Regulations on the commissioned processing of personal data

1. Scope of application

  1. FlowLyne processes personal data of the customer in the context of the use of the services offered in accordance with Article 28 of the General Data Protection Regulation (GDPR). These regulations apply to all activities in which FlowLyne processes the customer's personal data on behalf of the customer.

2. Object and duration of the processing

  1. Purpose: FlowLyne provides AI-supported telephone assistants that process personal data as part of the contractually agreed services.

  2. Duration: The processing takes place for the duration of the use of FlowLyne's services. After the end of use, the regulations on data deletion apply (see point 9).

3. Type, purpose and data concerned

  1. Type of processing: Storage, retrieval, organization, adaptation, transmission and deletion of personal data.

  2. Purpose of processing: Provision of a telephone assistant to support the client's communication processes.

  3. Categories of data concerned:

    • Contact details (e.g. name, telephone number, e-mail address).

    • Conversation content (e.g. messages, recordings, minutes).

  4. Affected persons: Customers, interested parties, suppliers and employees of the client as well as callers who interact with the AI telephone assistant.

4. Obligations of the contractor

  1. FlowLyne undertakes to process personal data exclusively within the scope of the contractually agreed services.

  2. FlowLyne ensures that all persons involved in processing are bound to confidentiality.

  3. FlowLyne may only provide information to third parties or the data subject with the customer's prior consent. FlowLyne will forward any requests sent directly to FlowLyne to the customer without delay.

  4. Technical and organizational measures (TOMs) are implemented in accordance with Art. 32 GDPR to ensure an adequate level of protection.

  5. Support obligations of FlowLyne, in particular for:

    • the fulfillment of data subject rights (e.g. information, correction, deletion).

    • the implementation of data protection impact assessments.

    • the reporting of data breaches.

5. Subcontractors

  1. FlowLyne is entitled to use or change subcontractors for the processing of personal data without the prior consent of the customer being required.

  2. However, FlowLyne undertakes to inform the customer of any changes or new subcontractors in text form at least 30 days before the subcontractor starts processing the data.

  3. The customer has the right to object to the commissioning of a subcontractor if there is a legitimate interest (e.g. inadequate data protection measures). Such an objection must be declared in writing within 14 days of notification.

  4. If no objection is raised, the commissioning of the subcontractor shall be deemed approved.

  5. FlowLyne ensures that subcontractors are subject to the same data protection obligations.

6. Technical and organizational measures (TOMs)

  1. FlowLyne is committed to ensuring an adequate level of protection for the processing of personal data. To this end, FlowLyne implements the following measures:
    • Encryption: All data transmissions are TLS-encrypted to ensure the confidentiality and integrity of the data during transmission.

    • Authentication: API accesses are authenticated by cryptographic keys to ensure that only authorized systems or persons have access to the data.

    • Securing sensitive data: Sensitive configuration data (e.g. access data, tokens) is securely stored in the Google Secret Manager to prevent unauthorized access.

    • Access control: Access to systems and data is restricted by role-based permissions so that only authorized persons have access to the required information.

    • Logging: Access to personal data is logged to make potential incidents traceable and to detect unauthorized access.

  2. Changes that do not impair the level of protection can be made as part of technical development. The customer will be notified of any significant changes.

7. Rights and obligations of the customer

  1. The customer is responsible for the lawfulness of the processing.

  2. The customer shall issue all orders, partial orders or instructions in documented form. In urgent cases, instructions may be issued verbally. The customer shall confirm such instructions in writing without delay.

  3. The customer is entitled to exercise control rights, e.g. through audits or reports.

8. Notification obligations

  1. FlowLyne reports data breaches immediately, at the latest within 24 hours of becoming aware of them.

  2. FlowLyne immediately forwards inquiries from affected parties to the customer.

9. Termination of the processing

  1. Upon termination of the use of FlowLyne's services, all personal data of the customer will be either deleted or returned at the customer's discretion.

  2. FlowLyne documents the proper deletion or return of the data.

10. Liability

  1. FlowLyne is only liable for damages caused by a breach of these regulations or applicable data protection laws.

  2. Liability is limited to the amount of the remuneration paid in the respective contract year. This limitation shall not apply in cases of intent or gross negligence.

11. Final provisions

  1. These regulations are an integral part of FlowLyne's General Terms and Conditions. Amendments shall be made in accordance with the provisions set out in the General Terms and Conditions.

  2. German law shall apply. The place of jurisdiction is Berlin.

Status: 30.10.2024