Data Processing Agreement (DPA) pursuant to Art. 28 GDPR between Number 44 s.r.o. and its clients.
Version 1.0 | March 2026
This Data Processing Agreement (hereinafter — the "DPA") is an integral part of the Terms and Conditions (hereinafter — the "Main Agreement") between:
Processor (hereinafter — the “Processor”): Number 44 s.r.o., Lidická 700/19, Veveří, 602 00 Brno, Česká republika, IČO: 213 44 132, DIČ: CZ21344132
Controller (hereinafter — the “Controller” or the “Client”): the legal entity that has purchased a subscription to the Services under the Main Agreement.
This DPA governs the processing of personal data in connection with the provision of the Services under the Main Agreement. By accepting the Terms and Conditions, the Client automatically accepts the terms of this DPA. In the event of a conflict between the provisions of this DPA and the Main Agreement, the provisions of the DPA shall prevail.
The terms used in this DPA shall have the meanings defined in the GDPR, unless otherwise specified below:
“Personal Data” — any information relating to an identified or identifiable natural person within the meaning of Art. 4(1) GDPR.
“Processing” — any operation with personal data within the meaning of Art. 4(2) GDPR.
“Technology Provider” — the company that owns the AI assistant software and acts as a Sub-processor in accordance with Section 6 of this DPA.
“Security Incident” — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
“Data Protection Legislation” — the GDPR, ePrivacy Directive 2002/58/EC and all applicable national data protection laws of EU/EEA countries.
Controller (Client) determines the purposes and means of processing the Personal Data of its end users and bears full responsibility therefor.
Processor (Number 44 s.r.o.) acts as a processor in a limited capacity: organisation of access to the service, integration, configuration and technical support. The Processor does not have technical access to the content of dialogues between the AI assistant and end users.
Technology Provider (Sub-processor) actually processes the Personal Data of end users. Data is transmitted directly between the Controller and the Technology Provider without transit through the Processor’s servers.
Provision of AI assistant services for the automation of consultations, lead generation and customer support in various business sectors.
This DPA shall be in effect for the entire term of the Main Agreement and shall automatically terminate upon the termination of the Main Agreement.
Categories of personal data that may be processed by the Technology Provider on behalf of the Controller:
Name, telephone number, email address of end users
Texts of dialogues with the AI assistant
Technical parameters of objects (dimensions, roof type, materials, etc.)
IP address, browser and device data
Messenger identifiers (WhatsApp ID, Instagram handle, Facebook ID)
Categories of data subjects: end users (visitors to the Client’s websites, messenger users, potential clients of the Controller).
The Processor shall process Personal Data exclusively on the basis of documented instructions of the Controller. This DPA, the Main Agreement and the settings made by the Controller through the service interface constitute the documented instructions of the Controller.
The Processor guarantees that all personnel involved in the provision of the Services and technical support are bound by obligations of confidentiality with regard to Personal Data.
The Processor shall implement appropriate technical and organisational measures (TOMs) in accordance with Art. 32 GDPR within its area of control, including:
TLS encryption of all data transmissions
Access control and authorisation
Isolation of each Client’s Knowledge Base at the software level
Regular security reviews
The Processor shall not be liable for failures in the infrastructure of the Technology Provider, LLM providers or third-party platforms (Meta, WhatsApp, Instagram).
The Controller undertakes to:
Ensure the existence of a legal basis for the processing of Personal Data of end users (Art. 6 GDPR)
Place on its website an appropriate Privacy Policy informing end users about the processing of their data
Ensure a clear notice that the user is communicating with AI and not with a human (AI Disclosure, EU AI Act)
Bear full responsibility for the content of the AI assistant’s Knowledge Base
Independently respond to data subject requests (Art. 15–22 GDPR)
The Controller grants the Processor general written authorisation to engage Sub-processors in accordance with Art. 28(2) GDPR.
As of the effective date of this DPA, the following Sub-processors are engaged:
The Processor shall inform the Controller of the addition or replacement of Sub-processors by updating the Privacy Policy on the Website. The Controller may object to the change within 14 days. If no objection is received, the change shall be deemed accepted.
The primary processing and storage of data is carried out within the EU (Germany). In the event of data transfers to third countries (for example, the USA — parent companies of LLM providers), the following shall apply:
EU-U.S. Data Privacy Framework (DPF) — adequacy decision pursuant to Art. 45 GDPR
Standard Contractual Clauses (SCC) — in accordance with Art. 46 GDPR, where the DPF is not applicable
The Processor shall assist the Controller in fulfilling its obligations regarding data subject requests (Art. 15–22 GDPR), to the extent technically feasible within the functionality of the Services.
Since the Processor does not have access to the content of dialogues, requests regarding access, erasure or portability of end user data must be directed by the Controller directly to the Technology Provider.
The Processor shall notify the Controller of any Security Incident within 72 hours of becoming aware of it. The notification shall include a description of the nature of the incident, the categories of data affected and the measures taken.
The Processor depends on the information provided by the Technology Provider regarding security incidents. The 72-hour notification period commences from the moment of receipt of information from the Technology Provider and not from the moment of the incident itself.
The Controller shall have the right to request information necessary to confirm compliance with this DPA in accordance with Art. 28(3)(h) GDPR. Audits shall be conducted by prior arrangement, no more than once per year and at the Controller’s expense.
The scope of the audit shall be limited to the Processor’s area of control. An audit of the Technology Provider’s infrastructure is not within the scope of this DPA.
Upon termination of the Main Agreement, the Processor shall, at the Controller’s choice, delete or return all Personal Data within its area of control, unless otherwise required by applicable legislation.
Deletion of end user data (dialogues, contact details) shall be carried out by the Technology Provider, as such data is stored on its servers.
The content of data uploaded by the Controller to the Knowledge Base
The accuracy of responses, calculations and recommendations of the AI assistant
Compliance by the Controller with its obligations as a data controller under the GDPR
Failures in the infrastructure of the Technology Provider or LLM providers
Acts or omissions of third-party platforms (Meta, WhatsApp, Instagram)
The aggregate liability of the Processor under this DPA shall be limited to the amount specified in Section 9 (Limitation of Liability) of the Main Agreement (Terms and Conditions).
This DPA shall be governed by the laws of the Czech Republic. This does not limit the mandatory provisions of the GDPR and the national data protection legislation of the Controller’s country. Any disputes shall be subject to the exclusive jurisdiction of the courts of the Czech Republic.
The Processor may update this DPA to reflect changes in legislation, technologies or services. The updated version shall be published on the Website. Continued use of the Services shall constitute acceptance of the updated DPA.
Lidická 700/19, Veveří, 602 00 Brno, Česká republika
Email: [email protected] | Support: [email protected]
IČO: 213 44 132 | DIČ: CZ21344132
Questions about this document?
Email us at info@n44.io or support@n44.io
Number 44 s.r.o. · Lidická 700/19, 602 00 Brno, CZ · IČO: 213 44 132