Important Notice
To serve international clients, I provide courtesy translations of my key legal documents. These English translations are provided for your convenience and informational purposes only. The only legally binding versions are the original German documents. In the event of any discrepancy or difference in interpretation between the English translation and the German original, the German version shall always prevail. You can access the legally binding German original here: https://heydev.de/avv.php
Data Processor
Patrick Heyer
Rosmarinstr. 12 E
40235 Düsseldorf
Germany
1. Subject Matter and Duration
(1) This agreement is a framework agreement pursuant to Art. 28 GDPR and sets out the conditions for all current and future individual assignments for data processing.
(2) The specific assignment (type, scope, purpose of processing, data categories, data subjects) shall be commissioned by the Controller in text form (e-mail, ticket, chat) for each processing activity and accepted by the Data Processor through order confirmation or commencement of performance. The Controller is responsible for the completeness and lawfulness of this commissioning.
2. Obligations of the Data Processor
(1) The Data Processor shall process personal data exclusively on documented instructions from the Controller, unless required to process them by a legal obligation. Oral instructions (e.g., by telephone) shall be recorded by the Data Processor in text form (e.g., via confirmation e-mail) without delay for its own protection.
(2) The Data Processor shall treat all data in strict confidence and implement the technical and organizational measures (TOM) in accordance with Annex 1 to this agreement to ensure a level of protection appropriate to the risk.
(3) In the event of a personal data breach, the Data Processor shall notify the Controller without undue delay, but no later than within 48 hours after becoming aware of it.
(4) The Data Processor is entitled to engage further processors (subcontractors). The Controller hereby grants general written authorization for the use of the service providers specifically named in Annex 2. The Data Processor shall inform the Controller in advance of any intended change or the initial engagement of a further processor, specifying the name, registered office, activity, and data processed. The Controller may object to such engagement within a period of 5 working days after receipt of the information. In cases of urgent operational requirements (e.g., failure of a service provider), the Data Processor may also provide the information retrospectively. The Data Processor is responsible for the careful selection and monitoring of all further processors engaged by it.
(5) The liability of the Data Processor – notwithstanding the statutory liability pursuant to Art. 82 GDPR – is limited to the typical, foreseeable contractual damage. Furthermore, it is excluded for damages that do not result from the breach of cardinal obligations or from intent or gross negligence.
(6) The Data Processor shall assist the Controller in fulfilling its obligations pursuant to Art. 12-23 GDPR and Art. 32-36 GDPR.
3. Controller's Rights of Inspection
The Controller has the right to verify compliance with the agreed obligations by the Data Processor. To protect its trade secrets and minimize disruptions, the Data Processor shall primarily fulfill this obligation by providing current, meaningful documentation upon written request. The Controller may request an independent audit by a certified data protection expert appointed by the Controller, bearing the reasonable costs thereof, which shall be conducted after prior agreement on a date (at least 4 weeks in advance) and in compliance with operational processes and the legitimate confidentiality interests of the Data Processor. The Data Processor is obliged to cooperate in such an audit on the condition that it is reimbursed in advance with a reasonable lump sum for the expected loss of working time.
4. Termination of Processing and Deletion
Upon termination of the business relationship or at the request of the Controller, the Data Processor shall irreversibly delete all personal data or, at the request of the Controller, transfer them in a common format. This shall not apply insofar as statutory retention obligations prohibit deletion or the data are strictly necessary for the contractual provision of warranty or support services within the framework of the continuing business relationship.
5. Final Provisions
(1) This agreement is concluded on the basis of the Data Processor's General Terms and Conditions (GTC), insofar as they do not contradict the provisions of this DPA. The current GTC can be accessed at https://heydev.de/agb.php. In case of any conflict, the provisions of this DPA shall prevail.
(2) Amendments to this agreement require written form.
(3) Should any provision of this agreement be or become invalid, the validity of the remaining provisions shall remain unaffected.
(4) The place of jurisdiction is Düsseldorf.
Annex 1: Technical and Organizational Measures (TOM) pursuant to Art. 32 GDPR
The Data Processor ensures a level of protection appropriate to the risk through the following basic measures:
1. Confidentiality
Encryption of all local electronic data carriers that contain personal data or enable access to them, using current, strong encryption methods.
Access to all systems used for the processing is protected by authentication.
2. Integrity and Availability
Use of security mechanisms to secure the systems employed.
Appropriate precautions to protect work equipment against unauthorized access.
Annex 2: Authorized Subcontractors
Upon execution of this DPA, the Controller grants general consent for the use of the following subcontractors:
ALL-INKL.COM - Neue Medien Münnich (Germany)
Anthropic PBC (USA) [1]
Fixson Media GmbH (Germany)
GitHub, Inc. (USA) [1]
Google Ireland Limited (Ireland) / Google LLC (USA) [1]
Hetzner Online GmbH (Germany)
IONOS SE (Germany)
OpenAI, OpCo, LLC (USA) [1]
STRATO AG (Germany)
xAI Corp. (USA) [1]
A current list will be provided upon request. The Controller will be informed of changes to this list in accordance with Section 2.4.
[1] The transfer of data to the USA by the named providers is based on adequacy decisions of the EU Commission (EU-US Data Privacy Framework) or standard contractual clauses (SCCs).