05 · DPA
Data processing agreement.
Agreement between MyKonci (processor) and the Customer (controller) in line with article 28 of Regulation (EU) 2016/679 (GDPR). This DPA is integrated into the general terms and applies automatically from subscription.
Last updated · 2 April 2026
01 Parties and roles
This agreement is entered into between:
- The Processor: Dubai company, whose registered office is at Dubai address, UAE, represented by Nicolas Moussa, "MyKonci".
- The Controller: any individual or legal entity that has subscribed to the MyKonci Service, the "Customer", as identified in their user account and invoices.
Representative in the European Union (article 27 of the GDPR): Nicolas Moussa, privacy@mykonci.com.
02 Subject matter and duration
MyKonci processes personal data on behalf of the Customer as part of delivering the virtual concierge Service (WhatsApp/SMS chatbot, voice agent and, for professional plans, Cortex), as described in the T&Cs of sale.
Duration: this agreement applies for the entire duration of the subscription contract, as well as during post-cancellation retention periods set out in article 09.
03 Nature, purpose and categories
Nature of processing: collection, storage, analysis, enrichment (scoring and profiling for professional plans), consultation, transmission to authorised sub-processors, deletion.
Purposes:
- Delivery of the Service (automated reply to guests via chatbot and voice agent)
- Supervision and steering by the Customer via the dashboard
- Professional plans: emotional analysis, predictions, coaching, cross-stay memory, alerts and recommendations
- Service improvement within the Customer's tenant only (per-tenant learning, pseudonymisation for overall product improvement)
- Security, logging and compliance with legal obligations
Categories of data subjects: guests / renters of the Customer, and where applicable the Customer's teams (concierges, managers).
Data categories: identification (surname, first name, phone, language), stay dates, content of messages exchanged, audio recordings and call transcripts, derived analytical data (scores, profiles, predictions, embeddings). MyKonci does not actively process sensitive data within the meaning of article 9 of the GDPR. If sensitive data is incidentally transmitted by guests, MyKonci applies minimised processing and notifies the Customer without delay.
04 Documented instructions
MyKonci processes the Customer's data only on documented instruction from the Customer, including regarding transfers outside the EU, unless a legal obligation requires different processing (in which case MyKonci informs the Customer before processing, unless prohibited by law).
Documented instructions include in particular: the subscription contract and its appendices, these T&Cs, this DPA, the privacy policy, and any additional instruction sent by the Customer in writing.
05 MyKonci's obligations
- Process data only within the agreed purposes and the Customer's instructions.
- Ensure data confidentiality: any person authorised to process the data is subject to a contractual or legal confidentiality obligation.
- Implement appropriate technical and organisational measures described in article 08.
- Assist the Customer in handling data subject requests (access, rectification, erasure, portability, objection).
- Assist the Customer in carrying out impact assessments (DPIAs) and prior consultations with the CNIL where applicable.
- Notify the Customer of any personal data breach within 48 hours of detection, with a preliminary report (nature, volumes, measures taken) followed by a full report within 7 days.
- Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in article 28 of the GDPR.
- Contribute to audits (see article 11).
06 Sub-processors
The Customer authorises MyKonci to use sub-processors to run the Service. The current list is published in the privacy policy (Sub-processors section) and is kept up to date. As of the date of this agreement:
- Hetzner Online GmbH (Germany). Infrastructure and data hosting, EU (Gunzenhausen and Falkenstein sites).
- OpenAI Ireland Ltd / OpenAI, L.L.C. (Ireland / United States). Natural language processing. DPA signed, no-training commitment, SCC + DPF. Option to switch to Azure OpenAI Europe (France Central / Sweden Central) on request from the Customer.
- Open-source embedding models (sentence-transformers), run locally on MyKonci infrastructure in the EU. Not considered sub-processors in the strict sense (no external transfer) but mentioned for transparency.
- Stripe Payments Europe, Ltd. (Ireland). Payment processing.
- Twilio Ireland Limited (Ireland / United States). SMS, WhatsApp, telephony.
- Retell AI or equivalent. Conversational voice for the voice agent (if enabled).
- Migadu Mail Services (SA) (Switzerland). Transactional emails. EU-Switzerland adequacy decision (no SCC required).
MyKonci informs the Customer in writing (email or platform notification) of any addition or change of sub-processor at least 30 days before effective implementation. The Customer has the right to raise a reasoned objection within that period. If an objection cannot be resolved, the Customer can cancel without penalty.
MyKonci contractually imposes on each sub-processor obligations equivalent to those provided in this DPA and in article 28 of the GDPR, and remains fully liable to the Customer for the performance of their obligations.
07 Transfers outside the EU
Data transfers outside the European Economic Area are governed by:
- The Standard Contractual Clauses (SCC) adopted by the European Commission (Decision 2021/914);
- The EU-US Data Privacy Framework (DPF) for certified sub-processors;
- Additional technical measures (encryption, pseudonymisation) when necessary.
For professional plans, the Customer can request a switch to 100% EU processing (Azure OpenAI Europe).
08 Security: technical and organisational measures
MyKonci implements the following security measures in line with article 32 of the GDPR:
- Encryption at rest: AES-256 on databases and storage.
- Encryption in transit: TLS 1.3 on all communications.
- Key management: centralised storage, annual rotation, logged access.
- Tenant isolation: unique customer identifier, application-level filtering and PostgreSQL Row-Level Security.
- Access logging: every access to a Customer's conversations is logged (identity, date, resource, IP), kept for 12 months, accessible by the Customer.
- Identity and access management: strong authentication for MyKonci administrators, principle of least privilege.
- Backups: encrypted, EU geographic replication.
- Tests and audits: periodic penetration tests and security audits.
- Continuity and recovery: documented disaster recovery plan.
09 End of contract: return or deletion
At the end of the contract, the Customer chooses in writing (default: deletion):
- Full export of data (JSON format and SQL dump) within 30 days of the request;
- OR permanent deletion within 30 days.
Backups containing Customer data are purged within a maximum of 90 days. A deletion certificate is provided on request.
Data required to comply with legal obligations (accounting, tax) is kept in line with applicable legal retention periods, in a restricted form.
10 Assistance with data subject rights
MyKonci assists the Customer in handling requests to exercise data subject rights (access, rectification, erasure, restriction, portability, objection, including objection to Cortex profiling):
- Requests can be sent directly to privacy@mykonci.com or via the Customer.
- MyKonci replies within 30 days (GDPR time limit).
- The Customer has tools in their dashboard to handle some of the requests themselves (export, deletion).
- A guest can ask to be excluded from Cortex profiling; opt-out is applied within 7 days.
11 Audits
The Customer can audit MyKonci's compliance with this DPA and with the GDPR, under the following conditions:
- Once a year at most, except in case of incident;
- 30 days' notice;
- Format at choice: standard written questionnaire, on-site visit, or videoconference;
- On-site audit costs are borne by the Customer;
- MyKonci may eventually provide an independent audit report, acceptable in place of an individual audit.
12 Liability and indemnification
Each party is liable for its own breaches of the GDPR and of this DPA. MyKonci's liability is capped under the conditions set out in the T&Cs of sale. Liability limitations do not apply in case of intentional breach, gross negligence or breach of confidentiality and security obligations.
13 Governing law
This DPA is governed by French law for matters relating to the GDPR, without prejudice to the law applicable to the main contract set out in the T&Cs of sale.
14 Acceptance and signature
This DPA is accepted by the Customer when subscribing to the Service through electronic acceptance of the T&Cs of sale and the privacy policy. It can be signed in physical or electronic form on the Customer's request for the purposes of their own processing register. Any signature request can be sent to privacy@mykonci.com.
A printable and signable PDF version of this document is available on request at privacy@mykonci.com.