Version 1.2 – Status: October 2025
Data Processing Agreement according to Art. 28 GDPR
According to Art. 28 (3) GDPR, it is necessary for the contracting parties to regulate their data protection obligations through a data processing agreement in order to ensure legal certainty for the processing of personal data (hereinafter referred to as "Data") within the scope of the General Terms and Conditions (hereinafter referred to as "Main Contract"). The following Data Processing Agreement applies to activities related to the Main Contract in which employees of Conbool GmbH (hereinafter referred to as "Processor") or third parties commissioned by the Processor process Data on behalf of the client (hereinafter referred to as "Controller"). This agreement is based on the template provided by the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht). Note: This English translation is provided for convenience only. In case of discrepancies or disputes, the German version shall prevail as the legally binding version.
§ 1 Subject Matter and Duration of Data Processing
- The subject matter of this Agreement is the rights and obligations of the parties applicable within the scope of the service provision according to the service description and Main Contract, insofar as data processing is carried out by the Processor as a processor for the Controller in accordance with Art. 28 GDPR. This includes all activities required to fulfil the order that constitute data processing by the Processor.
- Processing shall generally take place within the EU or the EEA. If, exceptionally, a transfer to a third country is necessary, the Processor shall ensure suitable guarantees in accordance with Art. 44 et seq. GDPR, in particular through Standard Contractual Clauses, and shall take supplementary technical and organizational measures. Details and the respective involved processors are set out in Appendix 1.
- The processing of Data begins with the conclusion of the Main Contract and continues for an indefinite period until the termination of this Data Processing Agreement or the Main Contract.
- The Controller has the right to terminate the underlying Main Contract as well as this Data Processing Agreement at any time without notice if there is a serious breach by the Processor of data protection regulations or the provisions of this Agreement.
§ 2 Nature and Purpose of Processing, Types of Personal Data, and Categories of Data Subjects
Nature and Purpose of Processing (as defined in Article 4(2) GDPR):
- Data processing includes all types of processing within the meaning of the GDPR for the fulfilment of the order.
- The purpose of the processing is the provision of the agreed services from the Main Contract, in particular the provision of a SaaS-based E-Mail Security Gateway. Processing includes, among other things, the filtering and analysis of e-mails, the encryption, decryption, signing, and validation of e-mails, the provision of e-mails in a message portal for third parties, as well as the application of security policies to ensure the integrity and confidentiality of e-mail communication.
- If the Controller uses their own MPKI (Managed Public Key Infrastructure), they remain the Controller within the meaning of Art. 4 No. 7 GDPR for identity verification, policies, application and approval processes, issuance, renewal, suspension, and revocation. The Processor exclusively provides technical interfaces and does not check policy content. Insofar as the Controller obtains certificate services via the Processor, the respective involved certification authorities regularly act as separate Controllers. Processing by certification authorities is subject to their Certificate Policy (CP) and Certification Practice Statement (CPS). Decisions of the certification authorities are beyond the Processor's sphere of influence. Fees of the certification authorities shall be borne by the Controller. Reimbursement of already incurred CA fees is excluded unless the certification authority provides for a reimbursement.
Type of Data
- Personal master data (e.g., salutation, first and last name, address)
- Contract master data (e.g., contractual relationship, products/services)
- Communication data (e.g., telephone number, e-mail addresses, domains)
- Billing and payment data
- Third-party access data (e.g., IP address, timestamp, login token for message portal access)
- Metadata of e-mails (e.g., sender, recipient, subject lines)
- Content data of e-mails (e.g., text content, attachments)
- Certificate status data, OCSP and CRL queries, key material metadata, portal access logs
- Identity and verification data for certificate applications (e.g., ID data, commercial register excerpts, proof of representation)
Categories of Data Subjects according to definition of Art. 4 No. 1 GDPR
- All persons who use services from the Main Contract
- All persons about whom communication takes place
- E-mail senders and recipients
- External recipients authorized by the Controller
- Employees
- Customers
- Interested parties
- Business partners and suppliers
- Sales representatives
- Contact persons
§ 3 Responsibility and Processing of Documented Instructions
- The Controller is solely responsible under this agreement for compliance with the legal provisions of data protection laws, particularly for the lawfulness of the transfer of Data to the Processor and the lawfulness of the data processing (as the "Controller" within the meaning of Article 4(7) GDPR). This also applies to the purposes and means of processing regulated in this agreement.
- Instructions are initially defined by the Main Contract and may subsequently be amended, supplemented, or replaced by individual instructions provided by the Controller in written or text form (e.g., via email). Instructions not provided for in the contract will be treated as a request for a change in service and must be agreed upon jointly by the Controller and Processor. Oral instructions must be confirmed promptly in writing or text form by the Controller.
- If implementing an instruction is unreasonable for the Processor, the Processor is entitled to terminate processing and cancel the contract extraordinarily. The Controller's obligation to pay ceases when services are discontinued by the Processor. Unreasonableness particularly exists if services are provided in an infrastructure shared by multiple Controllers/customers (shared services) and a change in processing for individual Controllers is not feasible or reasonable.
- The Controller may terminate both the Main Contract and this agreement at any time if the Processor cannot or will not execute an instruction from the Controller or if the Processor unlawfully refuses to grant inspection rights to the Controller.
§ 4 Duties of the Processor
- The Processor may only process Data covered by this agreement within the scope of the contract and in accordance with the Controller’s instructions, unless an exceptional case under Article 28(3)(a) GDPR applies and its requirements are met (e.g., investigations by law enforcement authorities). In such cases, the Processor shall inform the Controller of these legal requirements before processing, unless the relevant law prohibits such notification due to an overriding public interest.
- The Processor shall immediately inform the Controller if it believes that an instruction violates applicable laws. The Processor may suspend implementation of the instruction until it is confirmed or amended by the Controller.
- The Processor ensures that the Data provided for processing is not used for any other purpose, particularly not for its own purposes. Furthermore, the Processor ensures that all persons authorized to process personal Data are bound by confidentiality obligations, which continue even after termination of this agreement. This also applies to obligations under telecommunications secrecy (§ 3 TTDSG), social secrecy, and professional secrecy under § 203 StGB.
- The Processor shall implement appropriate technical and organizational measures to adequately protect the Controller’s Data in compliance with Article 32 GDPR. These measures must ensure the confidentiality, integrity, availability, and resilience of systems and services related to processing on a continuous basis. The technical and organizational measures are documented by the Processor in Appendix 2 and made available to the Controller for review.
- The Processor shall reasonably assist the Controller in fulfilling requests and claims from Data Subjects under Chapter III GDPR as well as in complying with obligations under Articles 33 to 36 GDPR. For this support, the Processor may request reasonable compensation unless the request arises from a breach of contract by the Processor.
- The Processor shall promptly notify the Controller of any known breaches of personal Data protection involving the Controller’s Data. The Processor shall take necessary measures to secure the Data and mitigate potential adverse effects on affected individuals.
- The Processor shall designate a contact person for data protection matters arising under this agreement.
- The Processor shall rectify, delete, or restrict processing of personal Data from this agreement as instructed by the Controller.
- Upon completion of processing services, the Processor shall either delete all personal Data or return it to the Controller at their discretion unless Union or Member State law requires storage of personal Data. If the Controller does not exercise this right of choice, deletion shall take place within 30 calendar days after the end of the contract. For data processed during a test phase, the following applies differently: deletion at the latest 72 hours after the end of the test. Log data will be deleted according to the Main Contract at the latest after 90 days.
- The Processor shall provide technical means with which the Controller can make content temporarily available to authorized third parties (e.g. external recipients). Access is enabled exclusively at the instigation of the Controller. The Processor shall log these accesses and ensure that they are only possible with valid authorization (e.g. one-time link with expiration date). The lawfulness of the release and information of the data subjects is the responsibility of the Controller.
§ 5 Rights and Obligations of the Controller
- The Controller is solely responsible for assessing the lawfulness of processing under Article 6(1) GDPR and for safeguarding the rights of Data Subjects in accordance with Articles 12 to 22 GDPR. Nevertheless, the Processor is obligated to promptly forward any such requests, insofar as they are clearly directed exclusively at the Controller. In fulfilling its obligations, the Processor follows the instructions of the Controller. The Processor shall not be held liable if a request from a Data Subject is not answered, answered incorrectly, or answered late by the Controller.
- The Controller must promptly and comprehensively inform the Processor if it identifies errors or irregularities in the implementation of this agreement or in compliance with data protection regulations.
- Before the contract ends, the Controller is obligated to delete any personal Data it has stored in the services.
- At the Processor's request, the Controller shall designate a contact person for data protection matters.
- The Controller is obligated to treat all knowledge gained about trade secrets and data security measures of the Processor as confidential. This obligation remains in effect even after this agreement has been terminated.
§ 6 Authorized Persons of the Controller and Recipients of Instructions for the Processor
- Authorized Persons of the Controller: The persons authorized to issue instructions on behalf of the Controller are those specified in the customer account's master data.
- Recipients of Instructions for the Processor: All administrators of Conbool GmbH are designated as recipients of instructions.
- Form of Instructions: Instructions from the Controller must be issued in writing or in text form via the agreed communication channels provided on the website. In urgent cases, instructions may be given by telephone but must be promptly confirmed in writing or text form.
- Changes to Authorized Persons: In the event of a change or long-term unavailability of authorized persons, the contracting party must inform the other party without delay and, as a rule, in written or electronic form about successors or representatives.
§ 7 Additional Processors (Subcontractors)
- The Controller generally permits the Processor to engage additional subcontractors in accordance with Article 28 GDPR for fulfilling contractual obligations. The Processor ensures that agreements with these third parties include sufficient provisions to guarantee appropriate data protection and information security measures. The Processor publishes the respective current list of processors in Appendix 1; changes will be communicated at least 14 days before use, the right to object according to No. 3 remains unaffected.
- The currently engaged subcontractors are listed in Appendix 1. The Controller agrees to their use.
- The Controller has the right to object to the engagement of a new subcontractor within 14 days after being notified, provided there is a valid reason for doing so.
- In the event of an objection, the Processor may either provide the service without involving the proposed subcontractor or, if this is not feasible, terminate the affected service within a reasonable period (at least 14 days) after receiving the objection. In such cases, the Controller is no longer obligated to pay for services that have been discontinued.
- The Processor commits to regularly reviewing subcontractors' compliance with data protection requirements and providing evidence to the Controller upon request.
- When engaging additional processors, it is the Processor's responsibility to transfer its data protection obligations under this agreement to those subcontractors. The Processor ensures compliance with technical and organizational measures through regular monitoring.
- Contracts with subcontractors must be concluded in written form, which may also include electronic formats (in accordance with Article 28(4) and (9) GDPR).
§ 8 Technical and Organizational Measures in Accordance with Article 32 GDPR
- Within its area of responsibility, the Processor implements appropriate technical and organizational measures to ensure that processing complies with the requirements of the GDPR and guarantees the protection of the rights and freedoms of the Data Subjects. The Controller is responsible for implementing appropriate technical and organizational measures within its own area of responsibility in accordance with Article 32 GDPR, ensuring the confidentiality, integrity, availability, and resilience of systems and services related to processing over the long term.
- The current technical and organizational measures are described in Appendix 2 and are binding as part of this Agreement. The Processor may adapt the measures, provided that the level of protection does not fall below the level required by Art. 32 GDPR; essential changes will be documented and made available to the Controller upon request.
- The Processor conducts regular reviews of the effectiveness of its technical and organizational measures to ensure the security of processing in accordance with Article 32(1)(d) GDPR.
- Over time, the Processor will adapt its implemented measures to account for developments in the state of technology and changes in risk levels. The Processor may modify its technical and organizational measures as long as this does not result in a level of protection below that required by Article 32 GDPR.
§ 9 Liability
- Liability and claims for damages are governed by Article 82 GDPR.
- In the event that a Data Subject asserts a claim for damages under Article 82 GDPR, the parties agree to support each other in clarifying the underlying facts and circumstances.
- In the case of a data protection breach as defined in Article 33 GDPR, the Processor commits to: a. Informing the Controller immediately (no later than within 24 hours). b. Taking all necessary measures to contain the incident and prevent further violations. c. Supporting the Controller in notifying the competent supervisory authority.
§ 10 Miscellaneous
- If the property or data of the Controller being processed is endangered by measures taken by third parties (e.g., seizure or confiscation), insolvency or settlement proceedings, or other events, the Processor must inform the Controller without delay.
- Should any individual provisions of this agreement be invalid, this shall not affect the validity of the agreement as a whole.
- The Processor reserves the right to amend this agreement if required by legal changes or to implement new technical standards. The Controller will be informed in writing at least four weeks before such amendments take effect and has the right to object within this period. In case of an objection by the Controller, the Processor has an extraordinary termination right.
- The Controller accepts this agreement as part of the General Terms and Conditions (GTC) for the products they have booked. In case of conflicts, the provisions of this Data Processing Agreement take precedence over those of the Main Contract.
- If significant changes occur regarding subcontractors or their data protection measures, the Processor will promptly inform the Controller and adapt this agreement accordingly.
- German law applies.
Appendix 1 Additional Processors
- IONOS SE
- Address: Elgendorfer Straße 7, 56410 Montabaur, Germany
- Description of Partial Service: Provision, operation, and maintenance of products, specifically: a. Operation, maintenance, and servicing of the products. b. Provision of the physical environment for operating the Conbool GmbH website and application. c. Operation of the platform and provision of dedicated and virtual servers as well as cloud solutions.
- Supabase Inc.
- Address: 970 Toa Payoh North #07-04, Singapore
- Description of Partial Service: Backend database used for storing and processing service-relevant data as well as for user management and authentication.
- Data processing primarily takes place on servers within the European Union (e.g., Frankfurt am Main).
- Supabase ensures, through appropriate technical and organizational measures, that the confidentiality, integrity, and availability of processed personal data are maintained. These measures include, among other things, the encryption of data during transmission and storage, and access controls in accordance with GDPR requirements.
- If a transfer to third countries is required, Supabase ensures that all data protection requirements under Articles 44 et seq. GDPR are met, particularly through the conclusion of Standard Contractual Clauses (SCCs).
- A corresponding Data Processing Agreement has been concluded with Supabase Inc.
- The Processor regularly reviews compliance with the contractually agreed data protection measures by Supabase, particularly regarding data transfers to third countries.
Appendix 2 Technical and Organizational Measures (TOMs)
1. Confidentiality
Measures to ensure that only authorized persons have access to personal data:
Physical Access Control at IONOS:
- Security gates and video surveillance in IONOS data centers (certified according to ISO 27001).
- Access only for authorized persons via electronic access controls (e.g., transponders, biometric scanners).
- Visitor registration and accompaniment by authorized personnel.
- Regular review and logging of access rights.
Digital Access Control
- Multi-factor authentication (MFA) for all administrative accesses.
- Strict password policies (regular changes, minimum complexity).
- VPN connections for remote access to internal systems.
- Encryption of mobile storage devices and endpoints.
Data Access Control
- Role-based permission concept based on the principle of least privilege ("need-to-know principle").
- Separation of application and administrative accesses.
- Email content is always processed in-stream. When using the message portal, temporary, encrypted storage takes place for display and optional release by the customer. Storage takes place exclusively at the instruction of the controller and is automatically deleted as soon as access has taken place or the release period has expired.
- Logging and monitoring of all access attempts to personal data.
- Access to personal data or metadata is restricted to authorized employees with role-based permissions.
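The release mechanism described in the bullets above (content made available to an external recipient only at the Controller's instigation, via a one-time link with an expiry, every access attempt logged, and the content deleted as soon as it has been accessed or the release period has ended) as a worked Python illustration. This is an added example and not Conbool's implementation: the class and method names, the in-memory store, the constructed clock values, addresses and content are all assumptions, and encryption of the stored content at rest, which the TOMs require, is out of scope here.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Release:
    """One piece of content released to an external recipient (hypothetical record)."""
    content: bytes
    expires_at: float      # Unix timestamp after which the link is dead
    authorized_by: str     # Controller-side user who instigated the release


class ReleaseStore:
    """Single-use, time-limited release links with an access log.

    Hypothetical in-memory store; a real deployment would persist releases
    encrypted at rest, which this example does not show.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                          # injectable so expiry can be tested
        self._releases: Dict[str, Release] = {}      # keyed by SHA-256 of the token
        self.access_log: List[dict] = []

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is kept server-side, so a leaked store
        # or log does not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _log(self, event: str, key: str, actor: str) -> None:
        self.access_log.append({
            "ts": self._clock(),
            "event": event,
            "release": key[:12],     # truncated hash: enough to correlate, not to forge
            "actor": actor,
        })

    def create(self, content: bytes, ttl_seconds: int, authorized_by: str) -> str:
        """Create a release at the Controller's instigation; returns the secret token."""
        if ttl_seconds <= 0:
            raise ValueError("release period must be positive")
        token = secrets.token_urlsafe(32)            # 256 bits of entropy, URL-safe
        key = self._key(token)
        self._releases[key] = Release(content, self._clock() + ttl_seconds, authorized_by)
        self._log("created", key, authorized_by)
        return token

    def purge_expired(self) -> int:
        """Delete releases whose period has ended; returns how many were removed."""
        now = self._clock()
        expired = [k for k, r in self._releases.items() if r.expires_at <= now]
        for k in expired:
            del self._releases[k]
            self._log("expired", k, "system")
        return len(expired)

    def fetch(self, token: str, client_ip: str) -> Optional[bytes]:
        """Redeem a link once. Returns the content, or None if unknown, used or expired."""
        self.purge_expired()
        key = self._key(token)
        release = self._releases.pop(key, None)      # pop: deleted on first access
        if release is None:
            self._log("denied", key, client_ip)      # logged whether bogus, replayed or expired
            return None
        self._log("accessed", key, client_ip)
        return release.content

    def pending_count(self) -> int:
        """Number of releases still awaiting access."""
        return len(self._releases)


def demo() -> List[str]:
    """Walk through create / first access / replay / expiry; returns the event sequence."""
    now = [1_700_000_000.0]                          # constructed clock value
    store = ReleaseStore(clock=lambda: now[0])
    link = store.create(b"Q3 report contents", ttl_seconds=600, authorized_by="alice@controller.example")
    store.fetch(link, "203.0.113.7")                 # first access succeeds
    store.fetch(link, "203.0.113.7")                 # replay is denied: link was consumed
    link2 = store.create(b"other content", ttl_seconds=60, authorized_by="alice@controller.example")
    now[0] += 61                                     # release period ends
    store.fetch(link2, "198.51.100.9")               # purged as expired, then denied
    return [e["event"] for e in store.access_log]


if __name__ == "__main__":
    print(demo())
```

Two choices matter for the controls the TOMs describe: the store keeps only a hash of the token, so neither the database nor the access log can be used to reconstruct a live link, and redemption is a single `pop`, so there is no window between "checked" and "deleted" in which a second request could read the same content.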
Pseudonymization
- Pseudonymization of personal data wherever possible.
Data Encryption
- Encryption of all stored data.
Confidentiality Agreements:
- All employees are bound by confidentiality and data protection obligations in accordance with Article 28(3) GDPR.
2. Integrity
Measures to ensure the immutability and consistency of data:
Data Integrity:
- Use of checksums and hashing methods to validate data integrity.
Transfer Control:
- Encryption of all data transmissions using TLS 1.2 or higher.
- Use of secure communication protocols such as SFTP for data exchange.
- Documentation of all data transfers to subcontractors like Supabase.
Input Control:
- Protection of logs against manipulation through access restrictions and encryption.
- Individual user IDs to ensure traceability of changes.
3. Availability and Resilience
Measures to ensure the availability of systems and services:
Fault Tolerance:
- Use of highly available cloud infrastructures at IONOS with redundant servers.
- Failover systems to minimize downtime.
- Emergency plans for operations during technical disruptions.
Resilience:
- Load testing to verify system stability under peak loads.
- Scalable cloud infrastructure provided by Supabase and IONOS to dynamically respond to increased demands.
Monitoring:
- Continuous monitoring of system resources and automated alerts in case of anomalies.
4. Transparency
Measures to ensure traceability of processing activities:
Documentation:
- Maintenance of a record of processing activities in accordance with Article 30 GDPR.
- Regular Data Protection Impact Assessments (DPIAs) for new processing activities.
5. Data Protection by Design ("Privacy by Design")
Default Privacy Settings ("Privacy by Default"):
- Default settings for maximum data minimization in all services.
Data Minimization:
- Collection only of data necessary for the specific purpose.
- Automatic deletion of unnecessary data after defined retention periods.
6. Training and Awareness
Organizational measures to promote awareness of data protection:
- Regular training for all employees on data protection policies and IT security.
- Awareness campaigns on handling phishing attacks and social engineering.
7. Incident Response Management
Measures for handling security incidents:
- Documented process for detecting, reporting, and addressing data protection breaches.
- Notification to the Controller within 24 hours in the event of an incident, as required by Article 33 GDPR.
- Collaboration with external experts in cases of severe security incidents.
8. Organizational Measures
Measures to ensure clear responsibilities:
- Regular internal audits to verify compliance with data protection regulations.
- Continuous updates to security measures according to the state-of-the-art technology standards.
- Procedures for exercising Data Subject rights in accordance with Chapter III GDPR.