Data Processing Agreement (DPA)
Pursuant to Article 28 of the EU General Data Protection Regulation (GDPR) and the equivalent provision of the UK GDPR
Effective: 5 June 2026
1. Subject Matter and Scope
1.1 Parties
- Controller: The Customer who uses the fonea AI phone assistant service (hereinafter "Customer").
- Processor: kraftscale GmbH, operator of fonea (details in the Legal Notice).
1.2 Subject Matter
This Data Processing Agreement ("DPA") governs the rights and obligations of the parties in connection with the processing of personal data by fonea on behalf of the Customer in the context of the AI phone assistant service.
1.3 Precedence
In the event of a conflict between this DPA and the Terms of Service, the provisions of this DPA prevail insofar as they concern the protection of personal data.
1.4 Duration
This DPA applies for the entire duration of the contractual relationship and for as long as fonea processes the Customer's personal data.
2. Nature and Purpose of Processing
fonea processes personal data exclusively to provide the AI phone assistant service: answering incoming calls; real-time speech recognition (speech-to-text) and synthesis (text-to-speech); AI-powered conversation management; creating call transcriptions and summaries; storing and providing call data to the Customer; forwarding messages and calls; and optional call recording (only when explicitly enabled by the Customer and with the caller's consent).
3. Categories of Data Subjects
- Callers who call a Customer that uses fonea.
- Customer employees (insofar as contact details are stored for call forwarding).
4. Categories of Data Processed
4.1 Data Processed by Default
| Data category | Description |
|---|---|
| Phone number | Caller's number (transmitted by the telephone network) |
| Call transcription | Text version of the spoken content |
| Call summary | AI-generated summary of the conversation |
| Metadata | Date, time, duration of the call, forwarding status |
4.2 Optionally Processed Data
| Data category | Prerequisite |
|---|---|
| Voice recording (audio) | Activation by Customer AND explicit consent of the caller |
4.3 Data Not Processed
fonea does not create voiceprints and does not use biometric voice recognition to identify callers.
5. Special Categories of Data
Audio signals are processed transiently (speech-to-text) and discarded immediately. No persistent audio storage occurs in standard operation. Depending on the Customer's industry, call content may contain special-category data within the meaning of Art. 9 GDPR (e.g. health data). The Customer, as controller, is responsible for ensuring an appropriate lawful basis under Art. 9 GDPR and compatibility with any professional secrecy obligations.
6. fonea's Obligations
6.1 Processing on Documented Instructions
fonea processes personal data only on the Customer's documented instructions (Art. 28(3)(a) GDPR), derived from this DPA, the Terms of Service, and the Customer's configuration of the AI assistant. If fonea considers that an instruction infringes data protection law, it will inform the Customer without delay.
6.2 Confidentiality
All persons authorised to process personal data are bound by an obligation of confidentiality (Art. 28(3)(b) GDPR). fonea ensures that only authorised persons have access to the data.
6.3 Technical and Organisational Measures
fonea implements appropriate technical and organisational measures pursuant to Art. 32 GDPR, as set out in Annex A of this DPA.
6.4 Assistance to the Controller
Taking into account the nature of the processing, fonea assists the Customer in responding to data-subject requests (Art. 15–22 GDPR), and in ensuring compliance with Art. 32–36 GDPR (security, breach notification, data protection impact assessments and prior consultation).
6.5 Deletion and Return
At the end of the contractual relationship, fonea will delete all of the Customer's personal data within 30 days, unless storage is required by law. Upon request, fonea will provide a data export in machine-readable format (JSON/CSV) before deletion (Art. 28(3)(g) GDPR).
7. Customer's Obligations
7.1 Lawfulness
The Customer, as controller, is responsible for ensuring that processing has a valid legal basis, that data subjects are informed, and that any required consents are obtained.
7.2 Obligation to Inform Callers
The Customer undertakes to inform their callers appropriately about the use of the AI phone assistant. fonea supports the Customer through an automatic AI disclosure at the beginning of each call, in line with Article 50 of the EU AI Act.
7.3 Industry-Specific Obligations
Customers in regulated industries are responsible for compliance with their professional secrecy and confidentiality obligations (e.g. medical confidentiality, attorney-client privilege, and equivalent national rules).
8. Sub-Processors
8.1 Approved Sub-Processors
The Customer grants general authorisation for the sub-processors listed at fonea.ai/subprocessors (Art. 28(2) GDPR). fonea ensures that all sub-processors are subject to data protection obligations that provide at least the level of protection of this DPA (Art. 28(4) GDPR).
8.2 Changes
fonea will inform the Customer at least 30 days in advance of planned changes to the list of sub-processors. The Customer may object within 14 days. If the parties cannot reach agreement, the Customer may terminate the contract without notice.
8.3 Liability
fonea remains fully liable to the Customer for the performance of its sub-processors' obligations (Art. 28(4) GDPR).
9. International Data Transfers
9.1 Storage in Switzerland
All persistently stored data is stored exclusively in Switzerland. Switzerland benefits from an EU adequacy decision and is recognised by the UK as adequate, so transfers of EU/UK personal data to fonea (as a Swiss processor) do not require additional safeguards.
9.2 Transient Processing
For real-time call processing, data is processed transiently on servers in Germany (EU). Details are at fonea.ai/subprocessors.
9.3 Safeguards
Processing takes place within Switzerland or the EU/EEA. Where any provider is established outside the EEA/UK, transfers are covered by an adequacy decision or by appropriate safeguards such as EU/UK Standard Contractual Clauses (Art. 46 GDPR). Data Processing Agreements are in place with all providers.
10. Technical and Organisational Measures (Annex A)
10.1 Encryption
In transit: TLS 1.3 for all data transmissions. At rest: AES-256 for all stored data. Voice recordings (if enabled): additionally encrypted with a customer-specific key.
10.2 Access Control
Role-based access control (RBAC) for the customer dashboard; multi-factor authentication (MFA) for all accounts; strict logical data separation between customers (multi-tenancy); principle of least privilege.
10.3 Audit Logging
Logging of all access to personal data, of all administrative actions, and of the AI disclosure for every call. Log retention for 90 days.
10.4 Backup and Recovery
Regular encrypted backups; backups within Switzerland; documented recovery procedure.
10.5 Deletion Policy
Automatic deletion after the configured retention period; deletion upon Customer request within 30 days; irreversible deletion after contract termination within 30 days.
11. Personal Data Breach Notification
fonea will inform the Customer without undue delay after becoming aware of a personal data breach (Art. 33(2) GDPR). The notification will include at minimum the nature of the breach and affected data categories, the estimated number of affected persons, the likely consequences, and the measures taken and proposed. fonea will assist the Customer in fulfilling its notification obligations to the competent supervisory authority and to affected data subjects (Art. 33–34 GDPR).
12. Deletion and Return upon Termination
The Customer may request a data export in machine-readable format (JSON/CSV) at any time. Within 30 days after termination, fonea will irreversibly delete all personal data, except data whose retention is required by law. fonea will confirm complete deletion in writing upon request.
13. Audit Rights
fonea makes available to the Customer all information necessary to demonstrate compliance with Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer (Art. 28(3)(h) GDPR). Audits must be announced with at least 30 days' notice. The Customer bears the costs unless the audit reveals violations.
14. Liability
Liability is governed by the Terms of Service and applicable law. fonea remains liable for data protection infringements by its sub-processors as for its own.
15. Industry-Specific Supplementary Clauses
15.1 Healthcare
Where the Customer is subject to medical confidentiality: fonea acknowledges that call content may contain confidential health information and undertakes to treat it with particular care. The Customer is responsible for configuring the AI assistant such that no medical diagnoses or treatment recommendations are given, and confirms it has verified compatibility with applicable medical-confidentiality rules.
15.2 Law Firms
Where the Customer is subject to attorney-client privilege: fonea acknowledges that call content may contain privileged information and undertakes to treat it with particular care. The Customer confirms it has verified compatibility with applicable professional rules.
This DPA takes effect upon the Customer's registration and acceptance of the Terms of Service.
kraftscale GmbH (details in the Legal Notice)