DATA PROCESSING AGREEMENT
v1.0 — 29th April 2026
This Data Processing Agreement ("DPA") is entered into as of the date of electronic acceptance ("Effective Date") between:
TESTMYTEAM POWERED BY AI, S.L., a company organized under the laws of Spain and registered under CIF number B21860382, with registered office at Calle Augusto Figueroa 37, 5C 28003 Madrid, Spain ("Service Provider"); and
The individual or entity accepting these terms electronically ("Client").
Service Provider and Client are each a "Party" and together the "Parties".
1. Definitions
1.1 "Client Data" means all data, files, content, and materials provided or made available by or on behalf of Client to Service Provider, including any personal data.
1.2 "Personal Data," "Controller," "Processor," and "Processing" have the meanings set forth in the GDPR (Regulation (EU) 2016/679).
1.3 "Agreement" means the agreement entered into by the Service Provider and the Client, pursuant to which the Service Provider offers services whereas AI models analyze Client Data uploaded by Client and generate analytical reports on employee efficiency.
1.4 All capitalized terms whose definition is not included in this DPA have the meaning set forth in the Agreement.
Acceptance by Electronic Means
By checking the acceptance box at signup, Client agrees to be bound by this DPA. This electronic acceptance constitutes a valid and binding agreement between the Parties and has the same legal effect as a handwritten signature. The current DPA is always available at testmyteam.ai/legal/dpa.
2. Purpose and Scope
The Service Provider will process Personal Data on behalf of the Controller solely for the purpose described in the Agreement.
For Processing of Personal Data in Client Data, Client is Controller and Service Provider is Processor.
3. Security Measures
Service Provider will implement appropriate technical and organizational measures to protect Client Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage.
4. Personal Data Breach Notifications
The Service Provider shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Personal Data processed on behalf of the Controller. The notification will include the nature of the breach, categories and approximate number of data subjects and records concerned. The Service Provider will cooperate with the Controller in fulfilling any breach-related obligations.
5. Data Retention
Service Provider will retain Client Data only as necessary to provide the Service, comply with legal obligations, or resolve disputes. Client Data will be deleted at latest 60 days after deletion has been requested by Client, unless EU or Member State law requires storage of the Personal Data.
6. Miscellaneous
6.1 Severability. If any provision is invalid, the remainder remains effective.
6.2 Waiver. Failure to enforce any provision of this DPA cannot be construed as a waiver.
6.3 Order of precedence. In case of conflict, the Agreement prevails over this DPA.
6.4 Governing Law. This DPA is governed by and construed in accordance with the laws of France.
6.5 Jurisdiction. Any dispute in relation to this DPA shall be submitted to the exclusive jurisdiction of the courts within the jurisdiction of the Paris Court of Appeal (Cour d’appel de Paris).
ANNEX A — SUB-PROCESSORS
List of approved Sub-processors engaged by Service Provider
The following Sub-processors are approved by Service Provider to process Client Data in connection with the delivery of the Service. All Sub-processors are bound by data protection obligations equivalent to those set out in this DPA.
Transfers to Sub-processors outside the EU/EEA are governed by Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision 2021/914).
|
Provider |
Legal Entity |
Purpose |
Location |
|
Supabase |
Supabase Inc. |
Database, auth, storage, edge functions |
EU — Ireland (AWS eu-west-1) |
|
AWS |
Amazon Web Services EMEA SARL |
Infrastructure provider for Supabase |
EU — Ireland |
|
Anthropic |
Anthropic, PBC |
AI call analysis |
USA — SCCs apply |
|
OpenAI |
OpenAI, LLC |
AI call analysis |
USA — SCCs apply |
|
Mistral AI |
Mistral AI SAS |
AI call analysis |
EU — France |
|
Dialpad |
Dialpad, Inc. |
Call data source via API integration |
USA — SCCs apply |
|
|
Google LLC |
OAuth authentication |
USA — SCCs apply |
|
Lovable |
Lovable Labs Incorporated |
Frontend hosting platform |
USA — SCCs apply |
|
Cloudflare |
Cloudflare, Inc. |
Frontend CDN delivery |
USA — global edge, EU PoPs |
Service Provider will notify Client of any intended changes to this list (addition or replacement of Sub-processors) by updating the published DPA at testmyteam.ai/legal/dpa. Continued use of the Service following such notification constitutes acceptance of the updated Sub-processor list.
ANNEX B — DESCRIPTION OF PROCESSING
Nature, purpose, and details of processing activities
|
Subject matter |
AI-powered analysis of sales call transcripts to generate coaching insights and performance reports on employee efficiency. |
|
Nature of processing |
Collection, storage, transmission, analysis, and deletion of call transcripts and associated metadata. AI-driven processing to generate scores, ratings, and coaching insights. Secure encrypted storage and access-controlled retrieval. |
|
Purpose of processing |
To deliver the Service: analyze Client Data using AI models and generate Outputs (reports, analytics, insights) for the Client. |
|
Duration of processing |
For the duration of the Client’s agreement with Testmyteam. Client Data is deleted immediately upon Client’s request, with written confirmation of complete removal within 60 days. |
|
Categories of personal data |
Call transcripts of employees. Full name and identifier of employees (where included in call metadata). Call metadata (date, time, duration, outcome). AI-generated scores and coaching notes referencing individual employees. |
|
Categories of data subjects |
Clients: sales managers, sales coaching consultants, revenue operations professionals, and other platform users who register directly with Testmyteam. Employees of Clients: sales representatives and other staff whose call transcripts are imported and analyzed through the Service. |
|
Special categories of data |
None intentionally processed. Clients are solely responsible for ensuring no special category data (as defined under GDPR Art. 9) is included in Client Data without appropriate legal basis. |
The Service Provider acts exclusively as Processor for Client Data. The Client, as Controller, is solely responsible for the lawfulness of the data provided, including obtaining all necessary consents and authorisations from data subjects, and ensuring a valid legal basis under whichever data protection laws are applicable to the Processing.