Part A.
Standard Contractual Clauses
Module IV (Processor to Controller)
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter "entity/ies") transferring the personal data, as listed in Annex I.A. (hereinafter each "data exporter"), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each "data importer")
have agreed to these standard contractual clauses (hereinafter: "Clauses").
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- (ii) Clause 8.1 (b) and Clause 8.3(b);
- (iii) Clause 13;
- (iv) Clause 15.1(c), (d) and (e);
- (v) Clause 16(e);
- (vi) Clause 18
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Docking clause
N/A
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
(a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.
(b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.
(c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.
(d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.
8.2 Security of processing
(a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter "personal data breach"). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
(b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.
(c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8.3 Documentation and compliance
(a) The Parties shall be able to demonstrate compliance with these Clauses.
(b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.
Clause 9
Use of sub-processors
N/A
Clause 10
Data subject rights
The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.
Clause 11
Redress
The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
Clause 12
Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.
Clause 13
Supervision
N/A
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
N/A
Clause 15
Obligations of the data importer in case of access by public authorities
N/A
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
- (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- (ii) the data importer is in substantial or persistent breach of these Clauses; or
- (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Germany
Clause 18
Choice of forum and jurisdiction
Any dispute arising from these Clauses shall be resolved by the courts of Osnabrück, Germany.
APPENDIX
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: Droidrun GmbH
Address: Rheinstraße 82, 49090 Osnabrück, Germany
Contact person's name, position and contact details: Nikolaj Dueck, CPO, dataprotection@droidrun.com
Activities relevant to the data transferred under these Clauses: Transfer of personal data pursuant to the contract obligations to Data Importer as further described in the DPA.
Role (controller/processor): Processor
Signature: 
Data importer(s):
Name: As indicated in the registration and payment process
Address: As indicated in the registration and payment process
Contact person's name, position and contact details: As indicated in the registration and payment process
Activities relevant to the data transferred under these Clauses: Transfer of personal data to the Data Exporter to use the Data Exporter's services
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- In particular:
- o Customer's employees and authorized users (end-users)
- o Individuals whose personal data appears in applications automated by the Controller
- o Individuals whose data is included in task data supplied by the Controller
Categories of personal data transferred
- In particular:
- o Account data (name, e-mail address)
- o App credentials (stored in encrypted form)
- o Communication data
- o Billing and payment data (billing address, subscription plan, transaction history)
- o Task data (user prompts, workflow instructions, device and app configuration, agent steps, actions, screenshots/trajectories, LLM inference inputs and outputs, task results and artifacts)
- o Runtime logs and error data
- o Usage and analytics data (feature usage, session data, interaction patterns)
- o Technical metadata processed by sub-processors in the course of providing the Service (e.g., IP addresses, session tokens, device information)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Continuous basis.
Nature of the processing
- Collection, use, storage and deletion of personal data
Purpose(s) of the data transfer and further processing
- Transfer to the Data Controller in accordance with contractual obligations, as outlined in the DPA, i.e., provision of Processor's services, in particular:
- o execution of workflows, agents, and tasks
- o operation of virtualized device environments
- o installation and automation of apps
- o processing of task data, logs, artifacts, and trajectories
- o AI inference processing via LLM providers
- o providing task history, debugging, and results
- o billing and subscription management
- o product analytics and service improvement
- o maintaining service reliability and security
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- Only for as long as required by applicable statutory retention obligations.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- N/A
***
Part B.
Data Processing Agreement
of
Droidrun GmbH,
Rheinstraße 82, 49090 Osnabrück
and
Customer
Droidrun GmbH ("Processor") and Customer (hereinafter together the "Parties" and individually as "Party") enter into the following agreement on the processing of personal data (Data Processing Agreement, "DPA") by Processor on behalf of Customer in accordance with Art. 28 of Regulation (EU) 2016/679 (General Data Protection Regulation ("GDPR")).
1. PREAMBLE
The Processor offers a hosted mobile cloud platform to grant AI native control of mobile devices to automate workflows, scrape data, and run QA ("Service") in accordance with Processor's General Terms and Conditions ("Main Agreement").
As part of the execution of the Main Agreement the Customer (as the data controller) provides the Processor with personal data ("Customer's Personal Data"), which the Processor will process on behalf of the Customer.
Where this DPA uses terms that are defined in the GDPR, those terms shall have the meaning ascribed to them in the GDPR.
In parallel with this DPA, the Parties have entered into the EU Standard Contractual Clauses listed in Part A ("SCC"). The sole purpose of concluding this DPA is to ensure compliance with the additional requirements for data processing on behalf of a controller under the GDPR.
All communications between the Parties may be conducted in text form, including but not limited to e-mail.
2. Hierarchy
2.1. In the event of any contradiction or ambiguity between the terms and conditions of this DPA and the SCC agreed between the parties in Part A, the terms and conditions of the SCC shall prevail in their entirety.
2.2. This DPA shall only apply to the extent that it contains provisions that are not expressly regulated in the SCC and only to the extent that these provisions do not contradict or impair the effect of the SCC.
2.3. This DPA shall in no event be understood as a supplement, modification, or interpretation of the SCC.
3. Subject matter and scope of the DPA
3.1. The Processor shall process Customer's Personal Data on behalf of and in accordance with the instructions of the Customer (processing on behalf). The Customer remains data controller.
3.2. The scope, manner, and purpose of the processing of Customer's Personal Data by the Processor are set out in the Main Agreement and in Annex 1 to this DPA; the processing relates to the types of Customer's Personal Data and categories of data subjects specified therein. The Customer's Personal Data does not include special categories of Customer's Personal Data within the meaning of Art. 9 para. 1 GDPR.
3.3. The Processor reserves the right to anonymize and to use the Customer's Personal Data for the purpose of needs-based designing, developing, and optimizing the Service in compliance with GDPR.
3.4. The Parties conclude this DPA to specify the mutual rights and obligations under the GDPR. In case of doubt, the provisions of this DPA shall take precedence over the provisions of the Main Agreement as far as the processing of Customer's Personal Data is concerned.
3.5. The processing of Customer's Personal Data by the Processor shall in principle take place within the European Union or another contracting state of the European Economic Area ("EEA"). The Processor is nevertheless permitted to process Customer's Personal Data in accordance with the provisions of this DPA outside the EEA if the Processor informs the Customer in advance about the place of processing and if the requirements of Art. 44 to 48 GDPR are fulfilled or if an exception according to Art. 49 GDPR applies.
4. Obligations of the Customer
4.1. The Customer, as data controller, is solely responsible for assessing the lawfulness of the processing of Customer's Personal Data and for safeguarding the rights of data subjects in the relationship between the Parties.
4.2. On request, the Customer shall provide the Processor with the information specified in Art. 30 para. 2 GDPR, insofar as it is not available to the Processor itself.
4.3. If the Processor is required to provide information to a governmental body or person on the processing of Customer's Personal Data or to cooperate with these bodies in any other way, the Customer is obliged at first request to assist the Processor in providing such information and in fulfilling other cooperation obligations.
5. Right of instructions
5.1. The Processor may only process Customer's Personal Data within the framework of the Main Agreement, this DPA and in accordance with the instructions of the Customer. If the Processor is obliged to further processing of Customer's Personal Data by the law of the European Union or of the Member States which the Processor is subject to, the Processor shall inform the Customer about these legal requirements prior to processing, insofar as this is legally permitted.
5.2. The Customer's instructions are initially set out in the Main Agreement and this DPA and may subsequently be amended, supplemented, or replaced by the Customer in text form by specific instructions (individual instructions). The Customer is authorized to issue respective instructions at any time. This includes instructions regarding the rectification and erasure of Customer's Personal Data and the restriction of processing.
5.3. All instructions issued must be documented in text form by both the Customer and the Processor. Instructions that go beyond the service agreed in the Main Agreement are treated as a request for a change in service and are subject to the respective change management regime in the Main Agreement.
5.4. If the Processor is of the opinion that an instruction of the Customer violates this DPA or applicable data protection regulations, the Processor will inform the Customer immediately. The Processor is entitled to suspend the execution of the instruction in question until it is confirmed or changed by the Customer.
6. Protective measures of the Processor
6.1. In its area of responsibility, the Processor will design its internal organization in a way that meets the special requirements of applicable data protection laws. The Processor is obliged to take appropriate technical and organizational measures, taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing of Customer's Personal Data, as well as the different likelihood and severity of the risk to the rights and freedoms of the data subjects in accordance with Art. 32 GDPR, in particular the measures listed in Annex 2, and to maintain them for the term of this DPA.
6.2. The technical and organizational measures may be adapted to future technological developments. The adapted measures must at least match the security level of the measures agreed to in Annex 2.
6.3. Individuals employed by the Processor are prohibited from processing Customer's Personal Data without authorization. The Processor shall oblige all individuals engaged with the processing of Customer's Personal Data and fulfillment of this DPA accordingly and instruct them about the special data protection obligations arising from this DPA and the existing instruction and purpose limitation. The Processor shall commit all such individuals engaged in processing Customer's Personal Data to confidentiality with respect to the processing of Customer's Personal Data.
7. Requests and rights of data subjects
7.1. The Processor shall support the Customer to the extent reasonable and necessary with suitable technical and organizational measures in fulfilling the Customer's obligations pursuant to Art. 12 to 22 GDPR against reimbursement of additional expenses and costs incurred by the Processor as a result of this.
7.2. If a data subject asserts rights, such as the right to information, correction, or deletion of their personal data, directly against the Processor, the Processor will not respond independently, but will in a timely manner refer the data subject to the Customer and await the Customer's instructions.
8. Support and notification obligations of the Processor
8.1. The Processor shall assist the Customer with suitable technical and organizational measures in fulfilling the Customer's obligations pursuant to Art. 32 GDPR taking into account the nature of processing and the information available to the processor.
8.2. Insofar as the Customer is subject to a statutory notification obligation due to a breach of the security of Customer's Personal Data (in particular pursuant to Art. 33, 34 GDPR), the Processor shall inform the Customer in a timely manner of any reportable events in its area of responsibility. The Processor shall assist the Customer in fulfilling the notification obligations on Customer's request to the extent reasonable and necessary in return for reimbursement of additional expenses and costs incurred by the Processor as a result thereof.
8.3. The Processor shall assist the Customer to the extent reasonable and necessary in return for reimbursement of additional expenses and costs incurred by the Processor as a result thereof with data protection impact assessments to be carried out by the Customer and, if necessary, subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR.
9. Control rights of the Customer
9.1. The Processor shall provide the Customer, at the latter's request, with all information required and available to the Processor to prove compliance with its obligations under this DPA.
9.2. The Customer shall be entitled to audit the Processor with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organizational measures; including inspections.
9.3. The Customer shall only carry out inspections to the extent necessary and against reimbursement of additional costs and expenses. Any inspections shall not disproportionately disrupt the Processor's operational processes. After timely advanced notification according to Section 9.4 of this DPA, the Customer is – in order to carry out inspections – entitled to access the business premises of the Processor in which Customer's Personal Data is processed within the usual business hours (Mondays to Fridays from 9 a.m. to 6 p.m. CE(S)T)) at its own expense, without disruption of the course of business and under strict secrecy of the Processor's business and trade secrets.
9.4. The Customer shall inform the Processor at least two weeks in advance of all circumstances in relation to the performance of the audit. The Customer may carry out one audit per calendar year. This rule does not apply to audits following a security incident meeting the requirements of Art. 33 GDPR or Art. 34 GDPR.
9.5. The Processor is entitled, at its own discretion and taking into account the legal obligations of the Customer, not to disclose information which are sensitive with regard to the Processor's business or if the Processor would be in breach of statutory or other contractual provisions as a result of its disclosure. The Customer is not entitled to gain access to data or information about the Processor's other customers, cost information, quality control and contract management reports, or any other confidential data of the Processor that is not directly relevant for the agreed audit purposes.
9.6. If the Customer commissions a third party to carry out the audit, the Customer shall obligate the third party in writing the same way as the Customer is obliged vis-à-vis the Processor according to this Section of the DPA. In addition, the Customer shall obligate the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy. At the request of the Processor the Customer shall immediately submit a copy of the commitment agreement with the third party to the Processor. The Customer may not commission any of the Processor's competitors to carry out the audit.
9.7. The Customer shall document the results of the audits carried out or commissioned by the Customer and inform the Processor about their outcome. In the event of errors or irregularities that the Customer discovers during the audit, the Customer must inform the Processor immediately. If facts are discovered during the review which require changes to the ordered procedure in order to avoid such facts in the future, the Customer shall inform the Processor immediately of the necessary procedural changes.
9.8. At the discretion of the Processor, proof of compliance with the obligations under this DPA may be provided, instead of an inspection, by submitting an appropriate, current opinion or report from an independent authority (e.g., auditor, audit department, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit – e.g., according to BSI-Grundschutz, if the audit report makes it possible for the Customer in an appropriate manner to convince itself about compliance with the contractual obligations, unless otherwise provided by applicable statutory laws.
10. Use of subprocessors
10.1. The Customer grants the Processor general authorization to engage further subprocessors with regard to the processing of Customer's Personal Data. The subprocessors listed in Annex 3 are authorized by the Customer. The Processor is authorized to establish further subcontracting relationships with subprocessors within the scope of its contractual obligations. The Processor is obliged to carefully select subprocessors according to their suitability and reliability.
10.2. The Processor shall notify the Customer of any intended changes in relation to the consultation or replacement of subprocessors. In individual cases, the Customer has the right to object to the engagement of a potential subprocessor. An objection may only be raised by the Customer for important reasons which have to be further clarified. Insofar as the Customer does not object in text form within 14 calendar days after receipt of the notification, its right to object to the corresponding engagement lapses. If the Customer objects, the Processor is entitled to terminate the Main Agreement and this DPA with a notice period of three months.
10.3. The agreement between the Processor and the further subprocessor must impose the same obligations on the latter as those incumbent upon the Processor under this DPA. The Parties agree that this requirement is fulfilled if the contract has a level of protection corresponding to this DPA.
10.4. Subject to compliance with the requirements of Section 3.5 of this DPA, the provisions of this Section shall also apply if a further subprocessor in a third country is involved. The Parties agree that in such case the requirements of Section 10.3 above are met if the applicable EU standard contractual clauses for the transfer of personal data to third countries are concluded with the further processor in the third country. The Customer declares its willingness to cooperate in fulfilling the requirements of Art. 49 GDPR to the extent necessary.
10.5. The commissioning of third parties with services that are to be regarded as purely ancillary services by the Processor does not constitute a subprocessor relationship within the meaning of these provisions. This includes, for example, postal, transport and dispatch services, cleaning services, telecommunications services without specific reference to services that the Processor provides for the Customer and security services as well as other measures to ensure the confidentiality, availability, integrity and load capacity of the hardware and software of data processing systems. The Processor's obligation to ensure compliance with data protection and data security in these cases remains unaffected.
11. Liability
11.1. The limitations of liability of the Main Agreement shall apply.
11.2. As far as third parties assert claims against the Processor which are caused by the Customer's culpable breach of this DPA or one of its obligations as the controller in terms of the GDPR, the Customer shall indemnify and hold the Processor harmless from these claims.
11.3. The Customer undertakes to indemnify the Processor against all possible fines imposed on the Processor corresponding to the Customer's part of responsibility for the infringement sanctioned by the fine.
12. Term and termination
12.1. The term of this DPA is based on the term of the Main Agreement unless circumstances of this DPA require otherwise.
12.2. The termination of this DPA shall be governed by the respective provisions of the Main Agreement. A termination of the Main Agreement automatically results in a cancellation of this DPA. An isolated termination of this DPA is excluded.
13. Deletion of Customer's Personal Data
After termination of the Main Agreement or at any time at the Customer's written request, the Processor will delete all Customer's Personal Data provided to the Processor, unless the Processor is obligated by law to further store the Customer's Personal Data.
14. Final provisions
14.1. In case individual provisions of this DPA are ineffective or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The Parties undertake to replace the ineffective provision by a legally permissible provision which comes closest to the purpose of the ineffective provision and that thereby satisfies the requirements of Art. 28 GDPR.
14.2. The exclusive place of jurisdiction for all disputes arising from or in connection with the DPA is Osnabrück. The Processor is also entitled to sue at the Customer's place of business or another competent court.
14.3. The law of the Federal Republic of Germany is applicable.
Annexes to this DPA
- Annex 1: Description of data types and categories of data subjects
- Annex 2: Technical and organizational measures of the Processor
- Annex 3: Authorized subprocessors of the Processor
Annex 1: Description of the types of data and categories of data subjects
| Affected persons and group of persons | In particular:
|
| Type of data or data categories | In particular:
|
| Nature and purpose of processing | Nature of the processing:
Purpose of the processing:
|
Annex 2: Technical and organizational measures implemented by the Processor
§ 1 Confidentiality pursuant to Art. 32 para. 1 GDPR
(1) Admission control
Measures that are suitable for preventing unauthorized persons from gaining access to data processing systems with which Customer's Personal Data is processed or used:
| Technical measures | Organizational measures |
|---|---|
| Video surveillance of the entrances | Employee ID cards and visitor ID cards |
| Doors with exterior knob | |
| Access logging (Infisical) |
(2) Application access control
Measures that are suitable for preventing data processing systems from being used by non-authorized persons:
| Technical measures | Organizational measures |
|---|---|
| Login with username and password | Management of user authorizations |
| Password itself is secured by means of hash functions or similar | Allocation of user authorizations according to the need-to-know principle |
| Systemic obligation to comply with password guidelines | "Reset forgotten passwords" policy |
| Firewall | "Secure password" policy |
(3) Access control
Measures to ensure that persons authorized to use a data processing system can only access Customer's Personal Data subject to their access authorization and that Customer's Personal Data cannot be read, copied, modified or removed without authorization during processing, use and after storage:
| Technical measures | Organizational measures |
|---|---|
| Administrator access via jump-server | Use of authorization concepts |
| Authentication via IDP, SAML, 2.0, Oauth 2.0 | Deletion concept for data |
| Management of user rights by administrators | |
| Administrator activity with personalised account | |
| No role accounts |
(4) Separation control
Measures to ensure that Customer's Personal Data collected for different purposes is processed separately:
| Technical measures | Organizational measures |
|---|---|
| Separation of production and test environment | Control via authorization concept |
| E-mail encryption (end-to-end or transport-layer) | |
| Multi-Tenant capability of relevant applications | |
| Drive encryption | |
| Website encryption | |
| Logical client separation |
§ 2 Pseudonymization and encryption pursuant to Art. 32 para. 1 lit. a and Art. 25 para. 1 GDPR
Measures to ensure that Customer's Personal Data can no longer be attributed to a specific data subject without the use of additional information, provided that this information is kept separately and is subject to appropriate technical and organizational measures:
| Technical measures | Organizational measures |
|---|---|
| Internal instruction to anonymize/pseudonymize Customer's Personal Data once transferred or after expiry of the statutory deletion period |
§ 3 Confidentiality (employee instruction), Art. 32 para. 1 lit. b GDPR
Measures to ensure that employees are sufficiently made aware of applicable legal obligations:
| Technical measures | Organizational measures |
|---|---|
| Employees are committed to confidentiality, and to only process personal data in accordance with the GDPR |
§ 4 Integrity pursuant to Art. 32 para. 1 lit. b GDPR
(1) Transfer control
Measures to ensure that Customer's Personal Data cannot be read, copied, altered or removed without authorization during electronic transmission or during transport or storage on data carriers, and that it is possible to check and establish to which bodies the transfer of Customer's Personal Data by means of data transmission facilities is envisaged:
| Technical measures | Organizational measures |
|---|---|
| Encrypted connections (data in transit) | |
| Encrypted storage (data at rest: hard drives/prints) | |
| Encryption complies at least with BSI TR-02102 | |
| Data loss prevention |
(2) Input control
Measures that ensure subsequent identification and verification of whether and by whom Customer's Personal Data is entered, modified or removed from data processing systems:
| Technical measures | Organizational measures |
|---|---|
| Manual or automatic control of the logs |
(3) Documentation control
| Technical measures | Organizational measures |
|---|---|
| Technical logging of input, changes and deletion | Documentation of the IT systems used and their system configuration |
| Technical and manual control of protocols | Authorization system for input, changes and deletion |
§ 5 Availability and resilience pursuant to Art. 32 para. 1 lit. b GDPR and ability to restore after a physical or technical incident pursuant to Art. 32 para. 1 lit. c GDPR
Measures to ensure that Customer's Personal Data is protected against accidental deletion or loss:
| Technical measures | Organizational measures |
|---|---|
| Backup recovery concept | |
| Backup recovery concept (in written) | |
| Control of the backup process | |
| Storage of backup media in a secure location outside the server room | |
| Development/testing of applications is fault-tolerant | |
| Change release process for regular updates and patches |
§ 6 Procedure for regular test, assessment and evaluation pursuant to Art. 32 para. 1 lit. d GDPR
(1) Data protection management
Measures to regularly review, assess and evaluate the effectiveness of the technical and organizational measures:
| Technical measures | Organizational measures |
|---|---|
| The effectiveness of the technical protective measures is reviewed at least once a year |
(2) Incident response management
Measures to support the response to security breaches:
| Technical measures | Organizational measures |
|---|---|
| Use of firewalls and regular updates | Documented process for recognizing and reporting security incidents/data breaches (also with regard to the obligation to report to supervisory authorities) |
| DMZ (Demilitarized Zone) |
§ 7 Subordinates only have access to Customer's Personal Data on the instructions of the controller pursuant to Art. 32 para. 4 GDPR
Measures to ensure that subordinate natural persons who have access to Customer's Personal Data only process it on the instructions of the controller:
| Technical measures | Organizational measures |
|---|---|
| Prohibition to process Customer's Personal Data outside the instruction | |
| Access to Customer's Personal Data is only granted if it is necessary for the agreed purposes |
§ 8 Data protection-friendly default settings Art. 25 para. 2 GDPR
Measures to ensure that, by default, only Customer's Personal Data required for the specific purpose is processed:
| Technical measures | Organizational measures |
|---|---|
| No more Customer's Personal Data is collected than necessary for the respective purpose | Deletion concept for Customer's Personal Data |
| Simple exercise of the data subject's right of objection through technical measures | |
| Determination of Customer's Personal Data in the event of requests for information is supported by technical measures |
§ 9 Sub-processors (commissioning of third parties), Art. 28 GDPR
Measures to ensure that Customer's Personal Data processed on behalf of the processor is only processed in accordance with the processor's instructions:
| Technical measures | Organizational measures |
|---|---|
| Prior review and documentation of the safety measures taken by the sub-processor | |
| Selection of the sub-processor under due diligence aspects (especially with regard to data protection and security) | |
| Conclusion of the necessary data processing agreements or EU standard contractual clauses | |
| Written instructions to the sub-processor | |
| Sub-processor is bound by instructions | |
| Obligation of the sub-processor's employees to maintain data confidentiality | |
| Obligation for the sub-processor to appoint a DPO if there is an obligation to appoint one | |
| Agreement of effective control rights towards the sub-processor | |
| Regulation on the deployment of further sub-processors | |
| Ensuring the destruction of Customer's Personal Data after completion of the order | |
| Regulations on maintenance (esp. remote maintenance) | |
| In the case of long-term cooperation: Ongoing review of the sub-processor and its level of protection |
§ 10 Use of AI models
Measures to ensure the secure, ethical, and reliable development and deployment of AI models.
| Technical measures | Organizational measures |
|---|---|
| Limitation of the collection and processing of personal data to what is strictly necessary for the AI model's purpose | Implementation of criteria for the selection of AI models and providers (including legal, ethical, and security considerations) |
Annex 3: Authorized subprocessors of the Processor
The following companies are authorized subprocessors within the meaning of Section 10.1 of this DPA:
| Provider and seat | Tool/Service | Purpose of processing |
|---|---|---|
| PostHog, Inc. | Analytics & Data Pipeline | Product analytics and task performance monitoring |
| Infisical, Inc. | Secret Manager | Secure storage and management of credentials for automated app logins |
| Google Cloud EMEA Limited | Cloud Provider | Providing cloud infrastructure for hosting and operating the Service |
| Cloudflare, Inc. | DNS & CDN Provider | DNS management and domain protection |
| Autumn Labs | Subscription Management | Managing subscription plans, entitlements, and billing logic |
| Stripe, Inc. | Payment Processing | Processing payments and managing invoices |
| OpenAI, L.L.C. | LLM API | Providing AI inference services for task execution and agent reasoning (GPT models) |
| Anthropic, PBC | LLM API | Providing AI inference services for task execution and agent reasoning (Claude models) |
| Google LLC | LLM API | Providing AI inference services for task execution and agent reasoning (Gemini models) |
| OpenRouter, Inc. | LLM API Gateway | Routing AI inference requests to additional LLM providers for task execution and agent reasoning. OpenRouter may engage further sub-processors as listed in their privacy documentation. |
| Bright Data Ltd. | Proxy Provider | Providing proxy infrastructure for internet access on emulated mobile devices (optional) |
