Data Processing

Data Processing Agreement (DPA)

Agreement on the processing of personal data pursuant to Art. 28 GDPR. It supplements the T&C as a binding annex and applies to any processing of personal data on behalf of the Customer via the Begehung.pro platform.

Version 1.0, as of April 2026


This Data Processing Agreement ("DPA") specifies the data protection obligations between the parties insofar as the Provider processes personal data on behalf of the Customer in connection with the Begehung.pro platform.

§ 1 Subject Matter and Contractual Relationship

(1) This DPA supplements the main contract concluded between the parties for the use of the platform (see Terms & Conditions) with respect to the processing of personal data. In the event of conflicts between this DPA and the main contract, this DPA prevails on data protection matters.

(2) "Controller" within the meaning of this DPA is the Customer named in the main contract. "Processor" is the Provider named in the main contract (Tobias Boehm Softwareentwicklung).

(3) This DPA enters into force upon conclusion of the main contract and the first processing of personal data via the platform, but no later than upon the Controller's express consent in text form.

§ 2 Definitions

The definitions set out in Art. 4 GDPR apply, in particular for "personal data", "processing", "controller", "processor", "data subject", "supervisory authority", and "personal data breach". In addition: "Platform" means the SaaS offering Begehung.pro described in the main contract; "Subprocessor" means any further processor within the meaning of Art. 28 paragraph 4 GDPR; "TOM" means technical and organizational measures within the meaning of Art. 32 GDPR.

§ 3 Subject, Duration, Nature and Purpose of Processing

(1) Subject: The provision of the SaaS services agreed in the main contract, including the capture, storage, analysis, and AI-supported generation of reports.

(2) Duration: Processing takes place for the term of the main contract plus the period for data return and deletion pursuant to § 11.

(3) Nature of processing: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, making available, alignment or combination, restriction, erasure, and destruction.

(4) Purpose: digital execution and documentation of inspections, AI-supported generation of reports, and provision of the related functions (mobile app, web app, export) in accordance with the main contract.

(5) Categories of personal data: master data of the Controller's staff (name, role, contact), image and audio recordings from inspection situations (with possibly identifiable persons), location data, notes with personal references, and – in individual cases – special categories of personal data within the meaning of Art. 9 GDPR (e.g., health data in accident documentation). Categories of data subjects: the Controller's staff, staff of contractors or third-party companies, visitors, tenants, and other persons present on the inspected premises.

§ 4 Controller's Right to Issue Instructions

(1) The Processor processes personal data exclusively on documented instructions of the Controller, including with regard to transfers to third countries.

(2) The initial instruction is the processing in accordance with the main contract and § 3 of this DPA.

(3) Subsequent individual instructions must be issued in text form (an email to datenschutz@begehung.pro is sufficient). Oral instructions must be confirmed in text form without undue delay.

(4) If the Processor considers an instruction to be unlawful, it shall inform the Controller without undue delay; pending clarification, it may suspend the processing in question.

(5) The Processor uses AI methods exclusively as a tool to provide the services commissioned by the Controller. Any further use of the data – in particular for training, fine-tuning, or permanent improvement of the Processor's own or third-party AI models – does not take place.

§ 5 Subcontractors (Subprocessors)

(1) The Controller generally consents to the engagement of further processors (subprocessors) in accordance with Art. 28 paragraph 2 sentence 2 GDPR.

(2) The current list of engaged subprocessors is available at this overview and forms part of this DPA as Annex 1.

(3) The Processor will notify the Controller of intended changes to the subprocessors at least four weeks before they take effect, in text form. The Controller may object to the change in text form within four weeks of receipt for a legitimate reason (in particular GDPR concerns).

(4) In the event of a justified objection, the subprocessor in question will not be engaged. If this is not reasonable for the Processor, either party is entitled to terminate the main contract for cause as of the effective date of the change.

(5) The Processor binds each subprocessor in writing or electronic form to the same data protection obligations as those set out in this DPA. The Processor is liable for the conduct of its subprocessors as for its own (Art. 28 paragraph 4 sentence 2 GDPR).

(6) Pure telecommunications, postal, and logistics services and other ancillary services that do not constitute the actual data processing are not considered subprocessors within the meaning of this DPA.

§ 6 Confidentiality

(1) The Processor binds all persons involved in the processing in writing to confidentiality, unless they are already subject to an appropriate statutory duty of confidentiality.

(2) The confidentiality obligation continues to apply beyond the end of the employment or working relationship.

(3) Upon request of the Controller, the Processor demonstrates the existence of these obligations in a suitable form, e.g., by submitting a sample declaration.

§ 7 Technical and Organizational Measures

(1) The Processor implements the technical and organizational measures (TOM) described in Annex 2 and adapts them to the state of the art.

(2) The Processor will notify the Controller in good time, in text form, of material changes to the TOM that might reduce the level of protection.

(3) The TOM ensure the protection objectives under Art. 32 GDPR: confidentiality, integrity, availability, and resilience of the systems, as well as the ability to restore quickly and a procedure for regular review.

§ 8 Assistance to the Controller

(1) The Processor forwards requests from data subjects (Art. 15 to 22 GDPR) to the Controller without undue delay and does not respond to them on its own authority.

(2) The Processor supports the Controller in fulfilling its obligations under Art. 12 to 22 GDPR through suitable technical and organizational measures, insofar as this is possible within the scope of the processing carried out on the Controller's behalf.

(3) The Processor further supports the Controller in carrying out data protection impact assessments (Art. 35 GDPR) and, where applicable, in prior consultations with the supervisory authority (Art. 36 GDPR), by providing the necessary information on the TOM and the engaged subprocessors.

(4) Insofar as the support effort goes beyond the provision of standard information, the Processor is entitled to charge reasonable remuneration based on time and effort; the Processor will inform the Controller in advance of activities likely to be subject to remuneration.

§ 9 Notification of Personal Data Breaches

(1) Upon becoming aware of a personal data breach within the meaning of Art. 4 No. 12 GDPR, the Processor will inform the Controller without undue delay – at the latest within 24 hours of becoming aware – in text form.

(2) The notification contains the information required by Art. 33 paragraph 3 GDPR (description of the incident, affected categories of data, likely consequences, measures taken and planned), to the extent available at the time of notification. Further findings are reported subsequently without undue delay.

(3) The obligation to notify the supervisory authority pursuant to Art. 33 paragraph 1 GDPR and to inform data subjects pursuant to Art. 34 GDPR rests with the Controller; the Processor provides support by supplying all information required for this purpose.

§ 10 Inspection and Audit Rights

(1) The Controller may verify the Processor's compliance with its contractual and statutory obligations.

(2) The primary means of evidence is an annually updated self-assessment by the Processor describing the TOM and, where available, certificates or audit reports from independent auditors (e.g., ISO 27001, BSI C5, SOC 2).

(3) An on-site inspection is permissible only if the evidence under paragraph 2 is insufficient. It must be announced with at least 30 days' notice, conducted with due regard for the Processor's business operations, and – to protect business secrets and the data of other customers – carried out by an independent auditor named by the Processor and bound to confidentiality.

(4) The Processor bears the costs of the initial self-assessment. The Controller bears the costs of additional audits unless a material breach by the Processor is confirmed.

§ 11 Return and Deletion of Data

(1) Upon termination of the processing, the Controller has the choice between return and deletion of the personal data (Art. 28 paragraph 3 lit. g GDPR).

(2) The choice must be communicated in text form within 30 days of the end of the contract. If no express choice is made, the Processor will delete the data after expiry of this period.

(3) Return takes place in a standardized, machine-readable format (PDF, DOCX, ZIP). Special formats may be provided by separate agreement at reasonable cost.

(4) Upon request, the Processor provides written confirmation of deletion.

(5) Insofar as statutory retention obligations preclude deletion, the affected data will be processed only on a restricted basis (blocked) and deleted after the retention obligations expire.

(6) Data in regular backups is overwritten in the course of the normal backup cycle; immediate deletion from backups is technically not reasonable. Such backup data is not reused.

§ 12 Liability

(1) The liability provisions of the T&C (§ 12) apply, including the clarification regarding GDPR fines in cases of intent or gross negligence arising from breaches of this DPA (§ 12 paragraph 6 T&C).

(2) The joint and several liability towards data subjects under Art. 82 GDPR is governed by the statutory provisions.

(3) The Processor maintains appropriate professional or commercial liability insurance. Key coverage details will be communicated upon request.

§ 13 Third-Country Transfers

(1) Personal data is processed exclusively within the European Union or the European Economic Area. All engaged subprocessors process within the EU/EEA; the relevant list is set out in Annex 1.

(2) Should a third-country transfer become necessary in an individual case, it will only take place on the basis of an EU Commission adequacy decision (Art. 45 GDPR), alternatively on the basis of EU Standard Contractual Clauses (Art. 46 paragraph 2 lit. c GDPR), if necessary supplemented by additional technical, organizational, or contractual measures in line with the requirements of the Schrems II case law.

(3) Third-country transfers are announced in advance in accordance with the rules of § 5; the Controller's right of objection applies accordingly.

§ 14 Final Provisions

(1) Amendments and supplements to this DPA must be in text form. This also applies to the cancellation of this text-form clause.

(2) Should individual provisions of this DPA be or become invalid or unenforceable, the validity of the remaining provisions shall not be affected. The invalid provision shall be replaced by a provision that comes closest to the economic purpose of the invalid one.

(3) The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods (CISG). The exclusive place of jurisdiction is – to the extent legally permissible – the Processor's place of business.

(4) On all data protection matters, this DPA prevails over the provisions of the main contract.

(5) The German-language version of this DPA is authoritative. Translations are provided for ease of understanding only.


Annex 1: List of Subprocessors

This annex lists all subprocessors engaged by the Processor, including their registered office, processing purpose, and processing location. It is updated on a continuous basis; changes are announced in accordance with § 5.

The current version is available at the subprocessors overview and forms part of this DPA.

Annex 2: Technical and Organizational Measures (TOM)

The following technical and organizational measures ensure a level of protection appropriate to the risk within the meaning of Art. 32 GDPR. They are kept up to the state of the art and reviewed at least annually.

  • Confidentiality

    Physical access control (controlled access to business premises, hosting in certified data centers within the EU); logical access control (two-factor authentication for administrators and privileged access; role-based permissions, need-to-know principle); use control (logging of security-relevant actions, encryption-at-rest of databases); separation control (logical multi-tenancy via customer IDs, separated test and production environments); encryption in transit (TLS 1.2 or higher) and at rest (AES-256).

  • Integrity

    Input control through audit logs of security-relevant actions (creation, modification, deletion, export of inspections and reports); transmission and transport control via mandatory TLS connections, no unencrypted HTTP.

  • Availability and Resilience

    Daily backups with at least 30 days of retention; annual restore test; hosting in the EU with – where available – redundant availability zones; availability target as defined in § 4 paragraph 1 of the T&C.

  • Recoverability

    Defined Recovery Time Objective (RTO) ≤ 24 hours; Recovery Point Objective (RPO) ≤ 24 hours; documented recovery procedures.

  • Procedures for Regular Review

    Annual TOM review; penetration tests prior to productive roll-out and after material architectural changes; continuous vulnerability scans (at least monthly); annual employee training on data protection and information security.

  • Processor Control (Subprocessors)

    Careful selection of subprocessors; written processing agreements with every subprocessor; obligation to apply equivalent protective measures; regular compliance review.

While the platform is in a public beta or pre-launch phase, the foregoing TOM are intended as the target state. The actually applicable measures will be specified prior to the conclusion of productive contracts and documented in an updated version of this annex.