Data Processing Agreement

Between the Business Customer, hereinafter referred to as the Controller, and Solid Technologies AG, acting as Mono, hereinafter referred to as the Processor.

1. Subject of the Agreement The Processor provides artificial intelligence services to the Controller via the Mono platform. The Processor processes personal data on behalf of and upon the instructions of the Controller.

2. Categories of Data Subjects and Types of Data The processing includes text data, documents, and inputs that the Controller transfers into the Mono platform. This affects employees, customers, and business partners of the Controller. Special categories of personal data, especially health data, are explicitly excluded from processing. The Controller commits to mandatorily anonymizing such sensitive data before entering it into the system.

3. Use for Training Purposes The Processor hereby expressly guarantees that all inputs and generated outputs of the Controller will not be used for training, improving, or fine tuning the deployed AI models. This is ensured through the contractual API agreements with the model providers.

4. Location of Data Processing The physical storage and hosting of customer data take place exclusively on servers in Germany. For the generation of responses, the data is transmitted temporarily to the external AI interfaces purely as transit traffic and is not stored there.

5. Subprocessors The Controller agrees to the use of the following subprocessors for the provision of AI models:

  • Google
  • OpenAI
  • Anthropic
  • OpenRouter

The Processor shall inform the Controller in a timely manner of any intended changes concerning the addition or replacement of subprocessors.

6. International Data Transfers If a data transfer to the USA occurs during the use of subprocessors, the Processor relies on the adequacy decisions of Switzerland and the EU for certified companies. This is done specifically on the basis of the Swiss US Data Privacy Framework and the EU US Data Privacy Framework. For providers without this certification, such as Anthropic and OpenRouter, the Processor concludes the Standard Contractual Clauses of the European Commission as the legal basis for secure data transfer.

7. Technical and Organizational Measures The Processor ensures the security of the data through strict technical measures. All data is fully encrypted both during transmission and at rest on the hard drives. Access to the production database is subject to restrictive access controls and is exclusively limited to the CEO Jonas Kamber. No other employees or external service providers have access to the Controller's data.

8. Deletion of Data Deleted chat histories or account data are removed from the active systems once their purpose has been fulfilled. The Processor guarantees that all deleted data will be permanently and irrevocably destroyed from all backups and archives after a maximum period of 30 days.