Data Processing Agreement (DPA)

Agreement on commissioned data processing pursuant to Art. 28 of the General Data Protection Regulation (GDPR) for the Easy Mail Archive email archiving service.

Last updated: March 17, 2026

The German version of this DPA is legally binding. This English version is provided for informational purposes only.

Section 1: Scope and Definitions

This Data Processing Agreement (hereinafter "DPA") specifies the data protection obligations of the contracting parties in connection with the commissioned processing pursuant to Art. 28 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter "GDPR") under the main contract between the Controller and the Processor for the use of the Easy Mail Archive email archiving service.

The Controller (responsible party within the meaning of Art. 4(7) GDPR) is the customer who uses the Easy Mail Archive email archiving service.

The Processor (processor within the meaning of Art. 4(8) GDPR) is Martin Becker, Blockkamp 13, 29351 Eldingen, Germany.

Personal data means, in accordance with Art. 4(1) GDPR, any information relating to an identified or identifiable natural person.

Processing means, in accordance with Art. 4(2) GDPR, any operation or set of operations performed on personal data, whether or not by automated means.

An instruction is a documented directive issued by the Controller to the Processor regarding the handling of personal data in a specific manner.

Section 2: Subject Matter and Duration

The subject matter of this DPA is the processing of personal data by the Processor on behalf of the Controller under the main contract (Terms of Service) for the use of the Easy Mail Archive email archiving service.

The term of this DPA corresponds to the term of the main contract. It terminates automatically upon termination of the main contract, without prejudice to obligations that survive the end of the contract.

Section 3: Nature and Purpose of Processing

The Processor operates a cloud-based email archiving service for the Controller. The purpose of processing is the legally compliant, audit-proof archiving of the Controller's emails in accordance with statutory retention obligations (in particular GoBD, Section 257 HGB, Section 147 AO) and the provision of search, export, and compliance functions.

The processing includes in particular:

  • Receipt and storage of emails via SMTP interfaces
  • Indexing and full-text search of archived emails
  • Retention management including statutory retention periods
  • Export and restoration of archived emails
  • User management and access control for archive access
  • Audit logging of all accesses and actions in the archive

Section 4: Types of Personal Data and Data Subjects

The following categories of personal data are processed in the course of email archiving:

  • Email metadata (sender, recipient, date, subject, IP addresses, message IDs)
  • Email content (message body and file attachments)
  • User account data (name, email address, role, access credentials)
  • Access and audit logs (timestamps, users, actions performed)

Categories of data subjects:

  • Employees of the Controller whose email communications are archived
  • External communication partners (customers, suppliers, business partners, and other third parties) who appear as senders or recipients in archived emails

Section 5: Obligations of the Processor

The Processor shall process personal data solely on the basis of documented instructions from the Controller pursuant to Art. 28(3)(a) GDPR, unless required to do so by Union law or the law of the Member State to which the Processor is subject.

The Processor undertakes in particular:

  • To ensure that all persons authorized to process personal data are bound by confidentiality obligations or are subject to an appropriate statutory duty of secrecy (Art. 28(3)(b) GDPR).
  • To implement and maintain all technical and organizational measures required under Art. 32 GDPR. The specific measures are set out in Annex 2 to this DPA.
  • To assist the Controller, insofar as possible, in fulfilling requests from data subjects exercising their rights under Art. 15 to 22 GDPR (Art. 28(3)(e) GDPR).
  • To assist the Controller in complying with the notification obligations in the event of personal data breaches pursuant to Art. 33 and 34 GDPR (Art. 28(3)(f) GDPR).
  • To assist the Controller in carrying out data protection impact assessments pursuant to Art. 35 GDPR and prior consultations pursuant to Art. 36 GDPR, where necessary (Art. 28(3)(f) GDPR).
  • Upon termination of the commissioned processing, to delete or return all personal data at the Controller's choice (Art. 28(3)(g) GDPR).
  • To make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and to allow for and contribute to audits, including inspections (Art. 28(3)(h) GDPR).
  • To immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other data protection provisions of the Union or the Member States.

The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller in accordance with Art. 30(2) GDPR.

The Processor shall appoint a data protection officer if required by Art. 37 GDPR or Section 38 BDSG.

Contact for data protection matters in connection with this DPA: [email protected].

The Processor shall ensure that employees involved in the processing of personal data receive regular data protection training.

The Processor shall not use the personal data processed on behalf of the Controller for its own purposes and shall not process them in a manner inconsistent with the Controller's instructions.

The Processor shall immediately inform the Controller if it becomes aware that personal data has been accessed by unauthorized persons or processed unlawfully.

Section 6: Obligations of the Controller

The Controller, as the responsible party, is responsible for the lawfulness of the processing of personal data in accordance with applicable data protection regulations. The Controller shall ensure in particular that the transmission of emails to the archiving service is based on a valid legal basis.

The Controller shall issue instructions in text form (Section 126b BGB). Oral instructions must be confirmed in text form without undue delay.

The Controller shall designate a contact person for data protection matters to the Processor.

Section 7: Right to Issue Instructions

The Processor shall process personal data exclusively in accordance with the Controller's documented instructions. The services agreed upon in this DPA and the main contract constitute documented instructions.

Instructions shall be issued in text form. Transmission by email satisfies the text form requirement.

The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes data protection regulations. The Processor is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Controller.

Pending clarification by the Controller, the Processor may suspend the processing insofar as it is affected by the contested instruction.

Section 8: Confidentiality

The Processor shall ensure that all persons authorized to process personal data are bound by confidentiality obligations or are subject to an appropriate statutory duty of secrecy (Art. 28(3)(b) GDPR).

The confidentiality obligation shall survive the termination of the contractual relationship.

The Processor shall ensure that only those employees who require access to the Controller's personal data for the performance of contractual obligations have such access (need-to-know principle).

Section 9: Technical and Organizational Measures

The Processor shall implement the technical and organizational measures required under Art. 32 GDPR to ensure a level of security appropriate to the risk. The specific measures are described in Annex 2 to this DPA.

The technical and organizational measures shall be adapted to the state of the art and regularly reviewed, assessed, and evaluated to ensure their effectiveness.

Section 10: Sub-Processing

The Controller hereby grants the Processor general written authorization to engage sub-processors pursuant to Art. 28(2) GDPR.

The Processor shall ensure that:

  • Sub-processors are subject, by contract or other legal instrument, to the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees that appropriate technical and organizational measures are implemented so that the processing meets the requirements of the GDPR.
  • Sub-processors implement appropriate technical and organizational measures pursuant to Art. 32 GDPR.
  • The Processor shall be liable to the Controller for compliance with data protection obligations by sub-processors as if for its own actions.

The sub-processors engaged at the time of contract conclusion are listed in Annex 3 to this DPA.

The Processor shall inform the Controller in text form at least 30 days before any intended change regarding the addition or replacement of sub-processors.

The Controller may object to the change within 14 days of receipt of the notification on legitimate data protection grounds. If the objection cannot be resolved amicably, the Processor is entitled to terminate the main contract with reasonable notice.

Section 11: Rights of Data Subjects

The Processor shall assist the Controller, insofar as possible, with appropriate technical and organizational measures in fulfilling requests from data subjects exercising their rights under Art. 15 to 22 GDPR.

The email archiving service provides search and export functions that the Controller may use to respond to access requests under Art. 15 GDPR.

If a data subject contacts the Processor directly with a request to exercise their rights, the Processor shall forward the request to the Controller without undue delay.

Section 12: Notification Obligations in Case of Data Breaches

The Processor shall notify the Controller without undue delay of any breach of the security of personal data within the meaning of Art. 4(12) GDPR that relates to the commissioned processing.

The notification shall include at a minimum:

  • A description of the nature of the personal data breach
  • The categories and approximate number of data subjects and data records affected
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed by the Processor to address the breach and mitigate its effects

The Processor shall assist the Controller in fulfilling its notification obligations to the supervisory authority pursuant to Art. 33 GDPR and to the data subjects pursuant to Art. 34 GDPR.

The Processor shall document all personal data breaches, including the underlying facts, their effects, and the remedial measures taken, in accordance with Art. 33(5) GDPR.

Section 13: Audit Rights

The Controller has the right to carry out audits, including inspections, at the Processor's premises or to have them carried out by an appointed auditor (Art. 28(3)(h) GDPR).

On-site inspections shall be scheduled with reasonable advance notice, generally at least four weeks, and shall be conducted during normal business hours. The Processor may require that auditors are subject to a confidentiality agreement.

In lieu of an on-site inspection, the Processor may provide suitable certifications, audit reports from independent bodies, or equivalent evidence, provided they adequately serve the purpose of the audit.

The costs of the audit shall be borne by the Controller. The Processor shall bear its own personnel costs associated with participating in the audit.

Section 14: Deletion and Return

Upon termination of the main contract, the Controller shall have the opportunity to download all archived data via the service's export function within 30 days.

After expiry of the export period, the Processor shall irrevocably delete all personal data processed on commission.

The Processor shall document the deletion and, upon request, provide the Controller with written confirmation of the deletion carried out.

Section 15: Liability

The liability of the contracting parties is governed by Art. 82 GDPR.

Each party shall be liable for damages caused by processing that does not comply with the GDPR, to the extent that it has breached its own data protection obligations.

The Processor shall only be liable for damages caused by failure to comply with obligations specifically directed at processors under the GDPR (in particular Art. 28 and Art. 32 GDPR) or by acting outside of or contrary to the Controller's lawful instructions.

Section 16: Final Provisions

The laws of the Federal Republic of Germany shall apply.

Amendments and additions to this DPA require text form (Section 126b BGB). This also applies to the waiver of this text form requirement.

Should individual provisions of this DPA be or become invalid or unenforceable, this shall not affect the validity of the remaining provisions. The invalid provision shall be replaced by a valid provision that most closely reflects the economic purpose of the invalid provision.

This DPA is an integral part of the Terms of Service, available at /terms, and the Privacy Policy, available at /privacy.

The exclusive place of jurisdiction for all disputes arising out of or in connection with this DPA is Celle, provided the Controller is a merchant, a legal entity under public law, or a special fund under public law.

Annex 1: Description of Processing

The following details specify the commissioned processing pursuant to Sections 2 and 3 of this DPA.

Subject: Cloud-based email archiving service (Easy Mail Archive)
Purpose: Audit-proof archiving of business email communications, compliance with statutory retention obligations (GoBD, Section 257 HGB, Section 147 AO), full-text search, compliance management, and audit logging
Types of Data: Email metadata (sender, recipient, date, subject, IP addresses), email content (message body, file attachments), user account data (name, email address, role), access and audit logs
Data Subjects: Employees of the Controller, external communication partners (customers, suppliers, business partners)
Duration: Corresponds to the term of the main contract for the use of the email archiving service

Annex 2: Technical and Organizational Measures

The Processor implements the following technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk for personal data processed in the course of email archiving:

Access Control

Role-based access control (RBAC) with differentiated permission levels. Strict tenant-specific data separation. Optional multi-factor authentication (MFA). Automatic session management with configurable timeouts. Secure password storage using cryptographic hashing.

Encryption

AES-256-CBC encryption of all archived emails at rest (encryption at rest). Encrypted data transmission using TLS 1.2 or higher (encryption in transit). Separate encryption keys per tenant.

Availability

Hosting in the WITT AG data center in Germany. Redundant storage infrastructure. Regular automated backups. Continuous monitoring of system availability and performance.

Data Separation

Strict tenant-specific data separation through separate databases per tenant. Separate S3 storage areas per tenant. Logical isolation at the application level that prevents cross-tenant data access.

Pseudonymization

Use of internal, non-personal identifiers as primary keys. No use of personal data in system identifiers or storage paths.

Integrity

Audit-proof archive storage that prevents subsequent modification of archived emails. Checksum validation to ensure data integrity. Comprehensive audit logging of all accesses and changes.

Resilience and Recoverability

Regular automated backups. Tested recovery procedures. Redundant infrastructure to ensure business continuity.

Monitoring and Logging

Comprehensive audit logging of all user actions and system events. Access logs with timestamps, user identification, and actions performed. Anomaly detection for early identification of security-relevant incidents.

Annex 3: List of Sub-Processors

The Processor engages the following sub-processors at the time of contract conclusion:

Sub-Processor | Service | Location | Legal Basis
WITT AG | Server infrastructure, hosting | Germany | DPA
Stripe, Inc. | Payment processing, invoicing | USA | EU-US Data Privacy Framework (DPF)
Cloudflare, Inc. | CDN, DNS, DDoS protection | USA | EU-US Data Privacy Framework (DPF)
