Our Data Processing Agreement (DPA) pursuant to Art. 28 GDPR

On this page, you will find all relevant information regarding our Data Processing Agreement (DPA) pursuant to Art. 28 GDPR — including a compact summary of key contents, role definitions, required annexes, and access to the full agreement for download.

Our aim is to provide you with a transparent and legally secure foundation for using our AI-based solution to transcribe and analyze online meetings.

Download the DPA (English)
Download the DPA (German)


What does the DPA cover?

  • Standard contract for customers (AVV / DPA)
  • Scope: purpose limitation, deletion, security, subprocessors
  • Integral part of every contractual relationship
  • Available as PDF / link download
  • Contact person for questions (privacy@sally.io)

Key Contents of Our DPA

  • Purpose of processing: transcription and analysis of online meetings using AI.
  • Roles:
    • Processor: Aliru GmbH (provider of Sally AI solution)
    • Controller: The customer using the solution.
  • Personal data processed: meeting conversation data (audio, video, transcripts, participant details).
  • Storage & location: exclusively within the EU (preferably Germany), encrypted storage, no third-country transfer.
  • Security measures: documented in Annex 1 (e.g., access control, encryption, backups, audit logging).
  • Subprocessors: listed in Annex 3 (Microsoft Azure, AWS, DeepL, Stripe, etc.).
  • Deletion policy: data is deleted or returned within 30 days after contract termination, unless legal retention applies.
  • No AI training with customer data: personal data is not used for model training or Processor’s own purposes.
  • Audit rights: customers may review compliance and receive evidence (e.g., certifications, audit reports).
  • Incident response: Processor must notify the Controller of any personal data breaches within 24 hours.
  • Liability: defined responsibilities for Processor and Controller under GDPR Articles 28 and 82.

Annexes Included in the DPA

  1. Technical and Organisational Measures (TOMs)
  2. Record of Processing Activities
  3. List of Subprocessors
  4. Data Protection Impact Assessment (DPIA)
  5. AI Compliance Declaration (EU AI Act)
  6. Compliance with Regulation (EU) 2024/1689 – AI Act
  7. Process descriptions for the use of Sally

How to Get the Full DPA

You can access the full legally binding document here:

For any questions regarding the DPA or data protection, please contact our Data Protection Officer:
Fabian Kissel & Norten Engele — privacy@sally.io