Data Processing Agreement
GDPR Article 28-compliant DPA. Auto-applies to every EU/UK customer on signup. Hard-copy execution available on request.
Last updated: April 11, 2026
This Data Processing Agreement ("DPA") governs the processing of personal data by Sistava (acting as processor) on behalf of the customer (acting as controller) in connection with the customer's use of the Sistava platform and related Services. It applies whenever the customer's use of the Services involves the processing of personal data subject to the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the Swiss FADP, or other equivalent data protection laws. This DPA is incorporated by reference into our Terms of Service and forms part of the agreement between you and Sistava. By using the Services, you accept the terms of this DPA. Enterprise customers may sign a counter-signed copy of this DPA on request — contact contact@sista.ai.
1. Definitions
Terms used in this DPA have the meaning given to them in the GDPR. In particular, "controller", "processor", "data subject", "personal data", "processing", "sub-processor", and "personal data breach" have the meanings set out in Article 4 of the GDPR. For the purposes of this DPA: "Customer Personal Data" means any personal data contained in customer content, training data, inputs, outputs, files, chat messages, configurations, journals, or other data processed by Sistava on the customer's behalf in the course of providing the Services. "Customer" or "you" means the legal entity or individual that has agreed to the Terms of Service. "Sistava" or "we" means SISTA AI (KvK 90724933, NL), operator of the Sistava platform.
2. Roles and Scope of Processing
The customer is the controller of Customer Personal Data and is responsible for determining the purposes and means of its processing. Sistava is the processor and processes Customer Personal Data only on documented instructions from the customer, including with regard to international transfers, except where required to do so by EU or member state law. For the purposes of GDPR Article 28(3)(a), the customer's "documented instructions" to Sistava consist of: (a) this DPA; (b) the Terms of Service and any related Order Form, Statement of Work, or written agreement between the customer and Sistava; (c) the customer's account settings, workspace configuration, and preferences as configured through the Sistava admin console; (d) the customer's configuration of AI employees, teams, skills, duties, tools, training data, schedules, and channels through the platform's built-in configuration tools; and (e) any other instruction provided by the customer through the platform's in-product tools or in writing to Sistava. Any instruction provided outside these documented channels is not binding on Sistava unless we expressly agree to it in writing.
3. Subject Matter, Duration, Nature & Purpose
- Subject matter: The processing of personal data by Sistava on behalf of the customer in connection with the customer's use of the Sistava platform and related Services.
- Duration: For the term of the customer's subscription, plus any retention period required by law or by the customer's exit, switching, and deletion process under Section 18.A of the Terms of Service.
- Nature and purpose: Hosting, storage, processing, transformation, indexing, embedding, search, retrieval, analysis, and transmission of personal data submitted by the customer or generated by AI employees acting on the customer's behalf, for the sole purpose of providing, securing, and improving the Services for that customer.
- Type of personal data: Any personal data the customer chooses to submit, including but not limited to names, email addresses, phone numbers, job titles, organizational affiliations, addresses, communication content (chat messages, emails, calls, voice transcripts), business documents, customer/prospect records, and any other data the customer uploads or trains AI employees on.
- Categories of data subjects: Any individual whose personal data is included in the customer's use of the Services, including the customer's own employees, contractors, customers, prospects, vendors, partners, and any other individuals reflected in the customer's data.
4. Sistava Obligations as Processor
Sistava will:
- Process Customer Personal Data only on the customer's documented instructions, including with regard to international transfers, unless required by EU or member state law (in which case we will inform the customer of the legal requirement before processing, unless the law prohibits it on important grounds of public interest).
- Notify the customer of unlawful instructions. If, in our reasonable opinion, a customer instruction infringes the GDPR or other applicable Data Protection Laws, we will promptly inform the customer in writing in accordance with Article 28(3) GDPR. We may, but are not obligated to, suspend processing of the affected instruction until the customer has clarified or amended it.
- Notify the customer of legally binding disclosure requests. If we receive a legally binding request from a public authority, court, regulator, or law enforcement agency to disclose Customer Personal Data, we will, to the extent legally permitted, notify the customer in writing without undue delay before responding, so that the customer may seek a protective order or other appropriate relief. Where law prohibits us from notifying the customer in advance, we will use lawful means to challenge the prohibition and document our efforts. We will only disclose the minimum amount of personal data legally required.
- Ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature of the processing, and the rights and freedoms of data subjects (see Section 8 below).
- Apply data minimization to customer-authorized integrations. Where the customer authorizes the Services to access a third-party application, channel, data source, or service (including but not limited to messaging platforms, mailboxes, file stores, CRMs, calendars, databases, knowledge bases, MCP servers, and custom webhooks), Sistava will limit access and processing to what is necessary to perform the task requested by the customer or the customer's authorized AI employee at the time of execution. Sistava will not bulk-extract, mirror, or warehouse the contents of those systems except where a specific Service feature elected by the customer (such as training or knowledge ingestion) expressly requires it and the customer has been informed of that processing. Raw content fetched on demand is discarded after the task turn, subject to the diagnostic, audit, and retention provisions described in the Privacy Policy and Section 8 below.
- Engage sub-processors only in accordance with Section 6 below.
- Assist the customer, taking into account the nature of the processing, in fulfilling the customer's obligation to respond to requests for exercising data subject rights (Articles 12-22 GDPR).
- Assist the customer in ensuring compliance with Articles 32-36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of the processing and the information available to us.
- At the customer's choice, return or delete all Customer Personal Data after the end of the provision of Services, in accordance with Section 18.A of the Terms of Service, unless EU or member state law requires retention.
- Make available to the customer all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits as set out in Section 9 below.
5. Customer Obligations as Controller
The customer is responsible for and warrants that:
- It has a valid legal basis under Article 6 GDPR (and, where applicable, Article 9 GDPR for special categories) for the processing of Customer Personal Data through the Services.
- It has provided all required notices to data subjects and obtained all required consents.
- Its instructions to Sistava comply with applicable data protection laws.
- It will not submit special categories of personal data, criminal offence data, or other sensitive personal data through the Services unless it has confirmed that the Services are appropriate for that category and obtained any necessary additional safeguards.
- It will respond to data subject requests directly and only forward such requests to Sistava where Sistava's assistance is genuinely needed.
- It will configure its AI employees, integrations, channels, and connected accounts in a manner consistent with applicable data protection law, including by minimizing the amount of personal data processed and by applying retention limits.
6. Sub-processors
The customer provides general written authorization for Sistava to engage sub-processors as necessary to provide the Services. We maintain a current list of sub-processors at sista.ai/en/subprocessors. That list is incorporated by reference into this DPA. We will inform the customer of any intended changes concerning the addition or replacement of sub-processors by updating that page, and the customer may object to such changes within thirty (30) days of the update by contacting contact@sista.ai. If the customer reasonably objects, the customer's sole remedy is to terminate the affected portion of the Services and request data export under Section 18.A of the Terms of Service. Sistava imposes contractual obligations on each sub-processor that are no less protective than those in this DPA. Sistava remains liable to the customer for the performance of each sub-processor's obligations.
7. International Data Transfers
Sistava processes Customer Personal Data primarily within the European Economic Area (EEA). Where personal data is transferred to a country outside the EEA that has not received an adequacy decision from the European Commission, Sistava relies on the Standard Contractual Clauses (SCCs) adopted by the European Commission Implementing Decision (EU) 2021/914 (Module 2: Controller to Processor, or Module 3: Processor to Sub-processor, as applicable), which are incorporated by reference into this DPA and apply to such transfers. Sistava also conducts transfer impact assessments where required and applies supplementary measures (such as encryption in transit and at rest) to ensure an essentially equivalent level of protection. For UK transfers, the UK Addendum to the EU SCCs (issued by the UK ICO) applies. For Swiss transfers, the SCCs apply with the references and amendments necessary to comply with the Swiss FADP.
8. Security Measures
Detailed security information is available on our Data Security page. Sistava implements and maintains appropriate technical and organizational security measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including but not limited to:
- Encryption of Customer Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Multi-tenant logical isolation enforced at the model, middleware, resolver, and application layers.
- Role-based access controls and least-privilege principles for staff with access to Customer Personal Data.
- Web application firewall, DDoS protection, and edge security via Cloudflare.
- Continuous security monitoring, error tracking, and anomaly detection.
- Regular backups, point-in-time recovery, and disaster recovery procedures.
- Vulnerability management, dependency monitoring, and timely patching of known security issues.
- Security training and confidentiality obligations for all personnel with access to the platform.
9. Audits
We make available to the customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA, including by providing access to: (a) our Data Security page; (b) our Sub-processors page; (c) any current third-party audit reports, certifications, or attestations we hold; and (d) responses to reasonable written security and privacy questionnaires submitted by the customer. Where the customer reasonably believes that the information made available is insufficient to demonstrate compliance, the customer may request an audit by giving Sistava at least thirty (30) days' prior written notice. Audits will be conducted no more than once per twelve-month period (except where required following a personal data breach or by a data protection authority), at the customer's expense, by an independent third-party auditor agreed in advance with Sistava, subject to mutually-agreed scope, timing, and confidentiality safeguards. Audits must not unreasonably interfere with Sistava's normal business operations and must not require disclosure of information about other customers, internal architecture, or trade secrets.
10. Personal Data Breach Notification
Sistava will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and in any event within seventy-two (72) hours where feasible. The notification will include, to the extent known: (a) the nature of the breach; (b) the categories and approximate number of data subjects and personal data records affected; (c) the likely consequences; and (d) the measures taken or proposed to address the breach and mitigate its possible adverse effects. Sista AI will provide updates as more information becomes available and will reasonably cooperate with the customer in fulfilling the customer's own breach notification obligations under Articles 33 and 34 GDPR.
11. Data Subject Requests
The customer is responsible for responding to data subject requests directly. Sistava will, taking into account the nature of the processing and the information available, provide reasonable assistance to the customer in responding to such requests, including by making available the export, retrieval, and deletion tools described in Section 18.A of the Terms of Service. Sistava will not respond to data subject requests directly unless legally required, in which case it will inform the customer of the request and the response, where permitted by law.
12. Return or Deletion of Personal Data
On termination of the customer's subscription or upon the customer's written request, Sistava will, at the customer's choice, delete or return all Customer Personal Data, in accordance with the export and deletion process set out in Section 18.A of the Terms of Service, unless EU or member state law requires storage of the personal data. Customer Personal Data may persist in standard backup and disaster-recovery systems for a limited period before being overwritten in the ordinary course of those systems.
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in Section 24 of the Terms of Service, except where applicable mandatory law prohibits such limitation.
14. Order of Precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict and only with respect to the processing of Customer Personal Data. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.
15. Contact
For data protection inquiries, including DPA signature requests, sub-processor objections, audit requests, and personal data breach notifications, contact contact@sista.ai.