1. Subject Matter of the Processing
1.1. The Processor shall process the personal data of the data subjects referred to in Section 2 of Annex 1 (“data subjects”) for the purposes specified by the Controller. The processing shall be carried out on behalf of the Controller and within the scope of the activity(ies) described in Section 1 of Annex 1 to this Agreement.
1.2. This processing is based on the offer, order form, or individual contract (“Main Contract”) concluded on April 15, 2026. Any other data collected outside the scope of the defined function or processed in any other manner is expressly excluded from the Controller’s mandate.
2. Conditions for the Processing of Personal Data
2.1. The Processor shall process the personal data on behalf of the Controller as long as:
(i) the processing is necessary for the performance of the activities described and commissioned in Section 1 of Annex 1,
(ii) this agreement has not been terminated in accordance with Sections 5.2 through 5.4, or
(iii) this mandate or any part thereof has not been revoked by the Controller.
3. Rights and Obligations of the Controller
3.1. The Controller is the controller within the meaning of Article 4(7) of the GDPR with respect to any information referred to in Section 2 of Annex 1 of this Agreement that relates to identified or identifiable natural persons within the meaning of Article 4(1) of the GDPR (“personal data”), which is provided to the Processor in the course of performing the activities specified in Section 1 of Annex 1.
3.2. The Controller has the right and the obligation to determine the purposes and means of the processing of personal data.
3.3. The Controller is responsible, among other things, for ensuring that there is a sufficient legal basis for the processing of personal data entrusted to the Processor.
4. Rights and Obligations of the Processor
4.1. General
4.1.1. The processor is a processor within the meaning of Article 4(8) of the GDPR with respect to personal data entrusted to it in connection with the performance of the activities specified in Section 1 of Annex 1. It must refrain from any actions that conflict with its role as a processor and is bound to diligently comply with its obligations under applicable law.
4.1.2. The Data Processor undertakes to document the processing of personal data in a verifiable manner in accordance with the provisions of the GDPR. In particular, it shall maintain a record of processing activities as required by Article 30(2) of the GDPR.
4.2. Binding on Instructions
4.2.1. The processor therefore undertakes to use personal data and processing results during the performance of the activities described in Section 1 of Annex 1 to this agreement exclusively within the scope of the controller’s documented instructions. The processor undertakes to return such personal data and processing results exclusively to the controller or to transfer them only upon the controller’s written instruction.
4.2.2. Subsequent instructions may be issued by the controller throughout the entire duration of the processing of personal data. These must always be documented and retained in writing, including electronically, in connection with this agreement. Likewise, any use of the personal data for the processor’s own purposes requires a written instruction. The processor must immediately inform the controller if, in the processor’s opinion, the controller’s instructions violate the GDPR or other applicable national data protection regulations.
4.2.3. The processor shall process personal data in accordance with the principle of data minimization pursuant to Article 5(1)(c) of the GDPR and therefore only to the extent necessary to perform the activities or applications specified in this agreement. The processor must therefore ensure, in particular, that personal data and other proprietary data of the processor or its clients are processed separately (“multi-client capability”).
4.3. Data Confidentiality
4.3.1. The processor grants access rights to individuals only on a “need-to-know” basis. The Data Processor declares that it has obligated all persons entrusted with data processing to maintain data confidentiality in accordance with Article 28(3)(b) of the GDPR and Section 6 of the DSG prior to the commencement of their activities. In particular, the duty of confidentiality of persons entrusted with data processing remains in effect even after the termination of their activities and their departure from the Data Processor.
4.4. Security of Processing
4.4.1. The processor declares that it has implemented adequate security measures within the meaning of Article 32 of the GDPR to prevent data from being used improperly or becoming accessible to third parties without authorization. In this context, the controller confirms that the technical and organizational measures set forth in Annex 2 are suitable to ensure that processing is carried out in accordance with the requirements of the GDPR and that the protection of the data subject’s rights is guaranteed.
4.4.2. If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s health, sex life, or sexual orientation, or data concerning criminal convictions and offenses, the processor shall implement specific technical and organizational restrictions and/or additional safeguards.
4.4.3. The processor ensures that all personal data is stored and processed exclusively on servers in Frankfurt (Digital Ocean). The data is not stored, processed, or transferred to the United States or other third countries outside the EU, provided that the processing is carried out by the processor itself. If sub-processors are used, the provisions of Section 4.4.6 regarding transfers to third countries shall apply to them. The processor shall ensure that an adequate level of protection is guaranteed even when sub-processors are used and that the infrastructure and data processing comply with the requirements of the GDPR.
4.4.4. If anonymization is required as part of the processing, the Data Processor shall perform it exclusively on its servers in Frankfurt. Anonymization is carried out using Microsoft Presidio, an open-source solution. The processing and execution of anonymization are conducted entirely independently of Microsoft and are not subject to data access by U.S. companies or authorities. All anonymized data remains on the data processor’s servers in Frankfurt.
4.4.5. The data controller hereby grants the data processor general written authorization pursuant to Article 28(2) of the GDPR to engage other companies to perform processing activities (“sub-processors”). These are listed in Annex 3 and have been approved by the data controller. However, the processor must notify the controller of the intended engagement or replacement of a sub-processor in a timely manner so that the controller may, if necessary, prohibit this in accordance with Article 28(2) of the GDPR. The controller will, however, only prohibit such engagement for good cause. Furthermore, a contract must be concluded between the processor and the sub-processor in accordance with Article 28(4) of the GDPR, ensuring that the sub-processor assumes the same obligations that the processor is subject to under this agreement. If the sub-processor fails to fulfill its data protection obligations, the processor remains responsible to the controller for the fulfillment of the sub-processor’s obligations. The processor shall notify the controller if the sub-processor fails to fulfill its contractual obligations.
4.4.6. The processor may only engage sub-processors outside the EEA if (i) they are established in a third country that has an adequate level of data protection recognized by the European Commission in a decision (adequacy decision), or (ii) the EU Standard Contractual Clauses, or contract templates issued by the EU Commission that are equivalent to them, have been agreed upon with such sub-processors as appropriate safeguards within the meaning of Article 46(2)(c) and (d) of the GDPR. Appropriate safeguards also include, where necessary, the agreement of additional measures (“supplementary measures”) as well as, in any case, the conduct of a Transfer Impact Assessment.
4.5. Data Subject Rights
4.5.1. The processor shall ensure the technical and organizational measures necessary so that the controller complies, in particular, with the provisions of Articles 13 and 14 of the GDPR (duty to provide information), Article 15 of the GDPR (right of access), Articles 16 and 17 of the GDPR (right to rectification and erasure), Article 18 of the GDPR (right to restriction of processing), and Article 20 of the GDPR (right to data portability) with respect to a data subject at any time within the statutory time limits, and shall provide the controller with all information necessary for this purpose.
4.5.2. The processor shall inform the controller within a reasonable period of time of any request it has received from the data subject. It shall not respond to the request itself unless explicitly instructed to do so by the controller. The processor shall assist the controller in fulfilling its obligation to respond to requests from data subjects to exercise their rights. In doing so, the processor shall follow the controller’s instructions.
4.6. Data Breaches
4.6.1. In the event of a personal data breach involving the data processed on behalf of the controller, the processor shall assist the controller in
a) promptly notifying the competent supervisory authority of the breach after the controller becomes aware of it, where relevant;
b) obtaining the information to be included in the controller’s notification pursuant to Article 33(3) of the GDPR;
c) complying with the obligation under Article 34 of the GDPR to notify the data subject without undue delay of the personal data breach if the breach is likely to result in a high risk to the rights and freedoms of natural persons.
4.6.2. The processor declares that it will inform the controller without undue delay if a data breach occurs. The notification must contain at least the following information:
a) a description of the nature of the breach (if possible, specifying the categories and approximate number of data subjects and the approximate number of data records affected);
b) contact details of a point of contact where further information regarding the personal data breach can be obtained;
c) the likely consequences and the measures taken or proposed to address the personal data breach, including measures to mitigate its possible adverse effects.
If and to the extent that not all of this information can be provided at the same time, the initial notification shall contain the information available at that time, and further information shall be provided without undue delay as soon as it becomes available.
4.6.3. The Processor shall therefore ensure that the necessary technical and organizational measures are in place so that the Controller can fulfill its notification obligations under Articles 33 and 34 of the GDPR toward the supervisory authority and/or the data subject within the statutory time limit.
4.7. Data Erasure and Return
4.7.1. Upon termination of the activities under this Agreement, the Processor is obligated to hand over to the Controller all processing results and documents containing personal data and is not authorized to retain any personal data, documents, or parts or copies thereof. Accordingly, the processor must delete or destroy all personal data processed on behalf of the controller and certify this to the controller. Alternatively, based on a documented instruction from the controller, the processor may continue to store the personal data for the controller in a manner that protects it from unauthorized access.
4.8. Cooperation and Support
4.8.1. In connection with the activities or applications specified in this agreement, the processor shall cooperate with the competent authorities and the controller, in particular with regard to any notification or authorization procedures, data protection impact assessments (Art. 35 GDPR), and prior consultations with the supervisory authority (Art. 36 GDPR).
4.8.2. If data of data subjects is processed in a third country that does not have a level of data protection recognized as adequate by the EU Commission through an adequacy decision, the processor shall enter into standard contractual clauses with the controller in accordance with Article 46(2)(c) of the GDPR, which have been adopted by the European Commission pursuant to the examination procedure under Article 93(2) of the GDPR, to ensure appropriate safeguards, and shall agree, where necessary, on supplementary measures.
4.9. Inspection and Audit
4.9.1. The controller shall be granted the right to inspect and audit the data processing facilities at least once a year with respect to the processing of the personal data provided by the controller. The controller must give at least 90 days’ notice of such an audit, including the inspection, and must conduct it with the greatest possible consideration for the data processor’s business operations. When deciding on an inspection, the controller must take into account relevant certifications held by the processor.
4.9.2. The processor undertakes, in accordance with Article 28(3)(h) of the GDPR, to provide the controller with the information necessary to verify compliance with the obligations set forth in this agreement.
4.9.3. The parties shall make the results of audits available to the competent supervisory authority upon request.
5. Final Provisions
5.1. This Agreement is governed by the substantive laws of Austria, excluding conflict-of-laws provisions.
5.2. This agreement enters into force upon its signature by both parties and is concluded for the duration of the respective cooperation. In view of the nature and purpose of this agreement, the parties agree that any termination or expiration of the cooperation shall also result in the termination of this agreement and shall have similar effects. This does not apply to provisions whose content or nature indicates that they are intended to remain in effect even after the termination of this Agreement. The right to terminate the Agreement without notice for good cause remains unaffected.
5.3. If the Processor fails to fulfill its obligations under this Agreement, the Controller may instruct the Processor to suspend the processing of personal data until the Processor complies with the provisions of this Agreement or the contract is terminated. The Processor shall notify the Controller immediately if, for any reason, it is unable to comply with the provisions of this Agreement.
5.4. The processor is entitled to terminate the contract if the controller insists on the fulfillment of its instructions after having been notified by the processor that its instructions violate applicable legal requirements pursuant to Section 4.2.2. In any case, any processing of personal data carried out on behalf of the Controller must cease immediately upon the termination taking effect.
5.5. Any amendments or additions to this Agreement must be made in writing (which may also be in electronic form), subject to the exceptions below. The Agreement, including its annexes, must be retained by both parties in writing, including electronically.
5.6. In the event of any conflict, the provisions of this Agreement or other prior agreements between the Controller and the Processor regarding the activities listed in Section 1, Annex 1 of this Agreement shall prevail.