Data Processing Agreement
1. Subject Matter
As part of the provision of services under the General Terms of Use for the Langdock Platform (“Main Contract”), it is necessary for the Processor to process personal data for which the Controller acts as the data controller within the meaning of data protection regulations (“Controller Data”). This Agreement specifies the rights and obligations of the Parties under data protection law in connection with the processing of Controller Data for the performance of the Main Contract.
2. Scope of Data Processing
- The Processor shall process Controller Data on behalf of and in accordance with the instructions of the Controller within the meaning of Art. 28 GDPR. The Controller shall remain the controller within the meaning of data protection law.
- The details of the processing, in particular the categories of personal data and the purposes for which the Controller Data is processed on behalf of the Controller, are specified in Appendix 1.
3. Instructions by the Controller
- The Processor shall process the Controller Data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject. In this case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest.
- The Controller’s instructions are defined in this Agreement. In addition, the Processor makes available to the Controller configuration options within the Langdock Platform through which the Controller may customize the processing of Controller Data within the scope of the Platform’s standard operation. Use of these configuration options constitutes a documented instruction within the meaning of this Agreement. Instructions going beyond the foregoing that require customization of the Processor’s standard service are only binding to the extent they have been agreed in writing and documented in the Main Contract or a separate amendment.
- The Processor shall immediately inform the Controller if, in the Processor’s opinion, instructions given by the Controller infringe applicable data protection law.
4. Responsibility of the Controller
- As between the Parties, the Controller is solely responsible for the lawfulness of the instructions issued and the lawfulness of the processing of Controller Data. Should any third party bring claims against the Processor in connection with the processing of Controller Data under this Agreement, the Controller shall indemnify the Processor against such claims to the extent they are based on the Controller’s breach of this Agreement or applicable law.
- Upon request, the Controller shall provide the Processor with reasonable assistance in fulfilling its data protection obligations, including by supplying information required for the Processor’s records of processing activities pursuant to Art. 30 (2) GDPR and by supporting the Processor in its cooperation with supervisory authorities or other public authorities.
5. Security of Processing
- The Processor shall take appropriate technical and organizational measures in accordance with Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing of the Controller Data as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, to ensure a level of security for the Controller Data appropriate to the risk.
- The Parties agree that the technical and organizational measures set out in Appendix 3 ensure an appropriate level of protection for the Controller Data at the time of conclusion of this Agreement. The Processor shall be permitted to change or adapt technical and organizational measures during the term of this Agreement as long as such measures continue to meet the statutory requirements and do not reduce the overall level of data protection set out in Appendix 3.
6. Requirements for Personnel
The Processor ensures that persons authorized to process the Controller Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7. Use of Sub-Processors
- The Controller hereby grants the Processor general authorization to engage sub-processors with regard to the processing of Controller Data. The sub-processors engaged at the time of the conclusion of the Agreement are set out in Appendix 2.
- The Processor shall inform the Controller of any intended changes with regard to the addition or replacement of sub-processors at least 14 days prior to the planned engagement of the new sub-processor. Notification shall be made by publication at https://trust.langdock.com/subprocessors and via email if the Controller has subscribed to email notifications on that page. The Controller is entitled to object in writing to the intended change within 14 days of publication of the change, provided that the objection is based on specific data protection grounds. If no objection is raised, the change shall be deemed approved. In the event of a timely and duly reasoned objection, the Parties shall attempt to reach a mutually agreeable solution. If no agreement is reached within 14 days of receipt of the objection, either Party shall be entitled to terminate the Main Contract and this Agreement with a notice period of 30 days.
- The Processor shall contractually impose on sub-processors data protection obligations that correspond to the level of protection under this Agreement (Art. 28 (4) GDPR). Where a sub-processor processes Controller Data in a third country, the Processor shall ensure that an appropriate transfer mechanism ensuring an adequate level of protection within the meaning of Art. 44 et seq. GDPR is in place, such as by entering into standard contractual clauses pursuant to Art. 46 GDPR in accordance with the applicable template of the European Commission.
- The Processor shall remain responsible to the Controller for the performance of the sub-processor’s obligations in accordance with its contract with the Processor.
8. International Data Transfers
- The processing of Controller Data by the Processor shall generally take place within the European Union or a member state of the European Economic Area (EEA).
- Any transfer of Controller Data by the Processor to a third country or international organization shall take place only on the basis of an instruction from the Controller (e.g., where the Controller actively enables an LLM with a server location outside the EU in the Langdock platform) and in accordance with Art. 44 et seq. GDPR.
- Where Controller Data is transferred to or processed in a third country or international organization by the Processor or a sub-processor, the Processor shall ensure that an appropriate transfer mechanism ensuring an adequate level of protection within the meaning of Art. 44 et seq. GDPR is in place, such as by entering into standard contractual clauses pursuant to Art. 46 GDPR in accordance with the applicable template of the European Commission.
9. Data Subject Rights
- Taking into account the nature of the processing and the information available, the Processor shall assist the Controller, by appropriate technical and organizational measures to the extent reasonable, to comply with the Controller’s obligation to respond to requests to exercise the rights of data subjects under the GDPR. For this purpose, the Processor shall make available to the Controller functionalities within the Langdock platform that enable the Controller to independently handle typical data subject requests.
- The Controller hereby instructs the Processor to implement requests from data subjects to exercise their rights regarding (a) the rectification of account or profile data and (b) the deactivation or deletion of the user account and the data exclusively associated with that user account independently and without prior consultation with the Controller, where such requests are submitted directly to the Processor and the identity of the data subject has been verified by appropriate means (e.g., through the email address associated with the user account).
- Where the Processor receives a request from a data subject to exercise the rights under the GDPR that is not handled by the Processor independently (in particular because it raises legal or factual questions or goes beyond the standard cases set out in paragraph 2), the Processor shall forward the request to the Controller without undue delay. Upon the Controller’s request, the Processor shall in such cases assist the Controller by appropriate technical and organizational measures, insofar as reasonably possible and necessary, in fulfilling the Controller’s obligations.
10. Notification and Support Obligations of the Processor
- In the event of a personal data breach affecting Controller Data, the Processor shall notify the Controller thereof without undue delay after becoming aware of the breach. The notification shall be made on the basis of the information available to the Processor at the time of the notification; to the extent that further relevant information becomes available, the Processor shall provide such information to the Controller without undue delay.
- Upon the Controller’s request, the Processor shall, taking into account the nature of the processing and the information available to the Processor, assist the Controller in fulfilling any notification and communication obligations under the GDPR, insofar as such assistance is necessary and reasonable. The legal assessment as to whether and to what extent any notification or communication obligation exists shall remain the responsibility of the Controller.
- Upon the Controller’s request, the Processor shall, taking into account the nature of the processing and the information available to the Processor, assist the Controller with any data protection impact assessments and prior consultations with supervisory authorities, insofar as such assistance is necessary and reasonable. To the extent that such assistance causes significant additional effort exceeding the assistance contractually owed, the Parties shall agree in advance on appropriate additional remuneration.
11. Data Deletion
- The Processor shall delete the Controller Data no later than 30 days after termination of the Main Contract, unless the Processor is subject to a legal obligation to retain the Controller Data for a longer period. The Processor shall confirm deletion of the Controller Data to the Controller upon request.
- During the term of the Main Contract and until deletion of the Controller Data pursuant to paragraph 1, the Controller shall have the option to export its Controller Data. Upon request, the Processor shall make available the export functions provided for this purpose.
- Documentation that serves as proof of the proper processing of Controller Data in accordance with this Agreement or for complying with statutory retention obligations may be retained by the Processor after expiry of the Agreement.
12. Verifications and Audits
- The Processor shall provide the Controller, at the Controller’s request, with all information necessary and available to the Processor to verify compliance with its obligations under this Agreement and under Art. 28 GDPR.
- The Controller shall be entitled to review the Processor’s compliance with its obligations under this Agreement and under Art. 28 GDPR.
- Compliance with the obligations under this Agreement and under Art. 28 GDPR shall, as a rule, be demonstrated by the provision of an appropriate and up-to-date attestation or report from an independent body or an audit report issued in connection with an IT security or data protection certification (e.g., ISO 27001, SOC 2 Type II).
- To the extent that the Controller substantiates a specific and justified suspicion of a breach of the obligations under this Agreement or under Art. 28 GDPR, or if the evidence provided pursuant to paragraph 3 does not permit an adequate review in the specific case, the Controller shall be entitled to conduct inspections. Such inspections shall be carried out with due regard to the Processor’s legitimate interests and, where possible, primarily by way of written information or remote reviews.
- Inspections shall only be permissible during the Processor’s normal business hours and upon reasonable prior notice and shall not unreasonably interfere with the Processor’s business operations.
- The Processor shall be entitled to restrict the disclosure of information to the extent necessary to preserve the confidentiality of other customers’ data, security requirements, and legitimate trade and business secrets. If the Controller appoints a third party to carry out an inspection, such third party may not be a competitor of the Processor and must be bound in writing to confidentiality and non-disclosure prior to the inspection.
13. Liability
As between the Parties, the liability provisions of the Main Contract shall apply accordingly, including any exclusions and limitations of liability. The mandatory statutory liability provisions under Art. 82 GDPR shall remain unaffected.
14. Term and Termination
The term and termination of this Agreement shall be governed by the provisions on the term and termination of the Main Contract. Termination of the Main Contract shall automatically result in termination of this Agreement; this Agreement shall, however, remain in force until the deletion of the Controller Data has been completed. An individual termination of this Agreement is excluded.
15. Final Provisions
- Should individual provisions of this Agreement be or become invalid or contain a gap, the remaining provisions shall remain unaffected. The Parties shall replace the invalid provision with a legally permissible provision that comes closest to the purpose of the invalid provision and meets the requirements of Art. 28 GDPR.
- Unless otherwise provided in this Agreement, the provisions of the Main Contract shall apply accordingly, in particular with regard to the governing law and jurisdiction. In the event of contradictions between this Agreement and other agreements between the Parties, in particular the Main Contract, the provisions of this Agreement shall take precedence.
- Only the German version of this Agreement shall be legally binding. The English translation is provided for information purposes only.
Appendix 1: Purpose, nature, and scope of data processing

| Item | Description |
|---|---|
| Purpose of data processing | Provision of the Langdock platform for the use of LLMs according to the Main Contract |
| Nature and scope of data processing | |
| Categories of data subjects | |
Appendix 2: List of authorized Sub-Processors

| Company, Seat | Purpose | Type of Data | Location of data processing | Transfer mechanism |
|---|---|---|---|---|
| Microsoft Ireland Operations Limited, Ireland | Cloud infrastructure and hosting of Langdock platform | Controller Data | EU | - |
| Microsoft Ireland Operations Limited, Ireland | Provision of LLMs via Microsoft Azure | Controller Data | EU | - |
| Amazon Web Services EMEA SARL, Luxembourg | Provision of LLMs via AWS | Controller Data | EU | - |
| Google Cloud EMEA Limited, Ireland | Provision of LLMs via Google Cloud | Controller Data | EU | - |
| OpenAI Ireland Limited, Ireland | Provision of LLMs via OpenAI | Controller Data | EU | - |
| Black Forest Labs Inc., USA | Provision of image generation via Black Forest Labs | Controller Data | EU | EU SCCs |
| Functional Software Inc. (Sentry), USA | Error tracking | IP addresses, MAC addresses | EU | EU-U.S. Data Privacy Framework |
| Cloudflare Inc., USA | Protection against malicious traffic | IP addresses | Location of the user (processing takes place where the user is located) | EU-U.S. Data Privacy Framework |

The following sub-processors are only used if the Controller actively chooses LLMs of these providers with “global deployment” in the settings of the Langdock platform.

| Company, Seat | Purpose | Type of Data | Location of data processing | Transfer mechanism |
|---|---|---|---|---|
| Microsoft Ireland Operations Limited, Ireland | Provision of LLMs with global deployment via Microsoft Azure | Controller Data | Storage at rest in EU; processing (inference requests) in other Microsoft data zones, including USA | EU-U.S. Data Privacy Framework |
| Amazon Web Services EMEA SARL, Luxembourg | Provision of LLMs with global deployment via AWS | Controller Data | Worldwide, including US | EU-U.S. Data Privacy Framework |
| Google Cloud EMEA Limited, Ireland | Provision of LLMs with global deployment via Google Cloud | Controller Data | Worldwide, including US | EU-U.S. Data Privacy Framework |
| OpenAI Ireland Limited, Ireland | Provision of LLMs with global deployment via OpenAI | Controller Data | Worldwide, including US | EU SCCs, UK SCCs |
| Black Forest Labs Inc., USA | Provision of image generation with global deployment via Black Forest Labs | Controller Data | Worldwide, including US | EU SCCs, UK SCCs |