Data Processing Agreement


between


d.velop AG

Schildarpstraße 6-8

48712 Gescher

Germany

(hereinafter “Processor”)


and

Business User

(hereinafter “Controller”)


(hereinafter referred to individually as “Contractual Partner” or jointly as “Contractual Partners”)

1 Processing Agreement and Specifications

1.1  This data processing agreement (hereinafter DPA) pursuant to Art. 28 GDPR specifies the Contractual Partners’ rights and obligations under data protection law regarding the processing of personal data as defined by the GDPR within the framework of the contracts currently established (hereinafter referred to individually or jointly as the “Main Contract”).

1.2  The contractually agreed processing shall take place exclusively in a member state of the European Union or in another contracting state to the Agreement on the European Economic Area. Any transfer of data processing to a third country requires the Controller’s prior approval and may take place only if the special conditions of Art. 44 et seq. of the GDPR are fulfilled.

1.3  In the event of contradictions, this DPA shall take precedence over the Main Contract and the annexes to this DPA shall take precedence over this DPA.

2 Responsibility and Instructions for Processing

2.1 The Controller is responsible for compliance with the applicable statutory provisions (Art. 4 No. 7 GDPR) and solely decides on the purposes and essential means of the processing.

2.2   The Processor acts according to the Controller’s instructions, unless there is an exceptional case according to Art. 28 Para. 3 Clause 2 Lit. a GDPR (other statutory processing obligations). Oral instructions must be confirmed in text form. The current version of the applicable Main Contract shall constitute the instructions already given by the Controller.

2.3   The Processor shall correct or delete the contractual data or restrict its processing if instructed to do so by the Controller. Personal data that the Processor is legally obliged to continue storing shall not be deleted.

2.4   The Processor shall inform the Controller without delay if it believes that an instruction violates applicable provisions on data protection or this DPA. The Processor may wait to implement the instruction until it has been confirmed or amended by the Controller in text form. The Processor may refuse to execute instructions that are obviously contrary to data protection law.

2.5   The Processor guarantees that the persons in its organization who are authorized to process the data (a) know and follow the Controller’s instructions and (b) are obliged to confidentiality or are subject to an appropriate legal duty of secrecy. The obligation of confidentiality and secrecy shall continue to apply even after the processing ceases, within the scope of what is permissible under the employment contract.

3 Security of the Processing

3.1   In an annex to this DPA (hereinafter referred to as “TOM annex”), the Contractual Partners shall agree on technical and organizational measures to adequately protect the data pursuant to Article 32 of the GDPR (hereinafter referred to as “TOM”), taking into account the state of the art; the costs of implementation; the nature, scope, circumstances and purposes of the processing; and the varying likelihood and severity of threats to the rights and freedoms of natural persons.

3.2   The Processor reserves the right to modify the TOM, but the overall level of protection must not fall below the contractually agreed level. New versions of the TOM annex shall be communicated to the Controller in text form at the Controller’s request.

3.3   The Processor has appointed in writing a data protection officer who performs their activities in accordance with Articles 38 and 39 of the GDPR. The contact details of the data protection officer can be found in the Controller’s privacy policies, which are publicly available. The Controller must be immediately notified of any change of data protection officer.

4 Notification of Data Protection Violations, Processing Errors, and Insolvency or Comparable Proceedings; Further Course of Action

4.1   The Contractual Partners shall notify each other without delay if:

· they become aware or have concrete suspicion of a data protection violation regarding the data processed by the Processor within the meaning of Art. 4 No. 12 and Art. 33 Para. 2 of the GDPR.

· they detect errors in the processing of personal data by the Processor.

4.2   Once notified, the Controller shall immediately issue instructions to remedy the data protection violation or the processing errors. If the Controller does not issue an immediate instruction and the Processor may reasonably assume that immediate action is necessary to prevent further violations or the occurrence of further errors, the Processor shall be entitled to take the measures necessary to remedy the data protection violation or error and to mitigate possible adverse consequences, in particular to discontinue data processing. The Processor shall coordinate the measures with the Controller after the fact.

4.3   If the Processor is of the opinion that an agreement or instruction violates data protection regulations, it shall notify the Controller in writing without undue delay. The Processor shall be entitled to suspend execution of the instruction in question until it is confirmed or amended by the Controller.

4.4   Oral notifications by either Contractual Partner pursuant to the aforementioned paragraphs shall be submitted in text form without delay.

4.5   Should the Controller’s data in the Processor’s possession be endangered by seizure, confiscation, insolvency or composition proceedings, other events or actions taken by third parties, the Processor shall immediately notify the Controller of this in text form. The Processor shall notify all third parties of this fact.

5 Transmission of Data to a Recipient in a Third Country or an International Organization

Transfer of data to a recipient in a third country outside the EU and the EEA is permissible under the conditions set forth in Art. 44 et seq. of the GDPR. Details are defined in the “Specifications for data processing” Annex.

6 Subcontracting by the Processor

6.1 The Processor may commission other processors (hereinafter referred to as “subprocessors”) to process personal data, whether in whole or in part, only with the Controller’s permission. A list of pre-approved subprocessors can be found in the “Specifications for data processing” Annex.

6.2 Notwithstanding the list in the “Specifications for data processing” Annex, all companies of the d.velop Group that are affiliated with d.velop AG within the meaning of Section 15 et seq. of the German Stock Corporation Act (AktG) shall be deemed approved subprocessors. A list of the companies in the d.velop Group can be found at https://www.d-velop.de/impressum-d-velop-konzernunternehmen.

6.3 The Processor shall notify the Controller in text form and in advance of the intent to commission subprocessors or make changes to subcontracting arrangements. The Controller may object to the subcontracting for a compelling reason. In the event of a justified objection, the Controller shall grant the Processor a reasonable period of time to replace the subprocessor in question with another subprocessor, or to otherwise adjust the contractual processing such that it can be carried out without the subprocessor in question.

6.4 The Processor shall impose on the subprocessor the same data protection obligations, to the extent required by law, as are set forth in this DPA for the Processor. In particular, the TOMs agreed with the subprocessor shall provide an equivalent level of protection.

6.5 Services that the Processor uses as a purely ancillary service to support his business activities outside the scope of data processing shall not constitute subcontracting. The Processor is, however, obliged to take appropriate precautions to ensure data protection for such ancillary services as well.

7 Rights of Data Subjects and Assisting the Controller

If a data subject asserts claims against one of the Contractual Partners pursuant to Section III of the GDPR, this Contractual Partner shall immediately notify the other Contractual Partner of the claims. The Processor shall assist the Controller to the extent possible in processing such claims and in complying with the obligations set out in Articles 32 to 36 of the GDPR.

8 Controller’s Rights of Monitoring and Notification

8.1   The Processor shall demonstrate to the Controller by suitable means that he has complied with his obligations under this DPA.

8.2   Suitable means may include but are not limited to appropriate certifications or other suitable audit reports. Certification in accordance with Art. 40 of the GDPR or evidence in accordance with Art. 42 of the GDPR are considered particularly appropriate. The Controller’s statutory right to inspection remains unaffected.

8.3   The Controller shall be entitled to inspect the Processor’s premises during normal business hours, announced with sufficient advance notice and without disrupting business operations, in order to verify compliance with the obligations of this DPA. The Processor may make the inspection dependent on the signing of a confidentiality agreement with regard to the data of other customers of the d.velop Group and the TOMs.

8.4   If a supervisory authority exercises powers pursuant to Art. 58 of the GDPR, the Contractual Partners shall notify each other immediately. The Contractual Partners shall support each other in fulfilling their obligations towards the supervisory authority in their respective areas of responsibility.

9 Services in Excess of Statutory Obligations

The expenses incurred by the Processor in fulfilling his statutory obligations shall be covered by the remuneration paid in accordance with the Main Contract. For personnel expenses incurred for support services in accordance with Clause 7 Sentence 2 or for such on-site inspections in accordance with Clauses 8.3 and 8.4 that go beyond annual inspections or that are incurred in the course of event-driven inspections that do not reveal any data protection anomalies or violations, the Processor reserves the right to have its expenses reimbursed at its current rates.

10 Liability and damages

10.1 If a data subject asserts claims for damages against one Contractual Partner due to a violation of data protection regulations, this Contractual Partner must notify the other Contractual Partner immediately.

10.2 The Contractual Partners shall be liable to data subjects in accordance with the provisions of Art. 82 of the GDPR.

11 Coming into Effect, Term

The term of this DPA shall be the same as the term of the Main Contract, but shall not be longer than the period in which the Processor continues to process data for the Controller. Upon termination of the Main Contract, the Processor shall, at the Controller’s discretion, surrender the data processed under the contract or delete it in accordance with data protection law and delete any existing copies of the data, unless there is an obligation to store them. Upon termination of this Agreement, the Processor shall, subject to any legal obligation to retain or other requirement entitling it to retain, release to the Controller or destroy or delete any data processed for the Controller under this Agreement.

12 Final provisions

12.1 Changes to, additions to or terminations of this DPA must be in text form in order to be effective. This also applies to any amendment to this form clause. A change shall become effective if the Controller is notified of the change in text form and does not object to the change within a period of 4 weeks. If the Controller objects to the change in text form, the previous DPA shall continue to apply. In this case, the Contractual Partners shall mutually agree on the necessary adjustments to this DPA. If the Contractual Partners do not reach an agreement, each has the right to terminate the DPA with a notice period of 4 weeks.

12.2 Oral agreements between the Contractual Partners that differ from the provisions of this DPA are invalid.

12.3 Should any provision of this DPA be or become invalid, this shall not affect the validity of the remainder of the Agreement.

12.4 The law of the Federal Republic of Germany shall apply to the exclusion of the principle of conflict of laws.


Annex Specifications for data processing

1 Purpose of Processing

Personal data belonging to the Controller shall be processed by the Processor within the meaning of Art. 4 No. 2 of the GDPR, in particular collected, stored, modified, read, queried, used, disclosed, compared, linked or deleted as required, in order to fulfil the Processor’s obligations under the Main Contract. The purpose of the processing thus depends on the data processing described in the Main Contract.

2 Categories of Personal Data

The categories of personal data affected by the processing depend on how the Controller uses the Processor’s services. Categories of data that may be processed include:

• Master data (e.g. names, addresses, dates of birth)

• Contact details (e.g. e-mail addresses, telephone numbers, messenger services)

• Content data (e.g. text entries, photographs, videos, contents of documents/files)

• Contract data (e.g. subject of the agreement, terms, customer category)

• Payment data (e.g. bank details, payment history, use of other payment service providers)

• Usage data (e.g. usage history on our web services, information about specific content used, times of access)

• Connection data (e.g. device information, IP addresses, URL referrer)

• Location data (e.g. GPS data, IP geolocation, access points)

The Controller is responsible for conducting a risk assessment as to whether the provider’s services are suitable for processing special categories of personal data pursuant to Art. 9 Para. 1 of the GDPR.

3 Categories of Data Subjects

The categories of data subject affected by the processing depend on how the Controller uses the Processor’s services. Possible data subject categories include (former) employees, trainees and interns, applicants, freelancers, shareholders, corporate bodies, family members of employees, customers, interested parties, suppliers, service providers, tenants, business partners, external consultants, visitors and members of the press.

4 Subprocessors

The Processor shall commission the following subprocessors for the data processing, depending on the subject matter of the contract:

· CANCOM Managed Services GmbH, Von-der-Wettern-Straße 27, 51149 Cologne (Purpose: Computer centre services)

· inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg (Purpose: E-mail notification)

· Amazon Web Services EMEA SARL (“AWS EUROPE”), 38 Avenue John F. Kennedy, L-1855 Luxembourg (Purpose: receipt of emails and storage of attachments in the postbox – solely upon activation by the user)


Secure Data Transfer to Recipients in Unsafe Third Countries

For the infrastructure and platform services, the subprocessors use only data centers within the EU, usually within Germany. The subprocessors for the infrastructure and platform services are each certified according to various standards (for example, DIN ISO/IEC 27001).

As a rule, data is processed within the EU, usually within Germany. If this is not possible in exceptional cases because the applicable instructions require the data to be disclosed to recipients in third countries, e.g. to maintain the availability of cloud services during a support incident, this shall only be done if the EU Commission has decided that the third country has an adequate level of protection in accordance with Article 45 of the GDPR, or if the recipient of the data in the third country is subject to appropriate safeguards in accordance with Article 46 of the GDPR in the form of standard contractual clauses (SCC) or binding corporate rules (BCR).

Amazon Web Services EMEA SARL (“AWS EUROPE”) in Luxembourg and Microsoft Ireland Operations Limited in Ireland provide subcontracted hosting services to the Processor. Data is therefore explicitly processed in Europe even in these cases. Data is not transferred to unsafe third countries. However, these subcontractors have parent companies in the United States. The United States is subject to laws that are not fully aligned with the current GDPR (Patriot Act and Cloud Act). In light of this fact and in order to assure compliance for the Controller, the Processor shall conclude corresponding data processing agreements that contain the standard data protection clauses adopted as of 06/04/2021 and that include additional measures such as (256-bit) encryption of the personal data. This procedure can be deemed an appropriate safeguard pursuant to Art. 46 GDPR to ensure an adequate level of protection within the meaning of Art. 32 GDPR.


Data Processing Agreement

As of: 08.2025