Data Processing Agreement (DPA)

Preamble and parties

This Data Processing Agreement (“DPA”) specifies the data protection obligations of the parties in connection with the use of the VibeDeploy service. It applies insofar as the processor processes personal data on behalf of the controller in the course of providing the Service.

• Controller within the meaning of Art. 4(7) GDPR is the customer (user of the Service).
• Processor within the meaning of Art. 4(8) GDPR is DP – Media Consulting Cologne UG (haftungsbeschränkt), Santo-Tirso-Ring 69, 64823 Groß-Umstadt, Germany (brand “VibeDeploy”), contact: datenschutz@vibedeploy.dev.

This DPA takes effect upon conclusion of a paid plan or upon express acceptance and forms part of the usage agreement (Terms) concluded between the parties.

§ 1 Subject matter and duration

The subject matter of the processing is the hosting, building and operation of the app published by the controller via the Service, and the associated processing of personal data that the controller processes with its app. The duration of this DPA corresponds to the term of the usage agreement; it ends automatically upon its termination.

§ 2 Nature, scope and purpose; types of data; categories of data subjects

Purpose and nature of processing: provision of the hosting and operating services commissioned by the controller, in particular storage, transmission (serving), structured filing, processing in the build process and — depending on the plan — backup and deletion. The processor does not use the data for its own purposes.

Types of personal data: determined by the controller’s app; typically master data, contact data, content data, usage and metadata that the app’s end users provide or that arise when the app is operated. The processing of special categories of personal data (Art. 9 GDPR) is not the subject of this DPA unless separately agreed and secured with appropriate additional measures.

Categories of data subjects: the end users, visitors, customers or other persons whose data the controller processes with its app.

§ 3 The controller’s right to issue instructions

The processor processes the personal data only on documented instructions from the controller, including with regard to transfers to third countries, unless required to do otherwise by Union or Member State law (in which case it informs the controller before processing, unless the law prohibits this). The arrangements made (this DPA with its annexes and the settings the controller makes within the Service) constitute the initial instruction. Individual instructions must be addressed in text form to the contact address above. If the processor considers an instruction to be unlawful, it informs the controller without undue delay.

§ 4 Obligations of the processor

• Confidentiality: the processor uses only persons committed to confidentiality or under an appropriate statutory obligation of confidentiality.
• Data security: it takes the technical and organizational measures required under Art. 32 GDPR (see Annex 1).
• Assistance: it assists the controller, as far as possible, in fulfilling the controller’s obligations under Art. 32–36 GDPR (data security, notification duties, data protection impact assessment, prior consultation) and in responding to data subject requests (§ 7).
• Cooperation and information: it makes available to the controller the information necessary to demonstrate compliance (§ 10).
• No third-country transfer without a basis: processing outside the EU/EEA does not take place without the controller’s instruction and without appropriate safeguards under Chapter V GDPR. Processing generally takes place in Germany (see Annex 1 and Annex 2).

§ 5 Technical and organizational measures (TOMs)

The processor ensures the technical and organizational measures described in Annex 1. It may further develop these provided the level of protection is not reduced.

§ 6 Sub-processors

The controller grants the processor general authorization to engage further processors (sub-processors). The sub-processors engaged at the time of conclusion of the contract are listed in Annex 2. The processor will notify intended changes (engagement or replacement) in good time in text form or via the Service; the controller may object to a change for an important data protection reason within 14 days. The processor imposes essentially the same data protection obligations on each sub-processor as set out in this DPA.

§ 7 Assistance with data subject rights

The processor assists the controller with appropriate technical and organizational measures in responding to requests from data subjects exercising their rights (Art. 12–23 GDPR, in particular access, rectification, erasure, restriction, data portability and objection). If a data subject contacts the processor directly, the processor forwards the request to the controller without undue delay.

§ 8 Notification of personal data breaches

The processor notifies the controller of personal data breaches without undue delay after becoming aware of them. The notification contains at least the information required under Art. 33(3) GDPR, to the extent available, and supports the controller in its notification and communication duties (Art. 33, 34 GDPR).

§ 9 Deletion and return after termination

After the end of the provision of the processing services, the processor, at the controller’s choice, deletes or returns all personal data and deletes existing copies, unless storage is required under Union or Member State law. For operational reasons a short recovery period stated in the description of services may apply, after which final deletion takes place; routine backups are overwritten within the usual retention cycles.

§ 10 Evidence and audits

The processor makes available to the controller all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the controller or an auditor mandated by the controller. Audits take place upon reasonable prior notice, during normal business hours and without disproportionate disruption to operations; evidence may also be provided by suitable certifications, attestations or current audit reports.

§ 11 Liability

Liability is governed by Art. 82 GDPR and, in addition, by the liability provisions of the usage agreement (Terms § 13). In their relationship with each other, each party is responsible for complying with the obligations incumbent on it under the GDPR.

§ 12 Final provisions

In the event of contradictions between this DPA and other agreements of the parties, the provisions of this DPA prevail on data protection matters. German law applies. Should individual provisions be invalid, the validity of the remaining provisions remains unaffected.

Annex 1 — Technical and organizational measures (Art. 32 GDPR)

• Data location / EU processing: processing and storage exclusively in data centers in Germany (Hetzner, Falkenstein); no third-country transfer without appropriate safeguards.
• Tenant separation: logical separation of data per user/app via server-side access filters; separate provision of apps.
• Access control: authentication via passwordless login links and time-limited session tokens; role/permission-based access; secrets are managed securely and not disclosed in logs or outputs.
• Encryption in transit: transport encryption (TLS/HTTPS, Let’s Encrypt certificates) for access to the Service and the apps.
• Input/publication control: automated security scan before go-live (detection of exposed access keys/open database rules); limiting and abuse protection (rate limits, caps, device identifier).
• Availability and recoverability: operational monitoring; depending on the plan, a managed database and regular backups; defined deletion and retention routines (TTL).
• Logging: security- and operations-relevant logs (audit/access logs) with limited retention.
• Organizational: confidentiality commitment of the persons engaged; need-to-know principle; orderly processes for incidents and data breaches.

Annex 2 — Sub-processors

Sub-processor	Service	Place of processing
Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany	Hosting infrastructure, servers, storage, database, building & running apps	Germany (EU)

Other service providers we use to deliver the overall service (e.g. Resend for sending our transactional emails, Stripe for payment processing) process data for our own purposes or within the contractual relationship with you as a customer and are, in that respect, not sub-processors under this DPA. Details can be found in our Privacy Policy.