This Data Processing Agreement (“DPA”) is an annex and an integral part of the End-User License Agreement (EULA) between Pametne Tehnologije d.o.o. (the “Processor”) and the User (the “Controller”).

1. Subject and Term

The Processor undertakes to process personal data solely on behalf of and in accordance with the Controller’s instructions in connection with the provision of CRM integration services with the telephony service (Webex or Placetel). This DPA remains in force for the entire duration of the EULA.

2. Roles of the Parties

The Controller determines the purposes and means of processing personal data.
The Processor processes data only based on documented instructions from the Controller.

3. Categories of Data and Data Subjects

Categories of data subjects: Webex or Placetel users, clients, and contacts of the Controller.
Personal data processed by the Processor:

1. phone numbers;
2. call time and duration;
3. Webex or Placetel user’s name and e-mail;
4. links to call recordings (if recording is enabled in Webex or Placetel) Note: The system does not process or store the actual call recordings.

4. Location of Data Processing and Storage

All data is processed and stored exclusively within the European Union, in data centers located in the Netherlands.

5. Data Retention

• User’s name and number obtained from Webex or Placetel are stored until the subscription ends or the user logs out.
• Call records (numbers, call time) are stored for one week.
• Links to call recordings are not stored in the system.

• Upon expiry of the retention period, the relevant data is completely deleted.
• Upon logout, the user’s name and e-mail are deleted.
• Upon uninstalling the application, all data associated with the User is deleted.

7. Data Transfers

Data may be transferred to the Bitrix24 system: phone numbers, call time, links to call recordings.
Such transfer constitutes a Controller-to-Controller data disclosure. After the transfer, data processing is carried out in Bitrix24 under a separate agreement between the Controller and Bitrix24. The Processor is not responsible for data processing within Bitrix24.

8. Processor’s Obligations

The Processor undertakes to:

• process data only on the Controller’s instructions;
• ensure data confidentiality, including staff confidentiality obligations;
• implement appropriate technical and organizational security measures (Art. 32 GDPR);
• assist the Controller in fulfilling its GDPR obligations, including responding to data subject requests;
• upon completion of services, delete or return all personal data, unless otherwise required by EU law.

The Controller authorizes the use of the following subprocessors:

• eServer s.r.o. (IČO: 46845054, VAT: SK2023604297), Pekná cesta 19, 831 52 Bratislava, Slovakia — hosting provider, ensuring infrastructure and data storage in the EU. The Processor undertakes to notify the Controller of any changes in the list of subprocessors under its control.

10. Data Subject Rights

The Processor assists the Controller in fulfilling data subject rights (access, rectification, deletion, restriction, portability, objection) within a reasonable timeframe and to the extent of its technical capabilities.

11. Breach Notification

The Processor shall promptly notify the Controller of any personal data breaches and provide the necessary information for notification of supervisory authorities and data subjects in accordance with Articles 33 and 34 GDPR.

12. International Data Transfers

No international transfer of personal data takes place. All data is processed and stored exclusively within the European Union (Slovakia).

13. Audit and Inspections

The Controller is entitled to carry out an audit or request reports on the Processor’s security measures within a reasonable timeframe and scope. Audits are conducted at the Controller’s expense and require a written notice at least 90 days in advance.

14. Governing Law

This DPA is governed by the laws of Republic of Slovenia, in accordance with the provisions of the GDPR.

15. Contact Information

For all GDPR-related matters, the Processor can be contacted at: gdpr@pamteh.si

Pametne Tehnologije d.o.o. / Processor
Dunajska cesta 113, Ljubljana 1000
apps@pamteh.si