Data Processing Agreement

A. This Data Processing Agreement ("DPA") is entered into by and between the customer organisation below (the "Controller" or "Customer") and Eldevia MB (reg. nr. 305903643), Girulių g. 10, LT-12112 Vilnius, Lithuania ("DULTRA", "Processor", "we" or "us").

B. The Parties have entered into a separate software-subscription contract or terms of service (the "Service Agreement") under which DULTRA provides AI-supported sales-training tools, including real-time voice simulation, post-call evaluation, coaching analytics, and call-recording features. In the course of providing the Services, DULTRA will Process Personal Data on behalf of the Controller.

C. This DPA sets out the rights and obligations of the Parties with respect to such Processing, in accordance with Article 28 GDPR.

D. This DPA forms an integral part of, and is incorporated by reference into, the Service Agreement. In the event of any conflict between this DPA and the Service Agreement, this DPA shall prevail to the extent of the conflict, unless the Parties expressly agree otherwise in writing.

E. Capitalised terms not otherwise defined herein shall have the meanings given to them in the GDPR or, where relevant, in the Service Agreement.

F. The Parties expressly acknowledge that this DPA does not establish a joint controllership arrangement under Article 26 GDPR. Each Party remains solely responsible for its own compliance with Applicable Law in respect of its separate processing activities. DULTRA processes Personal Data solely on behalf of and under the documented Instructions of the Controller. DULTRA does not engage in automated decision-making with legal or similarly significant effects on Data Subjects.

0.1 Integral Documents. This DPA consists of the main body and the following annexes: Annex 1 — Detailed Instructions for Processing; Annex 2 — Technical and Organisational Measures (TOMs); Annex 3 — Approved Sub-Processors.

0.2 Headings and References. Clause headings are for convenience only and do not affect interpretation. References to Articles are to those of the GDPR unless otherwise stated.

0.3 Incorporation of Law. References to any statute or statutory provision include any modification, extension or re-enactment thereof.

0.4 No Waiver. Failure or delay by either Party in exercising any right under this DPA shall not constitute a waiver of that right.

0.5 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

0.6 Order of Precedence. In the event of any conflict between the provisions of this DPA and the Service Agreement, the provisions of this DPA shall prevail with respect to data protection matters. In the event of conflict between the main body of this DPA and any Annex, the main body shall prevail unless the Annex expressly states otherwise.

2.1 The Controller determines the purposes and means of Processing; DULTRA acts solely as a Processor based on the Controller's documented Instructions (Art. 4(7) & (8) GDPR).

2.2 Obligations of the Controller (Customer)

2.2.1 Documented Instructions. Initial Instructions are set out in Annex 1.

2.2.2 Lawful Basis. The Controller shall ensure that a valid legal basis exists for all Processing of Personal Data under this DPA. Where data captured during a call may include special-category data under Article 9 GDPR (e.g., health, political opinion, religious beliefs), the Controller shall ensure an appropriate Article 9(2) basis exists.

2.2.3 Transparency. The Controller shall inform Data Subjects of the Processing in accordance with Articles 13 and 14 GDPR — including clear notice that AI-assisted transcription, evaluation, and coaching tools are used.

2.2.4 Consent. Where the legal basis is consent, the Controller shall ensure valid, informed, specific, and freely given consent has been obtained from Data Subjects prior to Processing — including counterparty consent for any real-call recording feature.

2.2.5 Data Accuracy. The Controller shall ensure that all Personal Data provided to DULTRA is accurate, complete, and kept up to date.

2.2.6 Supervision. The Controller shall supervise the Processing of Personal Data under this DPA throughout its duration.

2.2.7 AI Content Verification. The Controller shall ensure that AI-generated evaluations, coaching tips, and call summaries are reviewed by a human reviewer before being acted upon for performance-management purposes.

2.2.8 Sectoral Compliance. The Controller shall ensure compliance with all applicable sector-specific laws — including, where relevant, financial-services conduct rules, insurance distribution rules, and consumer-protection law.

2.2.9 Staff Training. The Controller shall ensure that all personnel authorised to use the Services receive appropriate training on responsible use of AI-assisted sales tools.

2.3 Obligations of the Processor (DULTRA)

2.3.1 DULTRA shall Process Personal Data only for the Controller's documented Instructions.

2.3.2 If DULTRA considers that an Instruction infringes the GDPR, DULTRA shall immediately notify the Controller and may suspend the relevant Processing.

2.3.3 DULTRA shall maintain the confidentiality of all Personal Data processed under this DPA.

2.3.4 DULTRA shall ensure that personnel receive appropriate data protection training.

2.3.5 DULTRA shall implement and maintain the technical and organisational security measures set out in Annex 2.

2.3.6 DULTRA shall assist the Controller in responding to Data Subject requests.

2.3.7 DULTRA shall assist the Controller with Articles 32–36 GDPR compliance.

2.3.8 DULTRA shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits.

2.3.9 DULTRA shall notify the Controller of any Personal Data Breach without undue delay, in accordance with Section 6.

2.3.10 Upon termination, DULTRA shall delete or return all Personal Data in accordance with Section 8.

2.4 DULTRA may refuse, suspend, or propose alternatives to any Instruction it reasonably believes would breach this DPA or Applicable Law.

2.5 If the Controller provides additional instructions beyond those expressly stated in this DPA, DULTRA is entitled to compensation for costs and additional work.

2.6 DULTRA shall apply the principles of data protection by design and by default in accordance with Article 25 GDPR — including a zero-data-retention (ZDR) by default posture for raw audio, simulation streams, and AI inference layers (with opt-in storage available to the Controller per organisation), a real-time PII redaction pipeline applied to all transcripts before persistence, and zero-data-retention contractual terms with all AI sub-processors handling Personal Data (see Annex 3).

2.7 Limitation on Special-Category Data. The Controller shall not provide to DULTRA, and shall instruct its personnel not to elicit during simulated or recorded calls, any Personal Data falling within Article 9 GDPR beyond what is strictly necessary for the Approved Purpose. Incidental capture during a recorded business conversation is permitted to the extent unavoidable, provided that the Controller's redaction-policy settings are configured to filter such data prior to persistence wherever technically feasible.

3.1 All Processing shall take place exclusively within the Authorised Territory.

3.2 DULTRA shall not transfer Personal Data to, or allow access to Personal Data from, any location outside the Authorised Territory. All AI inference, storage, and processing are performed exclusively within EU regions. DULTRA implements encryption at rest and in transit (Section 5).

3.3 Operational staff with production access are based in the EU.

3.4 If a transfer outside the Authorised Territory becomes strictly necessary, DULTRA will: (a) give 30 days' prior written notice; (b) implement the EU Standard Contractual Clauses; (c) provide a documented Transfer Impact Assessment; and (d) honour the Controller's right to object.

3.5 DULTRA maintains up-to-date data-flow diagrams and region-lock logs.

3.6 If DULTRA receives a legally binding request from any public authority to disclose Personal Data, DULTRA shall immediately notify the Controller unless legally prohibited.

4.1 The Controller hereby grants DULTRA a general written authorisation to engage the third-party processors identified in Annex 3.

4.2 On-boarding Procedure for New Sub-Processors. (a) Prior notice of 30 calendar days before authorising any additional or replacement Sub-Processor. (b) Right to object on reasonable, documented grounds relating to data protection. (c) Resolution: DULTRA may cancel/delay engagement, propose mitigation, or offer the Controller the option to suspend the portion of Services that would involve the objected-to Sub-Processor.

4.3 DULTRA shall ensure every Sub-Processor contract imposes obligations equivalent to those in this DPA.

4.4 Before on-boarding a Sub-Processor and at least annually thereafter, DULTRA shall conduct a risk-based assessment of each Sub-Processor's security posture.

4.5 DULTRA shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations (Article 28(4) GDPR).

4.6 Emergency Replacement. DULTRA may replace a Sub-Processor without 30-day notice if urgently required, provided the Controller is informed as soon as practicable, the replacement meets or exceeds the previous provider's level, and the Controller retains a right to object.

4.7 Annex 3 shall always reflect the current roster of Approved Sub-Processors.

DULTRA maintains a documented information security programme based on recognised industry best practices. The measures are set out in Annex 2.

5.1 Governance and Risk Management. Security policy reviewed annually; risk register reviewed quarterly; named DPO accountable for data-protection oversight.

5.2 Data Minimisation and Encryption. AES-256 encryption at rest; TLS 1.2+ for all data in transit; HSTS enforced. Zero-data-retention by default: simulation audio is not persisted; real-call recording audio is not stored unless the Controller explicitly opts in; live coaching-tip and post-call evaluation inference layers operate under contractual ZDR terms with the AI sub-processors — inference inputs are not persisted by the LLM/STT providers beyond the request lifecycle. When the Controller opts to store transcripts or summaries, they pass through a two-stage redaction pipeline (regex + Google Cloud DLP, 24 PII info-types) before database persistence.

5.3 Access Control and Authentication. Role-based access with zero default staff permissions; production consoles protected by mandatory MFA; passkey-based authentication enforced for platform-administrator accounts.

5.4 Segregation and Multi-Tenant Isolation. Customer data is isolated at the database layer through organisation-scoped foreign keys and Row-Level Security policies; cross-tenant reads are architecturally prevented.

5.5 Resilience, Backup and Disaster Recovery. Daily encrypted snapshots stored in a separate EU region, retained 30 days.

5.6 Incident Response. 24×7 monitoring; documented incident-response plan with post-incident root-cause analysis; Controller notified within 24 h of confirmed Personal Data Breach.

5.7 Testing and Audit. Security controls tested before every production release; annual third-party penetration-test report summary provided to the Controller on request.

5.8 The Parties agree that these measures provide a level of security appropriate to the risk, consistent with Article 32 GDPR.

6.1 A Personal Data Breach means any event meeting the definition in Article 4(12) GDPR.

6.2 DULTRA shall notify the Controller without undue delay and in any event within twenty-four (24) hours of becoming aware.

6.3 DULTRA will send the initial breach notice to (a) the Controller Contact Person named in the Parties table, and (b) the 24h incident mailbox supplied by the Controller, using encrypted e-mail.

6.4 DULTRA's initial notice shall contain, to the extent known: (a) the nature of the incident; (b) categories and approximate number of Data Subjects affected; (c) categories and approximate number of Personal Data records affected; (d) likely consequences; (e) measures taken or proposed; and (f) name and contact details of DULTRA's incident lead.

6.5 DULTRA shall promptly take all measures necessary to contain, eradicate and remedy the Personal Data Breach.

6.6 DULTRA shall cooperate with and assist the Controller in meeting its obligations under Articles 33 and 34 GDPR.

6.7 If the Personal Data Breach has been caused by the Controller, DULTRA is entitled to compensation for costs and additional work.

6.8 If the Controller determines to notify any governmental entity or Data Subjects in a way that identifies DULTRA, the Controller agrees to notify DULTRA in writing in advance.

7.1 The Controller is solely responsible for furnishing Data Subjects with the information required by Articles 12–14 GDPR.

7.2 DULTRA shall assist the Controller with Data Subject requests for rights under Articles 15 (access), 16 (rectification), 17 (erasure), 18 (restriction), 20 (portability), 21 (objection), and 22 (automated decision-making). DULTRA provides self-service tooling in the admin console (DSR workflow under /admin/dsr). DULTRA shall respond to Controller-initiated requests within five (5) business days.

7.3 If a Data Subject contacts DULTRA directly, DULTRA shall forward these requests to the Controller Contact Person and take no further action unless instructed in writing.

7.4 DULTRA reserves the right to charge the Controller for the reasonable administrative costs of assistance with Data Subject requests.

8.3 Controller-Initiated Deletion or Export. The DULTRA admin console provides session-level delete and export functionality, plus an organisation-wide DSR workflow at /admin/dsr. Bulk deletion or export can be requested via dpo@dultra.lt and will be completed within five (5) business days.

8.4 Automatic Deletion on Termination. (a) Export window of 14 calendar days; (b) hard-delete 30 calendar days after termination; (c) proof of destruction available on request; (d) deleted data may persist in encrypted backups for up to 30 days.

8.5 DULTRA's deletion processes employ cryptographic erasure (destroying the encryption key) as the primary method, with secure overwrite procedures where applicable.

8.6 If DULTRA is required by law to retain specific data beyond the periods above, it shall isolate the data, notify the Controller, and delete the data immediately after the legal retention obligation ceases.

8.7 Backups are encrypted using a separate, hierarchical KMS key. When source data is deleted, DULTRA's backup lifecycle policy ensures corresponding backup objects are also purged within thirty (30) days.

9.1 The Controller may audit DULTRA's compliance once per rolling twelve (12) month period, or if a confirmed Personal Data Breach directly involving the Controller's data occurs.

9.2 Audits require: (a) 30 days prior written notice (or 5 days for breach-triggered audits); (b) scope limited to security controls, Sub-Processor contracts, and TOMs in Annex 2; (c) documentation review first, on-site only if insufficient.

9.3 Auditors must sign a confidentiality agreement. Audits must avoid disproportionate disruption.

9.4 ISO 27001 certificates, SOC 2 (Type II) reports, or equivalent third-party assessments may satisfy audit requirements.

9.5 DULTRA shall bear its own internal costs. All external costs shall be borne by the Controller.

9.6 DULTRA will remediate any identified non-conformities without undue delay.

9.7 If DULTRA receives any request or inquiry from the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija) or other supervisory authority, DULTRA shall (a) notify the Controller within 48 hours; (b) provide copies of all relevant correspondence; (c) not respond substantively without first consulting the Controller; and (d) cooperate fully.

10.1 Each Party is liable for the damages it causes by breaching this DPA or Applicable Law.

10.2 Each Party's aggregate liability is limited to the total subscription fees paid by the Controller to DULTRA during the twelve (12) months immediately preceding the event.

10.3 Exclusions from the Cap. (a) wilful misconduct or gross negligence; (b) liability that cannot be limited under mandatory law; (c) breach of confidentiality obligations (Section 11); (d) DULTRA's breach of Section 3 (unauthorised international transfers); (e) DULTRA's breach of Section 4 (unauthorised Sub-Processors).

10.4 Claims must be brought within two (2) years after the claimant became aware of the event.

10.5 Customer Indemnity. The Controller shall defend, indemnify, and hold harmless DULTRA from any third-party claim arising from: (a) Controller's Instructions that cause a breach; (b) failure to secure lawful basis or consents; (c) provision of Prohibited Data Categories; (d) any breach of this DPA or Applicable Law by the Controller.

11.1 "Confidential Information" includes all non-public information in any form — specifically customer-personnel data, sales-call content, security reports, pricing, business plans, and trade secrets.

11.2 The Receiving Party shall: (a) use Confidential Information solely to perform rights or obligations under the Service Agreement and this DPA; (b) apply reasonable care; (c) disclose only to personnel with a strict "need-to-know" bound by written confidentiality obligations; (d) promptly notify of any unauthorised access.

11.3 The Receiving Party may disclose Confidential Information if required by law, provided it gives advance notice and cooperates to obtain a protective order.

11.4 Confidential Information excludes information that was already lawfully known, independently developed, is publicly available, or was lawfully received from a third party.

11.5 Upon written request or on termination, the Receiving Party will return or securely destroy all Confidential Information and certify completion in writing.

11.6 Confidentiality obligations survive five (5) years after termination; trade secrets must be kept confidential as long as they remain trade secrets under applicable law.

12.1 This DPA takes effect on the date of the last signature and remains in force for the full term of the Service Agreement.

12.2 Termination Events. (a) Ordinary termination when the Service Agreement expires. (b) Termination for breach with 30 calendar days' written notice to cure. (c) Termination required by law with immediate effect.

12.3 Effect of Termination. DULTRA will cease all Processing of Personal Data; delete or return Personal Data per Section 8; surviving sections (8, 10, 11, 13) remain in effect.

12.4 Termination does not entitle either Party to any refund or compensation except as provided in the Service Agreement.

13.1 This DPA shall be governed by the laws of the Republic of Lithuania, without regard to its conflict-of-laws rules.

13.2 The Parties shall first attempt good-faith negotiation. Negotiations will be deemed to have failed if no settlement is reached within thirty (30) calendar days.

13.3 Arbitration. Disputes not resolved under 13.2 shall be finally settled by arbitration administered by the Vilnius Court of Commercial Arbitration (VCCA) under its Rules of Arbitration. Seat: Vilnius, Lithuania. Language: English (with Lithuanian translation provided on request). The award is final and binding.

13.4 Nothing prevents either Party from applying to the Vilnius Regional Court for interim injunctive relief to prevent irreparable harm.

13.5 Both Parties agree to cooperate fully with the Lithuanian State Data Protection Inspectorate or any other competent supervisory authority.

14.1 DULTRA may collect, use, and process Service Data for: (a) accounting, billing, audit; (b) improving the Services; (c) investigating fraud or security incidents; (d) generating anonymised industry benchmarks; (e) as otherwise permitted by Applicable Law.

14.2 Service Data is not Customer Personal Data and the obligations of this DPA do not apply to DULTRA's processing of Service Data.

14.3 De-identification shall be performed using industry-standard techniques that are irreversible.

14.4 No additional fee is due for DULTRA's processing of Service Data.

15.1 DULTRA shall not use any Personal Data for the purpose of training, retraining, fine-tuning, or otherwise developing any AI or machine learning models, except as strictly necessary to provide the Services.

15.2 Personal Data shall be processed solely for the purposes of providing, maintaining, securing, and supporting the Services as described in this DPA and Annex 1.

15.3 DULTRA may process fully anonymised and aggregated Service Data for statistical reporting, security analysis, or operational insights, provided that such information cannot be used to identify the Controller, its personnel, its prospects, or any natural person.

15.4 Sub-Processor Model Terms. All AI sub-processors used by DULTRA (see Annex 3) operate under enterprise-tier or equivalent terms that contractually prohibit training on customer inputs. DULTRA reviews these terms at least annually.

The measures below are implemented and operational unless an explicit "road-map" note is indicated.

1. Governance and Policy. DULTRA maintains a documented Information Security Management System aligned with ISO 27001 controls. A named DPO conducts quarterly risk-register reviews. Annual external review (road-map: ISO 27001 certification).

2. Access Control. Role-based access with least-privilege defaults. Staff have zero default access to customer transcripts or audio. Production console access requires hardware-key MFA / passkey.

3. Encryption and Key Management. All data at rest encrypted using AES-256 with envelope encryption; database-level encryption via PostgreSQL TDE. Hierarchical KMS keys rotated yearly. All data in transit protected by TLS 1.2 or higher; HSTS preload-list.

4. Data Minimisation and Retention Enforcement. DULTRA applies a zero-data-retention (ZDR) by default posture: simulation audio, real-call recording audio, and AI inference layers (live coaching tips, post-call evaluation) are not persisted unless the Controller explicitly enables storage per organisation. AI sub-processors operate under contractual ZDR terms — inputs are not persisted by the LLM/STT providers. Stored transcripts and summaries pass through a two-stage redaction pipeline (regex + Google Cloud DLP, 24 info-types) before database write. Retention enforced by automated daily purge job. Application logs retained for up to 400 days.

5. Segregation and Tenant Isolation. Customer data is isolated using organisation-scoped foreign keys, Row-Level Security policies, and migration-tested multi-tenant correctness checks.

6. Backup and Disaster Recovery. Daily encrypted snapshots stored in a separate EU region with a Recovery Point Objective (RPO) of 24 hours or less. Backups inherit deletion policies when source objects expire, with a 30-day hard limit.

7. Incident Response. 24×7 alerting via self-hosted error-tracking (sentry.dultra.lt) plus on-call rotation. Documented incident playbooks. Mandatory post-mortems within 10 business days of any incident. Controller notified within 24 hours of a confirmed Personal Data Breach.

8. Personnel and Training. Background checks for all staff with production access. Privacy and security training at hire and annually thereafter.

9. Physical Security. DULTRA uses ISO 27001- and SOC 2-certified cloud data centres operated by the approved Sub-Processors listed in Annex 3, all located within the EU. DULTRA does not operate any on-premise hosting.

10. AI-Specific Controls. All AI inference endpoints are pinned to EU regions. Sub-processor model contracts prohibit training on customer inputs. Real-time PII redaction applied to all transcripts before any AI evaluation step.