Data Processing Agreement
Preamble
The controller has commissioned the processor in the previously concluded contract (hereinafter referred to as the “main contract”) for the services mentioned therein. Part of the contract implementation is the processing of personal data. In particular, Art. 28 GDPR imposes certain requirements on such processing. To uphold these requirements, the parties conclude the following processing agreement (hereinafter referred to as the “agreement”), the fulfillment of which will not be compensated separately unless expressly agreed otherwise.
§ 1 Definitions
(1) The controller is, pursuant to Art. 4 para. 7 GDPR, the natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data.
(2) The processor is, pursuant to Art. 4 para. 8 GDPR, a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
(3) Personal data are as per Art. 4 para. 1 GDPR all information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
(4) Particularly sensitive personal data are personal data within the meaning of Art. 9 GDPR revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of data subjects; personal data within the meaning of Art. 10 GDPR relating to criminal convictions and offenses or related security measures; genetic data (Art. 4 para. 13 GDPR), biometric data (Art. 4 para. 14 GDPR), and health data (Art. 4 para. 15 GDPR); and data concerning the sex life or sexual orientation of a natural person.
(5) Processing is as per Art. 4 para. 2 GDPR any operation or set of operations performed on personal data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
(6) Supervisory authority is as per Art. 4 para. 21 GDPR an independent public authority established by a Member State in accordance with Art. 51 GDPR.
§ 2 Subject Matter of the Contract
(1) The processor provides the services specified in the main contract for the controller. In doing so, the processor gains access to personal data, which the processor processes for the controller exclusively on behalf of and according to the instructions of the controller. The scope and purpose of the data processing by the processor are derived from the main contract and any associated service descriptions. The controller is responsible for assessing the legality of the data processing.
(2) To specify the mutual data protection rights and obligations, the parties conclude this agreement. The provisions of this agreement take precedence over the provisions of the main contract in case of doubt.
(3) The provisions of this contract apply to all activities related to the main contract in which the processor and its employees or agents engaged by the processor come into contact with personal data that originates from the controller or has been collected for the controller.
(4) The term of this contract is determined by the term of the main contract, unless subsequent provisions impose further obligations or rights of termination.
§ 3 Right of Instruction
(1) The processor may collect, process, or use data only within the framework of the main contract and in accordance with the instructions of the controller. If the processor is required by the law of the European Union or the member states to carry out further processing, it shall inform the controller of these legal requirements prior to processing.
(2) The controller's instructions are initially set out in this agreement and may subsequently be modified, supplemented, or replaced by the controller through individual instructions issued in writing or in text form (individual instructions). The controller is entitled to issue such instructions at any time. This includes instructions regarding the rectification, deletion, and blocking of data.
(3) All instructions issued must be documented by the controller. Instructions that go beyond the performance contractually agreed upon will be treated as a request for a change in performance.
(4) If the processor believes that an instruction from the controller violates data protection regulations, it must immediately notify the controller. The processor is entitled to suspend the execution of the relevant instruction until it is confirmed or changed by the controller. The processor may refuse to execute an obviously unlawful instruction.
§ 4 Types of Processed Data, Categories of Data Subjects, Third Countries
(1) In the context of the execution of the main contract, the processor receives access to the personal data specified in Annex 1.
(2) The group of individuals affected by the data processing is presented in Annex 2.
(3) The transfer of personal data to a third country (outside the EEA) may take place under the conditions of Art. 44 et seq. GDPR.
§ 5 Protection Measures of the Processor
(1) The processor is obliged to comply with the statutory data protection provisions and not to disclose the information obtained from the controller to third parties or expose it to their access. Documents and data must be secured against unauthorized access, taking the state of the art into account.
(2) The processor will organize its internal operations in such a way that it meets the special requirements of data protection. It has implemented the technical and organizational measures listed in Annex 3 for the adequate protection of the controller's data in accordance with Art. 32 GDPR, which the controller acknowledges as appropriate. The processor may change the security measures implemented, provided that the contractually agreed level of protection is not undermined.
(3) The persons employed in data processing by the processor are prohibited from collecting, processing, or using personal data without authorization. The processor will obligate all persons entrusted with the processing and fulfillment of this contract (hereinafter “employees”) accordingly (obligation to confidentiality, Art. 28 (3) lit. b GDPR) and will ensure compliance with this obligation with due diligence.
(4) The processor has appointed a data protection officer. The data protection officer of the processor is heyData GmbH, Schützenstr. 5, 10117 Berlin, datenschutz@heydata.eu, www.heydata.eu.
§ 6 Information Obligations of the Processor
(1) The processor will inform the controller immediately of any disruptions, suspected data protection violations or breaches of contractual obligations by the processor, suspected security-related incidents, or other irregularities in the processing of personal data by the processor, by persons employed by it within the framework of the contract, or by third parties. The same applies to audits of the processor by the data protection supervisory authority. The notification of a personal data breach includes at least the following information:
a) a description of the nature of the personal data breach, where possible including the categories and number of data subjects concerned and the categories and number of personal data records concerned;
b) a description of the measures taken or proposed by the processor to address the breach and, where applicable, measures to mitigate its possible adverse effects;
c) a description of the likely consequences of the personal data breach.
(2) The processor shall promptly take the necessary measures to secure the data and mitigate possible adverse effects on the data subjects, inform the controller thereof, and request further instructions.
(3) Furthermore, the processor is obliged to provide the controller with information at any time insofar as the controller's data is affected by a breach pursuant to paragraph 1.
(4) The processor must inform the controller of significant changes to the security measures pursuant to § 5 para. 2.
§ 7 Rights of the Controller
(1) The controller may verify the processor's technical and organizational measures before the commencement of data processing and annually thereafter. For this purpose, it may obtain information from the processor, have existing expert opinions, certifications, or internal audit reports presented to it, or, after timely coordination and during regular business hours, inspect the processor's technical and organizational measures itself or have them inspected by a knowledgeable third party, provided that this third party is not in a competitive relationship with the processor. The controller will carry out inspections only to the extent necessary and will not unreasonably disrupt the processor's operations.
(2) The processor undertakes to provide the controller, upon its oral or written request and within a reasonable period, with all information and evidence necessary to carry out a review of the processor's technical and organizational measures.
(3) The controller documents the results of the review and informs the processor of them. If the controller identifies errors or irregularities, in particular when reviewing the results of the processing, it must inform the processor immediately. If circumstances are identified during the review that require changes to the prescribed procedure in order to prevent their recurrence, the controller must inform the processor of the necessary procedural changes without delay.
§ 8 Use of Service Providers
(1) The contractually agreed services will be performed with the involvement of the service providers named in Annex 4 (hereinafter referred to as "subprocessors"). The controller grants the processor its general authorization within the meaning of Art. 28 para. 2 sentence 1 GDPR to engage further subprocessors or to replace those already engaged in the context of its contractual obligations.
(2) The processor will inform the controller before any intended change regarding the involvement or substitution of a subprocessor. The controller may object to an intended involvement or substitution of a subprocessor for significant data protection reasons.
(3) The objection against the intended involvement or substitution of a subprocessor must be raised within 2 weeks after receiving the information about the change. If no objection is raised, the involvement or substitution is deemed approved. If there is a significant data protection reason and an amicable resolution between the controller and the processor is not possible, the processor is entitled to a special right of termination at the end of the month following the objection.
(4) The processor must obligate subprocessors in accordance with the provisions of this agreement.
(5) A subprocessing relationship within the meaning of these provisions does not exist if the processor engages third parties for services that are considered mere ancillary services. These include, for example, postal, transport, and shipping services, cleaning services, telecommunication services without a direct connection to the services provided by the processor for the controller, and security services. Maintenance and testing services, however, constitute subprocessing relationships requiring approval insofar as they are provided for IT systems that are also used in connection with the provision of services for the controller.
§ 9 Requests and Rights of Affected Parties
(1) The processor assists the controller, where possible, with suitable technical and organizational measures in fulfilling its obligations under Art. 12 to 22 and Art. 32 to 36 GDPR.
(2) If a data subject asserts rights, such as the right to access, rectification, or deletion of their data, directly against the processor, the processor does not respond independently, but refers the data subject to the controller and awaits its instructions.
§ 10 Liability
(1) For the compensation of damages suffered by a data subject as a result of unlawful or incorrect data processing or use in the context of commissioned processing, the controller alone is liable to the data subject in the relationship with the processor.
(2) The processor is liable without limitation for damages insofar as the cause of the damage is based on an intentional or grossly negligent breach of duty by the processor, its legal representatives, or its vicarious agents.
(3) The processor is liable for ordinary negligence only if it breaches a duty whose fulfillment is essential to the proper execution of the contract and on whose fulfillment the controller regularly relies and may rely, and then only for the damage typically foreseeable under the contract. Otherwise, the liability of the processor, including for its vicarious agents and assistants, is excluded.
(4) The limitation of liability pursuant to § 10 para. 3 does not apply to claims for damages arising from injury to life, body, or health, or from the assumption of a guarantee.
§ 11 Termination of the main contract
(1) After the termination of the main contract, the processor will return to the controller all documents, data, and data carriers entrusted to it or, at the controller's request, delete them, provided that there is no obligation to retain the personal data under Union law or the law of the Federal Republic of Germany. This also applies to any data backups held by the processor. The processor must document the proper deletion and provide proof of it upon request.
(2) The controller has the right to verify, in an appropriate manner, that the processor has completely returned or deleted the data in accordance with the contract.
(3) The processor is obliged to treat all data that has come to its knowledge in connection with the main contract as confidential, even beyond the end of the main contract. This agreement remains in force beyond the end of the main contract for as long as the processor holds personal data that has been provided to it by the controller or that it has collected for the controller.
§ 12 Final Provisions
(1) To the extent that the processor does not explicitly perform support actions under this agreement free of charge, it may charge the controller a reasonable fee for this, unless the processor's own actions or omissions have made this support directly necessary.
(2) Amendments and additions to this agreement require written form. This also applies to the waiver of this form requirement. The priority of individual contractual agreements remains unaffected.
(3) If individual provisions of this agreement are or become wholly or partially ineffective or unenforceable, the validity of the remaining provisions shall not be affected.
(4) This agreement is governed by German law.
Annexes
Annex 1 – Description of the Data/Data Categories
User data: name, email address, department, profile picture (optional)
Content data (if relevant under data protection law)
Meta and communication data (such as device information, IP addresses)
Usage and analysis data (such as time saved, number of prompts)
Annex 2 – Description of the Data Subjects/Groups of Data Subjects
Employees of the controller, possibly third parties (insofar as personal data of users is entered)
Annex 3 – Technical and Organizational Measures of the Processor
1. Introduction
This document summarizes the technical and organizational measures taken by the processor in accordance with Art. 32 para. 1 GDPR. These are the measures with which the processor protects personal data. The purpose of the document is to assist the controller in fulfilling its accountability obligation under Art. 5 para. 2 GDPR.
2. Confidentiality (Art. 32 para. 1 lit. b GDPR)
2.1 Physical Access Control
The following implemented measures prevent unauthorized persons from physically accessing the data processing facilities:
Locking system with code lock
Security locks
Video surveillance of the entrances
2.2 System Access Control
The following implemented measures prevent unauthorized persons from using the data processing systems:
Authentication with username and password
Authentication with biometric data
Use of firewalls
Use of VPN technology for remote access
Encryption of storage devices
Encryption of notebooks / tablets
Central password rules
Use of two-factor authentication
Company policy for secure passwords
Company policy "Cleandesk"
General instruction to manually lock the desktop when leaving the workplace
2.3 Data Access Control
The following implemented measures ensure that unauthorized persons do not have access to personal data:
Use of shredders (with cross cut function)
Physical deletion of data carriers before their reuse
The number of administrators is kept as small as possible
Secure storage of data carriers
Management of user rights by system administrators
Instruction to employees that only absolutely necessary data should be printed
2.4 Separation Control
The following measures ensure that personal data collected for different purposes are processed separately:
Separation of production and test systems
Logical client separation (software-based)
Creation of an authorization concept
3. Integrity (Art. 32 para. 1 lit. b GDPR)
3.1 Transfer Control
It is ensured that personal data cannot be read, copied, altered, or removed without authorization during transmission or storage on media, and it can be verified which individuals or entities have received personal data. The following measures are implemented to ensure this:
Establishment of VPN tunnels
WLAN encryption (WPA2 with strong password)
Provision of data via encrypted connections such as SFTP or HTTPS
Prohibition of uploading official data to external company servers
3.2 Input Control
Through the following measures, it is ensured that it can be verified who processed personal data and at what time in data processing systems:
Clear responsibilities for deletions
Instruction to employees to delete data only after consultation
4. Availability and Resilience (Art. 32 para. 1 lit. b GDPR)
The following measures ensure that personal data is protected against accidental destruction or loss and remains available to the controller:
Regular backups
Creation of a backup & recovery concept
Control of the backup process
Storage of data backups at a secure, off-site location
Separation of operating systems and data
Hosting (at least of the most important data) with a professional host
5. Procedure for Regular Review, Assessment, and Evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)
5.1 Data Protection Management
The following measures ensure that the processor meets the fundamental data protection requirements:
Use of the heyData platform for data protection management
Appointment of the Data Protection Officer heyData
Commitment of employees to data confidentiality
Regular training of employees in data protection
Maintaining an overview of processing activities (Art. 30 GDPR)
5.2 Incident Response Management
The following measures are intended to ensure that reporting processes are triggered in the event of data protection violations:
Reporting process for data breaches according to Art. 4 No. 12 GDPR to the supervisory authorities (Art. 33 GDPR)
Reporting process for data breaches according to Art. 4 No. 12 GDPR to the affected individuals (Art. 34 GDPR)
Involvement of the data protection officer in security incidents and data breaches
Use of firewalls
5.3 Privacy-Friendly Default Settings (Art. 25 para. 2 GDPR)
The following implemented measures comply with the requirements of the "Privacy by design" and "Privacy by default" principles:
Training of employees in "Privacy by design" and "Privacy by default"
No more personal data is collected than is necessary for the respective purpose.
5.4 Contractor Control
The following measures ensure that personal data can only be processed in accordance with instructions:
Written instructions to the contractor or instructions in text form (e.g. through a data processing agreement)
Ensuring the destruction of data after the completion of the contract, e.g. by requesting corresponding confirmations
Confirmation from contractors that they commit their own employees to confidentiality (typically in the data processing agreement)
Careful selection of contractors (particularly with regard to data security)
Annex 4 – Current Subprocessors
Name | Function | Server location
Microsoft Ireland Operations, Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland | Operation of the GPT models and DALL-E | EU
Perplexity AI, Inc., 575 Market Street, San Francisco, CA 94105, USA | Operation of the Perplexity and Codellama models | USA
Mistral AI SAS, 15 Halles Street, 75001 Paris, France | Operation of the Mistral models | EU (Sweden)
Anthropic PBC, 548 Market St, PMB 90375, San Francisco, CA 94104, USA | Operation of the Claude models | USA
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland | Operation of the Gemini models | EU
OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland | Operation of the GPT models and DALL-E | USA
Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany | Hosting of the platform | EU
LogRocket Inc., 87 Summer St, Boston, MA 02110, USA | Error tracking | USA
Functional Software, Inc. (Sentry), 132 Hawthorne Street, San Francisco, CA 94107, USA | Application monitoring and error tracking | USA
Formbricks GmbH, Kuhnkestr. 6, 24118 Kiel, Germany | Customer support and troubleshooting | EU