Data Processing Agreement (DPA) According to Art. 28(7) GDPR
Commission Implementing Decision (EU) 2021/915 of June 4, 2021, published June 7, 2021
SECTION I – Standard Contractual Clauses
Clause 1 – Purpose and Scope
- These standard contractual clauses (“Clauses”) are intended to ensure compliance with Option 1: Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR).
- The controller and processor listed in this agreement – namely:
Controller: The SaaS customer (user) who registers via email and selects a subdomain, thereby affirming authority to act on behalf of their organization;
Processor: solvatio AG, Schürerstraße 5a, 97080 Würzburg, Germany –
agree to these Clauses to ensure compliance with the applicable law.
- These Clauses apply to the processing of personal data as described in Annex II.
- Annexes I through IV are an integral part of these Clauses.
- These Clauses are without prejudice to the obligations to which the controller is subject under the GDPR.
- These Clauses alone do not ensure compliance with the requirements of Chapter V of the GDPR concerning international data transfers.
Clause 2 – Invariability of the Clauses
- The Parties undertake not to modify the Clauses, except for adding or updating information in the Annexes.
- This does not prevent the Parties from including the Clauses in a broader contract or from adding other clauses or additional safeguards, provided they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.
Clause 3 – Interpretation
- Where terms used in these Clauses are defined in the GDPR, they shall have the same meaning as in that Regulation.
- These Clauses shall be interpreted in the light of the provisions of the GDPR.
- These Clauses shall not be interpreted in a way that conflicts with rights and obligations under the GDPR or restricts the fundamental rights or freedoms of the data subjects.
Clause 4 – Hierarchy
In case of conflict between these Clauses and any other related agreements, these Clauses shall prevail.
Clause 5 – Accession Clause (Optional)
Not applicable under solvatio’s SaaS model. The agreement is concluded by the user via online registration using email and subdomain selection, confirming their authority to represent their organization.
SECTION II – Obligations of the Parties
Clause 6 – Description of the Processing
The details of the processing operations, in particular the categories of personal data and the purposes for which personal data is processed on behalf of the controller, are set out in Annex II. These arise automatically as part of the user’s SaaS registration and service usage.
Clause 7 – Duties of the Parties
7.1 Instructions
- The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union law or the law of a Member State to which the processor is subject. In such a case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest. The controller may issue further instructions during the entire duration of the processing of personal data. These instructions must always be documented.
- The processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, Regulation (EU) 2018/1725, or other Union or Member State data protection provisions.
7.2 Purpose Limitation
The processor shall process the personal data only for the specific purpose(s) described in Annex II, unless further instructions are issued by the controller.
7.3 Duration of Processing
The processor shall process personal data only for the duration specified in Annex II.
7.4 Security of Processing
- The processor shall implement at least the technical and organizational measures specified in Annex III to ensure the security of personal data. This includes protecting data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (“personal data breach”). When assessing the appropriate level of security, the parties shall take into account the state of the art, implementation costs, nature, scope, context, and purposes of the processing as well as the risks to the rights and freedoms of natural persons.
- The processor shall grant access to personal data undergoing processing only to members of its personnel who are strictly necessary for execution, management, and monitoring of the contract. The processor shall ensure that such persons are subject to confidentiality obligations or an appropriate statutory duty of confidentiality.
7.5 Sensitive Data
If the processing involves special categories of personal data (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, health data, or data concerning sex life or sexual orientation, or data relating to criminal convictions and offenses), the processor shall apply specific restrictions and/or additional safeguards appropriate to the sensitivity of such data.
7.6 Documentation and Compliance
- The parties shall be able to demonstrate compliance with these Clauses.
- The processor shall promptly and adequately deal with inquiries from the controller about data processing under these Clauses.
- The processor shall make available to the controller all information necessary to demonstrate compliance with these Clauses and obligations under the GDPR. Upon request, the processor shall also allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the controller may take into account relevant certifications held by the processor.
- The controller may conduct the audit itself or mandate an independent auditor. Audits may include inspections at the processor’s premises and shall be subject to reasonable notice.
- The parties shall provide the competent supervisory authority(ies) with the information referred to in this clause, including the results of audits, upon request.
7.7 Use of Sub-processors
- OPTION 2: General Written Authorization: The processor has the general authorization from the controller to engage sub-processors listed in Annex IV. The processor shall inform the controller in writing at least [insert notice period] in advance of any intended changes to that list, thereby giving the controller sufficient time to object before the new sub-processor is engaged. The processor shall provide the controller with necessary information to exercise its right to object.
- Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract that imposes the same data protection obligations as set out in these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject.
- Upon request, the processor shall provide the controller with a copy of such a sub-processing agreement and subsequent amendments. To protect business secrets or other confidential information, including personal data, the processor may redact portions of the agreement before disclosure.
- The processor shall remain fully liable to the controller for the performance of the sub-processor’s obligations under its contract with the processor. The processor shall notify the controller if a sub-processor fails to fulfill its obligations.
- The processor shall agree with the sub-processor on a third-party beneficiary clause, ensuring that, in the event the processor ceases to exist in fact or law or becomes insolvent, the controller has the right to terminate the sub-processing agreement and instruct the sub-processor to delete or return the personal data.
7.8 International Data Transfers
- Any transfer of data to a third country or international organization by the processor shall be done only on the basis of documented instructions from the controller or to comply with a specific legal requirement under Union or Member State law, and shall be in accordance with Chapter V of the GDPR.
- The controller agrees that, where the processor uses a sub-processor to carry out specific processing activities involving data transfers under Chapter V of the GDPR, the processor and the sub-processor may use standard contractual clauses adopted by the Commission under Article 46(2) of the GDPR, provided the conditions for their use are met.
Clause 8 – Assistance to the Controller
- The processor shall promptly inform the controller of any request it has received from a data subject. The processor shall not respond to such a request itself unless it has been expressly authorized to do so by the controller.
- Taking into account the nature of the processing, the processor shall assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller’s obligation to respond to requests for exercising the data subject’s rights under the GDPR.
- In addition to its obligations under points (a) and (b), the processor shall, taking into account the nature of the processing and the information available to the processor, assist the controller in ensuring compliance with the following obligations:
- The obligation to carry out a data protection impact assessment (DPIA) when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
- The obligation to consult the competent supervisory authority/authorities prior to processing where a DPIA indicates that the processing would result in a high risk if the controller does not take measures to mitigate that risk;
- The obligation to ensure that personal data are accurate and up to date, including by informing the controller promptly if the processor becomes aware that data it is processing are inaccurate or outdated;
- The obligations under Article 32 GDPR (Security of processing) or, where applicable, under Articles 33, 36 to 38 of Regulation (EU) 2018/1725.
- The Parties shall set out in Annex III the appropriate technical and organizational measures by which the processor is required to assist the controller under this clause, as well as the scope and extent of such assistance.
Clause 9 – Notification of Personal Data Breaches
In the event of a personal data breach, the processor shall cooperate with and assist the controller to comply with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or, where applicable, Articles 34 and 35 of Regulation (EU) 2018/1725, taking into account the nature of processing and the information available to the processor.
9.1. Breach of personal data processed on behalf of the controller
In the event of a personal data breach concerning data processed by the processor on behalf of the controller, the processor shall assist the controller:
- in notifying the breach to the competent supervisory authority/authorities without undue delay after the controller has become aware of it, where applicable (unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons);
- in obtaining the following information, which, pursuant to [OPTION 1: Article 33(3) of Regulation (EU) 2016/679] or [OPTION 2: Article 34(3) of Regulation (EU) 2018/1725], shall be stated in the controller’s notification, and must include, at a minimum:
- the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the personal data breach;
- the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
If and insofar as it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall be provided as it becomes available without undue delay.
- in complying with the obligation under [OPTION 1: Article 34 of Regulation (EU) 2016/679] or [OPTION 2: Article 35 of Regulation (EU) 2018/1725] to communicate the personal data breach to the data subject, when the breach is likely to result in a high risk to the rights and freedoms of natural persons.
9.2. Breach of personal data processed by the processor
In the event of a personal data breach concerning data processed by the processor itself, the processor shall notify the controller without undue delay after becoming aware of the breach. Such notification shall contain, at a minimum:
- a description of the nature of the personal data breach (including, where possible, the categories and approximate number of data subjects and personal data records concerned);
- the name and contact details of a contact point where more information can be obtained;
- the likely consequences of the personal data breach;
- the measures taken or proposed to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
If and insofar as it is not possible to provide all this information at the same time, the initial notification shall contain the information then available, and further information shall be provided as it becomes available without undue delay.
The parties shall specify in Annex III all other information that the processor is required to provide to assist the controller in complying with its obligations under [OPTION 1: Articles 33 and 34 of Regulation (EU) 2016/679] or [OPTION 2: Articles 34 and 35 of Regulation (EU) 2018/1725].
SECTION III – FINAL PROVISIONS
Clause 10 – Non-compliance with the Clauses and Termination
- If the processor is in breach of its obligations under these Clauses, the controller may — without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725 — instruct the processor to suspend the processing of personal data until the processor complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller if it is unable to comply with the Clauses, for whatever reason.
- The controller shall be entitled to terminate the portion of the contract relating to the processing of personal data under these Clauses if:
- The controller has instructed the processor to suspend the processing of personal data pursuant to point (a) and compliance with these Clauses is not restored within a reasonable time, and in any event within one month of suspension;
- The processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
- The processor fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
- The processor shall be entitled to terminate the portion of the contract relating to the processing of personal data under these Clauses if, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1(b), the controller insists on compliance with the instructions.
- Upon termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or return all personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.
Annex I
List of the Parties
Controller:
The Controller is the Customer (User) who has registered for the SaaS service provided by solvatio via the public signup process on the official website.
By completing the registration with a valid email address and selecting a custom subdomain, the Customer confirms that they are authorized to act on behalf of their organization and to enter into binding contractual agreements, including this Data Processing Agreement.
Processor:
Name: solvatio AG
Address: Schürerstrasse 5A, 97080 Würzburg, Germany
Contact Person (Data Protection):
The designated data protection officer is:
DataCo GmbH
Nymphenburger Str. 86
80636 Munich
Germany
+49 89 7400 45840
www.dataguard.de
Date of Agreement: The date of the User’s SaaS registration.
Annex II – Description of the Processing
Categories of data subjects whose personal data is processed
Users who register for the SaaS platform provided by solvatio AG by entering their business email address and selecting a subdomain. These users are considered representatives of the organizations they act on behalf of.
Categories of personal data processed
- Business email address
- Chosen subdomain
- IP address and device metadata (for security and operational purposes)
- Optional: Documents uploaded by the user to enhance AI assistant functionality
Sensitive data processed (if applicable) and applied restrictions or safeguards
No processing of special categories of personal data is intended. Users are contractually obligated to refrain from uploading any data that qualifies as sensitive under Art. 9 or Art. 10 of the GDPR. Any such data uploaded in violation of this obligation will be deleted, and appropriate safeguards—such as access restrictions and encryption—are in place to prevent misuse or unauthorized access.
Nature of the processing
Personal data is collected during account creation, stored securely, and used to provision access to the SaaS platform hosted by solvatio AG. Uploaded content is indexed and used to enhance the performance of the AI assistant within the user’s workspace. Metadata may be used for support, analytics, and security monitoring.
Purpose(s) for which the personal data is processed on behalf of the controller
- Provision of a personalized SaaS workspace hosted on a subdomain
- Enabling access to and use of conversational AI services
- Storage and retrieval of documents uploaded by the controller
- Ensuring platform security and operational stability
Duration of the processing
For the duration of the contractual relationship, unless otherwise required by applicable legal retention obligations. Data is deleted or anonymized upon termination of the service or at the request of the controller.
Where processing by (sub-)processors takes place, the subject matter, nature, and duration of the processing must also be specified.
solvatio AG may rely on sub-processors for infrastructure services, data hosting (e.g., Microsoft Azure), and technical support. The scope and duration of such processing align with the purposes stated above and are limited to what is necessary to operate the SaaS platform.
ANNEX III
Technical and Organisational Measures, Including to Ensure Data Security
EXPLANATION:
The technical and organisational measures must be described in concrete terms; a general description is not sufficient.
Description of the technical and organisational security measures implemented by solvatio as the Processor to ensure an adequate level of protection, considering the nature, scope, circumstances, and purposes of the processing as well as the risks to the rights and freedoms of natural persons. This includes, but is not limited to:
- Measures for the pseudonymisation and encryption of personal data
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Measures to ensure the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing
- Measures to identify and authorise users
- Measures to protect data during transmission
- Measures to protect data during storage
- Measures to ensure the physical security of locations at which personal data are processed
- Measures to ensure logging of events
- Measures to ensure system configuration, including default configuration
- Measures for internal IT and IT security governance and management
- Measures for certification/assurance of processes and products
- Measures to ensure data minimisation
- Measures to ensure data accuracy
- Measures to ensure limited data retention
- Measures to ensure accountability
- Measures to enable data portability and ensure data erasure
If data is transferred to (sub-)processors, the following specific technical and organisational measures must also be implemented by the (sub-)processor to assist the Controller in fulfilling their obligations under this agreement:
Description of the specific technical and organisational measures to be implemented by the Processor to support the Controller:
- Enforcing strict access control and segregation of data per customer subdomain.
- Use of encryption at rest and in transit, applying industry-standard protocols (e.g., TLS 1.2+, AES-256).
- Maintenance of audit trails for user access and system activities.
- Redundancy and high availability of infrastructure via Azure cloud hosting, with a 95% uptime target (for PRO accounts).
- Regular internal security reviews and participation in third-party vulnerability assessments or certifications.
- Support of user requests for deletion, correction, or export of their data via self-service tools or customer support.
ANNEX IV
List of Sub-processors
EXPLANATION:
This annex must be completed in the case of specific prior authorisation of sub-processors (Clause 7.7(a), Option 1). This list identifies sub-processors that the Processor is authorised to engage for processing personal data under this agreement.
Approved Sub-processor:
- Name: Microsoft Ireland Operations Limited
Address: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
Contact Name, Role, and Contact Details:
Microsoft Azure Customer Support
https://azure.microsoft.com/en-us/support
Description of the Processing:
Microsoft Azure provides cloud infrastructure and platform services used by solvatio to host the SaaS product. This includes storage, compute, identity management, networking, and backup services. All data is stored and processed in the Azure data center region selected by the Customer (subject to availability), and Microsoft’s obligations as sub-processor are governed by their Data Processing Addendum (DPA), which meets the requirements of the GDPR.
Division of responsibilities:
- solvatio remains the main Processor and is responsible for the configuration and operation of the SaaS service, including all application-level processing.
- Microsoft acts only at the infrastructure level and has no access to customer content, except as required to operate the services securely and reliably.
- Microsoft provides technical and organisational measures as described in its Trust Center: https://www.microsoft.com/en-us/trust-center