1 Validity and definitions

1.1 This Data Processing Agreement ("DPA") supplements Oxolo's General Terms and Conditions (“GTC”) for the use of the himala software. This DPA does not apply to natural persons who use himala exclusively for the exercise of personal or family activities within the meaning of Art. 2 (2) lit. c GDPR.

1.2 In the event of a conflict between this DPA and Oxolo's GTC, this DPA shall take precedence.

1.3 Terms used in this DPA and their variations correspond to those used in Oxolo's GTC, unless otherwise or additionally regulated below. By way of derogation or addition, the following terms shall apply:

  • "Client": Refers to the user within the meaning of the User Agreement. This is the natural or legal person who uses or wishes to use the himala software solution and any other services offered by Oxolo on the basis of the User Agreement.

  • "Contractor": Refers to Oxolo within the meaning of the User Agreement, i.e. Oxolo GmbH, Bohnenstrasse 2, 20457 Hamburg.

  • "User Agreement": Refers to the contract concluded between the user (or Client) and Oxolo (or Contractor) for the use of the himala software. The content of the contract of use is set out in Oxolo's GTC.

  • "Parties": Joint designation for the Client and the Contractor.

  • "DPA": Designates this data processing agreement pursuant to Art. 28 GDPR and its annexes.

2 Subject matter and duration of the order

2.1 This DPA specifies the data protection obligations of the parties arising from the data processing that the Contractor carries out for the Client in accordance with the User Agreement. The subject matter of the agreement is the provision of the himala software solution and its functions, including the integration and linking of Client-authorized third-party services and data sources (e.g., calendars, emails, document management systems, and communication platforms), the automated processing of Client Input for meeting preparation and productivity workflows, and the generation of outputs such as summaries, drafts, and task suggestions, in each case within the scope of documented instructions from the Client and the product-specific parameters of himala.

2.2 In addition, this DPA shall apply to all work activities that are related to the work activities in accordance with Annex 1 and in which employees of the Contractor or any third parties commissioned by the Contractor may come into contact with personal data of the Client.

2.3 This DPA is concluded between the parties together with the User Agreement. The duration of this DPA corresponds to the term of the User Agreement. However, the obligations arising from this DPA shall continue to apply after termination of the User Agreement as long as the Contractor has not released, deleted or otherwise destroyed all of the Client's personal data in accordance with this DPA.

2.4 The Client remains solely responsible for the lawfulness of the personal data provided to the Contractor and for ensuring that the collection, disclosure and further processing of such data by the Contractor in accordance with the Client’s documented instructions comply with applicable data protection law. Special categories of personal data within the meaning of Art. 9 GDPR or other data subject to heightened protection requirements under applicable law are not intended to be processed. If the Client nevertheless transmits such data to the Contractor, the Client shall ensure a lawful basis and provide documented instructions and appropriate safeguards; the Contractor may suspend processing to the extent necessary to comply with applicable law. The Contractor shall not be obliged to review the lawfulness of the data provided or the instructions issued by the Client, but shall immediately inform the Client if, in the Contractor’s opinion, an instruction infringes applicable data protection law.

3 Specification of the order details

3.1 The nature and purpose of the processing of personal data by the Contractor for the Client are specifically described in Annex 1.

3.2 The Contractor shall ensure compliance with all statutory provisions on data protection in its area of responsibility.

3.3 The Contractor processes the Client’s personal data primarily in a member state of the European Union or a country belonging to the European Economic Area. Processing and/or transfers to third countries may occur where required to provide the Services, in particular where subcontractors listed in Annex 2 are used. Any transfer to a third country shall take place only if the requirements of Art. 44 et seq. GDPR are fulfilled and an appropriate transfer mechanism applies (e.g., adequacy decision, EU Standard Contractual Clauses, or other applicable safeguards), and the Contractor shall implement supplementary measures where required.

3.4 The Client hereby agrees to the relocation of individual processing operations to the third countries listed in Annex 2. For an overview of how an adequate level of data protection is ensured in the respective third country, please refer to Annex 2. Transfers to third countries shall take place on the basis of an applicable transfer mechanism under Chapter V GDPR, including (where applicable) an adequacy decision and/or the EU Commission’s Standard Contractual Clauses (2021/914/EU), and any legally required addenda.

3.5 The subject of this data processing is the following types of personal data:

Client Input. The Client’s input includes all content and data that the Client or its users (i) enter into himala, (ii) upload, (iii) generate or capture using himala, (iv) make available by connecting and authorizing external data sources, or (v) otherwise transmit to Oxolo for processing within himala (“Client Input”). Client Input may include content in a wide variety of file formats and media (e.g., text, image, audio, video). The categories of personal data contained in Client Input are determined by the Client and depend on the Client’s configuration, selected features, and the external data sources connected by the Client. Oxolo does not determine the categories of personal data contained in Client Input.

Connected data sources (as part of Client Input). Depending on the Client’s selection and enabled integrations, Client Input may include personal data retrieved from or synchronized with connected third-party services, in particular:

(a) Email data: email metadata and content (including email bodies, subject lines, sender/recipient information), email attachments and extracted text, and signature and drafting-related data;

(b) Calendar and meeting data: calendar entry metadata (e.g., titles, descriptions, times, locations), attendee lists, meeting links, and scheduling-related data;

(c) Contacts/people data: contact identifiers and profiles (e.g., name, email address, phone number, company, role/title, profile images), relationship history and interaction context;

(d) Files and documents: document metadata and, where enabled, extracted text/content from files in connected storage systems;

(e) Chat/messages (where enabled): message content and metadata from connected communication tools;

(f) Meeting notetaker/transcripts (where enabled): meeting metadata, participant lists, transcripts (including raw transcript text), summaries, notes, and action items;

(g) Scheduling bookings (where enabled): booking form inputs and related scheduling information (e.g., guest name and contact details).

Client Output / derived data. himala may generate outputs based on Client Input (“Client Output”), including summaries, meeting preparation materials, agendas, suggested questions, email drafts, task suggestions, contact insights, relationship metrics, and other AI-assisted content. Client Output may contain personal data to the extent such personal data is present in or inferred from Client Input or the connected data sources as configured by the Client.

Technical identifiers necessary to provide the Services under the Client’s instruction. To the extent required to process Client Input in accordance with the Client’s documented instructions and the product-specific parameters of himala, processing may also include technical identifiers and security-related data tied to the Client’s configuration and integrations (e.g., encrypted OAuth tokens/refresh tokens, integration identifiers, granted scopes, and related access logs).

Special categories of personal data. The Services are not intended to process special categories of personal data within the meaning of Art. 9 GDPR. The Client shall not provide such data as Client Input unless expressly agreed in writing and supported by appropriate documented instructions and safeguards. If the Client nevertheless provides such data without such agreement, the Client remains solely responsible for establishing a lawful basis and implementing appropriate safeguards, and Oxolo may suspend processing to the extent necessary to comply with applicable law.

3.6 The categories of data subjects affected by the processing: Persons who are identifiable in the Client’s input, including (where applicable) employees and representatives of the Client, the Client’s customers, suppliers, business partners, other contacts, and meeting participants whose personal data is included in meeting metadata, transcripts, notes, summaries, or related outputs.

4 Technical and organizational measures

4.1 The Contractor shall design the internal organization in its area of responsibility in such a way that it meets the requirements of data protection law. To this end, it must establish the security of data processing in accordance with Art. 28 (3) lit. c, 32 GDPR, in particular in conjunction with Art. 5 (1), (2) GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 (1) GDPR must be taken into account. The specific measures taken by the Contractor are set out in Annex 3 (Technical and Organizational Measures).

4.2 As proof of the measures taken, the Contractor may also submit current certificates, reports or report extracts from independent bodies (e.g. auditors, data protection officers, IT security or data protection audits). In particular, compliance with approved codes of conduct in accordance with Art. 40 GDPR or an approved certification procedure in accordance with Art. 42 GDPR is suitable for demonstrating compliance with the requirements mentioned here. If an audit by the Client reveals a need for adjustment, this must be implemented by mutual agreement.

4.3 The technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. In doing so, the security level of the specified measures must not be undercut. Significant changes must be documented.

5 Authority of the Client to issue instructions

5.1 The Contractor shall process personal data on behalf of the Client in accordance with the provisions of the User Agreement and Annex 1. The Contractor and any person under the authority of the Contractor who has access to personal data may only collect, process and use the data processed on behalf of the Client in accordance with documented instructions from the Client, including the powers granted in this DPA, unless they are legally obliged to process it (Art. 29 GDPR).

5.2 The Client already now issues the instruction to process the Client's personal data (a) for the operation of himala and for the provision of the services in accordance with the User Agreement, (b) as further specified by the contractual use of himala by the Client, and (c) as documented in the User Agreement. Within the framework of the existing contractual relationship, the Client may also issue instructions in individual cases ("individual instructions") for the automated processing of personal data at any time. If the Client issues individual instructions that go beyond the legal requirements or the product-specific parameters of himala, the resulting costs shall be borne by the Client. The Contractor shall inform the Client of this circumstance as well as the amount of the costs likely to be incurred and shall only carry out the relevant individual instruction after express confirmation by the Client.

5.3 The Contractor shall not use the data for any purposes other than providing the Services under the User Agreement and this DPA and is in particular not entitled to pass it on to third parties, except to subcontractors in accordance with Section 8 and Annex 2. Copies and duplicates of data shall not be made without the Client's knowledge. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as copies of data that are necessary in order to comply with statutory retention obligations. Where the User Agreement provides an explicit opt-in setting allowing processing of Client content for product improvement, such processing shall occur only if enabled by the Client and only within the scope described in the User Agreement. For the avoidance of doubt, the Contractor does not process the Client’s Input, processed Input and/or Output to train the large language models used in himala’s AI systems, regardless of any product-improvement setting.

5.4 The Client shall confirm verbal instructions immediately (at least in text form).

5.5 The Contractor must inform the Client immediately if it believes that an instruction violates data protection regulations. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client. If the Client confirms the instruction and instructs the Contractor to carry out this instruction despite the Client's concerns with regard to a possible illegality of the instruction, the Client shall indemnify the Contractor against all damages and costs incurred by the Contractor due to the implementation of this instruction if the instruction actually proves to be unlawful and claims should therefore be asserted against the Contractor or a fine should be imposed.

6 Duties of the Contractor

In addition to complying with the rules set out in this order, the Contractor shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Contractor ensures, in particular, compliance with the following requirements:

6.1 The Contractor shall maintain confidentiality in accordance with Art. 28 (3) sentence 2 b, 32 (4) GDPR. To this end, the Contractor shall entrust only such employees with the performance of services pursuant to the Service Agreement who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. The confidentiality obligation shall continue to apply after termination of the work activities.

6.2 The Client and the Contractor shall cooperate, on request, with the supervisory authority in performance of its tasks.

6.3 The Contractor shall inform the Client without undue delay of any inspections and measures taken by the supervisory authority insofar as they relate to this order. This shall also apply if a competent authority investigates the processing of personal data in the context of administrative offense or criminal proceedings relating to the processing of personal data by the Contractor.

6.4 If the Client is subject to an inspection by the supervisory authority, administrative offense or criminal proceedings, liability claims by a data subject or a third party or any other claims in connection with the commissioned data processing by the Contractor, the Contractor shall provide the Client with reasonable support to the best of its ability.

7 Rectification, restriction and erasure of data, rights of data subjects

7.1 The Contractor may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client.

7.2 If a data subject contacts the Contractor directly concerning the rights referred to in paragraph 1 or for the purpose of exercising their other data subject rights, the Contractor shall forward this request to the Client without delay. The Contractor shall provide reasonable assistance to the Client in fulfilling its obligations under Art. 12–23 GDPR by appropriate technical and organizational measures. The Contractor shall not respond to the data subject directly unless legally required.

8 Subcontracting

8.1 Subcontracting for the purpose of this DPA is to be understood as meaning services which relate directly to the provision of the principal service under this DPA. This does not include ancillary services from which the Contractor benefits, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Contractor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Client's data, even in the case of outsourced ancillary services.

8.2 The Contractor may use the subcontractors listed in Annex 2 to provide the services. In addition, the Client shall grant the Contractor general approval for the future use of new subcontractors and/or the future change of existing subcontractors.

8.3 The Contractor shall inform the Client of any intended change regarding the involvement or replacement of a subcontractor at least four (4) weeks before enabling this subcontractor to process the Client's personal data ("Notification Period"). The Client may object in writing to the appointment of the new subcontractor by the Contractor within the Notification Period, provided that this objection is based on objective grounds (e.g. in connection with data protection). In such a case, the parties shall discuss these concerns in good faith in order to find a solution. If the objection cannot be resolved within a reasonable period, the Client may terminate the affected part of the Services for convenience with effect from the date the new or replacement subcontractor would start processing.

8.4 The transfer of personal data of the Client to the subcontractor and the subcontractor's initial activities are only permitted once all requirements for subcontracting have been met, in particular a contractual agreement in accordance with Art. 28 (4) GDPR.

8.5 If the subcontractor provides the agreed service outside the EU/EEA, the Contractor shall ensure that the service is permissible under data protection law by taking appropriate measures. The same applies if service providers within the meaning of paragraph 1 sentence 2 are to be used.

8.6 The Contractor shall be liable to the Client for data processing by the subcontractors engaged by it in the same way as for its own services under this DPA.

9 Supervisory powers of the Client

9.1 The Client shall have the right to carry out inspections in consultation with the Contractor or to have them carried out by inspectors to be named in individual cases, provided that these inspectors are not competitors of the Contractor. The Client may conduct one inspection per calendar year with at least thirty (30) days’ prior written notice during normal operating and business hours, in a manner that does not unreasonably disrupt operations. Event-related inspections may be conducted on reasonable grounds with prior notice where feasible. The scope of inspections shall be limited to information necessary to verify compliance with this DPA.

9.2 The Contractor shall ensure that the Client is able to verify compliance with the obligations of the Contractor in accordance with Art. 28 GDPR. Upon request, the Contractor undertakes to provide the Client with the information required to carry out an inspection and, in particular, to provide evidence of the implementation of the technical and organizational measures.

9.3 Evidence of such measures, which do not only concern the specific order, can be provided by

  • Compliance with approved codes of conduct pursuant to Art. 40 GDPR;

  • Certification according to an approved certification procedure pursuant to Art. 42 GDPR;

  • Current certificates, reports or reports from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors);

  • A suitable certification through an IT security or data protection audit (e.g. in accordance with BSI IT-Grundschutz, the IT Baseline Protection certification developed by the German Federal Office for Information Security (BSI)).

10 Duties of the Contractor to provide support

10.1 The Contractor shall support the Client in complying with its duties regarding the security of the processing of personal data, the obligation to notify a personal data breach, the implementation of data protection impact assessments, and prior consultations (Articles 32 to 36 GDPR). Support provided by the Contractor includes in particular:

a) Ensuring an adequate level of protection by implementing technical and organizational measures which consider the context and purposes of the processing as well as the predicted probability and seriousness of a potential breach due to security gaps, and enable immediate determination of relevant breaches (§ 3 of this DPA);

b) The obligation to notify the Client without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA. The Contractor shall provide the information available to it that is reasonably required for the Client to comply with its notification obligations under Art. 33 and, where applicable, Art. 34 GDPR, and shall provide updates as further information becomes available. Further, the Contractor shall promptly notify the Client of serious disruptions of operational processes, suspected violations of data privacy, and other material irregularities concerning the Client’s data in connection with the processing under this DPA. The Contractor shall implement necessary and reasonable measures to secure relevant data and to mitigate adverse effects;

c) The obligation to support the Client in its duty to notify the supervisory authority and, if applicable, the data subjects and to provide the Client with all relevant information in this context without undue delay;

d) The support of the Client in the context of any data protection impact assessment;

e) The support of the Client in the context of prior consultations with the supervisory authority;

f) The obligation to cooperate with the Client at the request of the competent supervisory authority in responding to this request and to provide the Client with appropriate support.

10.2 The Contractor may claim remuneration for support services that are not included in the service description of himala (see Annex 1) or are not attributable to misconduct on the part of the Contractor.

11 Deletion and return of personal data or destruction

11.1 After conclusion of the contracted work, or earlier upon request by the Client – at the latest upon completion of the services pursuant to the User Agreement – the Contractor shall make Client personal data available for export in accordance with the export functionality and export period defined in the User Agreement (including any minimum export period). After expiry of the export period, the Contractor shall, upon the Client’s instruction and subject to Art. 17(3) GDPR and statutory retention obligations, delete or return the personal data processed under this DPA in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The Contractor shall provide reasonable confirmation of deletion upon request, to the extent technically feasible.

11.2 The Client shall determine the necessary measures to erase stored data after termination of the order. Export and deletion functions that are included in the standard Services are provided without additional charge. If the Client requests non-standard assistance (e.g., bespoke formats, additional data extraction, or extensive professional services) that goes beyond the standard Services and Annex 1, the Contractor may charge reasonable remuneration. The Contractor shall delete the data without undue delay after expiry of applicable statutory retention periods, subject to the deletion approach described in Section 11.1.

11.3 Documentation which is used to demonstrate orderly data processing in accordance with the order shall be stored beyond the contract duration by the Contractor in accordance with the respective retention periods. It may hand such documentation over to the Client at the end of the contract duration to relieve the Contractor of this contractual obligation.

12 Liability of the parties

12.1 The Contractor shall be liable for the fulfillment of its obligations under this DPA in accordance with the provisions of the User Agreement.

12.2 The Client shall remain responsible to the data subject as the controller within the meaning of the GDPR (Art. 82 (1), (2) sentence 1 GDPR) for compensation for damages suffered by a data subject due to data processing by the Contractor that is inadmissible or incorrect under the GDPR or other data protection regulations. Insofar as the Client is obliged to pay damages to the data subject, it reserves the right to take recourse against the Contractor in accordance with Art. 82 (2) sentence 2 GDPR; otherwise, Art. 82 (3) to (6) GDPR shall apply.


13 Miscellaneous

13.1 Any right to retention on part of the Contractor to the data processed under the Agreement pursuant to Section 273 BGB (German Civil Code) shall be excluded.

13.2 Should the Client's data be endangered at the Contractor due to seizure or attachment, insolvency or composition proceedings, or any other events or measures by third parties, the Contractor shall inform the Client immediately. The Contractor shall promptly inform all parties responsible in this context that the Client as controller in the meaning of the GDPR exclusively holds control and ownership in these data.

13.3 The following Annex shall form an integral part of this DPA:

  • Annex 1 - Service description himala

  • Annex 2 - Subcontractors

  • Annex 3 - Technical and organizational measures

Annex 1 - Service description himala

The Contractor shall provide the Client with the himala software with the following functions:

  1. Description of the service

himala is an advanced, digital AI assistant that helps users to efficiently organize, prioritize and automate personal and professional tasks. As a platform for intelligent support, himala integrates data from various sources such as calendars, emails, document management systems and communication platforms to seamlessly bring together relevant information.

Depending on the Client’s configuration, permissions granted by the Client’s users, enabled features and connected third-party services, himala may integrate, retrieve, analyze and present information from, in particular, calendar and email systems (e.g., Google Workspace and Microsoft 365), communication tools (e.g., Slack and Teams), meeting tools (e.g., Zoom), knowledge/document tools (e.g., Notion and Dropbox), and messaging integrations (e.g., WhatsApp), in order to provide AI-powered productivity functions.

In particular, himala may provide the following capabilities (where enabled):

  • AI-powered meeting preparation, including context aggregation from connected data sources, and the generation of suggested agendas, questions, summaries, and follow-up items;

  • Automated email draft generation (including style-adapted drafting), with drafts stored in the user’s draft folder where supported;

  • A meeting notetaker function, which may join meetings and create transcripts, notes, summaries and action items;

  • Contact enrichment and relationship insights based on connected data sources and, where applicable, publicly accessible information, to generate contact profiles and interaction histories;

  • Scheduling links and booking functionality (Calendly-like), including automated handling of booking inputs;

  • Task and action-item extraction and aggregation from emails, connected tools and meeting outputs, and the presentation of task status signals; and

  • Cross-platform availability (e.g., web application, desktop applications, browser extensions), where supported.

himala works proactively and automatically identifies tasks, priorities and optimization opportunities without the user having to constantly intervene. Depending on the permissions granted and the enabled features, himala may propose and (subject to user confirmation in the user interface, unless an explicit automation feature is enabled) create drafts and propose or create/modify calendar entries and scheduling elements.

himala's focus is on providing a personalized and intuitive user experience backed by strict security and privacy standards. The aim is to help customers gain more time for the essentials by automating repetitive and time-consuming tasks.

  2. Purpose of the processing

Personal data is processed solely for the purpose of providing the following himala services:

  • Integration and linking of Client data sources to optimize task management and automation.

  • Provision of personalized recommendations based on the data sources provided and synchronized.

  • Automation of routine tasks such as appointment management, document management and communication.

  • Proactive support through the analysis and prioritization of data.

For this purpose, personal data is collected, categorized, converted, queried, organized and sorted, stored, analyzed (e.g. pattern recognition), summarized and transmitted to the Client, updated, processed and deleted or destroyed by the Contractor on the instructions of the Client.

Annex 2 - Subcontractors

For each subcontractor, the following details are listed: company/subcontractor, address/country, whether data transfer to third countries occurs, how the appropriate level of data protection is ensured, and the services provided.

Amazon Web Services EMEA SARL (AWS)
  • Address/Country: 38 Avenue John F. Kennedy, L-1855 Luxembourg
  • Data transfer to third countries: Possible
  • Ensuring the appropriate level of data protection: Amazon Web Services Inc. is certified under the EU-US Data Privacy Framework (DPF). In addition, a data processing agreement (DPA) with standard data protection clauses of the EU Commission (EU-SCC) has been concluded.
  • Services: Cloud server

Customer.io, Inc.
  • Address/Country: 9450 SW Gemini Dr, Suite 43920, Beaverton, Oregon 97008-7105, USA
  • Data transfer to third countries: Yes
  • Ensuring the appropriate level of data protection: DPF certification; DPA with EU-SCC
  • Services: Customer loyalty, email marketing

Google Ireland Limited (Analytics)
  • Address/Country: Gordon House, Barrow Street, Dublin 4, Ireland
  • Data transfer to third countries: Possible
  • Ensuring the appropriate level of data protection: DPF certification by Google LLC; DPA with EU-SCC
  • Services: Analysis

OpenAI Ireland Limited
  • Address/Country: 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland
  • Data transfer to third countries: Possible
  • Ensuring the appropriate level of data protection: DPA with EU-SCC
  • Services: LLM reference service

Pathway Payment Partners LLC
  • Address/Country: 100 Sun Ave NE, Suite 650, PMB 2437, Albuquerque, NM 87109, USA
  • Data transfer to third countries: Yes
  • Ensuring the appropriate level of data protection: DPA with EU-SCC
  • Services: Accounting interface connection

AC PM LLC (Postmark)
  • Address/Country: 1 N Dearborn Street, Suite 500, Chicago, IL 60602, USA
  • Data transfer to third countries: Yes
  • Ensuring the appropriate level of data protection: DPF certification; DPA with EU-SCC
  • Services: Transactional email delivery (system emails, notifications)

Functional Software, Inc. (Sentry)
  • Address/Country: 45 Fremont St, 8th Floor, San Francisco, CA 94105, USA
  • Data transfer to third countries: Yes
  • Ensuring the appropriate level of data protection: DPF certification; DPA with EU-SCC
  • Services: Monitoring and error analysis

Stripe Payments Europe Limited
  • Address/Country: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
  • Data transfer to third countries: Possible
  • Ensuring the appropriate level of data protection: DPF certification by Stripe Inc.; DPA with EU-SCC
  • Services: Payment processing service

Supabase Inc.
  • Address/Country: 970 Toa Payoh North, #07-04, Singapore
  • Data transfer to third countries: Yes
  • Ensuring the appropriate level of data protection: DPA with EU-SCC
  • Services: Database and authentication service

PostHog, Inc.
  • Address/Country: 2261 Market Street #4008, San Francisco, CA 94114, USA
  • Data transfer to third countries: Possible
  • Ensuring the appropriate level of data protection: DPA with EU-SCC
  • Services: Product analytics platform

Langchain Inc. (Langsmith)
  • Address/Country: 42 Decatur Street, San Francisco, CA 94103, United States
  • Data transfer to third countries: Possible
  • Ensuring the appropriate level of data protection: DPA with EU-SCC
  • Services: LLM Monitoring

Anthropic, PBC
  • Address/Country: 548 Market St, PMB 90375, San Francisco, CA 94104, USA
  • Data transfer to third countries: Possible
  • Ensuring the appropriate level of data protection: DPA with EU-SCC
  • Services: LLM reference service

Slack Technologies LLC
  • Address/Country: 415 Mission St, 3rd Floor, San Francisco, CA 94105, USA
  • Data transfer to third countries: Possible
  • Ensuring the appropriate level of data protection: DPA with EU-SCC
  • Services: Communication service

Crystal Project, Inc.
  • Address/Country: 9450 SW Gemini Dr PMB 72836, Beaverton 97008, Oregon, United States
  • Data transfer to third countries: Possible
  • Ensuring the appropriate level of data protection: DPA with EU-SCC
  • Services: Data collection service

WhatsApp LLC
  • Address/Country: 1 Meta Way, Menlo Park, California 94025, United States
  • Data transfer to third countries: Possible
  • Ensuring the appropriate level of data protection: DPF certification; DPA with EU-SCC
  • Services: Communication service

SideGuide Technologies, Inc.
  • Address/Country: 2261 Market Street Suite 85367, San Francisco, CA 94114, United States
  • Data transfer to third countries: Possible
  • Ensuring the appropriate level of data protection: DPF certification
  • Services: Data collection service

Linkup Technologies (a French société par actions simplifiée)
  • Address/Country: 28 avenue des Pépinières, 94260 Fresnes, France
  • Data transfer to third countries: Possible
  • Ensuring the appropriate level of data protection: DPA with EU-SCC
  • Services: Data collection service

Annex 3 - Technical and organizational measures

  1. Access control (physical access control)

  • Access rights: Physical access is regulated by video surveillance, alarm and access control systems.

  • Access restrictions: Server rooms and hosting environments are protected against unauthorized access, especially outside business hours. The Contractor uses the hosting and infrastructure providers listed in Annex 2; physical access controls are implemented by the respective infrastructure providers and complemented by the Contractor’s organizational measures.

  • Monitoring of external persons: Visitors are accompanied and documented in visitor lists.


  2. Access control (Logical Access Control)

  • Authentication: Access is based on individual user accounts. Multi-factor authentication (MFA/2FA) is enforced for administrative access and for systems where it is technically supported.

  • Access rights follow the need-to-know principle and are reviewed at regular intervals.

  • Roles and authorizations: Authorizations are granted by system owners and C-level executives.


  3. Storage control

  • Encryption: Data on mobile IT systems is fully encrypted.

  • Password protection: All users use complex passwords that are changed regularly.

  • Screen lock: Password-protected screen saver during work interruptions.


  4. Transmission control

  • Secure transmission paths: Data is transmitted via encrypted connections (e.g. HTTPS, VPN).

  • No physical data carriers: No physical data carriers are used.


  5. Recovery

  • Access rights follow the need-to-know principle and are reviewed at regular intervals.

  • Emergency plans: Emergency and crisis management measures exist; they are reviewed and updated periodically.


  6. Separation requirement

  • Data isolation: The data of different customers is kept separate by means of access restrictions and separate databases.

  • Test and production data: These are processed separately from each other.


  7. Communication control

  • Confidentiality agreements: External service providers are contractually obliged to comply with data protection.

  • Remote access: Maintenance work is only carried out after approval and is documented.


  8. Integrity and availability control

  • Protective measures: Malware protection and regular security updates for all systems.

  • Fire protection: Server rooms are equipped with fire doors and extinguishing systems.


  9. Engagement of external service providers

  • Data processing: There are written contracts (Data Processing Agreements, DPA) with all sub-processors, including AWS.