ANNEX 1
DATA PROCESSING AGREEMENT

1. Scope of the DPA

   
   1.1 This Data Processing Agreement ("DPA") is concluded between the Provider and the Customer ("Parties"). The Provider is hereinafter referred to as the "Processor" and the Customer as the "Controller". In general, the Provider acts as Processor and the Customer as the Controller. In case the Customer is acting as a Data Processor, the Provider is acting as a Sub-Processor for the Customer. In such case, the rights and obligations agreed in this DPA shall apply mutatis mutandis to the Sub-Processor relationship, and the Customer shall ensure that an appropriate legal basis and authorization from the Controller exist.
   
   

   1.2 The Processor processes personal data on behalf of the Controller within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 - General Data Protection Regulation ("GDPR").

   
   

2. Defined terms
   
   

   The definitions from the GDPR apply accordingly in this DPA. Otherwise, the following definitions apply:
   "Data of the Controller" means all personal data that the Processor processes on behalf of the Controller on the basis of this DPA.
   "Data Protection Laws" means all laws and regulations, including the laws and binding regulations of the European Union, the European Economic Area and its Member States, Switzerland and the United Kingdom, which apply to personal data in the context of the DPA.
   "Third Country" means any country outside a country in which the data protection laws restrict the transfer of personal data to destinations outside that country, unless the data protection laws and the competent supervisory authorities of the country of origin have made an adequacy decision with regard to the data protection laws of the country of destination, so that the transfer of personal data to that country of destination is not restricted.
   "Business Days" means all weekdays, excluding Saturdays and Sundays, on which banks in Berlin are open for normal business.

   
   

3. Description of data processing
   
   

   The data processing on the basis of this DPA has the following scope:
   3.1 Categories of data subjects whose Personal Data is processed:
   The Processor may process the following categories of Personal Data on behalf of the Customer, depending on the Customer's use of the Service:
   - Identification data (e.g., name, surname, title, customer ID, user ID)
   - Contact data (e.g., address, telephone number, email address)
   - Account and authentication data (e.g., login credentials, encrypted passwords, security tokens)
   - Contract and billing data (e.g., invoicing address, payment details, bank account information, credit card numbers)
   - Usage and technical data (e.g., IP addresses, device identifiers, log files, time stamps, system usage statistics, API calls)
   - Communication data (e.g., emails, chat logs, uploaded documents or files, audio or video data)
   - Any other personal data that the Customer uploads to or processes through the services, including but not limited to special categories of personal data within the meaning of Art. 9 GDPR, if and to the extent the Customer chooses to process such data.
   
   

   3.2 Categories of personal data that are processed:
   Customer's employees, contractors, and users
   Customer's clients, customers, end users
   Suppliers, business partners, and other third parties whose data is uploaded or processed by the Customer
   Any other individuals whose personal data is included in the Customer's data sets

   
   3.3 Type, purposes and duration of data processing:
   The Processor provides infrastructure services (CPU/GPU computing, storage, networking, and related technical support). Within this scope, personal data may be subject to:
   - Collection and storage (by the Customer via the Processor's systems)
   - Organization, structuring, and hosting
   - Transmission and retrieval (via network access)
   - Execution of computational workloads (including AI/ML model training and inference)
   - Deletion and erasure upon termination or Customer's instruction
   
   

   The Processor processes personal data solely for the purpose of providing the contracted infrastructure and computing services to the Customer, including hosting, data storage, workload execution, troubleshooting, system optimization, billing, and security monitoring.
   Personal data is processed for the duration of the Contract with the Customer.
   Upon termination of the Contract, personal data will be either returned to the Customer or securely deleted, unless retention is required by applicable law.

   
   

4. Rights and obligations of the Controller

   
   4.1 The Controller is responsible for the lawfulness of the data processing and the protection of the rights of the data subjects.

   
   4.2 In the event that there is an obligation to inform third parties pursuant to Art. 33, 34 GDPR or any other statutory reporting obligation applicable to the Controller, the Controller is responsible for compliance with this obligation.

   
   

5. Instructions

   
   5.1 The Controller has the right to issue instructions to the Processor at any time regarding the type, scope and procedure of data processing. The instructions must be issued in text form (e.g. e-mail). The Controller is responsible for the legality of the instructions.

   
   5.2 The Parties may designate persons in text form who are authorised to issue or receive instructions. If these authorised persons change, the Parties shall inform each other of this in text form.

   
   5.3 Insofar as not insignificant changes to the contractually agreed data processing operations would be necessary due to an instruction from the Controller and additional expenses or costs arise for the Processor as a result, the Parties shall negotiate an appropriate increase in the contractually agreed remuneration. Should the Parties fail to agree on an adjustment of the remuneration within a reasonable period of time, both Parties shall be entitled to extraordinary termination of the contract without notice.

   
   5.4 The Processor shall inform the Controller immediately if, in its opinion, an instruction issued by the Controller violates legal regulations. The Processor is authorised to suspend the implementation of the instruction in question until it is confirmed or amended by the Controller.

   
   

6. Obligations of the Processor

   
   6.1 The Processor shall process personal data exclusively within the framework of the agreements made and/or in compliance with any supplementary instructions issued by the Controller. Exceptions to this are legal regulations that may oblige the Processor to process the data in a different way. In such a case, the Processor shall notify the Controller of these legal requirements prior to processing, unless the law in question prohibits such notification. The purpose, type and scope of data processing shall otherwise be governed exclusively by this DPA and/or the Controller's instructions.

   
   6.2 The Processor is obliged to notify the Controller immediately of any breach of data protection regulations or of the contractual agreements made and/or the instructions issued by the Controller that has occurred in the course of the processing of data by the Processor or other persons involved in the processing. The same applies to any breach of the protection of personal data.

   
   6.3 Taking into account the nature of the processing, the Processor shall, where possible, assist the Controller with appropriate technical and organisational measures to fulfil the Controller's obligation to respond to requests from data subjects to exercise their rights.

   
   6.4 In the event that a data subject asserts their rights against the Processor in accordance with Art. 12 - 23 GDPR, which obviously relate to the processing of data by the Controller, the Processor is authorised to inform the data subject that the Controller is responsible for the data processing. In this context, the Processor may provide the data subject with the contact details of the Controller.

   
   6.5 The Processor shall support the Controller in complying with the obligations set out in Art. 32-36 GDPR, taking into account the nature of the processing and the information available to the Controller.

   
   

7. Sub-processor

   
   7.1 The Controller consents to the Processor using sub-processors. The sub-processors currently engaged are available at:

   • Amazon Web Services EMEA SARL

   • Microsoft Ireland Operations Limited

   • Google Ireland Limited

   • Nebius B.V.

   • Datacrunch Oy

   The Processor shall inform the Controller before engaging or replacing sub-processors after the conclusion of this DPA.

   
   7.2 The Controller may object in writing to Processor's use of a new sub-Processor within ten (10) Business Days after notification. In such event, Processor shall use commercially reasonable efforts to provide Controller with a change to Processor's products and/or services or recommend a commercially reasonable change to Controller's configuration or use of Processor's products and/or services in order to avoid the processing of Personal Data by the objected-to new Sub-Processor without unduly burdening Controller. If the Processor is not able to make such changes within thirty (30) Business Days of the Controller's objection, either party may terminate the contract extraordinarily and without notice without forfeiting any contractual penalty. The Processor shall reimburse the Controller for any fees paid in advance on a pro rata basis.

   
   7.3 The Processor must conclude a data processing agreement with the sub-processor in accordance with Art. 28 (2) GDPR and essentially impose the same data protection obligations on the sub-processor that apply under this DPA.

   
   7.4 Services that the Processor utilises from third parties as a purely ancillary service in order to carry out the business activity are not to be regarded as subcontracting relationships. These include, for example, cleaning services, pure telecommunication services with no specific connection to services provided by the Processor for the Controller, postal and courier services, transport services, security services. The Processor is nevertheless obliged to ensure that appropriate precautions and technical and organisational measures are taken to guarantee the protection of personal data, even in the case of ancillary services provided by third parties.

   
   

8. Place of data processing

   
   8.1 The Processor will process personal data primarily in member states of the European Union or the European Economic Area. Any transfer of data by the Processor to a Third Country shall take place exclusively on the basis of documented instructions from the Controller or to comply with a specific provision under Union law or the law of a Member State to which the Processor is subject and must comply with Chapter V of the GDPR.

   
   8.2 The Controller agrees to a Third Country transfer of personal data of the Controller if the Processor uses a sub-processor to carry out certain processing activities (on behalf of the Controller) and these processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR and the Processor and the sub-processor can ensure compliance with Chapter V of the GDPR, for example by concluding standard contractual clauses adopted by the Commission pursuant to Article 46(2) of the GDPR.

   
   

9. Documentation and Audits

   
   9.1 The Processor shall provide the Controller with all information necessary to demonstrate compliance with the data protection obligations of this DPA.

   
   9.2 At the request of the Controller, the Processor shall authorise and contribute to the monitoring of compliance with the data protection obligations of this DPA. When deciding whether to carry out an inspection, the Controller shall take into account relevant certifications or other evidence of the Processor.

   
   9.3 The Controller may carry out the inspection on the Processor's business premises during normal business hours after prior written notification with reasonable advance notice. The Controller shall not disproportionately disrupt the Processor's business operations as a result of the inspections. The inspections may be carried out by an independent auditor who is bound to secrecy. The auditor shall send a copy of the audit report to the Processor at the same time as to the Controller. If costs are incurred for carrying out the audit, these shall be borne by the Controller.

   
   9.4 When carrying out the checks, the confidentiality interests and data protection rights of the Processor and its customers must be taken into account. These must not be impaired by the exercise of the Controller's control rights. The Processor may make the performance of the inspection dependent on the signing of a confidentiality undertaking, whereby this must not make it impossible for the Controller to provide evidence of the inspection activities or their results to the competent supervisory authority or the data subjects if necessary.

   
   

10. Data security

    
    10.1 The Processor undertakes vis-à-vis the Controller to take appropriate technical and organisational measures to ensure the security of the Controller's personal data. This includes the protection of personal data against a breach of security which, whether unintentional or unlawful, results in the destruction, loss, alteration or unauthorised disclosure of, or access to, the data. In assessing the appropriate level of protection, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks presented to data subjects.

    
    10.2 The technical and organisational measures taken by the Processor are available upon request. The Parties agree that changes to the technical and organisational measures may be necessary to adapt to technical and legal circumstances. The Processor shall inform the Controller of any changes to the technical and organisational measures.

    
    10.3 The Processor shall only grant its personnel access to the Controller's personal data to the extent that this is absolutely necessary for the performance, administration and monitoring of the contract. The Processor shall oblige the persons authorised to process the personal data received to maintain confidentiality.

    
    

11. Return and deletion of data of the Controller

    
    After termination of the DPA, the Processor shall, at the choice of the Controller, erase all personal data processed on behalf of the Controller or return all personal data to the Controller and erase existing copies, unless there is an obligation to retain the personal data under Union or Member State law. Until the deletion or return of the data, the Processor shall continue to ensure compliance with these clauses.

    
    

12. Term and termination

    
    12.1 The DPA begins with the conclusion of the Contract and ends with the termination of the Contract.

    
    12.2 The Controller may terminate this DPA and the contract at any time without notice in the event of a serious breach by the Processor of the applicable data protection regulations or of the obligations arising from this DPA.

    
    

13. Final provisions

    
    13.1 Insofar as legally or contractually obligatory acts of cooperation on the part of the Processor result in a disproportionate effort in relation to the contractually agreed remuneration, the Processor may demand reasonable compensation for this from the Controller.

    
    13.2 Should individual provisions of these DPA prove to be invalid or ineffective, the remaining provisions of these DPA shall remain unaffected. The invalid or ineffective provision shall be replaced by another valid provision that comes closest to the intention of the Parties.

    
    13.3 The law of the Federal Republic of Germany shall apply to the DPA.