Data Processing Agreement pursuant to Art. 28 (3) GDPR

Updated 01/11/2023

1. Subject and Duration of the Agreement

1.1. Subject of the Agreement

The subject of the agreement arises from the order form or the contract between the parties regarding the performance of the following services by the contractor: provision of the Doorboost platform and online marketing services related to the Doorboost platform (hereinafter referred to as the main contract). If the contractor processes personal data on behalf of the client within the meaning of Art. 4 No. 2 and Art. 28 GDPR, this data processing agreement shall apply as a supplement.

1.2. Duration of the Agreement

The duration of this agreement (term) corresponds to the term of the main contract. If the main contract ends, this agreement also ends without the need for a specific or separate termination.

2. Specification of the Agreement’s Content

2.1. Scope, Nature, and Purpose

The scope, nature, and purpose of the processing of personal data by the contractor on behalf of the client include analyzing data provided by the client regarding existing or past customers, collecting information about potential or new customers, creating, placing, and optimizing online marketing campaigns on platforms such as Facebook, Google, and LinkedIn, and providing this information to the client, as well as to affiliated companies and business partners.

2.2. Type of Data

The subject of the collection, processing, and/or use of personal data includes the following data types/categories:

• Name and contact details

• Product interest

• IP address

• Timestamp

• Other data provided to the contractor by the client

2.3. Affected Individuals

The individuals affected by the processing of their personal data under this agreement include:

• Website visitors

• Customers/registered users

• Potential new customers on platforms such as Facebook, Instagram, or Google

• Business contacts

3. Authority of the Client / Location of Data Processing

3.1. The client alone is responsible for assessing the lawfulness of the processing in accordance with Article 6(1) GDPR and for safeguarding the rights of the data subjects as per Articles 12 to 22 GDPR.

3.2. The handling of data is carried out within the framework of the agreed terms and documented instructions of the client (cf. Article 28(3)(a) GDPR). Within the scope of the service description outlined in this agreement, the client retains the right to issue instructions regarding the nature, scope, and procedure of data processing, which may be specified through individual instructions. Changes to the subject of processing and procedural modifications must be mutually agreed upon and documented. Any additional efforts arising from such changes are to be compensated by the client. The contractor may only provide information to third parties or the data subjects with the prior written consent of the client.

3.3. Oral instructions from the client must be promptly confirmed in writing or via email (in text form). The contractor may not use the data for purposes other than those agreed upon, except for creating backup copies as necessary to ensure proper data processing and for complying with legal obligations, including retention requirements.

3.4. The contractor must inform the client in accordance with Article 28(3)(2) GDPR if it believes that an instruction violates data protection regulations. The contractor is entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the client.

3.5. The processing of the client’s data by the contractor occurs within the European Union and the United States of America. Any processing or transfer to another location requires the prior written consent of the client. In such cases, the contractor must ensure an adequate level of data protection at the location of data processing in accordance with applicable legal provisions and interpretations by courts and authorities, or, at the client’s discretion, enable the client to ensure adequate data protection.

4. Confidentiality

The contractor ensures that employees and other individuals acting on behalf of the contractor who are involved in processing personal data are prohibited from processing such data outside the scope of the client’s instructions.

5. Technical and Organizational Measures

5.1. The contractor shall organize its internal processes to comply with data protection requirements within its area of responsibility. It will implement appropriate technical and organizational measures to protect the personal data of the client, meeting the standards of Article 32 GDPR. These measures ensure the confidentiality, integrity, availability, and resilience of systems and services involved in data processing. The technical and organizational measures are detailed in Annex 1 of this agreement. The client acknowledges these measures and is responsible for ensuring that they provide an adequate level of protection for the risks associated with the data to be processed.

5.2. The technical and organizational measures are subject to technical advancements and further development. The contractor may implement alternative, appropriate measures, provided the security level of the agreed measures is not diminished. Significant changes must be documented.

6. Subcontracting

6.1. The use or replacement of subcontractors by the contractor is generally permitted. The client consents to the use of subcontractors as follows:

6.1.1. The client pre-approves the subcontractors listed in Annex 2 of this agreement.

6.1.2. The client consents to the engagement or replacement of additional subcontractors if the contractor notifies the client in writing (email is sufficient) before beginning data processing. The client may object to the engagement or change. If no objection is raised within seven days of notification, the consent is considered granted. The client acknowledges that in certain cases, the service cannot be provided without specific subcontractors. In such cases, either party may terminate the agreement without notice. If a significant data protection-related reason exists for the objection and no mutual resolution is possible, the client is granted a special termination right.

6.2. The contractor must ensure that agreements with subcontractors include comparable data protection obligations to those agreed upon in this contract, considering the nature and scope of data processing under the subcontract. Subcontractor agreements must be in written or electronic format.

6.3. Services obtained by the contractor from third parties as ancillary services (e.g., telecommunications, maintenance, cleaning, or disposal of data carriers) do not constitute subcontracting within this agreement.

7. Data Subject Rights

7.1. The contractor shall assist the client in fulfilling data subject requests and claims under Chapter III of the GDPR.

7.2. The contractor shall only disclose, rectify, delete, or restrict the processing of data on the client’s instructions. If a data subject directly contacts the contractor to request information, rectification, or deletion of their data or to restrict processing, the contractor shall forward the request to the client without delay.

8. Contractor’s Duty to Assist

8.1. The contractor shall support the client in complying with obligations under Articles 32 to 36 GDPR regarding data security, reporting data breaches, conducting data protection impact assessments, and prior consultations.

8.2. Regarding the client’s obligations under Articles 33 and 34 GDPR:

(i) The contractor must immediately notify the client of any personal data breaches.

(ii) The contractor shall assist the client as necessary to fulfill its reporting obligations under Articles 33 and 34 GDPR.

The contractor may only report data breaches on behalf of the client following explicit instructions per Section 3 of this agreement.

9. Additional Contractor Obligations

9.1. If required by law, the contractor shall appoint a data protection officer who shall operate in compliance with Articles 38 and 39 GDPR. The contact details of the data protection officer will be provided to the client upon request.

9.2. The contractor shall immediately inform the client of supervisory authority actions or investigations under Article 58 GDPR or investigations pursuant to Article 83 GDPR.

9.3. The contractor shall conduct regular reviews to ensure compliance with this agreement, particularly regarding necessary adjustments to measures and procedures.

10. Client’s Rights to Information and Audits

10.1. The client has the right to request information under Article 28(3)(h) GDPR to verify the contractor’s compliance with the agreed obligations and conduct audits in agreement with the contractor.

10.2. The contractor may demonstrate compliance through relevant documentation, such as audit reports or certifications (e.g., ISO 27001), or certifications approved by supervisory authorities.

10.3. This does not affect the client’s right to conduct on-site inspections, although the client shall consider whether such inspections are necessary after reviewing documentation.

10.4. The client may carry out spot checks, usually with prior notice, to verify the contractor’s compliance with this agreement. The contractor shall provide the necessary information and evidence upon request.

11. Data Deletion and Return of Data Carriers

Upon the client’s request and at the latest upon contract termination, the contractor shall either hand over all documents, processing results, and data, or delete them securely, subject to the client’s prior approval. Deletion shall also apply to test and reject materials, and a deletion protocol shall be provided upon request. Documents required to demonstrate proper data processing may be retained for applicable retention periods and handed over to the client upon termination.

12. Miscellaneous

12.1. Amendments, side agreements, and supplements to this Data Processing Agreement (DPA) and its annexes require a written agreement and an explicit reference that it constitutes an amendment or supplement to this DPA. This also applies to any waiver of this formal requirement. Unless otherwise specified in this DPA or the main contract, communication between the contractor and the client under this DPA (particularly regarding instructions and information sharing) shall at least be in text form (e.g., email).

12.2. This DPA obliges the contractor only to the extent necessary to fulfill legal obligations, particularly under Articles 28 et seq. GDPR, and does not impose additional obligations beyond those requirements.

12.3. The law of the Federal Republic of Germany applies.

13. Signature of the Client

Company:
Name:
Date:
Signature:

Appendix 1 to the Data Processing Agreement

Technical and Organizational Measures pursuant to Article 32 GDPR

The Contractor has implemented the following technical and organizational security measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services:

1. Confidentiality

The Contractor has implemented the following technical and organizational security measures to ensure the confidentiality of processing systems and services in particular:

The Contractor processes all customer data on European and/or American server locations operated by industry-leading cloud service providers offering advanced measures to protect against unauthorized access to data processing facilities. These measures include:

• A multi-layered security model.

• Data centers are monitored.

• Access logs and activity records are maintained.

The Contractor takes appropriate measures to prevent unauthorized use of its data processing systems. This is achieved by:

• Requiring identification and password credentials to access user terminals.

• Enabling customers to define individual user accounts with specific permissions.

• Logging access to data content.

Employees of the Contractor who are authorized to use its data processing systems can only access personal data within the scope and to the extent covered by their specific access rights (authorization). Access rights and levels are particularly based on the function and role of the employees, employing the principles of least privilege and need-to-know to align access rights with defined responsibilities. This is achieved by:

• Employee policies.

• Effective and appropriate disciplinary measures against individuals who access personal data without authorization.

• Restricted access to personal data for authorized persons only.

2. Integrity

The Contractor has implemented the following technical and organizational security measures to ensure the integrity of processing systems and services in particular:

The Contractor takes appropriate measures to prevent personal data from being read, copied, altered, or deleted by unauthorized persons during transmission or transport of data carriers. This is achieved by:

• Avoiding the storage of personal data on non-password-protected portable storage media (e.g., USB sticks) for transport purposes.

The Contractor does not access customer content unless it is necessary to provide the selected products and professional services to the customer. The Contractor does not access customer content for any other purpose. Accordingly, the Contractor is unaware of the content that customers store on its systems and cannot differentiate between personal data and other content. Therefore, the Contractor treats all customer content equally. In this way, all customer content benefits from the same security measures, regardless of whether it contains personal data or not.
3. Availability

The Contractor has implemented the following technical and organizational security measures to ensure the availability of processing systems and services in particular:

The Contractor takes appropriate measures to ensure that personal data is protected against accidental destruction or loss. This is achieved by:

• Redundancy of the infrastructure.

• Policies regarding local (workstation) storage of personal data.

• Performing data backups.
4. Resilience

The Contractor has implemented the following technical and organizational security measures to ensure the resilience of processing systems and services in particular:

• The Contractor maintains policies to assess and control risks associated with implementing changes to its services.

• The Contractor maintains an inventory of all IT assets used for processing activities. In this context, the Contractor monitors the status and availability of processing activities.

• The Contractor regularly creates backups of systems containing personal data.

Approved Subcontractors:

1. Amazon Web Services, Inc.

Address: 410 Terry Avenue North, Seattle, WA 98109-5210, USA

Service: Hosting

2. Calendly, LLC

Address: 271 17th Street NW, 10th Floor, Atlanta, Georgia, 30363, United States

Service: Calendar Function

3. cyclus.digital GmbH

Address: Pflasteräckerstraße 12, 70186 Stuttgart, Germany

Service: Content Management System

4. DATEV eG

Address: 90329 Nuremberg, Germany

Service: Accounting

5. Doorboost Inc.

Address: 137 Varick St, 2nd Floor, New York, NY 10013, USA

Service: Campaign Management

6. Facebook Ireland Ltd.

Address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Service: Campaign Management

7. Google Inc. / Alphabet Inc.

Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States

Services:

• Google Cloud (Hosting)

• G-Suite Apps (Communication)

• Ads (Advertising Campaigns)

• Analytics (Reporting)

8. Jotform (hosted in EU)

Address: 111 Pine St, Suite 1815, San Francisco, CA 94111, USA

Service: Form Functionality

9. LINEAR ORBIT, INC.

Address: 440 N Barranca Ave #4242, Covina, CA 91723, USA

Service: Ticket Management

10. LinkedIn Ireland Unlimited Company

Address: Wilton Place, Dublin 2, Ireland

Service: Campaign Management

11. Mailchimp LLC

Address: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA

Service: Email Distribution

12. monday.com Ltd.

Address: 6 Yitzhak Sadeh Street, Tel Aviv, 6777506, Israel

Service: Project Management

13. Onepage GmbH

Address: Neue Rothofstr. 13-19, 60313 Frankfurt am Main, Germany

Service: Content Management System

14. OpenAI OpCo, LLC

Address: 3180 18th Street, San Francisco, CA, United States

Service: Chatbot

15. Pipedrive OÜ

Address: Mustamäe tee 3a, 10615 Tallinn, Estonia

Services:

• Customer Management

• Project Management

• Email Distribution

16. Semrush

Address: 800 Boylston Street, Suite 2475, Boston, Massachusetts 02199, USA

Service: Campaign Management and Evaluation

17. Sendgrid

Address: 1801 California Street, Suite 500, Denver, CO 80202, USA

Service: Email Distribution

18. Slack Technologies, Inc.

Address: 500 Howard Street, San Francisco, CA 94105, United States

Service: Communication

19. Socialpilot

Address: 16192 Coastal Highway, Lewes, Delaware 19958, USA

Service: Social Media Marketing

20. Stripe

Address: 185 Berry Street, Suite 550, San Francisco, CA 94107, United States

Services:

• Payment Processing

• Billing

21. Webflow Inc.

Address: 398 11th Street, Floor 2, San Francisco, CA 94103, USA

Service: Content Management System

22. Zapier, Inc.

Address: 548 Market St. #62411, San Francisco, CA 94104-5401, USA

Service: Data Management