1. Definitions
In this DPA, the following terms have the meanings set out below:
- "Controller" means the Customer who determines the purposes and means of processing Personal Data.
- "Processor" means MicHelper, which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4 of the GDPR.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and deletion.
- "Data Subject" means the individual to whom the Personal Data relates.
- "Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international data transfers.
2. Scope & Application
2.1 Subject Matter
This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the MicHelper service as described in the Terms of Service.
2.2 Duration
This DPA shall remain in effect for the duration of the Terms of Service and shall automatically terminate upon termination or expiration of the Terms of Service, subject to the data deletion obligations set out herein.
2.3 Nature and Purpose of Processing
The Processor processes Personal Data for the purpose of providing the MicHelper sales quality control service, including:
- Receiving, storing, and processing audio recordings
- Transcribing audio to text using AI/ML technologies
- Analyzing transcripts against sales scripts and rules
- Generating performance scores, reports, and analytics
- Enabling data export and reporting functions
2.4 Types of Personal Data
The Personal Data processed may include:
- Employee identifiers (names, employee IDs, login credentials)
- Contact information (email addresses, phone numbers)
- Audio recordings of sales conversations
- Transcripts of conversations
- Performance data and scores
- Usage data and access logs
2.5 Categories of Data Subjects
The Data Subjects whose Personal Data may be processed include:
- Controller's employees (sellers, managers, administrators)
- Controller's customers (voices captured in recordings)
3. Processing Instructions
3.1 Controller's Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law.
3.2 Documented Instructions
The Controller's instructions are documented in:
- This DPA and its Annexes
- The Terms of Service
- Configuration settings in the MicHelper platform
- Written communications between the parties
3.3 Additional Instructions
If the Controller provides additional instructions that require changes beyond the scope of the Service, the Processor may charge additional fees for implementing such instructions.
3.4 Notification of Unlawful Instructions
If the Processor believes that an instruction from the Controller infringes applicable data protection law, the Processor shall promptly inform the Controller and shall not be required to follow such instruction until the matter is resolved.
4. Confidentiality
4.1 Confidentiality Obligations
The Processor shall ensure that persons authorized to process Personal Data:
- Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Process Personal Data only as instructed
- Are informed of the confidential nature of the Personal Data
4.2 Access Limitation
The Processor shall ensure that access to Personal Data is limited to those personnel who need access to perform the Service and that such personnel are trained in data protection requirements.
5. Security Measures
5.1 Technical and Organizational Measures
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex B, including:
- Encryption of Personal Data in transit and at rest
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Measures to restore availability and access to Personal Data in a timely manner in the event of an incident
- Process for regularly testing, assessing, and evaluating effectiveness of security measures
5.2 Security Assessment
In assessing the appropriate level of security, the Processor takes into account:
- The risks presented by Processing, particularly from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data
- The state of the art and costs of implementation
- The nature, scope, context, and purposes of Processing
6. Subprocessors
6.1 Authorization
The Controller provides general authorization for the Processor to engage Subprocessors. The current list of Subprocessors is available at /legal/subprocessors.html, upon request, or in the Controller's account settings.
6.2 Obligations
When engaging a Subprocessor, the Processor shall:
- Enter into a written agreement with the Subprocessor imposing data protection obligations equivalent to those set out in this DPA
- Remain fully liable to the Controller for the performance of the Subprocessor's obligations
- Conduct appropriate due diligence on the Subprocessor's security practices
6.3 Notification of Changes
The Processor shall provide the Controller with at least 30 days' notice before adding or replacing any Subprocessor, giving the Controller an opportunity to object. If the Controller objects on reasonable grounds, the parties shall discuss in good faith to resolve the matter.
7. International Data Transfers
7.1 Transfer Mechanisms
The Processor shall not transfer Personal Data to a country outside the European Economic Area unless:
- The European Commission has decided that the country ensures an adequate level of protection; or
- Appropriate safeguards are in place, such as Standard Contractual Clauses; or
- A derogation under Article 49 of the GDPR applies
7.2 Standard Contractual Clauses
Where transfers rely on Standard Contractual Clauses, the parties agree that the SCCs approved by the European Commission are incorporated by reference into this DPA.
The applicable Standard Contractual Clauses modules are:
- Module 2 (Controller to Processor) — for transfers of Customer Personal Data from Customer (controller) to MicHelper (processor)
- Module 3 (Processor to Processor) — for onward transfers from MicHelper (processor) to subprocessors (e.g., OpenAI for transcription)
7.3 Additional Safeguards
The Processor implements additional technical and organizational measures to protect transferred data, as detailed in Annex B.
7.4 Restricted Jurisdictions
The Processor shall not transfer Personal Data to Russia, China, Belarus, or any country subject to comprehensive EU or US sanctions. None of the Processor's current subprocessors are located in these jurisdictions.
8. Assistance with Data Subject Rights
8.1 Data Subject Requests
Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under applicable data protection law.
8.2 Notification
If the Processor receives a request from a Data Subject directly, the Processor shall promptly notify the Controller and shall not respond to the request unless authorized by the Controller or required by law.
8.3 Tools and Features
The Processor provides self-service tools within the platform to enable the Controller to:
- Access and export Personal Data
- Correct inaccurate Personal Data
- Delete Personal Data
- Restrict or object to Processing
9. Data Breach Notification
9.1 Notification to Controller
The Processor shall notify the Controller without undue delay after becoming aware of a Data Breach affecting Personal Data processed under this DPA. Notification shall be made within 72 hours where feasible.
9.2 Content of Notification
The notification shall include, to the extent known:
- A description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
9.3 Assistance
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach and in meeting the Controller's obligations under applicable data protection law.
10. Data Deletion & Return
10.1 Upon Termination
Upon termination of the Terms of Service, the Processor shall, at the Controller's choice:
- Return all Personal Data to the Controller in a commonly used format; and/or
- Delete all Personal Data, unless retention is required by applicable law
10.2 Data Export Period
The Controller has 30 days following termination to export Personal Data. After this period, the Processor shall delete all Personal Data within 90 days, except as required by law.
10.3 Certification
Upon request, the Processor shall provide written certification that Personal Data has been deleted in accordance with this section.
11. Audit Rights
11.1 Audit Access
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor.
11.2 Conditions
Audits shall be conducted:
- Upon reasonable notice (at least 30 days unless a Data Breach has occurred)
- During normal business hours
- In a manner that does not unreasonably disrupt the Processor's operations
- Subject to confidentiality obligations
- At the Controller's expense (unless the audit reveals material non-compliance)
11.3 Third-Party Certifications
The Processor may satisfy audit requests by providing relevant third-party certifications, audit reports, or summaries thereof, where available.
12. Liability
12.1 Allocation
Each party's liability under this DPA shall be subject to the limitations of liability set out in the Terms of Service.
12.2 Regulatory Fines
Nothing in this DPA shall limit either party's liability for regulatory fines or penalties imposed directly on that party by a supervisory authority.
Annexes
Annex A: Details of Data Processing
| Subject Matter | Processing of audio recordings and derived data for sales quality monitoring and analytics |
| Duration | For the term of the Customer's subscription plus 30 days |
| Nature and Purpose | Audio transcription, AI-powered analysis, performance scoring, compliance checking, reporting |
| Categories of Data Subjects | Customer's employees (sellers, managers), incidental recording of customers/visitors in retail environments |
| Categories of Personal Data | Voice recordings (transient), text transcripts, performance scores, names, login credentials, IP addresses, device identifiers, Telegram chat IDs (if applicable), payment transaction references |
| Special Categories (Art. 9 GDPR) | Voice data (biometric if used for identification — MicHelper does NOT use voice for identification purposes) |
Data Processing Lifecycle
| Data Category | Processing | Retention | Deletion Method |
|---|---|---|---|
| Audio recordings | Transcription via OpenAI Whisper API (zero data retention) | Deleted immediately after successful transcription | Permanent file deletion from server storage |
| Transcripts | Analysis via AI, stored encrypted (AES-256-GCM) | 7 days (configurable by Customer) | Automated scheduled deletion + encryption key destruction |
| Analytics & scores | Computed from transcripts, aggregated | Up to 500 days | Account deletion request or subscription termination |
| Account data | Authentication, configuration | Duration of subscription + 30 days | Account deletion process with confirmation |
Annex B: Technical and Organizational Security Measures
The Processor implements the following security measures:
1. Encryption:
- Data in transit: TLS 1.2 or higher
- Data at rest: AES-256 encryption
- Database encryption enabled
2. Access Controls:
- Role-based access control (RBAC)
- Principle of least privilege
- Two-factor authentication planned for a future release
- Password policies enforced
- Session management and timeout
3. Audit & Monitoring:
- Comprehensive audit logging
- Security monitoring and alerting
- Regular log review
4. Data Protection:
- Regular backups with encryption
- Data segregation between customers
- Secure deletion procedures
- Configurable retention policies
5. Organizational Measures:
- Security awareness training
- Incident response procedures
- Vendor security assessments
- Regular security reviews
Annex C: Authorized Subprocessors
The following subprocessors are authorized to process Personal Data on behalf of the Processor. The current list is also published in the Privacy Policy and at Subprocessors.
| Company | Purpose | Location | Data Processed |
|---|---|---|---|
| OpenAI, Inc. | Audio transcription (Whisper API), transcript analysis (GPT API). Zero data retention enabled. | United States | Audio (transient), transcripts (transient) |
| Render Services, Inc. | Cloud hosting, compute, persistent storage | United States (Oregon) | All platform data |
| Google LLC | OAuth (optional), Firebase Cloud Messaging (push) | United States | Auth tokens, device tokens, notification payloads |
| Apple Inc. | Apple Push Notification Service (iOS push) | United States | Device tokens, notification payloads |
| Telegram FZ-LLC | Bot notifications (optional) | United Arab Emirates | Chat IDs, notification content |
| Fondy (CloudIpsp) | Payment processing (cards) | Ukraine | Transaction data, payment references |
| LiqPay (PrivatBank) | Payment processing (cards) | Ukraine | Transaction data, payment references |
| CoinGate UAB | Cryptocurrency payments | Lithuania (EU) | Transaction data, wallet addresses |
| Whitepay LLC | Cryptocurrency payments | Ukraine | Transaction data, wallet addresses |
| SMTP Provider (configurable) | Transactional email | Depends on configuration | Email addresses, email content |
The Processor shall notify the Controller at least 30 days in advance of any intended changes to this list, giving the Controller an opportunity to object.