Parties
Germany
Contact: privacy@numigtm.com
This Data Processing Agreement ("DPA" or "AVV") forms part of the agreement between the Customer (as controller) and Numi (as processor) for the provision of the Numi sales call intelligence service (the "Service") and governs the processing of personal data on the Customer's behalf in accordance with Art. 28 of Regulation (EU) 2016/679 (the "GDPR").
1. Subject matter, duration and nature of processing
Numi processes personal data on behalf of the Customer for the sole purpose of providing the Service: ingesting sales call recordings or transcripts (whether captured by Numi or imported from a Customer-connected integration), transcribing audio, generating AI coaching content, and presenting the results to the Customer's authorised users.
The processing continues for the duration of the Customer's subscription to the Service and ends in accordance with Section 9 (Return and deletion) below.
2. Categories of data subjects and personal data
The categories of data subjects and the categories of personal data are described in Annex 1 to this DPA. The Customer warrants that it has a valid legal basis for the processing and has informed the relevant data subjects as required by Art. 13 and Art. 14 GDPR, including any obligation to obtain consent for the recording of communications under applicable national law.
3. Documented instructions
Numi processes personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law. In the latter case, Numi will inform the Customer of that legal requirement before processing, unless prohibited by law.
The Customer's instructions are the configuration choices made in the Service (integrations connected, retention settings, exports, deletion requests) and any written instructions sent to privacy@numigtm.com. Numi will inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.
4. Confidentiality
Numi ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, including after the end of their engagement.
5. Security of processing
Numi has implemented appropriate technical and organisational measures ("TOMs") to ensure a level of security appropriate to the risk, as described in Annex 2. Numi reviews these measures regularly and may update them, provided the level of protection is not reduced.
6. Sub-processors
The Customer hereby grants Numi general authorisation to engage sub-processors. The list of current sub-processors is maintained at numigtm.com/legal/subprocessors and is incorporated by reference into this DPA.
Numi will notify the Customer at least 30 days in advance of any addition or replacement of a sub-processor that processes content data, by updating the sub-processor page and (where the Customer has subscribed to notifications) by email. The Customer may object to the change on legitimate data-protection grounds within 30 days. If the objection cannot be resolved, the Customer may terminate the affected portion of the Service on a pro-rata basis.
Numi imposes data protection obligations on each sub-processor that are no less protective than those set out in this DPA, by means of a written contract under Art. 28(4) GDPR.
7. Data subject rights
Taking into account the nature of the processing, Numi assists the Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Customer's obligation to respond to requests from data subjects under Chapter III GDPR (rights of access, rectification, erasure, restriction, data portability, objection, and rights related to automated decision-making).
Self-service tools for export and deletion are available in the Customer's account at Settings → Data. For requests Numi cannot fulfil through these tools, the Customer may contact privacy@numigtm.com.
8. Assistance to the Controller
Numi assists the Customer in ensuring compliance with Art. 32 to 36 GDPR (security of processing, breach notification, data protection impact assessments, prior consultation), taking into account the nature of the processing and the information available to Numi.
Breach notification. Numi will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting personal data processed under this DPA. The notification will include the information set out in Art. 33(3) GDPR to the extent then available.
9. Return and deletion of personal data
On termination of the Service, the Customer may, within 30 days, retrieve all personal data via the export tools in Settings → Data. After that 30-day window, Numi will delete all personal data processed on the Customer's behalf and ensure that the deletion propagates to all active backups within a further 30 days (60 days total from termination), unless Union or Member State law requires storage of certain data.
Data retained under legal obligation (e.g., billing invoices under German tax law, salted-hash deletion records to detect repeat fraud) is identified in the Privacy Policy and is the minimum required by law.
10. Audits and information
Numi makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and this DPA, and allows for and contributes to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
In the first instance, Numi will satisfy such audit requests by providing the most recent sub-processor list, the TOMs annex, and any third-party certifications or attestations held by Numi or its sub-processors (e.g., ISO 27001, SOC 2 Type II). On-site audits may be conducted no more than once per calendar year, with reasonable advance notice (at least 30 days), during business hours, and subject to confidentiality undertakings. The Customer bears its own and Numi's reasonable costs of any audit beyond the documentation review unless the audit reveals a material breach by Numi.
11. International transfers
Numi processes personal data primarily within the European Economic Area (Hetzner Cloud, Frankfurt). Where personal data is transferred to a third country (in particular the United States), Numi relies on appropriate safeguards under Art. 46 GDPR, in particular the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), supplemented by the technical and organisational measures in Annex 2.
The list of current sub-processors at numigtm.com/legal/subprocessors identifies each transfer and the safeguard applied.
12. Liability, order of precedence, term
Liability under this DPA is governed by the Customer's main service agreement with Numi (or, where none is in place, by the Numi Terms of Service in effect at the time the parties signed this DPA). In the event of conflict between this DPA and the main service agreement, this DPA prevails in respect of the processing of personal data.
This DPA takes effect on the latest signature date below and remains in force for the duration of the Customer's use of the Service.
13. Governing law and venue
This DPA is governed by the laws of the Federal Republic of Germany, excluding conflict-of-laws principles. The exclusive venue for disputes arising out of or in connection with this DPA is, to the extent permitted by law, the courts of the Customer's registered seat within the European Union, or otherwise the courts competent for Numi's registered seat in Germany.
Description of the processing
Subject matter and purpose
Ingestion, transcription, AI-based coaching analysis, and presentation of sales call recordings and transcripts on behalf of the Customer, for the purpose of sales coaching and revenue-team enablement.
Duration
For the duration of the Customer's subscription to the Service, plus the post-termination retrieval and deletion windows described in Section 9.
Nature of the processing
Collection, storage, transcription, semantic analysis, transformation into coaching cards and scores, presentation in the Numi web application, export on request, and deletion on instruction or on termination.
Categories of data subjects
- The Customer's employees and authorised users of the Service (sales representatives, managers, administrators);
- Counterparties to recorded calls (prospects, customers, partners) where the Customer has obtained the necessary legal basis for the recording.
Categories of personal data
- Account data: name, work email address, password hash, role, organisation membership;
- Call recordings: audio files from connected integrations or Numi's own capture, containing the voices of the parties to the call;
- Transcripts: text transcription of the recordings;
- Coaching data: AI-generated cards, scores, notes, and tags;
- Practice sessions: role-play recordings and AI feedback;
- Usage data: feature interactions, session metadata, IP address;
- Integration metadata: CRM identifiers, deal stage, contact metadata exposed by Customer-connected integrations (e.g., HubSpot, Fathom).
Special categories of personal data
The Service is not designed to process special categories of personal data (Art. 9 GDPR). The Customer must not knowingly upload, ingest, or generate such data through the Service.
Sub-processors
See the live list at numigtm.com/legal/subprocessors, incorporated by reference. The version referenced at signing is Version 2026.06 dated 2026-06-01.
Technical and organisational measures (TOMs)
Numi maintains the following technical and organisational measures in accordance with Art. 32 GDPR. The measures are reviewed at least annually and may be updated provided the level of protection is not reduced.
| Area | Measures |
|---|---|
| Confidentiality: access control | Production access restricted to a defined set of authorised personnel via SSH key + 2FA. Access is logged and reviewed. Workstations are encrypted and screen-locked. |
| Confidentiality: user access | Customer users authenticate via password (Argon2 / bcrypt salted hashes) or federated SSO (Google OAuth). Role-based access control (admin, manager, rep). Session tokens are short-lived; refresh tokens are revocable. |
| Confidentiality: pseudonymisation | Internal identifiers are UUIDs, decoupled from identifying user data. Analytics user IDs are pseudonymous. Deletion records are stored as salted hashes only. |
| Integrity: transit encryption | All traffic is encrypted in transit with TLS 1.2 or higher. HSTS enforced on numigtm.com and the Numi application. Internal traffic between application servers and database/object storage is on a private network. |
| Integrity: at-rest encryption | Database volumes and MinIO object storage volumes are encrypted at rest on Hetzner infrastructure (LUKS / equivalent). Backups are encrypted. |
| Availability: backups | 30-day rolling backups of PostgreSQL and MinIO. Backups are tested by restore drills. Deletion propagates to backups within 30 days. |
| Availability: resilience | Hosted in Hetzner's Frankfurt region with monitored uptime. Health checks and alerting for application, database, and storage tiers. Incident runbook maintained. |
| Resilience: restore testing | Database restore is tested at least quarterly against an isolated environment. |
| Procedure: vendor management | Sub-processors are bound by Art. 28-compliant DPAs. List published and maintained at numigtm.com/legal/subprocessors. 30-day change notification. |
| Procedure: incident response | Documented breach response with 72-hour customer notification. Root-cause analysis and remediation tracked to closure. |
| Procedure: secure development | Code review on all production changes. Dependency scanning. Secret scanning on commit. OWASP-aligned security headers on the application and marketing site. |
| Logging: audit | Authentication events, administrative actions, and data export/deletion requests are logged with timestamps and actor identifiers. |
| Data minimisation: AI processing | Transcripts sent to AI sub-processors (Anthropic, OpenAI) are processed under zero-retention API contracts and are not used for model training. Audio never leaves Numi's EU infrastructure. |
| Personnel: training | Personnel with access to personal data receive data-protection training and are bound by written confidentiality undertakings that survive termination. |
Signatures
This DPA is pre-signed by Numi. The Customer countersigns by signing below (electronically or in print) and returning a copy to privacy@numigtm.com. The agreement takes effect on the date of the Customer's countersignature.