacy TOMs. Software Provider reserves the right to revise these technical and organizational measures at any time, without notice, as long as any such revisions will continue to comply with the statutory requirements.
- Organizational management and dedicated staff responsible for the development, implementation, and maintenance of the Software Provider’s platform.
- Maintenance of information security policies, ensuring that policies and measures are regularly reviewed and, where necessary, improved.
- Communication with Software Provider applications utilizes cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model.
- Data security controls which include logical segregation of data, restricted (e.g., role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies.
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, and policies including prohibiting users from sharing passwords.
- Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Software Provider technology and information assets.
- Incident / problem management procedures designed to allow the Software Provider to investigate, respond to, mitigate and notify of events related to Software Provider technology and information assets.
- Vulnerability assessment, patch management, and scheduled monitoring procedures designed to identify and assess security threats and malicious code.
- Business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recover from foreseeable emergency situations or disasters.
- Furthermore, where the provided client service is deployed on Google Cloud Platform, the Software Provider also refers to Google’s own technical and organizational measures for keeping the platform secure.