
Data Processing Agreement (DPA)

pursuant to Art. 28 General Data Protection Regulation (GDPR)

between

IT-Direkt GmbH

Aroser Allee 66, 13407 Berlin, Germany

(hereinafter "Processor")

and

the customer as defined in the service agreement

(hereinafter "Controller")

§ 1 Subject Matter and Duration of Processing

1.1 This Data Processing Agreement (hereinafter "DPA") governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of the digital services and portal provided by the Processor.

1.2 The subject matter of the processing is the storage, processing, and automated use of personal data belonging to the Controller and persons designated by the Controller, which the Processor processes on behalf of and in accordance with the instructions of the Controller for the purpose of providing the agreed services. This includes in particular access credentials for external interfaces, the transmission of messages, and the logging of access and system events.

1.3 The term of this DPA corresponds to the term of the underlying service agreement. It terminates automatically upon termination of the main agreement, unless separate deletion obligations remain in force.

§ 2 Nature, Purpose, and Scope of Processing

2.1 Nature of processing: Collection, storage, encrypted retention, automated retrieval, transmission, message delivery, and logging.

2.2 Purpose of processing:
  2.2.1 Server hosting and operation of the digital services provided by the Processor;
  2.2.2 Data storage, in particular encrypted storage of access credentials;
  2.2.3 Transmission of messages to users and contacts of the Controller (email, WhatsApp);
  2.2.4 Creation and storage of access logs for the operation and security of the services;
  2.2.5 Data backup to ensure the availability of the services.

2.3 Specific processing steps (by way of example):
  2.3.1 Receipt and encrypted storage of access credentials (username, password, token) for external interfaces;
  2.3.2 Automated retrieval and use of access credentials for authentication against third-party services;
  2.3.3 Sending of emails and WhatsApp messages on behalf of the Controller via the provided infrastructure;
  2.3.4 Automated logging of access events, system events, and errors for operational and security purposes;
  2.3.5 Regular backup of stored data on the hosting infrastructure.

2.4 Processing is carried out exclusively within the scope of and in accordance with the Controller's instructions. The Processor does not process data for its own purposes.

§ 3 Categories of Personal Data and Data Subjects

3.1 The following categories of personal data are processed:
  3.1.1 Access credentials (username, password) for third-party interfaces (stored in encrypted form);
  3.1.2 Authentication tokens derived therefrom;
  3.1.3 Access logs (IP addresses, timestamps, system events);
  3.1.4 Communication data in connection with message delivery via email and WhatsApp (e.g. email addresses, phone numbers, message content).

3.2 Data subjects are employees, authorised representatives, or other named individuals of the Controller, as well as the Controller's customers and contacts, insofar as their data is processed in connection with the services.

3.3 Special categories of personal data within the meaning of Art. 9 GDPR are not processed, unless the Controller explicitly and in writing instructs the Processor to do so. In such cases, additional protective measures shall be agreed separately.

§ 4 Obligations of the Processor

4.1 The Processor shall process personal data only on documented instructions from the Controller (Art. 28(3)(a) GDPR).

4.2 The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).

4.3 The Processor shall implement all technical and organisational measures required under Art. 32 GDPR (see § 7 of this DPA).

4.4 The Processor shall assist the Controller, insofar as possible, in responding to requests from data subjects (Art. 28(3)(e) GDPR).

4.5 The Processor shall make available all information necessary to demonstrate compliance with the obligations set out in Art. 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller (Art. 28(3)(h) GDPR). A minimum notice period of 14 business days applies for audits.

4.6 In the event of a personal data breach, the Processor shall notify the Controller without undue delay, and no later than 24 hours after becoming aware of the breach (Art. 33 GDPR).

§ 5 Obligations of the Controller

5.1 The Controller is solely responsible for the lawfulness of the processing of personal data.

5.2 The Controller shall ensure that an appropriate legal basis pursuant to Art. 6 GDPR exists for the sending of messages (email, WhatsApp) to recipients (e.g. consent or performance of a contract).

5.3 The Controller shall notify the Processor without undue delay if access credentials are changed or deactivated at a third-party provider, so that outdated credentials can be deleted.

5.4 The Controller is solely responsible for ensuring that access to external third-party interfaces is lawful; in particular, the Controller shall ensure that the relevant third-party provider's terms of service permit use by the Processor.

§ 6 Sub-processing

6.1 The Processor may engage sub-processors. The Controller hereby grants general authorisation for the engagement of sub-processors pursuant to Art. 28(2) GDPR.

6.2 The sub-processors currently engaged are listed in the current version of the list available at https://desk.it-direkt.de/subavv. The Processor shall inform the Controller of intended changes (addition or replacement of sub-processors) by email with a notice period of at least 14 days. The Controller has the right to object to such changes.

6.3 All sub-processors shall be contractually bound to the same data protection obligations as set out in this DPA.

6.4 External third-party providers whose interfaces (APIs) the Controller makes available or enables for use within the services (e.g. machine interfaces, ERP systems, industry-specific platforms) are not sub-processors within the meaning of this DPA. They act as independent controllers pursuant to Art. 4(7) GDPR. The Controller is solely responsible for the lawfulness of any data transfers to such providers and for compliance with their respective terms of service.

§ 7 Technical and Organisational Measures (TOMs)

The Processor shall implement the following measures pursuant to Art. 32 GDPR:

7.1 Confidentiality

7.1.1 Encrypted storage of all access credentials (minimum AES-256); no plaintext access by employees;
7.1.2 Use of a dedicated secrets management solution (e.g. Azure Key Vault or equivalent);
7.1.3 Role-based access control (need-to-know principle);
7.1.4 Access to credentials exclusively by automated services (service accounts), not by individual users.

7.2 Integrity

7.2.1 Exclusive transmission via TLS 1.2 or higher (HTTPS);
7.2.2 No storage of credentials or message content in log files, error reports, or monitoring systems;
7.2.3 Automated monitoring for unauthorised access.

7.3 Availability

7.3.1 Regular backup of configuration and user data;
7.3.2 Documented recovery procedure.

7.4 Resilience

7.4.1 Token lifetime is minimised; no persistent caching;
7.4.2 Credentials and communication data are stored in isolation per customer.

7.5 Verifiability

7.5.1 Access to credentials and message delivery operations are audited and logged (access log);
7.5.2 Regular internal review of the TOMs (at least annually).

§ 8 Deletion and Return of Data

8.1 Upon termination of the main agreement, or upon instruction by the Controller, the Processor shall irrevocably and verifiably delete all stored personal data (credentials, tokens, communication data, log data).

8.2 Upon request by the Controller, the Processor shall provide written confirmation of deletion.

8.3 Statutory retention obligations (e.g. under commercial or tax law) remain unaffected. Where log data is subject to such obligations, it shall be retained securely and deleted upon expiry of the applicable retention period.

§ 9 Liability

9.1 The Processor and the Controller shall be liable to data subjects in accordance with Art. 82 GDPR.

9.2 As between the parties: where damage has been caused by an instruction of the Controller, the Controller shall bear liability. Where damage has been caused by a breach of this DPA by the Processor, the Processor shall bear liability.

9.3 The Processor's liability is limited to foreseeable, typical contractual damage, to the extent permitted by law.

§ 10 Final Provisions

10.1 This DPA is governed by the laws of the Federal Republic of Germany. The place of jurisdiction is Berlin, Germany.

10.2 Amendments to this DPA must be made in text form. The Processor is entitled to update this DPA with a notice period of 30 days. If the Controller does not object within this period, the updated version shall be deemed accepted.

10.3 Should any provision of this DPA be invalid, this shall not affect the validity of the remaining provisions.

10.4 This DPA supersedes all prior agreements on data processing between the parties.

Version: April 2026 | IT-Direkt GmbH, Aroser Allee 66, 13407 Berlin | datenschutz@it-direkt.de