Data Processing Agreement (DPA)
pursuant to Art. 28 General Data Protection Regulation (GDPR)
between
Client
(hereinafter referred to as the “Controller”)
and
Inorms AI
AC Inorms GmbH, Nobelstrasse 3/5, 41189 Moenchengladbach, Germany
(hereinafter referred to as the “Processor”)
1. Subject Matter and Duration of Processing
(1) The Processor processes personal data on behalf of the Controller within the scope of the agreed services in the areas of:
- AI-powered automation
- AI agents
- Workflow automation
- Data processing systems
- Integrations and digital processes
- Software and system development
(2) The duration of processing shall be determined by the respective main agreement between the parties.
2. Nature and Purpose of Processing
The Processor shall process personal data exclusively for the purpose of providing the contractually agreed services.
Processing may include in particular:
- Storage
- Structuring
- Analysis
- Automation
- Transfer
- Provision
- Organization
- Processing through AI systems
The purposes of processing may include in particular:
- Process automation
- AI-supported assistance systems
- Document processing
- CRM integrations
- Communication automation
- Knowledge management
- Support and analytics processes
3. Categories of Data Subjects
The following categories of persons may in particular be affected by the processing:
- Customers
- Prospective clients
- Employees
- Suppliers
- Business partners
- Users of digital systems
4. Categories of Personal Data
Depending on the commissioned services, the following categories of personal data may in particular be processed:
- Master data
- Contact data
- Communication data
- Contract data
- Usage data
- Content data
- Documents
- Technical metadata
Special categories of personal data pursuant to Art. 9 GDPR shall only be processed where expressly agreed.
5. Controller’s Right to Issue Instructions
(1) The Processor shall process personal data exclusively on documented instructions from the Controller.
(2) Oral instructions must be confirmed immediately in writing or in text form.
6. Confidentiality
The Processor undertakes to:
- treat personal data confidentially,
- grant access only to authorized persons,
- obligate employees to confidentiality,
- implement appropriate technical and organizational measures.
7. Technical and Organizational Measures (TOMs)
The Processor shall implement appropriate technical and organizational measures in accordance with Art. 32 GDPR.
These include in particular:
- Access restrictions
- Role and authorization concepts
- Encryption
- Secure authentication
- Backup and recovery procedures
- Logging
- Network protection measures
- Secure hosting environments
- Regular security updates
The measures shall be implemented taking into account the current state of the art.
8. Use of Sub-processors
(1) The Controller generally agrees to the use of sub-processors, provided they are appropriately bound by data protection obligations.
(2) Possible sub-processors may in particular include:
- Hosting providers
- Cloud service providers
- Infrastructure providers
- AI model providers
- Technical integration services
(3) The Processor shall obligate sub-processors in accordance with the requirements of the GDPR.
9. International Data Transfers
Processing of personal data outside the European Union or the European Economic Area shall only take place in compliance with the legal requirements of the GDPR.
Where transfers to third countries occur, appropriate safeguards shall be implemented, in particular:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions
- Additional technical protection measures
10. Assistance Obligations
The Processor shall reasonably support the Controller with:
- Data subject requests
- Data protection impact assessments
- Security incidents
- Reporting obligations to authorities
- Documentation and accountability obligations
11. Notification of Data Breaches
The Processor shall inform the Controller without undue delay of any known personal data breaches.
12. Deletion and Return of Data
Upon completion of processing activities or upon instruction by the Controller, the Processor shall delete or return all personal data unless statutory retention obligations apply.
13. Audit Rights
The Controller shall have the right to reasonably verify compliance with data protection requirements or have such compliance verified by third parties.
Audits must be conducted taking into account legitimate business and security interests.
14. Liability
Liability shall be governed by the statutory provisions of the GDPR and the contractual agreements between the parties.
15. Final Provisions
(1) Amendments and additions to this agreement must be made in text form.
(2) Should individual provisions of this agreement be or become invalid, the validity of the remaining provisions shall remain unaffected.
(3) German law shall apply.
Place, Date
Controller
Inorms AI / AC Inorms GmbH