AI Will Do Platform – Data Processing Agreement (DPA)

Last updated: 12.01.2026 (version 1)


Between:

Viktal Sàrl
Registered in the Grand Duchy of Luxembourg
RCS Number: B213459
Registered address: 1 Rue Bender, 1229 Luxembourg
Email: [email protected]

(“Processor”)

and

Client (“Controller”)


This Data Processing Agreement (“DPA”) supplements and forms an integral and inseparable part of the AI Will Do Platform – Terms of Service (SaaS) dated 07.01.2026 (the “Terms”) and the Contract as defined therein. The current version of the Terms is made available by the Provider on its website and may be accessed via a publicly available URL referenced therein.

For the avoidance of doubt, the “Contract” consists of (a) the executed Order Form(s), (b) the Terms, and (c) any executed Agreement, as such terms are defined in the Terms. In the event of any conflict, the order of precedence defined in the Terms shall apply.

This DPA governs the processing of personal data under Regulation (EU) 2016/679 (“GDPR”) carried out by the Processor on behalf of the Controller in connection with the provision of the Service.

Definitions

For the purposes of this DPA, the following terms shall have the meanings assigned to them:

Capitalised terms used but not otherwise defined in this DPA shall have the meanings assigned to them in the Terms, including but not limited to: “Service”, “Software”, “Contract”, “Order Form”, “Agreement”, “Client Data”, “AI Agent”, “Knowledge Base”, “Instructions for AI Agent”, “Communication Channel” and “Third‑Party Platforms”.


1. Subject and Duration

1.1. Subject of Processing — The Processor shall process personal data on behalf of the Controller strictly for the purposes of delivering, maintaining, securing, and supporting the Service.

1.2. Duration — This DPA remains in force for the duration of the Contract and any period during which the Processor retains Client Data in accordance with the Contract.


2. Nature and Purpose of Processing

The processing activities performed by the Processor include, but are not limited to:

  1. transmission and routing of messages via integrated Communication Channels;
  2. storage and organisation of conversation history;
  3. automated and AI‑based processing of message content for generating responses;
  4. management of contact profiles and communication metadata;
  5. execution of automation workflows required for service operation.

The purpose of processing is to enable communication and service delivery through the AI Agent and human operators, as well as to ensure proper functionality of the platform.


3. Categories of Data Subjects and Data Types

3.1. Data Subjects

  1. End users who contact the Controller via communication channels connected to the Service;
  2. Personnel of the Controller who use the Service.

3.2. Types of Personal Data Processed

  1. Identification and contact data (e.g., names, phone numbers, email addresses, channel identifiers);
  2. Conversation content (messages, attachments, instructions, Knowledge Base content);
  3. Technical data and metadata (timestamps, IP addresses, device identifiers, message routing information).

The Service is not intended to process special categories of personal data under Art. 9 GDPR. Any such processing occurs solely under the responsibility and control of the Controller.


4. Obligations of the Processor (Viktal)

The Processor shall:

  1. process personal data only in accordance with the documented instructions of the Controller as set out in the Contract, which consist exclusively of (i) the Controller’s configuration and use of the Service, including settings, enabled features, and selected Communication Channels, (ii) the content intentionally entered by the Controller into the Knowledge Base, and (iii) any additional written instructions expressly agreed between the Parties. The Processor shall not process personal data for any purpose outside the scope of the Service or the Contract;
  2. ensure that persons authorised to process personal data are bound by confidentiality obligations;
  3. implement appropriate technical and organisational measures (“TOMs”) aligned with GDPR requirements, taking into account the nature, scope, context, and risks of processing;
  4. assist the Controller in meeting obligations related to data subject rights, data protection impact assessments, and consultations with supervisory authorities, as applicable;
  5. notify the Controller without undue delay in the event of a personal data breach;
  6. delete or return all personal data after the termination of the Contract, unless Union or Member State law requires retention.

5. Obligations of the Controller (Client)

The Controller shall:

  1. ensure that personal data is processed lawfully and that the Processor receives only data which the Controller is entitled to process;
  2. provide accurate, up-to-date, and relevant data;
  3. inform end users transparently about the processing activities performed through the Service;
  4. ensure that appropriate legal grounds exist for all processing activities;
  5. independently fulfil all obligations regarding data subject rights (access, rectification, erasure, etc.).

The Controller remains solely responsible for the content of communications, Knowledge Base content, and all instructions given to the Processor.


6. Sub-processors

6.1. Authorization — The Controller authorizes the Processor to engage sub-processors necessary for the operation of the Service. These may include:

  1. hosting providers (e.g., EU-based data centers such as Hetzner),
  2. communication infrastructure providers (e.g., Twilio, Meta, Telegram, Google, etc.),
  3. AI model providers (e.g., OpenAI EU endpoint; OpenAI international endpoints with Standard Contractual Clauses (SCCs); Anthropic Claude via EU or SCC-based endpoints; Google Gemini/Vertex AI EU region; Mistral AI EU-hosted models; X (Grok) models via SCC-based endpoints; DeepSeek models via SCC-based or EU-hosted endpoints, where applicable).

6.2. Obligations — The Processor shall ensure that sub-processors are bound by written agreements imposing data protection obligations equivalent to those in this DPA.

6.3. Changes to Sub-processors — The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the possibility to object on reasonable grounds.


7. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), the Processor shall ensure that:

  1. transfers are made to countries with an adequacy decision; or
  2. Standard Contractual Clauses (SCCs) or other appropriate safeguards are implemented; and
  3. supplementary measures are applied where required to ensure an adequate level of protection.

8. Technical and Organizational Measures (TOMs)

The Processor implements and maintains industry-standard TOMs, including:

  1. HTTPS/TLS encryption for all external data transfers across public networks, with internal system components communicating within secured infrastructure environments;
  2. controlled and authenticated access;
  3. role-based access permissions;
  4. data segregation per Client workspace;
  5. logging, monitoring, and anomaly detection;
  6. secure EU-based hosting infrastructure;
  7. regular software updates and security patches.

9. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Client Data. The notification shall include information reasonably required for the Controller to comply with its legal obligations.


10. Deletion or Return of Data

Upon termination of the Contract:

  1. the Processor will delete all Client Data within 30 days, unless otherwise required by law or agreed with the Client;
  2. backups and residual copies will be overwritten or expire automatically according to the retention schedule;
  3. earlier deletion may be requested by the Controller in writing, provided it does not violate legal obligations.

11. Audit Rights

The Controller may request documentation, security information, or remote assessments to verify the Processor’s compliance with this DPA. Audits must be reasonable, proportionate, and must not compromise the security or functioning of the Service.


12. Governing Law

This DPA is governed by the laws of Luxembourg. Jurisdiction for disputes lies with the courts of Luxembourg City.

