Data processing

amber processes personal data exclusively on behalf of and under the instructions of its customers within the scope of the agreed services.

The scope and purpose of processing are determined by the respective service agreement and related service descriptions. Customers remain responsible for assessing the legal permissibility of the processing activities carried out through the platform.

Personal data processed may include:

  • personal master data

  • communication data, such as phone numbers and email addresses

  • contract master data

  • billing and payment data

  • planning and control data

  • information obtained from third parties or public directories

Affected data subjects may include:

  • customers

  • prospects

  • employees

  • suppliers

  • sales representatives

  • contact persons

Because certain personal data may arise as a byproduct of service usage, the exact categories of affected persons cannot always be determined in advance and may be broader in individual cases.

Customers may issue instructions regarding the processing of their data, including correction, deletion, and restriction. If an instruction appears to conflict with applicable data protection law, its execution may be suspended until it has been confirmed or amended.

Appropriate technical and organizational measures are implemented to protect personal data in accordance with Art. 32 GDPR. These measures may be updated over time, provided that the agreed level of protection is not reduced. The information security management system is ISO 27001 certified.

Transfers of personal data to countries outside the EEA take place only where the applicable requirements under Art. 44 et seq. GDPR are fulfilled.

At the end of the contractual relationship, personal data and data carriers are returned or deleted unless statutory retention obligations apply. Upon request, documented proof of deletion can be provided. Confidentiality obligations continue to apply for as long as personal data received from or collected for customers remains in scope.

Services may be provided with the involvement of subprocessors. Customers are informed in advance of intended changes to subprocessors and may object within two weeks if there is an important data protection reason. If no objection is raised within that period, the change is deemed approved. All subprocessors are bound by obligations corresponding to the applicable data protection requirements.

Subprocessors

| Subprocessor | Location | Service | Notes / safeguard |
| --- | --- | --- | --- |
| Telekom Deutschland GmbH | Bonn, Germany | Open Telekom Cloud and LLM hosting; provision of core software and data holdings | AVV under Art. 28 GDPR; processing under § 203 StGB stated as given |
| Microsoft Deutschland GmbH* | Munich, Germany | Azure OpenAI, Europe region | Optional for certain AI models; AVV under Art. 28 GDPR |
| Google Cloud EMEA Ltd* | Dublin, Ireland | Google Cloud Platform EMEA | Optional for certain AI models; AVV under Art. 28 GDPR |
| Brave Software Inc* | San Francisco, USA | Websearch API | Optional for web connectivity; EU Standard Contractual Clauses (SCC) |
| XQueue GmbH (Maileon) | Offenbach am Main, Germany | Information on permission changes and product updates | AVV under Art. 28 GDPR; processing exclusively within the EU |
| CORDNET OÜ (Featurebase) | Viimsi vald, Estonia | Rating / feedback functions | Optional; AVV under Art. 28 GDPR |
| Mistral AI* | Paris, France | LLM hosting / API (large language models) | Optional for certain AI models; AVV under Art. 28 GDPR; EU-based company, processing within the EU and not subject to the US CLOUD Act |
| Eleven Labs Inc. (ElevenLabs)* | New York, USA | Text-to-speech / voice AI (speech synthesis) | Optional for voice features; EU Standard Contractual Clauses (SCC) and EU-US Data Privacy Framework certification; EU data residency and Zero-Retention Mode available |


* Optional service providers

Optional service providers can be activated or deactivated depending on the services and features used.

Not every third-party service qualifies as a subprocessor relationship. Pure ancillary services such as postal, transport, shipping, cleaning, or telecommunications services without a direct connection to customer service delivery are not treated as subprocessors. Maintenance and testing services may qualify where they relate to IT systems used for providing the services.