Order Processing Agreement (OPA)

between the Client (Controller) and ALL AVATAR GmbH (Processor) for the ‘Frag-Maria’ service
As of 1 January 2026

1. Parties, Scope and Term

1. Client / Controller:
The company that contractually books the ‘Frag-Maria’ services (company data as per the main contract/order).
2. Processor:
ALL AVATAR GmbH, Obere Spichermatt, 6370 Stans, Switzerland, email: fragmaria@allavatar.ai
3. Sub-processor:
Salesbroker GmbH, Obere Spichermatt, 6370 Stans, Switzerland (technical enablement services ‘powered by Salesbroker’) as well as the other sub-processors listed in Appendix 1.
4. Scope: This DPA governs the processing of personal data by ALL AVATAR within the scope of the AI service Frag-Maria (chat, telephony/voicebot, digital avatar) for the client.
5. Term: Applies for the duration of the contractual use of Frag-Maria. Ends automatically upon termination of the main contract. Deviations apply insofar as there are after-effects (e.g. deletion/return).


2. Subject matter, type and purpose of processing

1. Subject matter: Operation, provision and support of Frag-Maria, including necessary AI functions (ASR/STT, NLU/NLG, TTS), transcription, logging, monitoring, quality assurance and error analysis.
2. Type of processing: Collection, organisation, storage, adaptation, retrieval, transmission (within the order chain), restriction, deletion/anonymisation.
3. Purposes: Fulfilment of contractually agreed services (dialogue processing, scheduling/routing, support forwarding), operation & security, service quality, evaluation of technical key figures, legal obligations.


3. Categories of data subjects and types of data

1. Data subjects: Customers/prospective customers/website visitors of the client, communication partners, employees of the client (if involved).
2. Types of data:
– Dialogue/content data (chat, audio/transcripts), metadata/logs, contact details (e.g. email for callback), usage/technical data (e.g. timestamps, system events).
– Special categories within the meaning of Art. 9 GDPR / particularly sensitive personal data according to DSG: are not specifically processed. If, in exceptional cases, such data enters the dialogue, processing is only carried out on a situational basis for the purpose of fulfilling the contract; the client ensures that such content is not included if possible or that appropriate security queries/checks are provided for in the flow.


4. Responsibilities and instructions

1. The client is the controller (GDPR/DSG) and remains responsible for legality, transparency and information for data subjects.
2. ALL AVATAR processes data exclusively on the documented instructions of the client (including instructions stored in system configurations/flows).
3. ALL AVATAR may reject instructions that are manifestly unlawful and will clarify this with the client.


5. Confidentiality, personnel and access control

1. ALL AVATAR obliges all employees and commissioned persons to maintain confidentiality.
2. Access is granted according to the need-to-know principle and with role-based rights (least privilege, MFA for admins).


6. Technical and organisational measures (TOM)

1. ALL AVATAR maintains a level of security appropriate to the risk (Art. 32 GDPR/DSG), including:
– TLS transport encryption, protection of data at rest where possible,
– client separation, hardening & patch management,
– access controls, logging & monitoring,
– backup/recovery, incident and vulnerability management,
– data minimisation, region pinning (EU/CH preferred), zero retention if supported by the respective sub-processor.
2. An overview of TOMs can be found in Appendix 2. ALL AVATAR reserves the right to make adjustments that do not reduce the level of protection.


7. Support obligations of the processor

1. Data subject rights: ALL AVATAR shall provide the client with appropriate support in relation to information, corrections, deletions, restrictions, data portability and objections/revocations.
2. Security measures & DPIA: Support in relation to Articles 32–36 GDPR (e.g. data protection impact assessment), insofar as this concerns the processing part.
3. Notifications: ALL AVATAR shall notify the client of any breaches of personal data protection immediately and without undue delay (guideline: within 24 hours of becoming aware of the breach), providing the available information in accordance with Art. 33(3) GDPR.


8. Subcontracting relationships (sub-processors)

1. The client approves the sub-processors listed in Appendix 1 (including Salesbroker GmbH).
2. ALL AVATAR contractually obliges sub-processors to at least the level of this DPA (Art. 28(4) GDPR/DSG).
3. Change procedure: ALL AVATAR shall provide advance notice of planned changes (e.g. email to the specified address). Right of objection within 14 calendar days; in the event of an irresolvable conflict, there is a special right of termination for the service concerned.
4. International data transfer: see Section 9.


9. Third country transfers

1. Transfers to third countries shall only take place in the event of an adequacy decision (e.g. EU-US DPF), on the basis of SCC including supplementary measures, or on the basis of legal exceptions or consent.
2. Where possible, ALL AVATAR shall choose EU/CH locations and zero retention/EU tenants.

10. Confidentiality and trade secrets

1. Confidential information and trade secrets of both parties must be protected; use only for the purpose of fulfilling the contract. Disclosure only within the order chain or in the event of a legal obligation.

11. Evidence, audits

1. ALL AVATAR shall provide adequate evidence of compliance with this DPA (e.g. policies, certificates/reports, information on TOM).
2. Audits/inspections by the client or designated auditors are permitted after reasonable advance notice and during business hours; they must not unreasonably interfere with operations. Audits of sub-processors must be coordinated directly with them; ALL AVATAR shall provide appropriate support.


12. Deletion and return of data

1. Upon termination of the contract or upon instruction, ALL AVATAR shall delete or return all personal data of the client (including copies), unless there are legal retention obligations to the contrary.
2. Standard deadlines: operational dialogue and log data at short notice; backups according to rotation plan; details according to Appendix 3 (deletion concept).
3. Deletions will be confirmed in writing upon request.


13. Notifications and contact point

ALL AVATAR GmbH – fragmaria@allavatar.ai
The client shall notify ALL AVATAR in writing of any other reporting points/contacts (e.g. data protection/security contact).


14. Liability

Material liability is governed by the main contract. With regard to the GTC, ALL AVATAR shall be liable for breaches of these GTC within the scope of the statutory provisions and the contractually agreed liability provisions.


15. Applicable law and place of jurisdiction
Swiss law shall apply exclusively (without conflict of law rules). Place of jurisdiction: 6370 Stans, Nidwalden (CH).




 
 
 
 