Data Processing Agreement

Pursuant to Art. 28 GDPR

Version 1.0
December 2025
GDPR Compliant

Preamble

This Data Processing Agreement ("DPA") forms part of the agreement between KONSOLE LABS GmbH ("Processor") and the Customer ("Controller") for the provision of the SuperSmart Cloud services.

This DPA reflects the parties' agreement regarding the processing of personal data by the Processor on behalf of the Controller in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Sub-Processor" means any third party engaged by the Processor to process Personal Data.
  • "Data Subject" means the natural person to whom the Personal Data relates.

2. Subject Matter and Duration

2.1 Subject Matter: The Processor provides AI-powered content creation, transcription, text-to-speech, voice cloning, news aggregation, workflow automation, and content distribution services.

2.2 Duration: This DPA remains in effect for the duration of the main service agreement.

2.3 Nature and Purpose: Processing includes storage of user data, AI content processing, audio transcription, voice cloning, and content distribution.

3. Types of Personal Data

3.1 Categories of Data:

  • Contact information (name, email)
  • Account credentials (encrypted)
  • Billing and payment information
  • User-created content
  • Voice samples and audio recordings
  • Usage data and access logs

3.2 Categories of Data Subjects:

  • Controller's employees and authorized users
  • Individuals in uploaded content
  • Voice owners (with consent)

4. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure authorized persons are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage Sub-Processors without prior authorization
  • Assist the Controller with Data Subject requests
  • Assist with security, breach notification, and impact assessments
  • Delete or return all Personal Data upon termination
  • Allow for audits and provide compliance information

5. Sub-Processors

5.1 Authorization: The Controller provides general authorization for Sub-Processors. The Processor shall inform the Controller of any changes.

5.2 Sub-Processor Obligations: Each Sub-Processor is bound by equivalent data protection obligations.

Annex: List of Sub-Processors

| Sub-Processor | Location | Purpose | Data Types |
|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Server hosting, database, self-hosted services (Supabase, n8n, WhisperX, PyAnnote, Chatterbox, OBS) | All data processed through the Service |
| OpenAI, Inc. | USA (Non-EU) | Text generation (GPT-4), TTS, Whisper transcription, DALL-E images, Sora video | Text content, audio files, images |
| Anthropic, Inc. | USA (Non-EU) | Text generation (Claude models) | Text content |
| Google LLC | USA (Non-EU) | Text generation (Gemini), Imagen, Veo video, translation | Text content, images, video |
| ElevenLabs, Inc. | USA (Non-EU) | Text-to-speech, voice cloning | Text content, voice samples, audio |
| DeepL SE | Germany (EU) | Translation services | Text content |
| Mistral AI | France (EU) | Text generation | Text content |
| Stability AI Ltd. | United Kingdom (Non-EU) | Image generation (Stable Diffusion) | Text prompts, images |
| Perplexity AI, Inc. | USA (Non-EU) | AI search and text generation | Text content |
| xAI Corp. (Grok) | USA (Non-EU) | Text generation | Text content |
| DeepSeek | China (Non-EU) | Text generation | Text content |
| Meta Platforms (via Together AI) | USA (Non-EU) | Text generation (Llama models) | Text content |
| Cohere Inc. | Canada (Non-EU) | Text generation | Text content |
| Black Forest Labs (Flux) | Germany (EU) | Image generation | Text prompts, images |
| Synthesia Ltd. | United Kingdom (Non-EU) | AI avatar video generation | Text content, avatar videos |
| HeyGen Inc. | USA (Non-EU) | AI avatar video generation | Text content, avatar videos |
| Meta Platforms, Inc. | USA (Non-EU) | Social media distribution (Facebook, Instagram), Meta Business Suite | Content, engagement data |
| TikTok (ByteDance) | China/Ireland (Non-EU) | Social media distribution | Content, engagement data |
| Google LLC (YouTube) | USA (Non-EU) | Video streaming, distribution, analytics | Video content, engagement data |
| Amazon (Twitch) | USA (Non-EU) | Live streaming | Video streams, chat data |
| Stripe, Inc. | USA (Non-EU) | Payment processing | Billing information, transaction data |

6. International Data Transfers

For transfers outside the EEA, the Processor ensures safeguards through:

  • EU-U.S. Data Privacy Framework for certified US processors
  • Standard Contractual Clauses (SCCs) for other non-EU transfers
  • Supplementary Measures where required

7. Technical and Organizational Measures

7.1 Access Control

  • Role-based access control (RBAC)
  • Multi-factor authentication for admin access
  • Individual user accounts with strong passwords
  • Automatic session timeouts

7.2 Encryption

  • TLS 1.3 for data in transit
  • AES-256 encryption at rest
  • Encrypted backups

7.3 Availability

  • Redundant infrastructure
  • Regular backups (daily)
  • Disaster recovery procedures
  • 99.9% uptime SLA

7.4 Monitoring

  • Security logging and monitoring
  • Intrusion detection systems
  • Regular security audits

8. Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests including:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)

9. Data Breach Notification

In case of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay (within 24 hours)
  • Provide information about the nature and scope of the breach
  • Describe likely consequences and measures taken
  • Cooperate with the Controller's investigation

10. Audit Rights

The Controller has the right to:

  • Request information demonstrating compliance
  • Conduct audits with reasonable notice (30 days)
  • Engage third-party auditors (bound by confidentiality)

Audits shall be conducted during normal business hours and shall not unreasonably disrupt operations.

11. Data Deletion

Upon termination of the service agreement:

  • Controller may request data export within 30 days
  • Processor shall delete all Personal Data within 90 days
  • Backups are deleted within 30 days of production deletion
  • Data required for legal compliance may be retained as necessary

12. Liability

Liability for data protection breaches shall be governed by Article 82 GDPR and the main service agreement. The Processor shall be liable for damages caused by processing that violates GDPR or this DPA.

13. Governing Law

This DPA shall be governed by the laws of the Federal Republic of Germany. The courts of Berlin shall have exclusive jurisdiction.

Contact Information

KONSOLE LABS GmbH

Gritznerstraße 42

12163 Berlin, Germany

Data Protection Contact: privacy@supersmart.cloud