Data Processing Agreement

Data Processing Agreement - ExValu

Jump to: About this DPA DPA text Annex I - Processing details Annex II - Security measures Annex III - Sub-processors Signature

Overview

About This Document

This page explains ExValu's data processing obligations and provides the full text of ExValu's standard Data Processing Agreement (DPA) for B2B clients. If you are a business client whose data ExValu processes during an engagement, you need to sign this DPA before processing begins.

Important - who this document is for: This DPA governs the relationship between ExValu (as a data processor) and business clients (as data controllers) when ExValu processes personal data belonging to the client's business - for example, the client's customer records, employee data, or CRM contacts - during a consulting engagement. It is not a document for website visitors. If you are a website visitor looking for information about how ExValu handles your personal data, see the Privacy Policy.

Two different data relationships

ExValu operates in two distinct data roles depending on the context:

ExValu as Data Controller

Website visitors and prospects

When you visit exvalu.com, book a call, or enquire about services, ExValu is the data controller. ExValu decides why and how your contact data is processed. This relationship is governed by the Privacy Policy - not this DPA.

ExValu as Data Processor - THIS DPA applies

Business clients during engagements

When ExValu processes personal data belonging to a client's business - their customers, employees, or contacts - during delivery of the Exit Readiness Program or other services, ExValu acts as a data processor following the client's instructions. This relationship requires a signed DPA under GDPR Article 28.

A third relationship - joint controllership: For certain processing activities during exit readiness work, ExValu and the Client jointly determine the purposes and means of processing - for example, when ExValu researches the Client's key personnel from external sources such as public registers or licensed firmographic platforms. In those specific cases, ExValu and the Client are joint controllers under GDPR Article 26 and a separate Joint Controllership Agreement (JCA) applies. This DPA covers the processor role only. See Section 13 of the Privacy Policy for the essence of the joint-controller arrangement.

When you need to sign this DPA

A signed DPA between ExValu and your organisation is required before ExValu begins processing any personal data that belongs to your business. This includes:

Knowledge capture sessions involving recordings of your employees or team members
Access to your CRM, customer database, or contact lists for system configuration
Building or configuring automated email sequences using your contact data
Creating knowledge bases or SOP libraries that contain information about identified individuals
Any other processing of personal data on your behalf as part of the Exit Readiness Program

The DPA is included as a standard annex to all ExValu engagement proposals. If you have not yet received a signed DPA and believe you should have one, contact [email protected].

For M&A due diligence: If you are an M&A advisor, PE firm, or buyer conducting due diligence on an ExValu client, this DPA and the annexes below demonstrate ExValu's GDPR Article 28 compliance framework. A signed copy of the DPA specific to a client engagement is available on request with the client's consent.

The agreement

Data Processing Agreement - Full Text

This Data Processing Agreement ("DPA") is entered into between:

Data Controller: The business client named in the ExValu engagement proposal ("Controller", "you", "Client")

Data Processor: ExValu, operated by Karl zu Ortenburg, Gstaller Weg 36, 82166 Grafelfing, Federal Republic of Germany ("ExValu", "Processor", "we")

This DPA forms part of and supplements the ExValu Terms of Service and any signed engagement proposal or Statement of Work between the parties (collectively the "Agreement"). Capitalised terms not defined here have the meaning given in the Terms of Service.

Article 1 - Purpose and Scope

1.1 This DPA governs the processing of personal data by ExValu on behalf of the Controller in connection with the services described in the Agreement, specifically where ExValu processes personal data belonging to the Controller's business (including Controller's customers, employees, prospects, and other data subjects).

1.2 This DPA implements the requirements of GDPR Article 28 and constitutes the written contract required between controller and processor under EU data protection law. The Annexes to this DPA form part of and are incorporated into it.

1.3 Processing details, including the subject matter, duration, nature, purposes, types of personal data, and categories of data subjects, are set out in Annex I. Technical and organisational security measures are set out in Annex II. Authorised sub-processors are listed in Annex III.

1.4 This DPA covers the processor relationship under GDPR Article 28 only. For processing activities in which ExValu and the Controller jointly determine the purposes and means of processing - in particular, research and enrichment of data relating to the Controller's key personnel from external public or licensed firmographic sources - a separate Joint Controllership Agreement (JCA) under GDPR Article 26 applies. The JCA is incorporated into the engagement proposal or signed as a separate instrument. Where this DPA and the JCA overlap, each instrument applies to the processing activities within its own scope.

Article 2 - Instructions and Processing Boundaries

2.1 ExValu shall process personal data only on documented instructions from the Controller, including as set out in this DPA, the Agreement, and any written instructions provided during the engagement. ExValu shall not process personal data for any other purpose.

2.2 If ExValu is required by EU or German law to process personal data beyond the Controller's instructions, ExValu shall inform the Controller before such processing unless the law prohibits such notification on grounds of public interest.

2.3 ExValu shall immediately notify the Controller if, in ExValu's opinion, an instruction from the Controller violates applicable data protection law. In such cases, ExValu is entitled to suspend the relevant processing until the Controller provides clarified instructions.

2.4 The Controller remains the data controller for all personal data it provides to ExValu and retains full responsibility for the lawfulness of processing, the lawfulness of the instructions given to ExValu, and for ensuring data subjects have been appropriately informed about the processing.

Article 3 - Confidentiality

3.1 ExValu shall ensure that all personnel authorised to process personal data under this DPA are subject to a binding duty of confidentiality with respect to that data, either by statute or by contractual obligation.

3.2 ExValu shall limit access to personal data to those personnel who need access to perform the services under the Agreement, applying the principle of least privilege.

3.3 The confidentiality obligation survives termination of this DPA and the Agreement.

Article 4 - Security of Processing

4.1 ExValu shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons, as required by GDPR Article 32.

4.2 The specific technical and organisational measures ExValu implements are described in Annex II. ExValu shall review and update these measures as necessary to maintain appropriate security.

4.3 ExValu shall take appropriate steps to ensure that any natural person acting under its authority who has access to personal data does not process it except on the Controller's instructions.

Article 5 - Sub-processors

5.1 The Controller grants ExValu general written authorisation to engage the sub-processors listed in Annex III for the processing activities described in this DPA.

5.2 ExValu shall notify the Controller of any intended additions or replacements to the sub-processors listed in Annex III with at least 14 days written notice prior to engaging the new sub-processor. The Controller may object to a new sub-processor within that notice period on reasonable data protection grounds by written notice to ExValu.

5.3 If the Controller objects and the parties cannot resolve the objection within 14 days, the Controller may terminate the affected service on written notice without penalty, provided the objection relates specifically to the new sub-processor and not to the services generally.

5.4 Where ExValu engages a sub-processor, it shall impose equivalent data protection obligations on that sub-processor by written contract, including all requirements of GDPR Article 28(3). ExValu remains fully liable to the Controller for the performance of the sub-processor's obligations under this DPA.

5.5 ExValu shall make the list of current sub-processors available to the Controller on request. The current list is published in Annex III of this DPA.

Article 6 - Data Subject Rights Assistance

6.1 ExValu shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures where possible in fulfilling the Controller's obligation to respond to data subject rights requests under GDPR Chapter III (including rights of access, rectification, erasure, restriction, portability, and objection).

6.2 Upon receiving a data subject rights request directly from a data subject that relates to personal data processed under this DPA, ExValu shall promptly forward the request to the Controller and shall not respond to the data subject directly unless instructed to do so by the Controller or required to by applicable law.

6.3 ExValu shall assist the Controller in ensuring compliance with its obligations regarding security of processing (GDPR Article 32), notification of personal data breaches (Articles 33-34), and, where applicable, data protection impact assessments (Article 35) and prior consultation with supervisory authorities (Article 36).

Article 7 - Data Breach Notification

7.1 ExValu shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware, of any personal data breach affecting personal data processed under this DPA.

7.2 The breach notification shall include, to the extent available at the time of notification: a description of the nature of the breach including the categories and approximate number of data subjects and personal data records affected; the contact details of the ExValu privacy contact; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects.

7.3 Where all required information cannot be provided at the same time, ExValu may provide it in phases without undue further delay.

7.4 ExValu shall maintain records of all personal data breaches, including those that do not require notification to supervisory authorities, in accordance with GDPR Article 33(5).

7.5 ExValu's competent supervisory authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany. Where breach notification to a supervisory authority is required under GDPR Article 33, and where the breach affects personal data processed on behalf of the Controller, ExValu will cooperate with the Controller on any notification the Controller is required to make to its own lead supervisory authority.

Article 8 - Audit Rights

8.1 ExValu shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and GDPR Article 28, and shall allow and contribute to audits and inspections conducted by the Controller or an auditor appointed by the Controller.

8.2 Audits shall be conducted with reasonable prior written notice (at least 14 days unless urgency requires otherwise), during normal business hours, and in a manner that minimises disruption to ExValu's operations.

8.3 The parties shall bear their own costs for audits unless the audit reveals material non-compliance by ExValu, in which case ExValu shall bear the reasonable costs of the audit.

8.4 Where the Controller requests audit information that ExValu provides by way of third-party certification, audit reports, or security attestations, these shall satisfy the audit right to the extent they cover the relevant processing activities.

Article 9 - International Data Transfers

9.1 ExValu shall not transfer personal data processed under this DPA to a country or international organisation outside the EU/EEA without the Controller's prior written authorisation and without ensuring appropriate safeguards under GDPR Chapter V are in place.

9.2 Where sub-processors listed in Annex III are located outside the EU/EEA, ExValu implements one or more of the following transfer mechanisms as applicable: (a) an adequacy decision under GDPR Article 45 (for example, the United Kingdom and Switzerland); (b) certification under the EU-US Data Privacy Framework (DPF), the UK Extension, or the Swiss-US DPF; (c) Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914; or (d) other valid Article 46 safeguards. The specific mechanism applied to each sub-processor is recorded in Annex III.

9.3 For each transfer to a country outside the EU/EEA that does not benefit from an adequacy decision, ExValu conducts a Transfer Impact Assessment (TIA) consistent with EDPB Recommendations 01/2020. The TIA evaluates the law and practice of the destination country and identifies any supplementary technical, organisational, or contractual measures necessary to ensure an essentially equivalent level of protection. Completed TIAs are held on file and made available to the Controller on reasoned request.

9.4 ExValu re-verifies the DPF certification status of US sub-processors quarterly at dataprivacyframework.gov and takes immediate action in the event of any lapse or change in certification status.

9.5 Where the Controller requests details of the transfer mechanisms in place for a specific sub-processor, ExValu shall provide this information within 14 days.

Article 10 - Return and Deletion of Data

10.1 Upon termination or expiry of the Agreement, or upon the Controller's request at any time, ExValu shall, at the Controller's choice: return all personal data to the Controller in a commonly used, machine-readable format; or securely delete and destroy all personal data processed under this DPA.

10.2 ExValu shall complete the return or deletion within 30 days of the relevant event and shall provide the Controller with written confirmation of completion.

10.3 ExValu may retain personal data beyond this period only where required by applicable EU or German law, and only to the minimum extent required. ExValu shall notify the Controller of any such retention obligation at the time of the deletion request, specifying the legal basis and retention period.

10.4 Specifically, German commercial and tax law (HGB §257, AO §147) requires ExValu to retain accounting books and invoices for 10 years and business correspondence for 6 years from the end of the calendar year in which the record arose. Where a document processed under this DPA falls within these statutory retention categories, ExValu retains the minimum version necessary to satisfy the statutory obligation. Retained documents are held with restricted access and are deleted once the statutory retention period expires.

10.5 This Article survives termination of the Agreement.

Article 11 - Liability and Indemnity

11.1 Each party shall be liable to the other and to data subjects for damage caused by processing that violates GDPR in accordance with GDPR Articles 82 and 83 and applicable German law.

11.2 ExValu shall be exempt from liability under GDPR Article 82(3) if it demonstrates that it is not in any way responsible for the event giving rise to the damage, including where the damage results from the Controller's instructions or the Controller's failure to fulfil its own GDPR obligations.

11.3 Liability between the parties for breach of this DPA is subject to the limitations set out in the Terms of Service, except where GDPR mandatory provisions apply.

Article 12 - Duration and Termination

12.1 This DPA takes effect on the date it is signed by both parties and remains in force for as long as ExValu processes personal data on behalf of the Controller under the Agreement.

12.2 Obligations under Articles 3 (Confidentiality), 10 (Return and Deletion), and 11 (Liability) survive termination.

12.3 In the event of a conflict between this DPA and the Agreement, this DPA shall prevail to the extent the conflict relates to data protection obligations.

Article 13 - Governing Law and Disputes

13.1 This DPA is governed by the laws of the Federal Republic of Germany. The parties submit to the exclusive jurisdiction of the courts of Munich, Germany for all disputes arising under this DPA, subject to mandatory provisions of applicable data protection law.

13.2 Nothing in this DPA restricts a data subject's right to lodge a complaint with a supervisory authority or to seek judicial remedy against either party in accordance with GDPR Articles 77 and 79.

Annex I - Processing Details

Required under GDPR Article 28(3) - subject matter, duration, nature, purpose, data types, and data subjects

A. Parties

Data Controller	As named in the ExValu engagement proposal
Data Processor	ExValu, Karl zu Ortenburg, Gstaller Weg 36, 82166 Grafelfing, Federal Republic of Germany. Contact: [email protected]

B. Subject matter and duration

ExValu processes personal data on behalf of the Controller for the duration of the engagement as set out in the Agreement, plus any retention period required by law after engagement close. The subject matter is the delivery of the Exit Readiness Program and associated services including AI system configuration, process documentation, and knowledge capture.

C. Nature and purpose of processing

Processing activity	Purpose
Knowledge capture sessions	Recording and transcribing subject matter expertise of the Controller's personnel to build documented process libraries and Company Brain systems
CRM and workflow configuration	Accessing and configuring the Controller's CRM (GoHighLevel or equivalent) including contact records, pipeline stages, and automated sequences
Email sequence implementation	Building and testing automated email sequences using the Controller's contact database, including segmentation and personalisation fields
SOP and documentation creation	Creating documented processes, decision frameworks, and operational guides that may reference identified individuals by role or name
Exit Readiness Dossier compilation	Assembling documented evidence of operational systems, which may include references to the Controller's team, clients, and processes

Note on payment processing: Payment providers (Stripe, PayPal) act as independent controllers of payment data under their own privacy policies and PCI-DSS obligations. They are not sub-processors of ExValu and are not listed in Annex III. Payment processing does not fall within the scope of this DPA.

D. Types of personal data processed

Employee and team member data: names, roles, contact details, expertise areas, voice/video recordings
Customer and prospect data: names, email addresses, phone numbers, company details, interaction history
Business contact data: names, email addresses, phone numbers of suppliers, partners, and third parties
Operational data: process notes, decision records, and documentation that may reference identified individuals

Special category data is not anticipated. If any processing would involve special category data, the parties will agree an amendment to this Annex before such processing begins.

E. Categories of data subjects

The Controller's employees, contractors, and team members
The Controller's customers and prospects
The Controller's suppliers and business contacts
Former employees or clients referenced in historical process documentation

F. Retention during engagement

ExValu retains personal data processed under this DPA only for the duration necessary to deliver the agreed services. Session recordings are retained for a maximum of 2 years or until engagement close, whichever is sooner. All other personal data is returned or deleted within 30 days of engagement close, subject to any legal retention requirements notified to the Controller (see Article 10.4).

Annex II - Technical and Organisational Security Measures

Required under GDPR Articles 28(3)(c) and 32

ExValu implements the following technical and organisational measures (TOMs) to ensure the security of personal data processed under this DPA. These measures represent the minimum standard. ExValu reviews and updates them periodically.

Access control and authentication

Two-factor authentication (2FA) required for all accounts with access to personal data
Role-based access controls: access limited to personnel with a documented need
Principle of least privilege applied to all system permissions
Immediate access revocation procedures on personnel departure
Structured secret management: credentials and API keys stored in encrypted secret stores, never in plain text or source code

Encryption and data security

SSL/TLS encryption for all personal data in transit
AES-256 encryption for personal data at rest in cloud storage
Device-level encryption on all workstations and mobile devices used to access personal data
Encrypted backups stored in geographically separate locations
Secure deletion procedures for all personal data (overwrite, not just marking deleted)

System and infrastructure security

Firewalls and network-level intrusion detection on all systems handling personal data
Regular security updates and patch management
Vulnerability assessments on an ongoing basis
All sub-processors selected based on demonstrated security certifications (SOC 2, ISO 27001, or equivalent)
Quarterly re-verification of EU-US Data Privacy Framework certification status for all US sub-processors

Organisational measures

All personnel with access to personal data bound by confidentiality obligations
Annual data protection awareness training
Documented incident response procedure with 48-hour breach notification target for the Controller
Regular review and audit of sub-processor compliance
Data minimisation applied at collection: only data necessary for the defined purpose is processed

Physical security

All processing occurs on secured, encrypted devices
No personal data is processed on unsecured or public networks
Physical access to devices with personal data is controlled and limited to authorised personnel

Voice dictation rule

Sensitive client personal data is dictated only using on-device voice-to-text tools (Weesper Neon Flow) where audio is processed locally and never leaves the local device
Cloud-based voice dictation tools (Wispr Flow) are restricted to non-sensitive, general-purpose drafting (marketing copy, general correspondence); these tools remain listed as sub-processors in Annex III because cloud dictation inherently processes any personal data referenced in the dictated content
This separation is enforced as a documented operating rule and applies to all ExValu personnel

Recording and knowledge capture sessions

Sessions recorded only with explicit prior consent of all participants
Recording conducted exclusively on video-conference platforms (Zoom, Google Meet, Microsoft Teams) - not on PSTN telephone calls
Recordings stored in access-controlled cloud environments with 2FA protection
Recording links shared only with authorised parties via encrypted channels
Where meeting-transcription services (such as Fathom) are used, AI model training on meeting content is disabled in ExValu's account settings
Recordings deleted from ExValu systems within 30 days of engagement close or on Controller request

III

Annex III - Authorised Sub-processors

Required under GDPR Article 28(2) and (4) - list current as of 20 April 2026

The Controller grants general written authorisation to engage the following sub-processors. ExValu will notify the Controller of any changes with at least 14 days advance notice. The Controller may object to any new sub-processor within the notice period on reasonable data protection grounds.

Sub-processor	Purpose	Location	Transfer mechanism
GoHighLevel (HighLevel Inc.)	CRM, pipeline management, email and SMS automation, workflow configuration	USA / EU data centres	SCCs (2021/914); EU-US Data Privacy Framework; TIA completed
Notion (Notion Labs Inc.)	Knowledge base, Company Brain content, documented processes, SOP storage, compliance documentation	USA / EU region option	SCCs (2021/914); EU-US Data Privacy Framework; EU-region storage enabled; TIA completed
Google Workspace (Google LLC)	Email, calendar, document storage for engagement materials	EU data centres (primary)	EU adequacy for EU-region data; SCCs and EU-US DPF for any residual US processing
Google Drive (Google LLC)	Exit Readiness Dossier storage and collaboration (where used by the Controller)	EU data centres	EU adequacy; SCCs; EU-US DPF
Microsoft SharePoint (Microsoft Corp.)	Exit Readiness Dossier storage and collaboration (where the Controller operates on Microsoft infrastructure)	EU data centres	EU adequacy; SCCs; EU-US DPF (Microsoft certified)
Zoom / Google Meet	Video calls and knowledge capture sessions (where recordings are taken with all-participants consent)	USA / EU	SCCs (2021/914); EU-US DPF
Fathom (Fathom Video Inc.)	Video-meeting transcription and AI summary (video conferences only, never telephone)	USA	EU-US DPF (UK Extension, Swiss-US DPF); SCCs; DataRep EU/UK representative; AI-training opt-out enabled; TIA completed
Synthesia (Synthesia Ltd.)	AI avatar video generation for marketing content (public website content only; no Controller personal data processed)	United Kingdom	UK adequacy decision
Cookiebot (Cybot A/S)	Consent management platform for exvalu.com (TDDDG §25 compliance evidence)	Denmark (EU)	EU-hosted; no transfer required
Bunny.net (BunnyWay d.o.o.)	Font delivery (no personal data retained per Bunny.net privacy policy)	Netherlands / EU	EU-hosted; no transfer required
Apollo.io (firmographic-only mode)	Company-level business intelligence (no personal data sent)	USA	SCCs; EU-US DPF; personal-data enrichment disabled pending TIA sign-off
Clay (Clay Labs Inc., firmographic-only mode)	Firmographic data orchestration (no personal data sent)	USA	SCCs; EU-US DPF; personal-data enrichment disabled pending TIA sign-off
Wispr Flow (Wispr AI Inc.)	Cloud-based voice dictation for non-sensitive general drafting only (sensitive client personal data is dictated via on-device Weesper Neon Flow - see Annex II)	USA	SCCs; EU-US DPF; Privacy Mode enabled (zero retention after processing); AI training on user content opt-out confirmed in ExValu account; TIA in progress

Sub-processors are only engaged where necessary for the services agreed in the specific engagement. Not all sub-processors will be used in every engagement. ExValu will notify the Controller of which sub-processors are relevant at the start of each engagement.

Excluded from this list: Payment providers (Stripe, PayPal) - they act as independent controllers for payment data, not as sub-processors of ExValu. On-device tools where audio is processed locally and no data leaves the device (Weesper Neon Flow for sensitive client-data dictation).

Execution

Signature and Execution

This DPA is incorporated by reference into the ExValu engagement proposal. By signing the engagement proposal, both parties agree to be bound by this DPA and its Annexes. Where a separate signed DPA is required, the signature block below applies.

For engagement clients: You do not need to sign this document separately if you have already signed an ExValu engagement proposal that references this DPA. If your organisation requires a separately executed DPA for compliance purposes, contact [email protected] to arrange execution.

Data Controller

Name: ______________________________

Title: ______________________________

Organisation: ______________________________

Date: ______________________________

Email: ______________________________

Signature of authorised representative

Data Processor - ExValu

Name: Karl zu Ortenburg

Title: Founder, ExValu

Organisation: ExValu

Date: ______________________________

Email: [email protected]

Signature of Karl zu Ortenburg

This DPA may be executed electronically. An electronic signature or email confirmation of acceptance by an authorised representative of the Controller constitutes a valid execution of this DPA for the purposes of GDPR Article 28(3).

DPA Enquiries

For questions about this DPA, to request a separately executed copy, to object to a new sub-processor, or to exercise audit rights, contact:

ExValu
Karl zu Ortenburg
Gstaller Weg 36, 82166 Grafelfing, Federal Republic of Germany
[email protected] | +49 (0) 89 83 999 089

Version history: v1.0 April 1, 2026: Complete rebuild. Previous document titled "Data Processing Agreement" was incorrectly structured as a privacy notice to website visitors. This version is a GDPR Article 28-compliant B2B DPA with all eight mandatory clauses, three required Annexes (processing details, security measures, sub-processor list), and a correct controller-processor role allocation. Brand updated from AIHub3 to ExValu throughout. v1.1 April 20, 2026: Art. 1.4 added clarifying the two-track architecture (this DPA covers processor role only; Art. 26 joint controllership is handled by a separate Joint Controllership Agreement where applicable). Art. 7.5 added naming BayLDA (Bayerisches Landesamt für Datenschutzaufsicht) as ExValu's competent supervisory authority. Art. 9 expanded to reference Transfer Impact Assessments per EDPB Recommendations 01/2020 and quarterly DPF re-verification. Art. 10.4 added explicitly addressing HGB §257 / AO §147 statutory retention obligations. Annex II expanded to document structured secret management, device-level encryption, quarterly DPF verification, voice-dictation rule, and explicit exclusion of PSTN telephone recording. Annex III sub-processor list expanded to include Notion, Google Drive (split from Google Workspace), Microsoft SharePoint, Fathom, Synthesia, Cookiebot, Apollo, and Clay with accurate transfer mechanisms for each. Annex I Section C updated to clarify that payment providers (Stripe, PayPal) are independent controllers, not sub-processors, and fall outside this DPA. v1.2 April 20, 2026 (current): Wispr Flow added back to Annex III as a US sub-processor - independent research confirmed Wispr Flow is cloud-based (not on-device as previously assumed); audio is sent to Wispr AI Inc. servers for processing. Annex II voice-dictation rule clarified to distinguish between on-device Weesper Neon Flow (sensitive client personal data, no sub-processor relationship) and cloud-based Wispr Flow (non-sensitive drafting only, listed as sub-processor). Annex III exclusions paragraph updated: only Weesper Neon Flow and Stripe/PayPal (independent controllers) remain excluded.

Legal review note: This DPA has been prepared by ExValu to comply with GDPR Article 28 requirements. It has not been formally reviewed by a qualified German data protection lawyer (Datenschutzanwalt). That review is pending and this note will be removed on completion. ExValu recommends that client organisations have their own legal counsel review this DPA before signature if they have specific compliance requirements.