Data Processing Agreement (DPA)



Rheinsberger Str. 76/77

10115 Berlin

- hereinafter referred to as "Processor" -


their customer specified in the Order Form

- hereinafter referred to as the "Customer" or “Controller”-

- Processor and Controller together also referred to as the Parties -

Last updated June 30, 2023

§ 1 Preamble

The Parties have entered into a contract for the provision of the MAINTENY Software (the "Contract"). Within the scope of the agreed services, it is necessary for the Processor to process personal data for which the Controller is responsible under data protection law. In order to specify the resulting rights and obligations in accordance with the requirements of the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and on the repeal of Directive 95/46/EC - General Data Protection Regulation (GDPR) (Datenschutzgrundverordnung, DSGVO), and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), the parties conclude the following data processing agreement ("DPA"), which complies with the requirements of Art. 28 GDPR.

§ 2 Scope, Extent and Term

  1. This DPA applies to the collection, processing and deletion of all personal data (hereinafter referred to as "Data") processed by the Processor on behalf of the Controller. The processing of Data by the Processor on behalf of the Controller will be carried out exclusively in the manner, to the extent and for the purpose specified in Annex 1 to this DPA.
  2. The term and termination provisions of the Contract apply to the term and termination of this DPA. The termination of the Contract automatically results in termination of this DPA. An isolated termination of this DPA is excluded.

§ 3 Responsibility and Authority to issue Instructions

  1.  The parties are responsible for compliance with the provisions of data protection law. The Controller may at any time request the return, correction, adjustment, deletion and restriction of the processing of the Data.
  2. The Processor processes the Data on behalf of and according to the instructions of the Controller within the meaning of Art. 28 GDPR (processing on behalf). The Controller remains the Data Controller within the meaning of data protection law (Art. 4 (7) GDPR).
  3. In order to ensure the protection of the rights of the Data subjects, the Processor shall provide appropriate support to the Controller, in particular by ensuring appropriate technical and organizational measures. Insofar as a Data subject contacts the Processor directly for the purpose of asserting a Data subject right, the Processor shall forward this request to the Controller without delay. 
  4. The Processor may process Data exclusively within the scope of the Controller's instructions, unless it is required to do so by Union law or the law of the Member State to which the Processor is subject (e.g., investigations by law enforcement or state protection authorities); in such a case, the Processor shall notify the Controller of these legal requirements prior to processing, unless the relevant law prohibits such notification due to an important public interest (Art. 28 (3) sentence 2 lit. a GDPR). The instructions of the Controller are in principle conclusively regulated and documented in the provisions of this DPA. Individual instructions that deviate from the provisions of this DPA or impose additional requirements require the consent of the Processor and must be documented. Any additional costs incurred by the Processor as a result will be borne by the Controller.
  5. The Processor shall inform the Controller immediately if it is of the opinion that an instruction violates Data protection regulations. The Processor is entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Controller. 
  6. Changes to the object of processing with procedural changes must be jointly agreed and documented. The Processor is not entitled to use the Data for any other purposes and is in particular not be entitled to disclose it to third parties. Copies and duplicates must not be made without the knowledge of the Controller.
  7. The Processor reserves the right to anonymize or aggregate the Data in such a way that it is no longer possible to identify individual Data subjects and to use it in this form for the purpose of demand-oriented design, development and optimization as well as for the provision of the services agreed upon in accordance with the Contract. The Parties agree that anonymized Data and Data aggregated in accordance with the above requirements will not be considered Data within the meaning of this DPA processed on behalf of the Controller.
  8. The Controller shall keep the register of processing activities within the meaning of Art. 30 (1) of the GDPR. The Processor shall provide the Controller with information for inclusion in the directory upon the Controller's request. The Processor shall keep a register of all categories of processing activities carried out on behalf of the Controller in accordance with the requirements of Art. 30 (2) of the GDPR.
  9. To the extent that Processing under this DPA takes place outside the territory of the European Union/European Economic Area, the Parties shall ensure that the level of protection guaranteed by the GDPR is not undermined, taking into account the requirements of Chapter V of the GDPR. To this end, the Parties hereby agree on the binding applicability of the European Commission's Standard Contractual Clauses for international transfers ("SCC"), Module 3 (Processor-to-Processor). In the event of a conflict between the provisions of this DPA and the provisions of the SCC, the latter prevails and remains unaffected.
  10. The Processor shall ensure that natural persons subordinate to him who have access to Data process them only on the instructions of the Controller.

§ 4 Legal Obligations of the Controller

  1. The Controller is solely responsible for the permissibility of the Data processing and for safeguarding the rights of the Data subjects in the relationship between the Parties. Should third parties assert claims against the Processor based on the processing of Data pursuant to this DPA, the Controller shall indemnify the Processor against all such claims upon first request.
  2. The Controller is responsible for providing the Processor with Data in a timely manner for the provision of services under the Contract and is responsible for the quality of the Data. The Controller shall inform the Processor immediately and completely if, during the examination of the Processor's results, he finds errors or irregularities in relation to the data protection regulations or its instructions.
  3. The Controller shall provide the Processor, upon request, with the information referred to in Art. 30 (2) of the GDPR to the extent that it is not available to the Processor himself.
  4. If the Processor is obliged to provide information to a government agency or person in connection with the processing of Data or to cooperate with such agencies in any other way, the Controller is obliged, upon first request, to assist the Processor in providing such information and in fulfilling any other obligations to cooperate

§ 5 Legal Obligations of the Processor

  1. The Processor shall ensure that the persons authorized to process the Data have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality.
  2. The Parties shall support each other in proving and documenting the accountability incumbent upon them with regard to the principles of proper Data processing, including the implementation of the necessary technical and organizational measures (Art. 5 (2), Art. 24 (1) GDPR). The Processor shall provide the Controller with relevant information in this regard as required.
  3. The Processor shall inform the Controller without undue delay of inspections and measures by the supervisory authorities or if a supervisory authority inquires, investigates or otherwise makes inquiries of the Processor within the scope of its competence.

§ 6 Technical-Organizational Measures

  1. The Parties agree on the specific technical and organizational security measures set forth in the Annex 2 ("Technical-Organizational Measures" incl. Subcontractors) to this DPA. The Annex is an integral part of this DPA.
  2. Technical and organizational measures are subject to technical progress. In this respect, the Processor is permitted to implement alternative adequate measures in accordance with the statutory provisions and the provisions of this DPA. Significant changes must be documented.
  3. The Processor shall provide the Controller with all information necessary to demonstrate compliance with the provisions of this DPA and the legal requirements. In particular, it will enable audits/inspections carried out by the Controller or another auditor commissioned by the Controller and support their implementation. In this context, proof of the implementation of such measures, which do not only relate to the specific order, can also be provided by submitting a current audit certificate, reports from sufficiently qualified and independent bodies (e.g. auditors, independent data protection auditors), by complying with approved codes of conduct in accordance with Art. 40 of the GDPR, a certification in accordance with Art. 42 of the GDPR or a suitable certification by IT security or data protection audit (e.g. in accordance with BSI-Grundschutz). The Processor undertakes to inform the Controller without undue delay of any form of cancellation or material change of the aforementioned evidence.
  4. The Controller is entitled to enter the business premises of the Processor in which Data are processed during normal business hours after timely advance notice (generally two weeks in advance) at its own expense, without disrupting business operations and in strict compliance with the business and trade secrets of the Processor, in order to carry out checks to satisfy itself of the adequacy of the measures taken to comply with the statutory provisions or the technical and organizational requirements necessary for the performance of this DPA.
  5. The Controller shall inform the Processor in due time (usually two weeks in advance) about all circumstances related to the performance of the audit. The Ordering Party may conduct one audit per calendar year. Further audits will be carried out against reimbursement of the costs and after consultation with the Processor.
  6. If the Controller commissions a third party to carry out the audit, it shall oblige this third party in writing in the same way as the Controller is obliged to the Processor under this DPA. In addition, the Controller shall obligate the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional duty of confidentiality. Upon request of the Processor, the Controller shall immediately submit to the Processor the commitment agreements with the third party. The Controller may not commission a competitor of the Processor to perform the audit.
  7. The Processor shall, in consultation with the Controller, take all necessary measures to safeguard the Data or the security of the processing, in particular also taking into account the state of the art, as well as to mitigate any possible adverse consequences for data subjects.

§ 7 Notification in the event of a breach by the Processor

The Processor shall inform the Controller immediately in the event of serious disruptions to its operations, suspected violations of this DPA as well as statutory data protection provisions, breaches of such provisions or other irregularities in the processing of the Controller's Data. This applies in particular with regard to the notification obligation pursuant to Art. 33 (2) of the GDPR as well as corresponding obligations of the Controller pursuant to Art. 33 and Art. 34 of the GDPR. The Processor assures to adequately support the Controller in its obligations pursuant to Art. 33 and 34 of the GDPR, if necessary. The Processor may only carry out notifications for the Controller pursuant to Art. 33 or 34 of the GDPR after prior instruction of this DPA.

§ 8 Deletion and return of Data

  1. Data carriers and data records handed over remain the property of the person responsible.
  2. After completion of the contractually agreed services or earlier upon request by the Controller, but no later than upon termination of the service agreement, the Processor shall hand over to the Controller all documents, processing and usage results created and data files (as well as copies or reproductions made thereof) that come into its possession and that are related to the contractual relationship, or shall destroy them in accordance with data protection laws after obtaining the Controller's prior consent. The same applies to test and reject material. A deletion protocol must be submitted to the person responsible upon request. 
  3. The Processor may retain documentation that serves as evidence of data processing in accordance with the order and in the proper manner in accordance with the respective retention periods until the end thereof, even beyond the end of the contract. For the Data stored according to sentence 1, the obligations according to § 3 apply after the end of the retention period.
  4. A right of retention is excluded.

§ 9 Subcontractors

  1. The Processor may generally use other processors (subcontractors) without the prior consent of the Controller, provided that the Processor takes reasonable measures to protect the confidentiality of the Data. The current subcontractors used for the performance of this DPA and agreed between the Parties are detailed in Annex 2. If the Processor engages new subcontractors to process Data under this DPA, it shall inform the Controller of the intended change or replacement of subcontractors. In individual cases, the Controller may object to such changes within 14 days of the relevant notification, and such objection must not be unreasonably withheld. The new subcontractor may commence processing after the expiration of the 14-day period or with the prior approval of the Controller. For the purposes of this provision, subcontracted services will not be deemed to be services that the Processor acquires from third parties as ancillary services in support of the performance of this DPA, e.g. telecommunications services.
  2. If subcontractors are engaged by the Processor, the Processor shall ensure that its contractual arrangements with the subcontractor are such that the level of data protection at least corresponds to the agreement between the Controller and the Processor and that all contractual and legal requirements are complied with; this applies in particular also with regard to the use of appropriate technical and organizational measures to ensure an adequate level of security of the processing. 
  3. Subject to compliance with the requirements of Section 3 (9) of this DPA, the provisions of Section 9 of this DPA also applies if another Processor in a third country is involved. The Controller hereby authorizes the Processor to enter into an agreement with another Processor on behalf of the Controller based on the SCC. The Controller declares its willingness to cooperate in fulfilling the requirements of Art. 49 GDPR to this extent.

§ 10 Data Protection Control

The Processor undertakes to grant the management of the Controller (or its data protection officer, as applicable) as well as the competent supervisory authority access at any time during normal business hours for the purpose of fulfilling their respective legally assigned tasks in connection with this Order. The Processor shall instruct its employees to cooperate with the aforementioned, in particular to answer their questions truthfully and completely. The obligations of confidentiality and rights to refuse to testify under the law remain unaffected.

§ 11 Liability

  1. The exclusions and limitations of liability under the Contract apply to the Processor's liability under this DPA. Insofar as third parties assert claims against the Processor based on the fact that the Controller has culpably violated this DPA or a data protection obligation relating to it as Controller, the Controller shall indemnify the Processor against these claims upon first request.
  2. The Controller undertakes to indemnify the Processor, upon first request, against all possible fines imposed on the Processor corresponding to its share of responsibility for the infringement sanctioned by the fine.

§ 12 Final Provisions

  1. German law is applicable to this DPA.
  2. The place of jurisdiction for all disputes arising from or in connection with this DPA is Berlin, Germany.
  3. Should individual provisions of this DPA be invalid or unenforceable, this does not affect the validity of the remaining provisions. 

Annex 1: Purpose, nature and scope of data processing; type of data and categories of data subjects

Personal dataType of dataPurpose of their processingCircle of affected persons
NamePersonal master dataEmployee managementCustomer employees
First namePersonal master dataEmployee managementEmployees of the customer
AddressPersonal master dataEmployee managementEmployees of the customer
Job title/ functionPersonal master dataEmployee managementCustomer employees
Company affiliationPersonal master dataEmployee managementEmployees of the customer
Personnel numberPersonal master dataEmployee managementCustomer employees
UsernamePersonal master dataEmployee managementCustomer employees
PasswordPersonal master dataEmployee managementCustomer employees
Photo URLPersonal master dataEmployee managementCustomer employees
Working hoursPersonal master dataEmployee managementCustomer employees
Phone numberCommunication dataEmployee managementEmployees of the customer
Email addressCommunication dataEmployee managementEmployees of the customer
IP addressCommunication dataEmployee managementEmployees of the customer

 Annex 2: Technical-organizational measures according to Art. 32 GDPR

1. Pseudonymization (Art. 32 (2) (a) GDPR)

Measures to guarantee that Data are processed in such a way that they can no longer be assigned to a specific data subject without the use of additional information.

Technical Measures

  • Use of state-of-the-art transformation methods
  • Generation and management (including distribution, storage, use, deletion) of secret parameters (keys and salt values) to be protected by state of the art technology.
  • Use of "salt values“

Organizational Measures

  • Restriction of access to salt values and keys limited to an absolute minimum of trusted users (need-to-know principle)
  • Data protection-compliant deletion of pseudonymized data after the purpose of processing has ceased to exist 
  • Pseudonymization before permissible statistical evaluation
  • Internal password management in the team with restrictive rules based on role

2. Encryption (Art. 32 (2) (a) GDPR)

Technical Measures

  • Encryption of the company website ("Data in motion") - HTTPS
  • Encryption of data carriers in laptops / notebooks ("Data at Rest")
  • E-mail encryption ("Data in motion"), see under 6. (TLS encryption)

Organizational Measures

  • Encryption Management Solution 

3. Confidentiality - Access Control (Art. 32 (2) (b) GDPR)

Measures to prevent unauthorized persons from accessing data processing facilities and systems in which Data are processed or used.

Technical Measures

  • Securing the building, windows and doors
  • Security locks

Organizational Measures

  • Key regulation (key issue etc.)
  • Personal control at the gatekeeper / reception
  • Careful selection of cleaning personnel

4. Confidentiality - Control of Access (Art. 32 (2) (b) GDPR)

Measures suitable for preventing data processing systems from being used by unauthorized persons.

Technical Measures

  • Authentication with username / password
  • Use of anti-virus software
  • Deployment firewalls with VPN technology 

Organizational Measures

  • Password assignment / password rules
  • Insofar as an employee leaves the company, access rights are immediately blocked
  • Regular review of authorizations (once a year)
  • Screen lock for workstations during inactivity

5. Confidentiality - Access Control (Art. 32 (2) (b) GDPR)

Measures to ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal Data cannot be read, copied, modified or removed without authorization during processing, use and after storage.

Technical measures

  • Use of document shredders or service providers (if possible with data protection seal of approval)
  • Physical deletion of data carriers before reuse
  • Proper destruction of data carriers (DIN 66399)
  • Logging the destruction of data

Organizational measures

  • Number of administrators reduced to the "bare minimum
  • Password policy incl. password length, password change 

6. Confidentiality - Disclosure Control (Art. 32 (2) (b) GDPR)

Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons during electronic transmission or while being transported or stored on data media, and that it is possible to verify and determine to which entities personal data is intended to be transmitted by data transmission equipment.

Technical Measures

  • Email encryption with TLS (Transport Layer Security)
  • Email encryption with S/MIME 
  • Establishment of dedicated lines or VPN tunnels

Organizational Measures

  • During physical transport: secure transport containers/packaging
  • Documentation of the recipients of Data and the time spans of the planned transfer or agreed deletion periods
  • Create an overview of regular retrieval and transmission operations

7. Confidentiality - Separation Control (Art. 32 (2) (b) GDPR)

Measures to ensure that Data collected for different purposes can be processed separately.

Technical Measures

  • For pseudonymized data: Separation of the attribution file and storage on a separate, secured IT system.
  • Separation of productive and test system
  • separate databases

Organizational Measures

  • Creation of an authorization concept
  • Logical client separation (on the software side)
  • Setting database rights

8. Integrity - Input Control (Art. 32 (2) (b) GDPR)

Measures to ensure that it is possible to check and establish retrospectively whether and by whom personal data have been entered into data processing systems, modified or removed.

Technical Measures

  • Logging of the entry, modification and deletion of Data

Organizational Measures

  • Traceability of input, modification and deletion of Data through individual user names (not user groups)

9. Availability - Availability control (Art. 32 (2) (b) GDPR)

Measures that guarantee that personal Data is protected against accidental destruction or loss.

Technical Measures

  • Fire extinguishers in server rooms
  • Air conditioning in server rooms
  • Fire and smoke detection systems
  • Devices for monitoring temperature and humidity in server rooms
  • Uninterruptible power supply (UPS)
  • Protective socket strips in server rooms

Organizational Measures

  • Alarm message in case of unauthorized access to server rooms
  • Creation of a backup & recovery concept
  • Keeping data backup in a secure, off-site location
  • In flood zones: Server rooms above the water line
  • Creation of an emergency plan
  • Server rooms not under sanitary facilities

10. Availability - Order Control (Art. 32 (2) (b) GDPR)

Measures that guarantee that Data processed on behalf of the Controller are only processed in accordance with the documented instructions of the Controller.

  • Selection of the contractor under due diligence aspects (especially with regard to data security)

List of approved contractors (subcontractors of the Processor processing Data):

CompanyServicePurpose of their processingCompany locationData storage location
Amazon Web Services EMEA SARL.Amazon Web ServicesStorage of all customer Data (encrypted) and hosting of all primary services and computing requirements of Mainteny.LuxembourgFrankfurt, Germany
Twilio Germany GmbHTwilioMake automated phone calls (for maintenance emergencies) and send SMS notifications to our customers' phone numbersGermanyFrankfurt, Germany
OneSignal Inc.OneSignalSend push notifications to your customers via Mainteny mobile appsUSAEU/EEA (Ireland)
Google Cloud EMEA Limited Google CloudDisplay of locations/addresses in the map view in our web and mobile applicationsIrelandFrankfurt, Germany
Routific Solutions Inc.RoutificCreation of automatic shipping routes for service orders (Routific receives ONLY the coordinates of the order without context). No PII is shared.CanadaUSA
Pusher LimitedChannelsSending push notifications to our web users via WebSocket connections.United KingdomEU/EEA (Ireland)
CARBONEIO SASCarbone APIGenerate PDF documents within the Mainteny applicationFranceFrance
Mainteny ASMaintenyProcessing within the group of companiesNorwayEU/EEA
List of approved contractors

11. Resilience (Art. 32 (2) (b) GDPR)

Measures to ensure the resilience of the systems and services, which ensure that the systems and services are designed in such a way that even selective high loads or high continuous processing loads remain feasible.

  • Test of storage, access and line capacities

12. Restoration of Availability (Art. 32 (2) (c) GDPR)

Measures to guarantee that the availability of and access to Data can be restored quickly in the event of a physical or technical incident.

Technical Measures

  • Redundancy by hosting the server + DB in several isolated availability zones
  • Cloud services

Organizational Measures

  • Backup concept: Automated backup of the database by AWS
  • Testing data recovery Testing data recovery

13. Data protection management (Art. 32 para. 2 lit. d GDPR)

Measures to guarantee a procedure for regular monitoring, assessment and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.

Organizational Measures

  • Development of a safety concept