Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR · DPP Hero – Battery Passport Software based on DIN SPEC 99100

As of: March 2026 · Version 1.0

Note: This English translation is provided for convenience only and is non-binding. In case of any discrepancy between the German version and this translation, the German version shall prevail.

§ 1 – Preamble and Subject of the Agreement

1.1. This Data Processing Agreement (hereinafter “DPA”) is concluded between the user of the SaaS platform DPP Hero (hereinafter “Controller”) and DPP Hero, Owner Niels van Veen, Hoher Holzweg 17, 30966 Hemmingen, Germany, VAT ID: DE309665873 (hereinafter “Processor”).

1.2. This DPA specifies the data protection obligations of the parties in connection with the processing of personal data by the Processor on behalf of the Controller pursuant to Art. 28 of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR).

1.3. This DPA forms an integral part of the main agreement concluded between the parties regarding the use of the SaaS platform DPP Hero (hereinafter “Main Agreement”), including the General Terms and Conditions in their respectively applicable version. In the event of contradictions between this DPA and the Main Agreement, the provisions of this DPA shall prevail with respect to data protection matters.

1.4. DPP Hero is a software tool for creating and managing digital product passports. DPP Hero is not a DPP service provider within the meaning of Art. 11 of Regulation (EU) 2024/1781 (ESPR). Responsibility for the accuracy, completeness and regulatory conformity of the data entered lies solely with the Controller as the economic operator.

§ 2 – Definitions

2.1. “Personal Data” means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).

2.2. “Processing” means any operation or set of operations performed on personal data, whether or not by automated means (Art. 4(2) GDPR), including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure or destruction.

2.3. “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4(7) GDPR). Under this DPA, the Controller is the user of the DPP Hero platform.

2.4. “Processor” means the natural or legal person which processes personal data on behalf of the Controller (Art. 4(8) GDPR). Under this DPA, the Processor is DPP Hero.

2.5. “Sub-processor” means another processor engaged by the Processor to carry out specific processing activities on behalf of the Controller.

2.6. “Data Subject” means the identified or identifiable natural person whose personal data is processed (Art. 4(1) GDPR).

2.7. “Instruction” means a directive issued by the Controller to the Processor regarding a specific manner of processing personal data. Instructions shall generally be issued in text form; oral instructions must be confirmed in text form without undue delay.

§ 3 – Subject Matter and Duration of Processing

3.1. The subject matter of the data processing is the processing of personal data by the Processor in connection with the provision and operation of the SaaS platform DPP Hero pursuant to the Main Agreement.

3.2. Processing begins upon the effective date of the Main Agreement (registration and use of the platform) and ends upon the complete termination of the Main Agreement and the final deletion or return of all personal data pursuant to § 16 of this DPA.

3.3. The term of this DPA corresponds to the term of the Main Agreement. This DPA shall automatically terminate upon termination of the Main Agreement, without prejudice to obligations that, by their nature, survive termination (in particular deletion obligations and confidentiality obligations).

§ 4 – Nature and Purpose of Processing

4.1. The Processor shall process personal data solely for the purpose of fulfilling the Main Agreement, in particular:

(a) Platform Provision: Operation, maintenance and development of the SaaS platform DPP Hero, including database hosting, application hosting and provision of the user interface;

(b) User Account Management: Registration, authentication, session management and administration of user accounts;

(c) Product Data Processing: Storage, processing, display and export of product data entered by the Controller, including any personal data contained therein (e.g. contact persons, supplier data);

(d) Document Management: Storage and provision of documents uploaded by the Controller;

(e) Publication: Making published product data available via publicly accessible URLs at the Controller's request;

(f) Communication: Sending transactional emails (e.g. registration confirmations, password resets, notifications);

(g) Payment Processing: Processing of subscription payments and invoice generation;

(h) Security: Protection of the platform against unauthorized access, misuse, bot attacks and DDoS attacks.

4.2. Processing of personal data for other purposes is not permitted and shall not take place unless the Controller has expressly consented thereto in text form or the Processor is obliged to do so under Union or Member State law (Art. 28(3)(a) GDPR).

§ 5 – Types of Personal Data

5.1. The following types of personal data are processed:

(a) User Account Data: Email address, name, password (hashed), language preference, timezone, two-factor authentication data (TOTP seeds);

(b) Organisation Data: Company name, business address, VAT ID, country, website, phone number;

(c) Contact Data in Product Data: Names, email addresses, phone numbers and addresses of the Controller's contact persons (e.g. product passport contacts, safety officers);

(d) Supplier Data in Product Data: Names, company names, addresses, email addresses and contact details of suppliers and business partners, insofar as entered as part of the product data;

(e) Technical Usage Data: IP addresses, browser information, access times, device information, session data;

(f) Payment Data: Billing address, payment method (metadata, no complete credit card numbers), subscription status, transaction history;

(g) Communication Data: Email addresses and contents of transactional emails;

(h) Share Link Data: Email addresses and product data submitted by third parties (e.g. suppliers) via share links, insofar as they contain personal data.

5.2. The processing of special categories of personal data within the meaning of Art. 9 GDPR is not the subject of this DPA. The Controller shall not enter such data into the platform. Should the Controller nonetheless enter special categories of personal data, the Controller bears sole data protection responsibility therefor.

§ 6 – Categories of Data Subjects

6.1. The following categories of data subjects are affected:

(a) Users of the Controller: Employees, authorised representatives and other persons authorised by the Controller to use the platform;

(b) Contact Persons of the Controller: Contact persons, safety officers and other contacts named in the product data;

(c) Suppliers and Business Partners: Natural persons at suppliers, sub-suppliers and other business partners whose contact data is entered into the product data;

(d) Share Link Recipients: Natural persons to whom the Controller sends share links for data entry;

(e) Other Data Subjects: Natural persons whose personal data the Controller enters into product data or documents during platform use.

§ 7 – Obligations and Rights of the Controller

7.1. The Controller is responsible for compliance with data protection provisions, in particular for the lawfulness of data processing and the protection of the rights of data subjects (Art. 24 GDPR).

7.2. The Controller determines the nature, scope and purpose of the processing of personal data within the framework of the Main Agreement and this DPA. The Controller issues instructions to the Processor in accordance with § 9.

7.3. The Controller shall ensure that:

(a) a suitable legal basis exists for the processing of personal data (in particular Art. 6(1) GDPR);

(b) data subjects are duly informed about the data processing (Art. 13, 14 GDPR), in particular about the involvement of DPP Hero as Processor and the use of sub-processors;

(c) consent of data subjects is obtained where required as a legal basis;

(d) personal data entered into the platform is accurate and up to date;

(e) no special categories of personal data within the meaning of Art. 9 GDPR are entered into the platform.

7.4. The Controller shall inform the Processor without undue delay if errors or irregularities in the processing of personal data are discovered.

§ 8 – Obligations of the Processor

8.1. The Processor shall process personal data only on documented instructions from the Controller in accordance with § 9, unless required to do so by Union or Member State law; in such case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest (Art. 28(3)(a) GDPR).

8.2. The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).

8.3. The Processor shall implement all technical and organisational measures required under Art. 32 GDPR to protect personal data. The measures in place at the time of contract conclusion are documented in Appendix 1 to this DPA.

8.4. The Processor shall engage sub-processors only under the conditions set out in § 12.

8.5. The Processor shall assist the Controller in fulfilling obligations pursuant to Art. 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor (Art. 28(3)(e), (f) GDPR). Details are set out in § 14.

8.6. After the end of the provision of processing services, the Processor shall delete all personal data and delete existing copies, unless Union or Member State law requires storage (Art. 28(3)(g) GDPR). Details are set out in § 16.

8.7. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and shall allow for and contribute to audits (Art. 28(3)(h) GDPR). Details are set out in § 13.

8.8. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other Union or Member State data protection provisions (Art. 28(3) subpara. 2 GDPR).

§ 9 – Instructions

9.1. The Processor shall process personal data solely in accordance with the documented instructions of the Controller. The Main Agreement (including the Terms and Conditions) and this DPA constitute the basic instructions.

9.2. Instructions shall generally be issued in text form (email to privacy@dpphero.com). Oral instructions are permitted in exceptional cases and must be confirmed by the Controller in text form without undue delay. The Processor shall document all instructions received.

9.3. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes data protection provisions. The Processor shall be entitled to suspend the execution of such instruction until the Controller confirms or amends it.

9.4. The Processor shall not use personal data for its own purposes and shall not disclose the data to third parties unless the Controller has consented thereto in text form or the Processor is legally obliged to do so.

§ 10 – Confidentiality

10.1. The Processor shall ensure that all persons with access to personal data of the Controller are bound by confidentiality obligations. This applies to employees, freelancers and other auxiliary persons.

10.2. The confidentiality obligation shall continue to apply after termination of the respective activity and this DPA.

10.3. The Processor shall ensure that persons entrusted with the processing of personal data have been instructed in the relevant data protection provisions and informed about the specific data protection requirements under this DPA. Appropriate training shall be conducted and documented at reasonable intervals.

§ 11 – Technical and Organisational Measures (TOMs)

11.1. The Processor shall implement and maintain the necessary technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk for the personal data of the Controller. The measures shall take into account the state of the art, the costs of implementation, the nature, scope, circumstances and purposes of processing and the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

11.2. The technical and organisational measures in place at the time of contract conclusion are described in detail in Appendix 1 to this DPA.

11.3. The Processor shall be entitled to adapt and develop the technical and organisational measures during the term of the agreement, provided that the contractually agreed level of protection is not reduced. The Processor shall notify the Controller of material changes in text form.

11.4. Upon request by the Controller, the Processor shall provide a current overview of the technical and organisational measures in place.

§ 12 – Sub-processing

12.1. The Controller hereby grants the Processor general written authorisation to engage sub-processors pursuant to Art. 28(2) GDPR. The sub-processors approved at the time of contract conclusion are listed in Appendix 2.

12.2. The Processor shall inform the Controller before any intended addition or replacement of a sub-processor in text form (email to the email address on file for the Controller). The notification shall include the sub-processor's name, registered office, processing purpose and server location.

12.3. The Controller may object to the addition or replacement of a sub-processor within fourteen (14) days of receipt of the notification on substantive, data protection-related grounds in text form. If no objection is raised within this period, authorisation shall be deemed granted.

12.4. If the Controller objects to the engagement of a sub-processor, the parties shall endeavour to reach an amicable solution. If no agreement can be reached, either party shall be entitled to terminate the Main Agreement and this DPA with thirty (30) days' notice to the end of the month.

12.5. The Processor shall conclude a contract with each sub-processor imposing at least the same data protection obligations as laid down in this DPA (Art. 28(4) GDPR). In particular, the sub-processor must implement sufficient technical and organisational measures to ensure that processing meets the requirements of the GDPR.

12.6. The Processor shall remain fully liable to the Controller for the fulfilment of the sub-processor's obligations. Where a sub-processor fails to fulfil its data protection obligations, the Processor shall be liable to the Controller for the sub-processor's compliance (Art. 28(4) sentence 2 GDPR).

12.7. Third Country Transfers. Where sub-processors process personal data in third countries (outside the EEA), the Processor shall ensure an adequate level of data protection through appropriate safeguards, in particular:

(a) an adequacy decision of the European Commission pursuant to Art. 45 GDPR (in particular the EU-U.S. Data Privacy Framework);

(b) Standard Contractual Clauses of the European Commission pursuant to Art. 46(2)(c) GDPR;

(c) supplementary measures in accordance with the recommendations of the European Data Protection Board (EDPB), where required.

§ 13 – Audit Rights of the Controller

13.1. The Controller shall be entitled to verify compliance by the Processor with the provisions of this DPA and applicable data protection laws. The Processor shall provide the Controller with all necessary information upon request (Art. 28(3)(h) GDPR).

13.2. The Controller may conduct audits, including inspections, or have them conducted by an auditor commissioned by the Controller and accepted by the Processor. The Processor may refuse consent to an auditor only for important reasons (in particular: competitor, lack of expertise, lack of confidentiality commitment). On-site inspections are permitted subject to:

(a) at least fourteen (14) business days' prior written notice;

(b) conduct during regular business hours;

(c) no disproportionate disruption of the Processor's business operations;

(d) preservation of confidentiality (in particular regarding data of other customers of the Processor).

13.3. The Processor may also fulfil the Controller's audit rights by:

(a) providing a current certificate, report or report excerpt from an independent body (e.g. auditor, data protection auditor, IT security auditor);

(b) presenting current audit reports or SOC reports of its sub-processors;

(c) making available the technical and organisational measures documented in Appendix 1 in their current version.

13.4. The costs of the audit shall be borne by the Controller unless the audit was prompted by a breach of this DPA by the Processor. The Processor shall be entitled to charge reasonable hourly compensation for support services during on-site inspections that go beyond the mere provision of documents.

§ 14 – Assistance Obligations

14.1. The Processor shall assist the Controller, taking into account the nature of processing and by appropriate technical and organisational measures, insofar as possible, in fulfilling requests from data subjects to exercise their rights under Chapter III GDPR (Art. 28(3)(e) GDPR), in particular:

(a) Right of access (Art. 15 GDPR): Provision of information required for responses;

(b) Right to rectification (Art. 16 GDPR): Rectification of inaccurate data upon instruction by the Controller;

(c) Right to erasure (Art. 17 GDPR): Deletion of personal data upon instruction by the Controller, unless statutory retention obligations apply;

(d) Right to restriction of processing (Art. 18 GDPR): Restriction of processing upon instruction by the Controller;

(e) Right to data portability (Art. 20 GDPR): Provision of data in a structured, commonly used and machine-readable format (in particular JSON export).

14.2. If a data subject addresses a request to exercise their rights directly to the Processor, the Processor shall forward the request to the Controller without undue delay. The Processor shall not respond to the request independently unless expressly instructed to do so by the Controller.

14.3. The Processor shall assist the Controller, taking into account the nature of processing and the information available to the Processor, in ensuring compliance with:

(a) Art. 32 GDPR (security of processing);

(b) Art. 33, 34 GDPR (notification and communication of personal data breaches; cf. § 15);

(c) Art. 35 GDPR (data protection impact assessment);

(d) Art. 36 GDPR (prior consultation with the supervisory authority).

14.4. The Processor shall be entitled to charge reasonable compensation for assistance services under § 14.1 and § 14.3 that exceed the usual scope or cause unreasonable effort.

§ 15 – Notification of Personal Data Breaches

15.1. The Processor shall notify the Controller of any personal data breach (Art. 4(12) GDPR) affecting personal data processed on behalf of the Controller without undue delay after becoming aware thereof, generally within twenty-four (24) hours (Art. 33(2) GDPR).

15.2. The notification shall include at least the following information, insofar as available at the time of notification:

(a) a description of the nature of the personal data breach, where possible including the categories and approximate number of data subjects and data records concerned;

(b) the name and contact details of the Processor's contact person for inquiries;

(c) a description of the likely consequences of the breach;

(d) a description of the measures taken or proposed by the Processor to address the breach and mitigate its possible adverse effects.

15.3. Where the information cannot be provided simultaneously, the Processor shall provide it in phases without undue further delay (Art. 33(4) GDPR by analogy).

15.4. The Processor shall document all personal data breaches including all related facts, effects and remedial measures taken. Documentation shall be made available to the Controller upon request.

15.5. The Processor shall assist the Controller in fulfilling notification obligations to the supervisory authority (Art. 33 GDPR) and in notifying data subjects (Art. 34 GDPR) where required.

15.6. Notifications shall be sent to the Controller by email to the email address on file in the user account. Dashboard notifications may be provided additionally. The Controller shall ensure that the email address on file is current and reachable at all times.

§ 16 – Deletion and Return of Data

16.1. Upon termination of the Main Agreement, the Processor shall delete all personal data processed on behalf of the Controller after expiry of the retention period specified in the Main Agreement (currently thirty (30) calendar days after contract end, cf. § 9.6 of the Terms and Conditions), unless Union or Member State law requires continued storage.

16.2. The Controller is obligated to back up its data via the export functions provided in the platform (in particular JSON export, PDF export) before expiry of the retention period pursuant to § 16.1. The Processor shall give the Controller timely notice of the impending deletion.

16.3. Upon instruction by the Controller, the Processor shall return personal data before deletion in a structured, commonly used and machine-readable format (JSON), insofar as technically feasible.

16.4. Deletion shall encompass all copies of personal data, including backup copies, insofar as deletion is technically feasible and reasonable. Where backup copies cannot be immediately deleted due to technical constraints (e.g. automated backup cycles), they shall be deleted in the course of the regular backup rotation cycle. The protective obligations of this DPA shall continue to apply until final deletion.

16.5. The Processor shall confirm to the Controller upon request the complete deletion of personal data in text form.

16.6. Statutory retention obligations (in particular under § 147 of the German Fiscal Code (AO) and § 257 of the German Commercial Code (HGB)) shall remain unaffected. In such cases, the relevant data shall be blocked for the duration of the statutory retention period and deleted upon its expiry.

§ 17 – Liability

17.1. The liability of the parties in connection with this DPA shall be governed by the provisions of the GDPR, in particular Art. 82 GDPR, and the liability provisions of the Main Agreement (Terms and Conditions), unless this DPA contains deviating provisions.

17.2. Each party shall be liable to data subjects for the entire damage caused by processing that infringes the GDPR (Art. 82(1) GDPR). The Processor shall be liable only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside of or contrary to the lawful instructions of the Controller (Art. 82(2) GDPR).

17.3. Where a party has paid full compensation for the entire damage suffered, that party shall be entitled to claim back from the other party that part of the compensation corresponding to their part of responsibility for the damage (Art. 82(5) GDPR).

17.4. The liability limitations of the Main Agreement (in particular § 18 of the Terms and Conditions) shall apply supplementarily, insofar as they do not conflict with mandatory liability provisions of the GDPR. Mandatory claims of data subjects under Art. 82 GDPR cannot be contractually limited.

§ 18 – Term and Termination

18.1. This DPA shall enter into force upon conclusion of the Main Agreement (registration and use of the platform) and shall remain in force for the duration of the Main Agreement.

18.2. Separate termination of this DPA is not possible. Termination of the Main Agreement shall automatically include termination of this DPA.

18.3. Obligations contained in this DPA that, by their nature, survive termination shall remain unaffected. This applies in particular to deletion obligations (§ 16), confidentiality obligations (§ 10) and liability provisions (§ 17).

18.4. The right to extraordinary termination of the Main Agreement for good cause shall remain unaffected. Good cause for extraordinary termination by the Controller shall exist in particular where the Processor repeatedly or materially fails to comply with its obligations under this DPA or the GDPR.

§ 19 – Final Provisions

19.1. Amendments and supplements to this DPA shall require text form. This shall also apply to the waiver of this text form requirement.

19.2. Should any provision of this DPA be or become invalid or unenforceable, the validity of the remaining provisions shall not be affected. The invalid or unenforceable provision shall be replaced by a valid provision that most closely approximates the economic purpose of the original provision and meets the requirements of the GDPR.

19.3. This DPA shall be governed by the laws of the Federal Republic of Germany. The jurisdiction provisions of the Main Agreement (§ 27 of the Terms and Conditions) shall apply accordingly.

19.4. In case of discrepancies between language versions of this DPA, the German version shall prevail.

19.5. The Controller may contact DPP Hero for data protection-related inquiries (in particular access, deletion, rectification, DPA questions) at the following address:

DPP Hero

Niels van Veen

Hoher Holzweg 17

30966 Hemmingen, Germany

Email: privacy@dpphero.com

Appendix 1 – Technical and Organisational Measures (TOMs)

The following technical and organisational measures pursuant to Art. 32 GDPR are implemented by the Processor at the time of contract conclusion. The measures are continuously reviewed and adapted to the state of the art.

1. Physical Access Control

DPP Hero operates as a cloud-only SaaS platform. No personal data is processed on physical on-premises servers. Physical access control is ensured by the infrastructure sub-processors:

• Supabase/AWS (EU region Frankfurt): ISO 27001, SOC 2 Type II certified data centres with biometric access, 24/7 surveillance, multi-zone security;

• Vercel (EU region Frankfurt): Enterprise-grade infrastructure with physical security controls;

• Access to data centre facilities is restricted to authorised personnel of the respective sub-processors.

2. System Access Control

Measures to prevent unauthorised use of the data processing systems:

• Password policies: Minimum 8 characters; passwords are stored exclusively as bcrypt hashes; DPP Hero has no access to plaintext passwords;

• Two-factor authentication (2FA): Optional TOTP-based second factor for user accounts;

• Session management: JWT-based access tokens (approx. 1 hour validity) with refresh tokens (approx. 7 days validity); automatic session expiry;

• Brute-force protection: IP-based rate limiting for authentication endpoints (login, registration, password reset);

• Bot protection: Cloudflare Turnstile for automated access detection;

• Administrative access: Restricted to the Processor's management; access to Supabase Dashboard and Vercel Dashboard via individually secured accounts with 2FA.

3. Data Access Control

Measures to ensure that authorised users can only access the data they are entitled to:

• Role-Based Access Control (RBAC): Differentiation between user roles (owner, member);

• Row Level Security (RLS): Database-level access control through PostgreSQL policies; every query is automatically filtered by organisation_id;

• Principle of least privilege: Users can only access data belonging to their own organisation;

• API key management: Supabase Service Role Key and Anon Key are strictly separated; Service Role Key is used exclusively server-side.

4. Separation Control

Measures to ensure that data collected for different purposes is processed separately:

• Logical tenant isolation: All data records are associated with an organisation_id; RLS policies enforce strict data separation at the database level;

• Purpose limitation: Personal data is processed exclusively for the purposes set out in this DPA;

• Separate environments: Development, staging and production environments are logically separated.
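The organisation_id filtering and the owner/member distinction described in sections 3 and 4 are typically realised with PostgreSQL Row Level Security policies. The following is an added illustration of that mechanism and is not DPP Hero's own schema or policy set; all table, column, role and function names are assumptions made for the example, and the two organisations and users are constructed data.

```sql
-- Added illustration, not DPP Hero's own schema or policies: how PostgreSQL
-- Row Level Security can enforce the organisation_id filtering and the
-- owner/member roles described in Appendix 1, sections 3 and 4. All table,
-- column, role and function names below are assumptions for this example.

create table organisation_members (
  user_id         uuid not null,
  organisation_id uuid not null,
  role            text not null check (role in ('owner', 'member')),
  primary key (user_id, organisation_id)
);

create table products (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null,
  name            text not null,
  contact_email   text              -- personal data in the sense of § 5.1(c)
);

-- Constructed data: two organisations with one user each. Inserted before
-- RLS is switched on so that the setup itself is not subject to the policies.
insert into organisation_members (user_id, organisation_id, role) values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'owner'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'member');
insert into products (organisation_id, name, contact_email) values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'Cell pack A', 'alice@example.com'),
  ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'Cell pack B', 'bob@example.com');

-- Caller identity, read from the JWT claims the API layer stores on the
-- connection. Supabase wraps the same lookup as auth.uid(); plain
-- current_setting() is used here so the example runs on stock PostgreSQL.
-- Without a 'sub' claim the function returns NULL and every policy denies.
create or replace function current_user_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub')::uuid
$$;

alter table organisation_members enable row level security;
alter table products enable row level security;
alter table products force row level security;   -- no exemption for the table owner

-- Users see only their own memberships. No insert/update/delete policy exists,
-- so RLS denies those operations: a user cannot add themselves to another
-- organisation.
create policy members_self on organisation_members
  for select using (user_id = current_user_id());

-- Read access: any member of the organisation that owns the row.
create policy products_read on products
  for select using (
    organisation_id in (select organisation_id from organisation_members
                         where user_id = current_user_id()));

-- Write access: owners only. WITH CHECK applies the same test to the new row,
-- so a client cannot insert or re-home a product under a foreign organisation_id.
create policy products_write on products
  for all using (
    organisation_id in (select organisation_id from organisation_members
                         where user_id = current_user_id() and role = 'owner'))
  with check (
    organisation_id in (select organisation_id from organisation_members
                         where user_id = current_user_id() and role = 'owner'));

-- RLS is never applied to superusers or roles with BYPASSRLS, so the check
-- must run as an ordinary application role impersonating user 1.
create role app_user nologin;
grant select, insert, update, delete on products, organisation_members to app_user;
set role app_user;
select set_config('request.jwt.claims', '{"sub":"11111111-1111-1111-1111-111111111111"}', false);

select name from products;                                         -- only 'Cell pack A'
update products set name = 'Renamed' where name = 'Cell pack B';   -- UPDATE 0: row is invisible
insert into products (organisation_id, name)
  values ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'Planted');      -- ERROR: violates row-level security policy
reset role;
```

Two points follow from the last lines. First, a tenant filter that lives in the policies is only as good as the role that runs the query: Supabase's service_role, which the Service Role Key authenticates, bypasses RLS, which is why section 3 confines that key to server-side code; any server-side query issued with it must apply the organisation filter itself. Second, a policy with only a USING clause lets a client read the right rows but still write rows tagged with someone else's organisation_id; the WITH CHECK clause is what turns the separation control of section 4 into an enforced invariant rather than a read-side filter.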

5. Pseudonymisation and Encryption

Measures for pseudonymisation and encryption of personal data:

• Transport encryption: All data transfers between client and server are encrypted via TLS 1.2 or higher;

• Encryption at rest: Database and file storage are encrypted with AES-256 at rest (AWS/Supabase);

• Password hashing: bcrypt with appropriate cost factor;

• Integrity verification: HMAC-SHA256 message authentication codes to detect tampering with product data (a keyed MAC verified by the Processor, not a public-key digital signature);

• Pseudonymisation: UUIDs as primary identifiers instead of natural keys; user references in audit trails are pseudonymised upon account deletion.

6. Availability Control

Measures to ensure that personal data is protected against accidental destruction or loss:

• Automated backups: Daily backups of the database by Supabase with Point-in-Time Recovery (PITR);

• Redundancy: Infrastructure sub-processors provide redundant storage and failover mechanisms;

• Monitoring: System monitoring for availability and performance;

• DDoS protection: Cloudflare-based protection against distributed denial-of-service attacks.

7. Resilience

Measures to ensure the ability of systems to withstand disruptions:

• Auto-scaling: Serverless architecture (Vercel) with automatic resource scaling;

• Edge distribution: Static content delivery via global CDN for high availability;

• Rate limiting: Protection against overload through configurable request limits.

8. Recoverability

Measures to ensure the ability to restore personal data in the event of a physical or technical incident:

• Point-in-Time Recovery (PITR): Database can be restored to any point in time within the retention period;

• Daily backups: Automated daily database backups;

• Emergency procedures: Documented incident response procedures for data loss scenarios;

• Deployment rollback: Ability to revert application deployments to previous versions.

9. Procedures for Regular Review, Assessment and Evaluation

Measures to ensure ongoing effectiveness of the technical and organisational measures:

• Annual review: Technical and organisational measures are reviewed and updated at least annually;

• Sub-processor monitoring: Regular review of sub-processor certifications and compliance (SOC 2 Type II, ISO 27001);

• Vulnerability management: Regular dependency updates and security patches;

• Data protection management: Internal processes for handling data subject requests, data breaches and data protection impact assessments.

Appendix 2 – Approved Sub-processors

The following sub-processors are approved by the Controller at the time of contract conclusion (as of March 2026):

Name | Registered Office | Processing Purpose | Server Location | DPA Status
Supabase, Inc. | San Francisco, USA | Database hosting, authentication, file storage | EU (Frankfurt, AWS eu-central-1) | DPA concluded
Vercel, Inc. | San Francisco, USA | Application hosting, edge network, serverless functions | EU (Frankfurt) + Global Edge | DPA in Vercel Terms
Stripe, Inc. | San Francisco, USA | Payment processing, subscription management | EU/US | DPA in Stripe Terms
Resend, Inc. | San Francisco, USA | Transactional emails | EU (Ireland, AWS eu-west-1) | DPA concluded
Cloudflare, Inc. | San Francisco, USA | Bot protection (Turnstile), DDoS protection, WAF | Global | DPA concluded
sevDesk GmbH | Offenburg, Germany | Invoice generation, accounting | Germany | DPA concluded

Third Country Transfers. Supabase, Inc., Vercel, Inc., Stripe, Inc., Resend, Inc. and Cloudflare, Inc. are headquartered in the United States of America. An adequate level of data protection is ensured through the following safeguards:

(a) EU-U.S. Data Privacy Framework: All US-based sub-processors are certified under the EU-U.S. Data Privacy Framework pursuant to the adequacy decision of the European Commission of 10 July 2023 (Art. 45 GDPR);

(b) Standard Contractual Clauses (SCCs): Data Processing Agreements with Standard Contractual Clauses of the European Commission pursuant to Art. 46(2)(c) GDPR have been concluded as an additional safeguard;

(c) EU data processing: Core data processing (database, authentication, file storage) takes place in the EU region Frankfurt (AWS eu-central-1). Serverless functions are executed in the EU region Frankfurt. Email delivery is processed through Resend's EU infrastructure (Ireland, AWS eu-west-1). Payment data of EU customers is processed by Stripe Payments Europe, Limited in Dublin, Ireland.

sevDesk GmbH is based in Germany. No data transfer to third countries takes place in this regard.
