Point11

Data processing agreement

Overview of Point11's Data Processing Agreement, covering GDPR Article 28 requirements, standard clauses, sub-processor management, and breach notification.

A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor that governs the processing of personal data. Under GDPR Article 28, a DPA is mandatory whenever a controller engages a processor to handle personal data on its behalf. When an enterprise deploys Point11's AI voice agents, chat agents, or MCP servers that process end-user PII, Point11 acts as the data processor and the enterprise acts as the data controller.

What a DPA Covers

Point11's DPA establishes the legal framework for data processing across the platform. It defines:

  • Subject matter and duration: The specific processing activities (AI agent conversations, MCP server data retrieval, voice synthesis) and the duration of processing, which aligns with the service agreement term.
  • Nature and purpose of processing: Point11 processes personal data solely to provide the contracted AI infrastructure services. Data is not used for model training, advertising, or any secondary purpose without explicit written consent.
  • Types of personal data: Names, email addresses, phone numbers, voice recordings, conversation transcripts, and any PII transmitted through AI agent interactions or MCP server tool calls.
  • Categories of data subjects: End users who interact with the enterprise's AI agents, enterprise employees who configure and manage the platform, and third parties whose data may be referenced in conversations.

GDPR Article 28 Requirements

Article 28 of the GDPR specifies mandatory provisions that must appear in every DPA. Point11's agreement addresses each requirement:

Processing Instructions (Article 28(3)(a))

Point11 processes personal data only on documented instructions from the controller. If Point11 receives a request from a law enforcement agency or regulatory body, it will notify the controller before complying unless prohibited by law.

Confidentiality (Article 28(3)(b))

All Point11 personnel with access to personal data are bound by contractual confidentiality obligations. Access is restricted to employees and contractors who require it to perform their duties, consistent with the principle of least privilege.

Security Measures (Article 28(3)(c))

Point11 implements technical and organizational measures appropriate to the risk, including AES-256 encryption at rest, TLS 1.3 in transit, RBAC access controls, audit logging, and multi-tenant data isolation. These measures are documented in Point11's Security Architecture Overview and validated through annual SOC 2 Type II audits.

Sub-Processor Management (Article 28(3)(d))

Point11 engages sub-processors to deliver specific platform capabilities. Each sub-processor is contractually bound to the same data protection obligations as Point11. Current sub-processors include:

  • AWS / Google Cloud / Azure: Cloud infrastructure and managed services for compute, storage, and networking.
  • ElevenLabs: Voice synthesis and voice agent capabilities. ElevenLabs maintains SOC 2 Type II certification with zero exceptions and offers HIPAA Business Associate Agreements.
  • Anthropic / OpenAI / Google DeepMind: Large language model providers for AI agent reasoning and response generation.

Point11 maintains a public sub-processor list and notifies controllers at least 30 days before engaging a new sub-processor. Controllers may object to a new sub-processor, and Point11 will work to provide an alternative or allow the controller to terminate the affected services without penalty.

Assistance with Data Subject Rights (Article 28(3)(e))

Point11 assists the controller in fulfilling data subject requests including access, rectification, erasure, restriction, portability, and objection. The platform provides self-service tools for data export and deletion, and the support team responds to data subject request escalations within 48 hours.

Deletion and Return of Data (Article 28(3)(g))

Upon termination of the service agreement, Point11 deletes all personal data within 30 days unless retention is required by applicable law. Controllers may request a full data export in machine-readable JSON format before deletion. Deletion is verified through automated scripts and confirmed in writing.

Audit Rights (Article 28(3)(h))

The controller has the right to audit Point11's compliance with the DPA. Point11 facilitates audits by providing the SOC 2 Type II report, security documentation, and access to relevant personnel. On-site audits may be conducted with 30 days written notice, subject to reasonable confidentiality and scheduling constraints.

Data Breach Notification

Point11 notifies the controller of a personal data breach without undue delay and no later than 48 hours after becoming aware of the breach. The notification includes:

  • The nature of the breach, including categories and approximate number of data subjects affected.
  • The name and contact details of Point11's Data Protection Officer.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach and mitigate its effects.

This 48-hour notification window allows the controller to meet the GDPR requirement of notifying the supervisory authority within 72 hours of becoming aware of a breach (Article 33).

International Data Transfers

When personal data is transferred outside the European Economic Area, Point11 relies on the EU-US Data Privacy Framework for transfers to the United States and Standard Contractual Clauses (SCCs) adopted by the European Commission for transfers to other jurisdictions. Point11 conducts Transfer Impact Assessments for each destination country.

Sources

SOC 2 Type II complianceGDPR and privacy controls

Need help implementing this?

Our team can walk you through the setup.

Talk to Sales