Order Processing Agreement (OPA)

in accordance with Art. 28 GDPR

between

the respective user of the KIIAARA platform (hereinafter referred to as "controller")

and

WS Academy GmbH
Industriegelände 8
7041 Wulkaprodersdorf
Austria
FN 611579 g – Eisenstadt Commercial Court

(hereinafter referred to as "processor")

  1. Purpose and duration of processing

1.1 The processor provides technical services within the framework of the "KIIAARA" platform for the provision of an AI-supported communication and interaction platform.

1.2 The subject matter of the processing is the technical processing of personal data in connection with:

  • Using the AI avatar feature
  • Processing of chat and interaction data
  • Optional collection of contact and lead data
  • Storage of user-entered content

1.3 Processing shall take place for the duration of the main contract (SaaS user agreement).

…………

  2. Nature and purpose of processing

2.1 Processing is carried out exclusively for the purpose of technical provision of the platform and to carry out the interactions initiated by the controller.

2.2 The processor does not use the data independently for its own purposes, in particular for marketing or training purposes.

…………

  3. Type of personal data

Depending on usage, the following data in particular may be processed:

  • Name
  • E-mail address
  • Phone number
  • Company information
  • Communication content (chat histories)
  • Technically necessary usage data (IP address, timestamp)

…………

  4. Categories of data subjects

  • Website visitors of the controller
  • Customers or interested parties of the controller
  • Employees of the controller

…………

  5. Obligations of the processor

5.1 Processing exclusively on documented instructions from the controller.

5.2 Confidentiality: Persons who have access to data are bound to confidentiality.

5.3 Technical and organizational measures (TOMs): The processor shall implement appropriate security measures, in particular:

  • TLS encryption
  • Access restriction
  • Role-based permissions
  • Regular security updates
  • Backup strategies

5.4 Support with data subject rights (information, deletion, etc.), as far as technically possible.

5.5 Reporting of data breaches immediately after becoming aware of them.

…………

  6. Obligations of the controller

6.1 The controller is responsible for the lawfulness of data collection and processing.

6.2 The controller shall ensure that a valid legal basis (e.g., Art. 6 GDPR) exists.

6.3 The controller shall duly inform data subjects about data processing.

…………

  7. Subcontractors

7.1 The processor is entitled to use subcontractors.

7.2 The categories of subcontractors currently used may include, in particular:

  • Hosting provider
  • AI model provider
  • Infrastructure and cloud service providers
  • Payment service provider

7.3 The processor shall ensure that appropriate contractual agreements are in place with sub-processors in accordance with Art. 28 GDPR.

…………

  8. Third country transfer

8.1 If processing takes place outside the EU/EEA, the processor shall ensure that appropriate safeguards are in place in accordance with Art. 44 et seq. GDPR (e.g., standard contractual clauses).

…………

  9. Deletion and return of data

9.1 After termination of the main contract, personal data will be deleted or anonymized, provided that there are no legal retention obligations to the contrary.

9.2 Backups will be overwritten as part of regular system cycles.

…………

  10. Control rights

10.1 The controller is entitled to verify compliance with the contractually agreed data protection obligations to a reasonable extent.

10.2 The processor shall provide suitable evidence upon request.

…………

  11. Liability

Liability is governed by the provisions of the main contract (Terms and Conditions), to the extent permitted by law.

…………

  12. Final provisions

12.1 This AV Agreement is part of the SaaS User Agreement.

12.2 In case of contradictions, the provisions of this AV Agreement regarding data protection issues shall prevail.

12.3 Austrian law applies.