Data Processing Agreement (DPA)

1.1 The purpose of these standard contractual clauses (the "Clauses") is to ensure compliance with Article 28(3) and (4) GDPR.

1.2 These Clauses apply to the processing of personal data as specified in Annex I.

1.3 Annexes I to III form an integral part of the Clauses.

1.4 These Clauses are without prejudice to obligations to which the Controller is subject under the GDPR.

1.5 These Clauses do not by themselves ensure compliance with obligations related to international transfers under Chapter V GDPR.

2.1 The parties undertake not to modify the Clauses, except for adding or updating information in the Annexes.

2.2 The parties may include these Clauses in a broader contract or add other clauses provided they do not contradict the Clauses or reduce protections for data subjects.

3.1 Terms defined in the GDPR have the same meaning in these Clauses.

3.2 These Clauses shall be interpreted in light of the GDPR.

3.3 These Clauses shall not be interpreted in a way that prejudices data subjects' rights.

In case of conflict between these Clauses and other parts of the Agreement regarding data processing, these Clauses prevail.

[Reserved]

Details of processing operations, categories of personal data, and purposes are set out in Annex I.

7.1 Instructions

The Processor shall process personal data only on documented instructions from the Controller, unless required by applicable Union or Member State law. The Processor shall inform the Controller of such legal requirement unless prohibited by law. Subsequent instructions shall be documented. The Processor shall inform the Controller if instructions infringe the GDPR.

7.2 Purpose limitation

The Processor shall process personal data only for the purposes set out in Annex I, unless further instructed by the Controller.

7.3 Duration of processing

Processing shall occur for the duration specified in Annex I (including post-termination processing strictly necessary to comply with deletion/return obligations and agreed retention, where applicable).

7.4 Security of processing

The Processor shall implement at least the technical and organisational measures ("TOMs") specified in Annex II to ensure security, including protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (personal data breach).

Access to personal data is limited to personnel who require it to perform, manage, or support the services and who are bound by confidentiality.

7.5 Sensitive data

The parties agree that the services are not intended to process special categories of personal data under Article 9 GDPR or data relating to criminal convictions/offences under Article 10 GDPR. The Controller shall not provide such data to the Processor unless explicitly agreed in writing and subject to appropriate safeguards.

7.6 Documentation and compliance

7.7 Use of sub-processors

7.8 International transfers

Where processing involves a transfer of personal data under Chapter V GDPR, the parties shall ensure such transfer is covered by a valid transfer mechanism (e.g., adequacy decision, SCCs) and supplementary measures where required. The Controller agrees that the Processor may use SCCs with relevant sub-processors to ensure compliance with Chapter V GDPR, where conditions are met.

8.1 The Processor shall promptly notify the Controller of any data subject request received and shall not respond unless authorised.

8.2 The Processor shall assist the Controller with data subject rights requests taking into account the nature of processing and the information available to the Processor.

8.3 The Processor shall also assist the Controller with DPIAs and prior consultation where required, and with Article 32 obligations, to the extent applicable and reasonable.

8.4 The scope of assistance and practical process is described in Annex II (and/or support procedures).

In the event of a personal data breach, the Processor shall notify the Controller without undue delay after becoming aware of it and provide reasonably available information to support the Controller's obligations under Articles 33 and 34 GDPR.

10.1 If the Processor is in breach of these Clauses, the Controller may instruct the Processor to suspend processing until compliance is restored or the Agreement is terminated.

10.2 The Controller may terminate the Agreement to the extent it concerns processing under these Clauses in case of substantial or persistent breach.

10.3 The Processor may terminate if the Controller insists on unlawful instructions after being informed.

10.4 Deletion or return at end of provision of services

Following termination or expiry of the Agreement, the Processor shall, at the Controller's choice, delete or return personal data processed on behalf of the Controller and delete existing copies unless retention is required by Union or Member State law.

Retention note (8returns default): Unless otherwise agreed in writing, the Processor will retain Controller data for up to 2 years after contract expiration, then delete or anonymise it. The Controller may instruct the Processor to delete earlier at any time (subject to legal holds/exceptions permitted by law). The Processor will document completion of deletion upon request.

10.5 Governing law and venue

This DPA is governed by the laws of Germany. Venue: Berlin, Germany.

The Processor is authorised to use the sub-processors listed below for the purposes described in Annex I. The list is maintained and updated, with advance notice of changes.

Initial list:

Public subprocessor list option: The Processor may publish and maintain a current list of sub-processors at a Trust Center/URL and treat that list as Annex III, provided Controllers receive change notifications per Clause 7.7.