Spokest

Data Processing Agreement (Auftragsverarbeitungsvertrag)

Effective: 28 March 2026 - Version 1.0

This Data Processing Agreement (“DPA” / “Auftragsverarbeitungsvertrag” / “AVV”) forms part of the Terms of Service (“Principal Agreement”) between the Customer and Spokest UG (haftungsbeschränkt), and governs the processing of personal data by Spokest on behalf of the Customer in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the German Federal Data Protection Act (“BDSG”).

By subscribing to a Spokest plan that involves data processing (including Mastermind and Enterprise tiers with self-hosted databases), the Customer agrees to this DPA. This DPA supersedes any prior data processing terms between the parties.

1. Definitions

In addition to terms defined in the GDPR, the following definitions apply throughout this DPA:

  • “Controller” (Verantwortlicher) - the Customer, who determines the purposes and means of processing personal data via the Spokest Brain service.
  • “Processor” (Auftragsverarbeiter) - Spokest UG (haftungsbeschränkt), Heubaumweg 21, 91056 Erlangen, Germany, registered at the District Court of Fürth under HRB 22016, Managing Director: Phu Le.
  • “Brain Data” - all personal data processed through the Spokest Brain service, including conversation memories, extracted facts, cognitive profiles, entity relationship data, and consolidation outputs.
  • “Self-Hosted Deployment” - a configuration in which the Customer operates their own vector database and graph database instances on infrastructure they control, while Spokest’s brain-api processes data in transit.
  • “Cloud-Hosted Deployment” - a configuration in which Spokest operates the database instances on Spokest-managed infrastructure on behalf of the Customer.
  • “Sub-processor” (Unterauftragsverarbeiter) - any third party engaged by Spokest to process personal data on behalf of the Controller.
  • “Data Subject” (Betroffene Person) - an identified or identifiable natural person whose personal data is processed.
  • “Processing” (Verarbeitung) - any operation performed on personal data, as defined in Article 4(2) GDPR.
  • “Supervisory Authority” (Aufsichtsbehörde) - the competent data protection authority; for Spokest, the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach.

2. Parties

2.1 Controller

The Customer as identified in the Spokest account registration, acting as the data controller within the meaning of Article 4(7) GDPR. The Controller determines the purposes and means of processing personal data through the Spokest Brain service.

2.2 Processor

Spokest UG (haftungsbeschränkt)
Heubaumweg 21
91056 Erlangen
Germany

District Court of Fürth, HRB 22016
Managing Director: Phu Le
Data protection contact: privacy@spokest.com

3. Subject Matter and Duration of Processing

3.1 Subject Matter

This DPA governs the processing of personal data that the Processor carries out on behalf of the Controller when providing the Spokest Brain service. The Processor provides an AI-powered persistent memory system that stores, recalls, enriches, and consolidates conversational data for the Controller’s end users.

3.2 Duration

Processing begins when the Controller activates their Spokest Brain service and continues for the duration of the Principal Agreement (the subscription term). Upon termination of the Principal Agreement, the provisions of Section 13 (Data Return and Deletion) apply.

3.3 Deployment Models

This DPA applies to both deployment models offered by Spokest:

  • Self-Hosted Deployment (Mastermind/Enterprise tiers): The Customer operates their own database instances. Spokest’s brain-api processes data in transit (memory recall, storage, consolidation, enrichment) but does not persist Brain Data on Spokest-managed servers. Data at rest resides exclusively on the Customer’s infrastructure.
  • Cloud-Hosted Deployment (Spark/Genius tiers): Spokest operates database instances on Spokest-managed infrastructure (dedicated servers in Germany). Data at rest is stored on Spokest-managed servers with per-user AES-256-GCM encryption.

4. Nature and Purpose of Processing

The Processor processes personal data for the following purposes, all in furtherance of the Spokest Brain service as described in the Principal Agreement:

  • Memory Storage - Receiving conversation messages from the Controller’s end users, extracting factual memories, and writing them to the vector database and graph database.
  • Memory Recall - Querying stored memories using semantic similarity search (vector embeddings) and graph traversal to provide contextually relevant responses.
  • Embedding Generation - Converting text into high-dimensional vector representations for semantic search. Performed via a cloud-based embedding service in the EU (eu-central-1).
  • Fact Extraction - Using a large language model (LLM) to extract discrete facts, entities, and relationships from conversation text.
  • Consolidation - Aggregating memories into hierarchical layers (session summaries, daily, weekly, monthly, yearly summaries) to improve recall quality.
  • Enrichment - Classifying memory types, computing salience scores, reconciling data stores, and building entity relationship graphs. Runs as scheduled background processing.
  • Cognitive Profiling - Analyzing conversation patterns to build a cognitive profile (thinking styles, decision patterns, communication preferences) that enables personalized responses.
  • Conversational AI - Sending conversation context (including recalled memories) to an AI model provider for response generation. The model processes data transiently and does not retain it.

5. Types of Personal Data Processed

The following categories of personal data may be processed, depending on the content provided by the Controller’s end users:

  • Account Data - Name, email address, authentication credentials (hashed), subscription tier, user preferences.
  • Conversation Content - Text messages exchanged between the end user and the AI brain, including questions, statements, and instructions.
  • Extracted Memories - Facts, preferences, opinions, plans, goals, and biographical details extracted from conversations.
  • Cognitive Profile Data - Inferred thinking styles, decision-making patterns, communication preferences, personality traits.
  • Entity and Relationship Data - Named entities (people, places, organizations, projects) and their relationships as mentioned by the end user.
  • Consolidation Outputs - Session summaries, daily/weekly/monthly/yearly digests, topic clusters.
  • Technical Metadata - Timestamps, message channel identifiers, session IDs, embedding vectors, salience scores.

Special Categories of Data (Article 9 GDPR): The Processor does not intentionally collect or solicit special category data (health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation, or genetic data). However, the nature of free-text conversation means end users may voluntarily disclose such data. The Controller is responsible for informing their end users about this possibility and obtaining any necessary explicit consent under Article 9(2)(a) GDPR.

6. Categories of Data Subjects

The data subjects whose personal data is processed under this DPA are:

  • End Users - natural persons who interact with the Spokest Brain service via the Controller’s account (e.g., the Controller themselves, or persons authorized by the Controller to use the service).
  • Third Parties Mentioned in Conversations - natural persons who are referenced by end users in their conversations with the AI brain (e.g., colleagues, family members, business contacts). The Controller is responsible for ensuring a lawful basis exists for processing any personal data of third parties mentioned in conversations.

7. Obligations of the Processor

7.1 Documented Instructions (Weisungsgebundenheit)

The Processor shall process personal data only on documented instructions from the Controller (Article 28(3)(a) GDPR), unless required to do so by Union or Member State law to which the Processor is subject. The Principal Agreement, this DPA, and the Controller’s configuration of the Spokest Brain service (including API calls, settings, and tier selection) constitute the Controller’s documented instructions.

If the Processor believes that an instruction from the Controller infringes the GDPR or other Union or Member State data protection provisions, the Processor shall immediately inform the Controller. The Processor may suspend processing of the affected data until the Controller confirms or modifies the instruction.

7.2 Confidentiality (Vertraulichkeit)

The Processor shall ensure that all persons authorized to process personal data under this DPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR). This obligation survives the termination of this DPA.

7.3 Security of Processing (Sicherheit der Verarbeitung)

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. The specific measures are detailed in Annex II (Technical and Organizational Measures).

7.4 Sub-processor Management (Unterauftragsverarbeiter)

The Processor shall not engage another processor (sub-processor) without prior specific or general written authorization of the Controller (Article 28(2) GDPR). The Controller hereby grants general authorization for the sub-processors listed in Annex I.

The Processor shall:

  • Impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract (Article 28(4) GDPR).
  • Notify the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, giving the Controller the opportunity to object.
  • If the Controller objects to a new sub-processor on reasonable data protection grounds, the parties shall discuss the objection in good faith. If no resolution can be reached within 30 days, the Controller may terminate the affected service component without penalty.
  • Remain fully liable to the Controller for the performance of any sub-processor’s obligations.

7.5 Data Subject Rights (Betroffenenrechte)

The Processor shall assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (Articles 15–22), including the rights to:

  • Access (Article 15) - provide a copy of all Brain Data associated with a data subject.
  • Rectification (Article 16) - correct inaccurate memories or profile data.
  • Erasure (Article 17, “right to be forgotten”) - permanently delete all Brain Data associated with a data subject from all storage systems.
  • Restriction of processing (Article 18) - mark and exclude data from active processing while retaining it.
  • Data portability (Article 20) - export Brain Data in a structured, commonly used, machine-readable format (JSON).
  • Objection (Article 21) - cease processing where the data subject objects to processing based on legitimate interests.

The Processor shall respond to data subject assistance requests from the Controller without undue delay and in any event within 10 business days.

7.6 Data Breach Notification (Meldung von Datenpannen)

The Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a personal data breach (Article 33(2) GDPR). The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected.
  • The name and contact details of the Processor’s data protection contact.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

If it is not possible to provide all information at the same time, the Processor shall provide information in phases without undue further delay.

7.7 Data Protection Impact Assessments (DSFA)

The Processor shall assist the Controller in ensuring compliance with obligations pursuant to Articles 35 and 36 GDPR (data protection impact assessments and prior consultation with the supervisory authority), taking into account the nature of processing and the information available to the Processor.

7.8 Audit Rights (Prüfungsrechte)

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Article 28(3)(h) GDPR).

Audit conditions:

  • The Controller shall provide at least 30 days’ prior written notice of any audit.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor’s operations.
  • The Controller shall bear the costs of any audit, unless the audit reveals a material breach by the Processor.
  • The Controller (and any mandated auditor) shall be bound by confidentiality obligations regarding any proprietary information of the Processor disclosed during the audit.
  • The Processor may satisfy audit requests by providing a current SOC 2 Type II report, ISO 27001 certification, or equivalent third-party audit report, where available.
  • Audits shall not exceed one per calendar year, unless a data breach has occurred or a supervisory authority requires an additional audit.

8. Obligations of the Controller

The Controller shall:

  • Ensure it has a lawful basis under Articles 6 (and where applicable, Article 9) GDPR for the processing of personal data through the Spokest Brain service.
  • Provide appropriate privacy notices to data subjects informing them that their data will be processed by an AI brain system, including the nature of AI-generated outputs (cognitive profiles, inferred facts).
  • Obtain any required consents from data subjects, particularly for special categories of data that may be voluntarily disclosed in free-text conversations.
  • Ensure that any instructions given to the Processor are lawful and comply with applicable data protection legislation.
  • Promptly notify the Processor of any data subject requests that require the Processor’s assistance.
  • In a Self-Hosted Deployment, maintain appropriate security measures for the databases operated on the Controller’s infrastructure, including access controls, encryption, patching, and backup procedures.
  • Inform the Processor promptly of any changes to applicable data protection law that may affect the Processor’s obligations under this DPA.

9. Authorized Sub-processors (Annex I)

The Controller grants general authorization for the following sub-processors as of the effective date of this DPA. The Processor shall maintain an up-to-date list at spokest.com/dpa.html#sub-processors.

  • Hetzner Online GmbH - Location: Gunzenhausen, Germany (data centers: Falkenstein and Nuremberg, Germany). Purpose: cloud server infrastructure hosting the brain-api application and, for Cloud-Hosted deployments, the database instances. Data processed: all Brain Data in transit through the brain-api; for Cloud-Hosted deployments, Brain Data at rest (encrypted with per-user AES-256-GCM keys).
  • Amazon Web Services EMEA SARL (AWS Bedrock) - Location: Luxembourg (data processing region: eu-central-1, Frankfurt, Germany). Purpose: generating vector embeddings from text using a text embedding model; the embedding service converts text into numerical vectors for semantic search. Data processed: conversation text and memory text sent transiently for embedding generation. AWS does not store input or output data from Bedrock inference; no Brain Data is persisted by AWS.
  • OpenAI, L.L.C. - Location: San Francisco, CA, United States. Purpose: large language model inference for fact extraction, conversation responses, and enrichment processing. Data processed: conversation text, recalled memories, and system prompts sent transiently for inference. Under Spokest’s API terms, OpenAI does not use API input/output data for training. Zero Data Retention (ZDR) is requested where available.
  • Stripe, Inc. - Location: San Francisco, CA, United States (European processing through Stripe Payments Europe, Ltd., Dublin, Ireland). Purpose: payment processing for subscription billing. Data processed: customer name, email, payment method details (card type and last 4 digits), transaction amounts, subscription status. No Brain Data.
  • PayPal (Europe) S.à r.l. et Cie, S.C.A. - Location: Luxembourg. Purpose: alternative payment processing for subscription billing. Data processed: customer name, email, transaction amounts, subscription status. No Brain Data.

Self-Hosted Deployment note: For Self-Hosted customers, the infrastructure provider processes only the brain-api application layer (data in transit). All data at rest resides on the Customer’s own infrastructure and is not processed by the infrastructure provider.

10. International Data Transfers

10.1 General Principle

The Processor stores all data at rest within the European Economic Area (EEA), specifically in Germany. The Processor shall not transfer personal data to a country outside the EEA unless adequate safeguards are in place as required by Chapter V of the GDPR (Articles 44–49).

10.2 Transfers to the United States

The following sub-processors process personal data in the United States:

  • OpenAI, L.L.C. - Transfer mechanism: EU-U.S. Data Privacy Framework (DPF) adequacy decision (Commission Implementing Decision (EU) 2023/1795). Additionally, Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914 are in place as a supplementary safeguard. Nature of transfer: transient processing only. Conversation text and recalled memories are sent to OpenAI’s API for inference and are not persisted by OpenAI. Under the API Terms of Use, OpenAI does not use API data for model training.
  • Stripe, Inc. - Transfer mechanism: EU-U.S. Data Privacy Framework (DPF). European payment processing is handled by Stripe Payments Europe, Ltd. (Dublin, Ireland). SCCs as supplementary safeguard. Nature of transfer: payment data only. No Brain Data is transferred to Stripe.

10.3 Supplementary Measures

In addition to the transfer mechanisms above, the Processor implements the following supplementary measures for US transfers, in accordance with the EDPB Recommendations 01/2020:

  • Minimization: Only the minimum data necessary for the specific processing purpose is transferred (e.g., only the current conversation context, not the entire memory store).
  • Transient processing: Data sent to OpenAI is processed in real-time for inference and is not stored persistently by the sub-processor.
  • Encryption in transit: All data transfers use TLS 1.2 or higher.
  • Contractual restrictions: Sub-processor agreements prohibit data retention beyond the processing duration and prohibit use of data for training or model improvement.
  • Zero Data Retention: Where available, ZDR agreements are in place to ensure API providers do not retain input or output data.

10.4 Adequacy Review

The Processor shall monitor the status of adequacy decisions and transfer mechanisms. If a transfer mechanism is invalidated (e.g., by a court judgment or regulatory decision), the Processor shall promptly inform the Controller and implement alternative safeguards or suspend the transfer.

11. Technical and Organizational Measures (Annex II)

Pursuant to Article 32 GDPR, the Processor implements the following measures. For Self-Hosted Deployments, measures marked with an asterisk (*) apply to the brain-api transit layer only; the Controller is responsible for equivalent measures on their own database infrastructure.

11.1 Encryption (Verschlüsselung)

  • Encryption at rest: All Brain Data stored on Spokest-managed infrastructure is encrypted with per-user AES-256-GCM keys. Each user has a unique encryption key derived from their account credentials. Even Spokest administrators cannot read stored Brain Data without the user’s key.
  • Encryption in transit: All network communication uses TLS 1.2 or higher. API endpoints enforce HTTPS. Internal service-to-service communication uses encrypted channels.
  • Key management: Encryption keys are derived per-user and are never stored in plaintext alongside the data they protect. Key material is isolated from database storage.
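The per-user encryption described in this section, as an added illustration that is not Spokest’s code and does not claim to reproduce the brain-api’s scheme. It assumes an envelope design: a random per-user data-encryption key (DEK) is wrapped with AES-256-GCM under a key-encryption key derived from the user’s password with scrypt, so that only the salt, nonce and wrapped DEK are ever stored and a password change re-wraps one key instead of re-encrypting every record; each record is encrypted with a fresh 96-bit nonce and the user’s UUID as GCM associated data, so a ciphertext copied into another tenant’s row fails authentication rather than decrypting. All function names, the scrypt cost and the sample memory text are constructed for the example; it uses the Python cryptography package.

```python
"""Per-user envelope encryption with AES-256-GCM (illustrative, not Spokest's code).

Assumed design:
  * a random 256-bit data-encryption key (DEK) per user;
  * the DEK is wrapped with AES-256-GCM under a key-encryption key (KEK)
    derived from the user's password via scrypt; only salt, nonce and the
    wrapped DEK are persisted, never the password or the plaintext DEK;
  * each record is encrypted with a fresh 96-bit nonce and the user's UUID as
    associated data, so a ciphertext moved into another tenant's row fails
    GCM authentication instead of decrypting.
"""
import os
import uuid
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

NONCE_LEN = 12      # 96-bit nonces, the recommended size for GCM
SCRYPT_N = 2 ** 14  # kept small so the example runs quickly; production uses a higher cost


@dataclass(frozen=True)
class WrappedKey:
    """The only key material that is stored; useless without the password."""
    salt: bytes
    nonce: bytes
    wrapped_dek: bytes


def derive_kek(password: str, salt: bytes) -> bytes:
    return Scrypt(salt=salt, length=32, n=SCRYPT_N, r=8, p=1).derive(password.encode("utf-8"))


def wrap_dek(dek: bytes, user_id: str, password: str) -> WrappedKey:
    salt, nonce = os.urandom(16), os.urandom(NONCE_LEN)
    wrapped = AESGCM(derive_kek(password, salt)).encrypt(nonce, dek, user_id.encode())
    return WrappedKey(salt, nonce, wrapped)


def create_user_key(user_id: str, password: str) -> WrappedKey:
    return wrap_dek(AESGCM.generate_key(bit_length=256), user_id, password)


def unwrap_dek(user_id: str, password: str, wk: WrappedKey) -> bytes:
    # raises InvalidTag on a wrong password or on a wrapped key copied from another user
    return AESGCM(derive_kek(password, wk.salt)).decrypt(wk.nonce, wk.wrapped_dek, user_id.encode())


def encrypt_record(dek: bytes, user_id: str, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(dek).encrypt(nonce, plaintext, user_id.encode())


def decrypt_record(dek: bytes, user_id: str, blob: bytes) -> bytes:
    return AESGCM(dek).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], user_id.encode())


def rotate_password(user_id: str, old_pw: str, new_pw: str, wk: WrappedKey) -> WrappedKey:
    """A password change re-wraps the DEK; the stored records are not touched."""
    return wrap_dek(unwrap_dek(user_id, old_pw, wk), user_id, new_pw)


def demo() -> dict:
    alice, bob = str(uuid.uuid4()), str(uuid.uuid4())
    memory = b"prefers morning meetings"  # constructed sample Brain Data
    wk = create_user_key(alice, "correct horse battery staple")
    dek = unwrap_dek(alice, "correct horse battery staple", wk)
    blob = encrypt_record(dek, alice, memory)
    out = {"roundtrip": decrypt_record(dek, alice, blob) == memory}
    try:  # same key bytes, but another tenant's UUID as associated data
        decrypt_record(dek, bob, blob)
        out["cross_tenant_rejected"] = False
    except InvalidTag:
        out["cross_tenant_rejected"] = True
    try:
        unwrap_dek(alice, "wrong password", wk)
        out["wrong_password_rejected"] = False
    except InvalidTag:
        out["wrong_password_rejected"] = True
    wk2 = rotate_password(alice, "correct horse battery staple", "a new passphrase", wk)
    out["old_records_readable_after_rotation"] = (
        decrypt_record(unwrap_dek(alice, "a new passphrase", wk2), alice, blob) == memory
    )
    return out
```

Deriving the record key directly from the password would force a full re-encryption on every password change and would make password reset equivalent to data loss; wrapping a random DEK keeps the "administrators cannot read the data without the user’s key" property while leaving rotation cheap.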

11.2 Access Control (Zugriffskontrolle)

  • Authentication: All user access requires authentication (email/password with bcrypt hashing, or OAuth via Google/Apple Sign In). Multi-factor authentication (TOTP) is available.
  • Authorization: Strict tenant isolation ensures users can only access their own Brain Data. API endpoints validate tenant ownership on every request.
  • Administrative access: Server access is restricted to the Managing Director via SSH key authentication. Administrative dashboard access requires an encrypted VPN plus time-based one-time password (TOTP) two-factor authentication.
  • Principle of least privilege: Service accounts and API keys are scoped to the minimum permissions required for their function.

11.3 Tenant Isolation (Mandantentrennung)

  • Data separation: All database queries include mandatory tenant filters. Brain Data from different users is cryptographically separated by per-user encryption keys.
  • Query enforcement: The tenant filter layer is applied at the API middleware level before any database operation, preventing cross-tenant data access even in the event of application bugs.
  • Self-Hosted Deployment: Customers with self-hosted databases achieve physical isolation - their data never resides on Spokest infrastructure.
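The mandatory tenant filter of this section, as an added example that is not Spokest’s code: a thin data-access wrapper (TenantScopedDB, a hypothetical name) that takes the tenant identifier only from the authenticated request context, refuses any statement that does not carry the :tenant_id placeholder, and refuses callers that try to supply tenant_id themselves, so a handler that is passed another user’s memory ID gets nothing. SQLite is used so the example runs offline; the two sample rows and UUIDs are constructed. On a database with row-level security (PostgreSQL, for instance) the same rule would be enforced inside the database rather than in application middleware.

```python
"""Tenant-scoped data access (illustrative example, not Spokest's code).

The tenant identifier comes only from the authenticated request context; it is
never read from the request body or URL, and statements that do not carry the
:tenant_id placeholder are refused before they reach the database.
"""
import sqlite3
from dataclasses import dataclass
from typing import Optional

ALICE = "5f3d8c2a-1111-4a4a-8b8b-000000000001"  # constructed sample UUIDs
BOB = "5f3d8c2a-2222-4a4a-8b8b-000000000002"


@dataclass(frozen=True)
class RequestContext:
    user_id: str  # set by the authentication layer from the verified session


class TenantScopeError(Exception):
    pass


class TenantScopedDB:
    # Substring check: a guard rail against a forgotten filter. The real control is
    # that the bound value always comes from the context; a query builder or
    # database row-level security would make the check structural rather than textual.
    TENANT_CLAUSE = "tenant_id = :tenant_id"

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def execute(self, ctx: RequestContext, sql: str, params: Optional[dict] = None) -> sqlite3.Cursor:
        params = dict(params or {})
        if self.TENANT_CLAUSE not in sql:
            raise TenantScopeError("statement lacks the mandatory tenant filter")
        if "tenant_id" in params:
            raise TenantScopeError("tenant_id must come from the request context, not the caller")
        params["tenant_id"] = ctx.user_id
        return self.conn.execute(sql, params)


def build_demo_db() -> TenantScopedDB:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE memories (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, text TEXT NOT NULL)")
    conn.executemany("INSERT INTO memories VALUES (?, ?, ?)", [
        (1, ALICE, "prefers morning meetings"),  # constructed sample data
        (2, BOB, "allergic to peanuts"),
    ])
    conn.commit()
    return TenantScopedDB(conn)


def get_memory(db: TenantScopedDB, ctx: RequestContext, memory_id: int) -> Optional[str]:
    row = db.execute(
        ctx, "SELECT text FROM memories WHERE id = :id AND tenant_id = :tenant_id", {"id": memory_id}
    ).fetchone()
    return row[0] if row else None


def erase_tenant(db: TenantScopedDB, ctx: RequestContext) -> int:
    """Erasure for one tenant (Article 17): the scope is fixed by the context, not by input."""
    cur = db.execute(ctx, "DELETE FROM memories WHERE tenant_id = :tenant_id")
    db.conn.commit()
    return cur.rowcount


def demo() -> dict:
    db = build_demo_db()
    alice, bob = RequestContext(ALICE), RequestContext(BOB)
    out = {
        "own_record": get_memory(db, alice, 1),
        "other_tenant_record": get_memory(db, alice, 2),  # IDOR attempt: Bob's id from Alice's session
    }
    try:
        db.execute(alice, "SELECT text FROM memories WHERE id = :id", {"id": 2})
        out["unscoped_statement_blocked"] = False
    except TenantScopeError:
        out["unscoped_statement_blocked"] = True
    try:
        db.execute(alice, "SELECT text FROM memories WHERE tenant_id = :tenant_id", {"tenant_id": BOB})
        out["caller_supplied_tenant_blocked"] = False
    except TenantScopeError:
        out["caller_supplied_tenant_blocked"] = True
    out["rows_erased_for_alice"] = erase_tenant(db, alice)
    out["bob_record_untouched"] = get_memory(db, bob, 2)
    return out
```

The erasure path shows why the same wrapper matters for data subject rights: a DELETE scoped by the context can only remove the requesting tenant’s rows, so an erasure request cannot be turned into a cross-tenant deletion by tampering with its parameters.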

11.4 Availability and Resilience (Verfügbarkeit und Belastbarkeit)

  • Uptime monitoring: Automated health checks every 5 minutes with Telegram-based alerting on downtime and recovery.
  • Database backups (Cloud-Hosted): Regular automated backups of account data with multi-day retention. Database snapshots performed regularly.
  • Incident response: Documented incident response procedures. Target mean time to acknowledge: 4 hours during business hours.

11.5 Input Control and Audit Logging (Eingabekontrolle)

  • Error tracking: Built-in error logging system records application errors with timestamps, without logging personal data content.
  • Access logs: API access is logged with timestamps, user identifiers, and operation types. Logs are retained for 90 days.
  • No cookie tracking: The service uses no cookies, no third-party analytics, and no advertising trackers.

11.6 Anti-Bot and Rate Limiting

  • Rate limiting: Persistent rate limiting protects API endpoints from abuse. Limits are enforced per-user and per-IP.
  • Anti-bot protection: Multi-layered invisible anti-bot protection. No third-party CAPTCHA services that would involve additional data transfers.

11.7 Pseudonymization

  • Internal identifiers: Brain Data is associated with internal user IDs (UUIDs), not directly with names or email addresses. The mapping between user IDs and account data is maintained separately.
  • Embedding vectors: Text is converted to numerical vector representations (high-dimensional embeddings) that are not human-readable and cannot be read back directly as the original text. This provides a degree of pseudonymization for the search index only; because embeddings still carry information about the text they were computed from, they are treated as personal data (see Technical Metadata in Section 5) and protected by the same measures as the conversation text they index.

11.8 Organizational Measures

  • Confidentiality: All personnel with access to personal data are bound by contractual confidentiality obligations.
  • Training: Personnel are trained on GDPR requirements and data protection principles.
  • Vendor assessment: Sub-processors are assessed for GDPR compliance before engagement.
  • Data minimization: Only the minimum necessary data is sent to sub-processors (e.g., only the current conversation context to the LLM, not the full memory store).

12. Self-Hosted Deployment: Shared Responsibility Model

For Mastermind and Enterprise tier customers operating Self-Hosted Deployments, the following shared responsibility model applies:

  • brain-api application - Spokest (Processor): security, patching, and availability of the API layer. Customer (Controller): providing correct database connection credentials.
  • Data in transit - Spokest: TLS encryption, secure API design, input validation. Customer: secure network configuration between the API and the databases.
  • Data at rest - Spokest: not applicable (data resides on Customer infrastructure). Customer: encryption, access control, backup, and patching of the database instances.
  • Embedding generation - Spokest: secure transmission to AWS Bedrock (TLS, EU region). Customer: awareness that text is sent to AWS for embedding.
  • LLM inference - Spokest: secure transmission to OpenAI, data minimization. Customer: awareness that conversation context is sent to OpenAI.
  • Database backups - Spokest: not applicable. Customer: full responsibility for backup and disaster recovery.
  • Database access control - Spokest: not applicable. Customer: full responsibility for who can access the database.

13. Data Return and Deletion on Termination

13.1 Controller’s Choice

Upon termination of the Principal Agreement, the Controller may instruct the Processor to either:

  • Return all Brain Data in a structured, commonly used, machine-readable format (JSON export), and then delete all copies; or
  • Delete all Brain Data from all Spokest-managed systems.

If the Controller does not provide instructions within 30 days of termination, the Processor shall delete all Brain Data.

13.2 Deletion Scope (Cloud-Hosted)

For Cloud-Hosted Deployments, deletion includes:

  • All memory vectors from the vector database (including all hierarchical consolidation layers).
  • All entity nodes and relationship edges from the graph database.
  • All cognitive profile data.
  • All account data from the relational database (except as required for legal retention).
  • All cached data.
  • All backup copies within 30 days.

13.3 Deletion Scope (Self-Hosted)

For Self-Hosted Deployments, deletion by the Processor includes:

  • All account data from the relational database.
  • All cached data.
  • Any transient data in the brain-api application layer.

Brain Data stored in the Customer’s own database instances is under the Customer’s control and must be deleted by the Customer directly.

13.4 Confirmation

The Processor shall confirm the completion of deletion in writing within 10 business days of carrying out the deletion.

13.5 Legal Retention

The Processor may retain personal data to the extent required by Union or Member State law (e.g., tax record retention under § 147 AO, commercial retention under § 257 HGB). Such retained data shall be protected in accordance with this DPA and processed only for the purpose of complying with the legal obligation.

14. Liability

14.1 GDPR Liability

Each party’s liability for data protection breaches shall be governed by Article 82 GDPR. The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the Controller’s lawful instructions.

14.2 Indemnification

Each party shall indemnify the other party against all claims, actions, third-party claims, losses, damages, and expenses incurred as a result of the indemnifying party’s breach of this DPA or applicable data protection law.

14.3 Limitation

Any limitation of liability set out in the Principal Agreement shall apply to this DPA, except that neither party may limit its liability for breaches of its obligations under Article 82 GDPR, intentional misconduct, or gross negligence.

15. Term and Termination

15.1 Term

This DPA enters into force upon the Customer’s acceptance of the Principal Agreement and remains in effect for as long as the Processor processes personal data on behalf of the Controller.

15.2 Survival

The obligations of the Processor under Sections 7.2 (Confidentiality), 7.6 (Data Breach Notification), 7.8 (Audit Rights), and 13 (Data Return and Deletion) shall survive the termination of this DPA.

15.3 Termination for Breach

Either party may terminate this DPA with immediate effect by written notice if the other party materially breaches this DPA and fails to remedy such breach within 30 days of receiving written notice of the breach.

16. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the Federal Republic of Germany, without regard to its conflict of laws provisions. The exclusive place of jurisdiction for all disputes arising out of or in connection with this DPA shall be Erlangen, Germany, to the extent legally permissible.

This choice of law is without prejudice to the mandatory application of the GDPR and any other directly applicable EU or Member State data protection legislation.

17. Amendments

This DPA may be amended by the Processor to reflect changes in applicable data protection law, regulatory guidance, or the Processor’s sub-processor landscape. The Processor shall notify the Controller of material amendments at least 30 days before they take effect. If the Controller objects to a material amendment, the Controller may terminate the Principal Agreement without penalty.

Non-material amendments (e.g., updates to sub-processor addresses, clarification of existing terms) take effect upon publication at spokest.com/dpa.html.

18. Severability (Salvatorische Klausel)

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that most closely achieves the economic purpose of the invalid provision.

19. Contact

For questions regarding this DPA, data protection, or to exercise data subject rights:

Spokest UG (haftungsbeschränkt)
Heubaumweg 21
91056 Erlangen
Germany

Data protection contact: privacy@spokest.com
General inquiries: hello@spokest.com

Competent supervisory authority:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
www.lda.bayern.de
