Data Processing Agreement

Agreement on commissioned data processing pursuant to Art. 28 GDPR

Note: This is a convenience translation. In case of discrepancies, the German version shall prevail.

Version 1.0 — As of: March 2026

between the customer of the Aldric platform (hereinafter "Controller" or "Client") and

CONPORT Services GmbH
Alte Benninghofer Str. 24
44263 Dortmund, Germany
Managing Director: Benjamin Schowe
District Court Dortmund HRB 34231
(hereinafter "Processor" or "Contractor")

— collectively the "Parties"

This Data Processing Agreement (hereinafter "DPA") is an integral part of the Terms of Service and is concluded insofar as the Processor processes personal data on behalf of the Controller in the course of providing the SaaS platform "Aldric".

§ 1 Subject Matter and Duration of Processing

1.1 Subject Matter

The Processor processes personal data on behalf of the Controller in the course of providing the SaaS platform "Aldric" as described in the Service Description. The processing includes the storage, organization, provision, and deletion of data entered by the Controller through the platform.

1.2 Duration

The duration of processing corresponds to the term of the main agreement (Terms of Service § 3). Upon termination of the agreement, data shall be handled in accordance with § 8 of this DPA.

§ 2 Nature and Purpose of Processing

2.1 Nature of Processing

The processing includes the following activities:

  • Collection, recording, and storage of data via the platform interface and APIs
  • Organization and structuring in tenant-specific databases
  • Provision and retrieval by authorized users of the Controller
  • Transmission through exports (PDF, CSV, JSON) upon instruction by the Controller
  • Deletion and destruction in accordance with the platform's deletion policies or upon instruction
  • Backup through automated backup processes

2.2 Purpose of Processing

The purpose of processing is the provision of the contractually agreed compliance management functions, in particular:

  • Maintaining the Record of Processing Activities (Art. 30 GDPR)
  • Conducting Data Protection Impact Assessments (Art. 35 GDPR)
  • Managing Data Subject Access Requests (Art. 15-22 GDPR)
  • Documentation of technical and organizational measures
  • Management of contracts, policies, and training
  • Risk assessments and audit management
  • Whistleblower reports (German Whistleblower Protection Act — HinSchG)

§ 3 Types of Personal Data and Categories of Data Subjects

3.1 Categories of Personal Data

The specific data categories processed depend on the Controller's use of the platform. Typically, the following categories are processed:

  • Master data: Name, first name, title, position, department
  • Contact data: Email address, phone number, business address
  • Contract data: Subject matter of contracts, terms, responsibilities
  • Usage data: Login times, access history, audit trail
  • Communication data: Comments, notes, email correspondence within the system
  • Risk assessment data: Risk evaluations, measures, responsibilities
  • Report data: Whistleblower reports (potentially anonymized), facts, processing status

Note: Special categories of personal data (Art. 9 GDPR) should generally not be processed through the platform. If the Controller nevertheless enters such data, the Controller is solely responsible for the lawfulness of such processing.

3.2 Categories of Data Subjects

  • Employees and representatives of the Controller (platform users)
  • Contact persons at contractual partners and service providers of the Controller
  • Data subjects whose data is documented in processing activities
  • Whistleblowers and persons affected by reports (whistleblowing module)
  • Training participants

§ 4 Obligations of the Processor

4.1 Instruction-Bound Processing

The Processor shall process personal data only on documented instructions from the Controller (Art. 28(3)(a) GDPR). Instructions may be given in writing, in text form, or through the configuration of the platform.

The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes data protection provisions (Art. 28(3) sentence 3 GDPR). The Processor shall be entitled to suspend the execution of such an instruction until it is confirmed or modified by the Controller.

4.2 Confidentiality

The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).

4.3 Security of Processing

The Processor shall implement the technical and organizational measures required under Art. 32 GDPR to ensure a level of security appropriate to the risk. The current measures are described in Annex 1 (TOM).

4.4 Assistance Obligations

The Processor shall assist the Controller, taking into account the nature of processing:

  • In responding to requests from data subjects (Art. 15-22 GDPR) — the platform provides a DSAR module for this purpose
  • In ensuring compliance with obligations under Art. 32-36 GDPR (security, breach notification, data protection impact assessments)
  • In conducting data protection impact assessments (Art. 35 GDPR) — the platform provides a DPIA module for this purpose

§ 5 Sub-Processing

5.1 Approved Sub-Processors

The Controller hereby grants the Processor general written authorization to engage further processors (sub-processors) (Art. 28(2) GDPR). The sub-processors approved at the time of contract conclusion are listed in Annex 2.

5.2 Notification of Changes

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance. The Controller may object to such changes within 14 days of notification. If the Controller raises a justified objection, the Parties shall seek an amicable solution. If this is not possible, the Controller shall have a special right of termination effective as of the date of the planned change.

5.3 Contractual Safeguards

The Processor shall ensure that each sub-processor is subject to the same data protection obligations as set out in this DPA (Art. 28(4) GDPR). The Processor shall be liable to the Controller for the sub-processor's compliance with its obligations.

§ 6 Rights of Data Subjects

The Processor shall assist the Controller in fulfilling its obligations towards data subjects. If a data subject addresses requests pursuant to Art. 15-22 GDPR directly to the Processor, the Processor shall forward the request to the Controller without undue delay.

The platform provides technical support through:

  • DSAR Module: Management of data subject requests with deadline monitoring
  • Export functions: Data disclosure in machine-readable format (JSON, CSV)
  • Deletion functions: Targeted deletion of individual records
  • Audit trail: Complete documentation of all processing operations

§ 7 Notification of Personal Data Breaches

The Processor shall notify the Controller of any personal data breach without undue delay, and in any event within 24 hours of becoming aware of it (Art. 33(2) GDPR).

The notification shall include at least:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and data records concerned
  • The name and contact details of the data protection officer or other point of contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address and mitigate the breach

The notification shall be sent to the contact address provided by the Controller. The Processor shall document all breaches including all related facts, effects, and remedial actions taken.

§ 8 Return and Deletion of Data

Upon termination of the main agreement, the Processor shall make all processed personal data available to the Controller in a common, machine-readable format (data export).

The Controller shall have 30 days after contract termination to download its data through the platform's export functions (Terms of Service § 13). After this period, the Processor shall irrevocably delete all personal data of the Controller, unless statutory retention obligations apply.

Deletion shall be confirmed to the Controller in writing upon request. Backups shall be overwritten within 90 days after contract termination through the regular backup rotation cycle.

§ 9 Demonstration of Compliance and Audits

9.1 Evidence

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Art. 28(3)(h) GDPR).

9.2 On-Site Audits

The Controller may conduct on-site audits upon prior notification with a notice period of at least 20 business days, either directly or through an independent auditor. The Processor shall support such audits to a reasonable extent. The costs of the audit shall be borne by the Controller.

9.3 Certifications

The Processor may also demonstrate compliance by presenting current certifications (e.g., ISO 27001) or audit reports from independent third parties.

§ 10 Data Transfers to Third Countries

The processing of personal data shall generally take place exclusively within the European Union or the European Economic Area (EU/EEA).

A transfer to third countries shall only take place if:

  • An adequacy decision by the European Commission exists (Art. 45 GDPR), or
  • Appropriate safeguards pursuant to Art. 46 GDPR are in place (in particular Standard Contractual Clauses), or
  • The Controller has explicitly instructed the transfer

Current status: Stripe, Inc. (USA) processes payment data on the basis of the EU-US Data Privacy Framework (adequacy decision of July 10, 2023) as well as additional Standard Contractual Clauses.

Annex 1: Technical and Organizational Measures (TOM)

The Processor implements the following technical and organizational measures pursuant to Art. 32 GDPR to protect personal data:

A1.1 Physical Access Control

  • Hosting provider's data center with physical access control (security airlock, video surveillance, 24/7 security)
  • ISO 27001-certified data center within the EU

A1.2 System Access Control

  • Authentication via Keycloak (OpenID Connect/JWT)
  • Support for Single Sign-On (SSO) and Multi-Factor Authentication (MFA)
  • Password policies: minimum length, complexity requirements, expiration periods configurable
  • Automatic session timeouts
  • Brute-force protection with rate limiting

A1.3 Data Access Control

  • Row-Level Security (RLS): Strict tenant isolation at database level — each tenant can only access its own data
  • Role-Based Access Control (RBAC): Fine-grained permissions at module, function, and record level
  • Principle of least privilege
  • Administrative access only through secured, logged connections

A1.4 Separation Control

  • Multi-tenant architecture with strict data separation via tenant_id on all tables
  • Row-Level Security (RLS) at database level enforces tenant isolation independently of application logic
  • Separate development, testing, and production environments

A1.5 Pseudonymization and Encryption

  • Transport encryption: TLS 1.2+ for all connections
  • Encryption at rest: AES-256 at storage level
  • Database connections via encrypted channels
  • Password hashing with bcrypt/Argon2

A1.6 Integrity

  • Audit trail: Complete, tamper-proof logging of all security-relevant actions
  • Hash chains: Chained hashes for manipulation detection in audit logs
  • Input validation on all API endpoints (class-validator)
  • Prepared statements and parameterization against SQL injection

A1.7 Availability and Resilience

  • Automated daily backups with encrypted storage
  • Backup retention: 30 days (daily), 12 months (monthly)
  • Disaster recovery plan with defined RTO/RPO
  • Monitoring and alerting for all critical system components
  • Availability target: 99.5% p.a. (as per SLA)

A1.8 Recoverability

  • Regular testing of backup restoration
  • Documented recovery procedures
  • Point-in-time recovery for database data

A1.9 Procedures for Regular Review

  • Regular review of TOM effectiveness
  • Vulnerability assessments and security updates
  • Documented incident response procedures
  • Training and awareness for all employees

Annex 2: Approved Sub-Processors

The following sub-processors are approved at the time of contract conclusion:

| Sub-Processor | Purpose | Location / Data Processing | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing (subscriptions, invoices) | USA / EU | EU-US Data Privacy Framework, Standard Contractual Clauses |
| Plausible Insights OÜ | Website analytics (anonymized, no personal data) | Estonia / EU (Hetzner, DE) | EU-based, no personal data processed |
| [Hosting provider — to be added] | Server infrastructure and data storage | [To be added] / EU | [To be added] |
| [Email service provider — to be added] | Transactional emails (notifications, password reset) | [To be added] | [To be added] |

Note: The current list of sub-processors is available upon request and any changes will be communicated in accordance with § 5.2 of this DPA. Hosting provider and email service provider will be added before production launch.

Annex 3: Authorized Representatives

Authorized representatives of the Controller:

Persons registered as administrators in the customer account are authorized to issue instructions under this DPA. Instructions may be issued through the platform configuration, by email to datenschutz@conport.services, or in text form.

Authorized recipients of the Processor:

CONPORT Services GmbH
Data Protection
Email: datenschutz@conport.services


This Data Processing Agreement shall enter into force upon conclusion of the main agreement and shall terminate automatically upon its termination, without prejudice to the continuing obligations under § 8 (deletion) and § 4.2 (confidentiality).