This Data Processing Agreement (hereinafter the “Agreement”) is entered into by and between:
The entity identified as the Customer in the account registration or order form for the Let's Whisper service (hereinafter referred to as the “Controller”),
and
Let's Whisper s.r.o., Id. No: 238 49 959, with its registered office at Křižíkova 148/34, Karlín, 186 00 Praha 8, Czechia, registered in the Commercial Register maintained by the Municipal Court in Prague, section C, insert 433436 (hereinafter referred to as the “Processor”; the Controller and the Processor hereinafter collectively referred to as the “Parties” or individually as the “Party”).
This Agreement is concluded electronically by the Controller's acceptance during the registration process or by signing an order form. By accepting this Agreement, the person acting on behalf of the Controller represents and warrants that they have the legal authority to bind the Controller. If such person does not have the requisite authority, they accept personal liability for the obligations arising under this Agreement.
1.1. Under this Agreement the Processor processes personal data provided by the Controller for the purposes of provision of the Let's Whisper service, an AI-powered communication automation platform (hereinafter the “Service”).
1.2. The Agreement is made in light of the requirements set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the “GDPR”) and other applicable legislation. Unless explicitly provided otherwise in this Agreement, definitions used in this Agreement shall have the same meaning as set out in the GDPR. This Agreement is based on the requirements set out in Article 28 of the GDPR.
1.3. The Parties agree that within the meaning of Article 4(7) of the GDPR, the Controller is the controller of personal data entrusted for processing to the Processor hereunder. Only the Controller shall decide on the purposes and means of processing the personal data. The Processor is the entity referred to in Article 28 of the GDPR.
1.4. The Processor shall process personal data to the extent and according to the rules as set forth in this Agreement, the GDPR, and other applicable legislation.
1.5. The Processor shall process personal data with professional care in order to provide legal, organizational and technical protection of the Controller's interests in connection with the processing of personal data according to this Agreement.
1.6. The scope of personal data entrusted for processing under this Agreement, the categories of data subjects, nature and purpose of the processing and duration of processing are defined in Schedule 1 hereto.
1.7. The personal data entrusted to the Processor under this Agreement shall be processed for the purpose set out in Section 1.1. The Controller represents and guarantees that it has acquired all necessary consents from the data subjects for the processing of their personal data, if needed.
1.8. The Processor guarantees that it has appropriate technical and organizational measures in place to meet the requirements of the GDPR and that it will ensure protection of the rights of the data subjects.
1.9. The Processor covenants that it shall not use Personal Data (specifically Customer's email content, voice recordings, or transcripts) to train, fine-tune, or improve general-purpose Artificial Intelligence or Machine Learning models for the benefit of third parties or the general public. The Processor may only use such data to perform automatic improvement of environment configuration specifically for the Controller (e.g., prompt tuning for the Controller's workspace and context retrieval logic).
2.1. The Processor may engage a third party for processing of personal data under this Agreement (hereinafter the “Sub-Processor”), provided that the Processor has notified the Controller in writing of such Sub-Processor, including any intended changes concerning the addition or replacement of the Sub-Processors, and the Controller has not objected thereto within 30 days of notification. If the Controller does not object, the Sub-Processor is considered approved by the Controller. The Processor shall maintain and update (as necessary) a list of all Sub-Processors used for the processing of personal data on behalf of the Controller under this Agreement. All Sub-Processors that are detailed in Schedule 1 hereto are expressly approved by the Controller as of the date of acceptance of this Agreement. The list of Sub-Processors can also be found at the website https://letswhisper.ai/subprocessors.
2.2. The Processor shall enter into a written agreement with every approved Sub-Processor, under which the Sub-Processor shall undertake obligations corresponding to those undertaken by the Processor under this Agreement. The Processor shall always remain liable for its Sub-Processor's performance and obligations as for its own.
2.3. The Controller might also explicitly authorize a Sub-Processor by taking the necessary steps to connect a third-party application or service in the interface of the Service.
2.4. Where the Processor engages a Sub-Processor in a country outside the European Union (hereinafter the “EU”) and/or the European Economic Area (hereinafter the “EEA”), the Controller hereby authorizes the Processor to sign EU approved standard contractual clauses for the transfer of personal data with the Sub-Processor in the name and on behalf of the Controller in respect of such transfer of personal data to a third country.
2.5. If the Controller objects to a new Sub-Processor notified by the Processor, the Controller may terminate this Agreement with immediate effect by a written notice delivered to the Processor within 30 days of delivery of the notification to the Controller provided that the Processor insists on engaging the new Sub-Processor. If the Controller does not deliver a written termination notice to the Processor in accordance with the previous sentence, the Sub-Processor is considered approved by the Controller regardless of the Controller's objection and the Processor may engage such Sub-Processor for the processing of any personal data on behalf of the Controller under this Agreement. The Controller will not unreasonably object to any addition or replacement of a Sub-Processor.
3.1. The Processor shall process the personal data only on documented instructions from the Controller, including any transfer of data to third countries or international organizations.
3.2. The Parties agree that this Agreement, together with Schedule 1 hereto, constitutes a documented instruction within the meaning of Section 3.1. above.
3.3. The Controller's instructions may be updated from time to time when so requested by the Controller or if so required under applicable law.
3.4. The Controller may further express the instruction by taking the necessary steps to connect a third-party application or service (other data processors) in the interface of the Service. In such a case, the Processor acts as a sub-processor.
3.5. The Processor shall take steps to ensure that any natural person acting under its authority who has access to personal data does not process them except on instructions from the Controller, unless he or she is required to do so by the applicable law.
3.6. The Controller expressly approves that the Processor (and approved Sub-Processors) may transfer or authorize the transfer of personal data to countries outside the EU and/or the EEA. If personal data processed under this Agreement is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on the EU-U.S. Data Privacy Framework, provided the recipient is duly certified thereunder.
4.1. Unless agreed or provided otherwise, the Processor shall not disclose any personal data entrusted to it, whether directly or indirectly.
4.2. The Processor shall ensure that the Processor's employees and other persons authorized to process the personal data shall be obligated to keep confidential all personal data obtained in connection with data processing under this Agreement or are under an appropriate statutory obligation of confidentiality.
4.3. The Processor shall maintain confidentiality of all information related to the entrusting of data and all personal data entrusted during the performance of this Agreement, during such performance and after expiration or termination of this Agreement, for an indefinite period of time.
5.1. The Processor shall implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR to ensure a level of security appropriate to the risk. Security measures that are or may be employed by the Processor as of the effective date of this Agreement are listed in Schedule 1 hereto.
6.1. As further set out in Chapter III of the GDPR, the data subject has certain rights (e.g., information and access to personal data, rectification and erasure, restriction of processing, data portability, right to object and certain rights in relation to automated decision-making). The Controller is obliged to facilitate the exercise of these data subject rights under the GDPR.
6.2. The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is commercially reasonable, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in the GDPR and other applicable legislation. In particular, the Processor shall assist the Controller to ensure that the personal data are kept in a form which permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data are processed.
7.1. As further set out in Articles 32 to 36 of the GDPR, the Controller has certain obligations (e.g., notification of data breach to the supervisory authority, communication of data breach to the data subject, making a data protection impact assessment and prior consultation with the supervisory authority in certain cases).
7.2. The Processor shall notify the Controller without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (personal data breach), and the Processor shall assist the Controller in ensuring compliance with obligations set out in Section 7.1. above.
8.1. The Processor shall, at the choice of the Controller, delete or return all the personal data to the Controller at the end of the performance of activity relating to processing, and delete any existing copies unless applicable law requires storage of the personal data.
9.1. The Processor shall make available to the Controller all information and documents necessary to demonstrate compliance with the obligations laid down in this Agreement, applicable legislation and the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
10.1. Neither the Processor nor the Controller shall be entitled to any compensation for carrying out its obligations under this Agreement.
11.1. The Parties acknowledge that they each respectively are liable, accountable and responsible in their respective roles as controller and processor under the requirements set forth in the GDPR and other applicable legislation and this Agreement.
11.2. The Controller is fully responsible for compliance of the instructions, requests and recommendations issued to the Processor with the determined purpose of the processing and any applicable legislation including the GDPR. The Controller declares and guarantees to the Processor that the determined purpose of the processing according to this Agreement is lawful and in accordance with Article 6 of the GDPR.
11.3. Where the Sub-Processor fails to fulfil its obligations as specified in this Agreement and the applicable law, the Processor shall remain fully liable to the Controller for the performance and non-performance of the Sub-Processor's obligations.
11.4. Each Party shall promptly notify the other Party of any proceedings, in particular administrative or court proceedings, relating to personal data processing within the scope of each of the data sets provided to the Processor, and of any administrative decision or judgment concerning the processing of that data, as well as of any inspections pertaining to personal data processing within the scope of a set of data.
11.5. If any third party brings a legal action against the Processor and/or the Controller in connection with any infringement of the personal data processing rules, the Parties shall cooperate in order to take appropriate legal measures aimed, in particular, at having the competent court dismiss or reject such third-party claim, lodging an appeal or entering into a settlement agreement, or other legal measures.
12.1. The Agreement shall be valid for an indefinite period of time, but no longer than is necessary for the purposes for which the personal data are processed.
12.2. In the event of a material breach of any provision of the Agreement or the applicable law by one of the Parties, the other Party will be entitled to terminate the Agreement with immediate effect.
13.1. This Agreement and any related legal relationships existing between the Parties shall be governed by the laws of the Czech Republic. Any disputes related to this Agreement arising between the Parties shall be resolved by the courts of general jurisdiction in the Czech Republic.
14.1. If any provision hereof is deemed to be invalid or unenforceable for any reason, all other provisions shall remain in force and the Parties shall be obliged to replace such invalid (unenforceable) provisions at the request of either Party with a provision which is valid and the economic effect of which is as close as possible to the economic effect of the replaced provision.
14.2. The Agreement constitutes the entire agreement between the Parties with respect to its subject matter and shall supersede any and all previous negotiations, both written and oral, between the Parties related to the subject matter hereof. The Parties have neither made nor will rely on any representations, undertakings, agreements or assurances which are not included herein.
14.3. Neither Party shall be entitled to assign any of its rights and obligations under the Agreement to any entity or third party without prior consent of the other Party made in writing; otherwise such assignment shall be null and void. The above provision shall not apply to the affiliates of the Parties.
14.4. The following schedule shall form an integral part hereof:
Schedule 1 — Instructions
Schedule 1 — Instructions
| Categories of personal data | The following personal data will be processed by the Processor: Data relating to individuals provided to the Processor by (or at the direction of) the Controller, e.g.: |
|---|---|
| Categories of data subjects | The following categories of data subjects will be included in the processing: |
| Nature and purpose of the processing | The nature and purpose of the processing is to provide the Service and fulfil associated obligations of the Processor. |
| Duration of processing | The processing shall continue during the term of the provision of the Service, unless otherwise instructed by the Controller. |
The Processor shall implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR to ensure a level of security appropriate to the risk, which may include as appropriate:
The Processor shall, at the request of the Controller, provide a description of its technical and organizational measures unless such description has already been provided to the Controller.
The current list of approved Sub-Processors is maintained at https://letswhisper.ai/subprocessors and includes the following as of the effective date of this Agreement:
| Sub-Processor | Purpose |
|---|---|
| Anthropic | Provision of AI models |
| DigitalOcean | Cloud infrastructure |
| | Provision of AI models, company operations |
| Smartlook.com, s.r.o. (A Cisco Company) | Product analytics |
| OpenAI | Provision of AI models |
| Langsmith | Orchestration and analytics platform for AI models |
| Linear | Engineering ticket tracking (GDPR and SOC2 compliant) |
| CodeRabbit | Automatic code reviewing software (GDPR and SOC2 compliant) |