Subject and Duration

Nature and Purpose of Processing

Roles and Responsibilities

Obligations of the Data Processor

Sub-Processors

International Data Transfers

Security Measures

Data Subject Rights

Data Retention and Deletion

Audit Rights

Liability

Termination

Governing Law and Jurisdiction

Contact

Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

Last updated: 1.4.2026

This Data Processing Agreement (“Agreement” or “DPA”) forms part of the Terms of Service (“Principal Agreement”) between the customer (“Data Controller”) and Showdini (“Data Processor”).

It governs the processing of personal data that takes place when the Data Controller uses the Showdini platform.

  1. Subject and Duration

1.1. This DPA applies to all processing of personal data that the Data Processor carries out on behalf of the Data Controller while providing the Service.
1.2. Processing begins when the Data Controller starts using the Service and continues for as long as the Data Processor provides access to it.

  1. Nature and Purpose of Processing

2.1. The Data Processor provides a software platform that enables interactive, AI-powered product demos for website visitors.
2.2. Personal data processed may include:

  • Interaction data (e.g., chat messages, inferred insights, voice input, session logs)

  • Technical data (e.g., browser type, IP address, device info)

  • Optional contact data (e.g., name or email if provided by the visitor)
    2.3. The Data Processor processes this data only to:

  • Deliver and maintain the demo experience

  • Provide analytics, session information and sales insights to the Data Controller

  • Improve and secure the Service

  1. Roles and Responsibilities

3.1. The Data Controller determines the purpose and means of personal data processing.
3.2. The Data Processor acts only on the Data Controller’s documented instructions.
3.3. The Data Controller is responsible for ensuring that personal data is collected lawfully.

  1. Obligations of the Data Processor

The Data Processor shall:

  • Process personal data only as instructed by the Data Controller.

  • Ensure that persons authorized to process the data have committed to confidentiality.

  • Implement appropriate technical and organizational measures to protect personal data.

  • Assist the Data Controller, where possible, in fulfilling obligations related to data subjects’ rights.

  • Notify the Data Controller without undue delay after becoming aware of any personal data breach.

  • Delete or return all personal data at the end of the service relationship, unless required by law to retain it.

  1. Sub-Processors

5.1. The Data Controller authorizes the Data Processor to engage sub-processors necessary for operating the Service.
5.2. The Data Processor shall ensure that sub-processors are bound by equivalent data-protection obligations.
5.3. Current sub-processors include:

  • LiveKit, Inc. for real-time voice and streaming infrastructure. Data transfers outside the EU are protected under Standard Contractual Clauses (SCCs).

  • Google Cloud (Gemini AI) for AI language-model processing. Data may be processed within Google Cloud’s EU regions, and any transfers outside the EU are protected under Standard Contractual Clauses (SCCs).

  • Microsoft Azure for text-to-speech (TTS) services for Slovenian language. Data may be processed within Azure EU regions, and any transfers outside the EU are protected under Standard Contractual Clauses (SCCs).

  • Soniox for speech-to-text (STT) processing. Data transfers outside the EU are protected under Standard Contractual Clauses (SCCs).

  1. International Data Transfers

If personal data is transferred outside the European Economic Area (EEA), the Data Processor shall ensure adequate protection by relying on the European Commission’s Standard Contractual Clauses (SCCs) or other approved safeguards.

  1. Security Measures

The Data Processor shall maintain appropriate security measures, including:

  • Encryption in transit and at rest

  • Access control and authentication

  • Regular data deletion and system monitoring

  • Limiting data access to authorized personnel only

  1. Data Subject Rights

Where applicable, the Data Processor shall assist the Data Controller in responding to requests from data subjects, including access, correction, deletion, or restriction of processing.

  1. Data Retention and Deletion

The Data Processor stores personal data for as long as necessary to provide the Service.
Unless otherwise instructed by the Data Controller, demo session data is automatically deleted or anonymized within 30 days of collection.

  1. . Audit Rights

The Data Controller has the right to request documentation reasonably necessary to demonstrate the Data Processor’s compliance with this DPA.
Audits may be conducted no more than once per year, upon reasonable notice, and without disrupting service operations.

11. Liability

Each party’s liability under this DPA shall be subject to the limitations of liability set forth in the Principal Agreement.

  1. . Termination

Upon termination or expiry of the Principal Agreement, the Data Processor shall delete or return all personal data processed on behalf of the Data Controller, unless retention is required by law.

13. Governing Law and Jurisdiction

This agreement is governed by the laws of Slovenia.
Any disputes arising out of or related to this DPA shall be resolved in the courts of Ljubljana, Slovenia.

14. Contact

For all data-protection inquiries, please contact:
privacy@showdini.ai

Ready to give every visitor a live demo?

Book a call

Book a call