The DPA is an agreement between our third-party provider (Data Processor) and Dstny Sverige AB (Data Controller) that regulates the handling of personal data in accordance with GDPR. The agreement ensures that the third-party provider processes personal data in compliance with applicable legal requirements and in accordance with the customer’s instructions.

The third-party provider handles, among other things:

• Customer data – such as account details and transaction history

• Behavioral data – including interaction patterns and engagement levels

• Contact details for meeting participants – including name, email address, and phone number

To ensure the highest level of data security, the third-party provider applies a combination of technical and organizational security measures, such as:

• Encryption of data both in transit and at rest

• Strict access controls with role-based permission management

• Regular security audits, including penetration testing

• Established incident response plan for swift action in case of security incidents

Yes, the third-party provider uses approved sub-processors

• Entire Nordic AB (Hosting services, Sweden)

• Scaleway (Hosting, storage, and transactional emails, France)

• Symplify Technologies AB (Email and SMS communication, Sweden)

No, all storage and processing of personal data take place within the EU/EEA. If a transfer outside this area becomes necessary, written approval from the customer is required along with the implementation of appropriate safeguards in accordance with GDPR Chapter V.

In the event of a personal data incident, the third-party provider notifies Dstny within 24 hours. The incident report includes:

• Type of incident

• Categories of affected data

• Assessed consequences

• Measures taken and planned actions to mitigate the impact

Customers can use the platform to retrieve and manage their data. Data subjects who wish to exercise their rights under GDPR (such as the right to erasure or correction of data) should contact the customer’s data controller.

Customers have the right to conduct audits and inspections of both the third-party provider and its potential sub-processors. Audits are carried out in accordance with the processes and terms outlined in the DPA.

As a default, personal data is stored for 12 months, but the retention period can be customized through settings. Upon termination of the service, the customer has 30 days to download their data before it is permanently deleted.

The AI provider’s AI policy aims to ensure the responsible, transparent, and compliant use of AI-based conversational intelligence. The policy is designed to comply with the EU’s AI Regulation and GDPR.

The AI provider applies AI technology to:

• Transcribe speech to text

• Identify speakers and analyze conversations

• Automatically summarize conversations

• Detect conversation patterns

• Analyze customer interactions and process fulfillment

The AI provider is not considered a high-risk AI under the EU’s AI Regulation. A comprehensive risk management strategy ensures that the AI system is used in a safe and predictable manner. Measures include:

• Human oversight of AI-generated insights

• Transparency and traceability in AI analysis

• Regular risk assessments and compliance checks

No, all AI processing and data storage take place within the EU’s data centers in accordance with GDPR and our Data Processing Agreement (DPA).

The AI provider implements robust security procedures, including:

• End-to-end encryption of data during transmission and storage

• Strict access controls based on role-based permissions

• Regular security audits and risk assessments

To maintain high transparency, the AI provider offers:

• Clear information about AI-generated content

• Explanations of the system’s capabilities and limitations

• Options for human oversight and the ability for manual adjustments

• Regular updates on system changes and policy updates

No, the AI provider’s technology functions only as decision support and does not make independent decisions. The end user always retains ultimate responsibility for decisions based on AI-generated insights.

To ensure fair and accurate AI usage, the AI provider conducts:

• Regular algorithm reviews and quality controls

• Systematic bias detection and action plans for identified deviations

• Continuous monitoring and updating of AI models to improve accuracy and neutrality

The AI provider adheres to established regulations and security standards, including:

• EU’s AI Regulation – for responsible AI usage

• GDPR (General Data Protection Regulation) – for protection of personal data

• ISO 27001 and SOC 2 Type II – international standards for information security and data protection

For AI-related questions or support, please contact your contact person at Dstny or Dstny support.