Data Processing Agreement – Tideways
Data Processing Agreement
Last Updated: 8. December 2025
- Scope of applicability
The following data processing agreement within the meaning of Art. 28 para. 3 of the General Data Protection Regulation (Datenschutz-Grundverordnung; hereinafter “GDPR”) (hereinafter “DPA”) specifies the data protection obligations of Tideways GmbH (hereinafter “Processor”) as a data processor arising from the data processing for the customer (hereinafter “Controller”; Processor and Controller individually also referred to as a “Party” or collectively as “Parties”). The DPA shall apply to all activities in connection with the main agreement concluded between the Parties regarding the services of the Processor (hereinafter “Agreement”) in which employees of the Processor or persons engaged by the Processor process personal data (hereinafter “Data”) of the Controller.
- Subject matter, duration and specification of the data processing
The subject matter of the DPA and the nature as well as the purpose of the processing, are defined in the Agreement and in the list in Annex 1.
The term of this DPA is based on the term of the Agreement, provided that no further obligations arise from the provisions of this DPA.
- Area of application, place of data processing and responsibility
- The Processor processes Data on behalf of the Controller. This includes activities that are specified in the Agreement and in the description in section 1. The Controller is solely responsible for compliance with the statutory provisions of data protection laws, in particular for the lawfulness of the provision of Data to the Processor and for the lawfulness of the data processing within the meaning of Art. 4 no. 7 GDPR.
- The processing of Data, as a matter of principle, takes place in a member state of the European Union or in a signatory state to the agreement on the European Economic Area (EU/EEA). Any outsourcing of data processing or parts of data processing to a third country will only take place if the special requirements of Art. 44 et seqq. GDPR are met (e.g. adequacy decision of the EU Commission, standard contractual clauses, approved codes of conduct) and requires the prior consent of the Controller.
- The instructions are initially set out in the Agreement and may then be amended, supplemented or replaced by the Controller in writing (schriftlich) or in an electronic format (text form) submitted to the place designated by the Processor for individual instructions (hereinafter “Individual Instruction” or “Individual Instructions”). Individual Instructions not provided for in the Agreement shall be treated as a request for an amendment of the service. Oral Individual Instructions shall be confirmed in writing or in text form immediately by the Controller.
- Processing subject to instructions and obligation of remonstrance
- The Processor may only process Data within the scope of the DPA and the instructions of the Controller, unless an exception as defined in Art. 28 para. 3 lit. a GDPR applies.
- The Processor shall inform the Controller immediately if it believes that an instruction violates applicable laws (obligation of remonstrance). The Processor shall be entitled to suspend the implementation of the instruction until it has been confirmed or amended by the Controller.
- Confidentiality/non-disclosure obligation
- The Processor ensures that employees involved in the processing of Data and other persons working for the Processor are prohibited from processing the Data outside the instruction.
- Furthermore, the Processor ensures that the persons authorized to process the Data have committed themselves to confidentiality or are under an appropriate statutory obligation of non-disclosure.
- The Processor shall ensure that the persons authorized to process the Data only have access to personal Data to the extent necessary (“need to know”).
- Technical and organisational measures in accordance with Art. 32 GDPR
- The Processor shall organize the internal organisation in its area of responsibility in such a way that it meets the special requirements of data protection. The Processor shall take technical and organisational measures to ensure appropriate protection of the Controller’s Data that meet the requirements of the GDPR (Art. 32 GDPR). These technical and organisational measures are specified in the attached Annex 2.
- The Processor shall take technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing on a permanent basis.
- The Controller is aware of these technical and organisational measures and is responsible for ensuring that they provide an appropriate level of protection for the risks posed by the Data being processed.
- The Processor ensures that it will fulfil its obligations under Art. 32 para. 1 lit. d GDPR by implementing a process for regularly reviewing the effectiveness of the technical and organisational measures to ensure the security of the processing.
- Technical and organisational measures are subject to technical progress and further development. During the duration of this DPA, the Processor shall continuously adapt these measures to the requirements of the data processing and further develop them in line with technical progress. The security level of the technical and organisational measures specified in Annex 2 shall not be undercut.
- The Processor shall document in text form amendments to the technical and organisational measures that result in a significant deterioration of the ensured security level as a supplement to Annex 2 and shall inform the Controller thereof in text form.
- Support for the fulfilment of the Controller’s obligations
- The Processor shall inform the Controller immediately if it becomes aware of any violation of the protection of the Controller’s Data.
- The Processor will take the necessary measures to secure the Data and to reduce any possible adverse consequences for the data subjects and will consult with the Controller on this immediately.
- The Processor shall support the Controller in complying with the obligations set forth in Art. 32 to Art. 36 GDPR, taking into account the nature of the processing and the information available to the Processor.
- In the event of a claim against the Controller by a data subject regarding any claims under Art. 82 GDPR, the Processor shall support the Controller in the defence of the claim to the best of its ability.
The Processor shall name the Controller a contact person for data protection issues arising in connection with the Agreement.
- Obligation of the Controller
The Controller shall inform the Processor immediately and in full if it discovers defects, errors or irregularities regarding data protection provisions in the results of the data processing.
- Requests from data subjects
If a data subject contacts the Processor with requests for correction, deletion, or information, the Processor shall refer the data subject to the Controller, provided that the information given by the data subject makes it possible to assign the request to the Controller. The Processor will forward the request of the data subject to the Controller in text form immediately. The Processor will support the Controller to the best of its ability.
- Options for verification and inspections
- Upon request, the Processor shall provide the Controller with all necessary information and documents to demonstrate compliance with the obligations set out in Art. 28 GDPR and in this DPA, including any contracts with subcontractors.
- Should inspections by the Controller or an auditor engaged by the Controller be necessary in individual cases, these shall be carried out during normal business hours without disrupting operations, after notification and considering an appropriate lead time. The Processor shall be entitled to make these dependent on prior notification with an appropriate lead time and on the signing of a confidentiality agreement with regard to the Data of other customers and the technical and organisational measures in place. Should the auditor engaged by the Controller be in competition with the Processor, the Processor has the right to object to the auditor. The Processor shall be entitled to demand its usual remuneration for its support in conducting an inspection. The effort of an inspection is, for the Processor, in principle limited to one day per calendar year.
- If a data protection supervisory authority or any other supervisory authority of the Controller carries out an inspection, section 11.2 shall in principle apply accordingly. The signing of a confidentiality agreement is not necessary if this supervisory authority is subject to professional or statutory confidentiality, where a violation is punishable under the German Criminal Code (Strafgesetzbuch).
- Subcontractors
- The Processor shall be entitled to deploy the subcontractors listed in Annex 3 for the processing of Data on its behalf.
- The Processor shall carefully select the subcontractor and review it before engaging it. In particular, the Processor shall check in advance and regularly during the duration of the DPA that the subcontractor has taken the necessary technical and organisational measures to protect the Data in accordance with Art. 32 GDPR. In case of a planned change of a subcontractor or a planned engagement of a further subcontractor, the Processor shall inform the Controller in text form in good time, but no later than four (4) weeks before the change or the new engagement (hereinafter “Information”). The Controller shall be entitled to object to the change or the new engagement of a subcontractor in text form, stating an explanation, within three (3) weeks of receipt of the Information. The objection can be withdrawn by the Controller in text form at any time. If the Controller does not object within three (3) weeks of receipt of the Information, this shall be deemed as consent by the Controller to the change or the new engagement of the relevant subcontractor.
- If the Processor awards contracts to subcontractors, it is the responsibility of the Processor to transfer its data protection obligations under this DPA to the subcontractor. The Processor shall conclude a data processing agreement with the subcontractor that meets the requirements of Art. 28 GDPR. In addition, the Processor shall impose the same obligations for the protection of personal Data on the subcontractor as are specified between the Controller and the Processor. A copy of the data processing agreement shall be provided to the Controller upon request.
- The Processor may have the owed services be provided by subcontractors in whole or in part from a location outside the European Union/European Economic Area (EU/EEA) if the special requirements of Art. 44 et seqq. GDPR are met (e.g. adequacy decision by the EU Commission, standard contractual clauses, approved codes of conduct).
- Services that the Processor utilizes from third parties as purely ancillary services in order to carry out its activity shall not be regarded as subcontracting within the meaning of this section 12. These include, for example, cleaning services, pure telecommunications services with no specific connection to services that the Processor provides for the Controller, as well as postal/transport services. Nevertheless, the Processor shall ensure that appropriate precautions and technical and organisational measures have been taken to ensure the protection of personal data, also in the case of ancillary services provided by third parties. The maintenance and servicing of IT systems or applications constitutes a subcontracting relationship and data processing requiring consent within the meaning of Art. 28 GDPR if the maintenance and review concern IT systems that are used in connection with the provision of services for the Controller and personal Data processed on behalf of the Controller can be accessed during maintenance.
- Deletion and correction of personal data
- The Processor shall correct or delete the Data if the Controller so instructs and if there is no obligation under European Union law (Unionsrecht) or the law of the EU member states to store the Data. If it is not possible to delete the Data in a manner that complies with data protection requirements or to restrict data processing accordingly, the Processor shall destroy data storage and other materials in a manner that complies with data protection requirements on the basis of an Individual Instruction from the Controller or shall return these data carriers to the Controller.
- The Processor shall delete all Data after the end of the DPA, unless there is an obligation to store the Data under Union law or the law of the member states.
- Liability
The Controller and the Processor are liable to data subjects in accordance with the regulation set out in Art. 82 GDPR.
- Information obligations, order of priority, text form, choice of law
- If the Data at the premises of the Processor are at risk due to attachment or seizure, due to insolvency or composition proceedings or other events or measures of third parties, the Processor shall inform the Controller of this immediately. The Processor shall inform all those responsible in this context immediately that the sovereignty and ownership of the Data lies exclusively with the Controller as the “controller” within the meaning of the GDPR.
- In the event of any contradictions between this DPA and the Agreement, the provisions of this DPA shall take precedence over the provisions of the Agreement.
- This DPA is governed by German law, excluding the conflict of laws (Kollisionsrecht).
- Amendment of this DPA
- The Processor reserves the right to amend this DPA unilaterally if this appears objectively justified. Amendments are objectively justified, for example:
- in the event of an extension or amendment of the services of the Processor,
- when there is a change in the legal or statutory environment (e.g., if a competent court declares a clause to be invalid) or
- if the balance of the agreement existing at the time of the conclusion of the DPA is significantly disturbed by unforeseeable changes beyond Processor’s control.
A precondition for an amendment is always that it is reasonable for the Controller and does not adversely affect the Controller’s rights under the GDPR, including (but not limited to) right of instruction, right to audit and inspect, right to be informed and object to sub-processors, right to timely breach notification, right to require assistance with data subject rights, and right to require return or deletion of data.
- The Controller shall be notified of amendments of the DPA. Such amendments shall be deemed approved if the Controller has not objected to the validity of the amended DPA within four (4) weeks in writing or by e-mail to the Processor and the Processor has pointed out the legal consequences of an omitted objection.
- Other amendments and additions to this DPA and to all its components that are not covered by section 16.1 must be made in writing (Schriftform). This also applies to the waiver of this formal requirement.
The written form requirement under this DPA is also met if the Parties provide their signatures at least by means of electronic signatures within the meaning of Art. 3 no. 10 of the European eIDAS Regulation (i.e. data in electronic form that is connected or logically associated with other electronic data and that the signatory uses to sign); e.g. by DocuSign.
Annex 1
Nature and purpose of data processing
In particular, the following data is part of the data processing:
| Categories of data subjects | Type of Personal Data | Nature and purpose of data processing |
|---|---|---|
| All Tideways authorised users (Controller personnel) | Contact data (Name, E-Mail) | Sending of daily/weekly reports, notifications, product updates, tutorials, password reset, announcements and other product-related messages. |
| All Tideways authorised users (Controller personnel) | Communication Data | E-Mails to Tideways support or directly to Tideways employees |
| All Tideways authorised users (Controller personnel) | Usage data | Anonymized statistics of feature usage, pseudonymized user profiles, connection of Tideways user accounts that caused errors in the software |
| All Tideways authorised users (Controller) | Network Data (IP Addresses) | Network Security and Access logging |
| Visitors of Controller’s Tideways connected websites | Pseudonymised website request data. No directly identifying data is received by Tideways with default settings and usage. Depending on your usage of the Tideways APIs, additional data (including personal data) may be transmitted if you explicitly program this behavior into your software. This could be personal master data, e-mail addresses or IP addresses. Be advised that our Terms of Use do not allow you to send personally identifiable data except when pseudonymized. If we detect personal data being transmitted we might automatically filter it in the Tideways software running on your servers, before it reaches our control. | Correlation of pseudonymized visitor identifiers with performance and error data. |
Annex 2
Technical and organisational measures in accordance with Art. 32 GDPR
The Processor has implemented the following technical and organisational measures:
- Confidentiality (Art. 32 para. 1 lit. b GDPR)
  - physical access control
    Tideways implements among other things the following measures to prevent access of unauthorized persons to the data processing units which are used to process or use data:
    - Production environment in an external datacenter certified with ISO 27001 with BSI Basic Protection
    - Regular security trainings with employees
    - Hard drive encryption of employee laptops
  - logical access control
    - Secure connections and technologies for authentication are implemented to control access to Tideways production systems, internal and external support tools.
    - Encryption techniques are used to secure user authentication and administration sessions.
    - Systems with access to personally identifiable data are secured with two-factor authentication.
    - There is a formal process to grant or deny access to resources in our system. Different protections are implemented to allow secure and flexible access.
    - Access is granted based on a documented access control concept.
  - data access control
    Tideways implements among other things the following methods to guarantee that the users accessing personal data are only able to access data based on their assigned access roles and that processed data is not read, copied, changed or deleted without authority:
    - access to personalized accounts based on a role concept
    - access protocols
  - separation control
    Tideways implements among others the following measures to guarantee that data saved for different purposes are only processed separately:
    - Processing in production is performed on a separated network that is protected by logical and physical access control from other customers of our hosting provider.
    - Different databases are used for different purposes such as product, marketing and web analytics.
- Integrity (Art. 32 para. 1 lit. b GDPR)
  - data transfer control
    Tideways implements among other things the following measures to guarantee that data is not copied, changed or deleted by unauthorized persons during transfer:
    - Access to all systems is subject to access controls.
    - The handling of data storage mediums is formalized and regulated.
    - Encryption of hard drives of employee machines
    - Encryption of external data storage mediums
    - Secure and proper destruction of physical storage mediums through certified companies
  - data entry control
    Tideways implements among other things the following measures to guarantee that additions, changes and deletions of data can be checked and verified after the fact:
    - For data entry control, system and application log files are stored to log administrative work.
- Availability and Resilience (Art. 32 para. 1 lit. b GDPR)
  - availability control
    Our hosting provider SysEleven takes the following measures to guarantee availability of data and prevention of data loss:
    - Uninterrupted power supply
    - Partition of the datacenter into separate fire control sections and use of
      - early fire warning systems
      - fire alarm systems
      - fire extinction systems and fire extinguishers
    - Automated monitoring
    - Data backup plan
    - Regular backups of server contents
    - Redundant setup for data processing systems by mirroring, replication and clustering
    We implement additional measures to guarantee availability of data:
    - Monitoring
    - Data from other external systems are mirrored into the SysEleven datacenter
  - quick restoration (Art. 32 para. 1 lit. c GDPR)
- Processes for regularly testing, assessing and evaluating (Art. 32 para. 1 lit. d GDPR)
  - data privacy management
  - incident response management
    Tideways implements among other things an incident response management where each availability, confidentiality or integrity incident is documented and discussed in the team and remedied for the future.
  - data privacy friendly default settings (Art. 25 para. 2 GDPR)
    Tideways features that affect user or customer privacy are opt-in.
  - control of processing instructions
    Tideways implements among other things the following measures to ensure that processing of data is only performed for instructed tasks:
    - All employees are contractually obligated to follow data secrecy
    - Regular data privacy training and education
  - contractual rules with subcontractors
    All subcontractors selected by Tideways are GDPR compliant and data processing agreements are signed with them if necessary.
Annex 3
Deployed subcontractors
| Name and address of the subcontractor | Description of the partial services | Legal basis for data transfers to a third country |
|---|---|---|
| SysEleven GmbH, Boxhagener Straße 80, 10245 Berlin, Germany | Hosting, Backups | |
| Recurly, Inc., 400 Alabama St, Suite 202, San Francisco, California 94110, USA | Subscriptions, Invoicing, Payment | EU-U.S. Data Privacy Framework |
| Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland | Credit Card Processing | |
| HelpScout Inc., 131 Tremont Street, 3rd Floor, Boston, MA 02111-1338, USA | Help-Desk / Support | Standard Contractual Clauses |
| ChartMogul GmbH & Co. KG c/o WeWork, Kemperplatz 1, 10785 Berlin, Germany | Customer Relationship Management (CRM) & Software as a Service (SaaS) Metrics Platform | |
| Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland | Document Storage, E-Mails directly with Tideways Employees | |
| Postmark, a service by AC PM LLC, 1 N Dearborn Street, Suite 500, Chicago, IL 60602, USA | Email delivery service for invoices, performance reports | Standard Contractual Clauses |
| Zoom Video Communications, Inc., 55 Almaden Blvd. Suite 600, San Jose, CA 95113, USA | Video-Calls, Webinars, Communication | EU-U.S. Data Privacy Framework |
| Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia | Web analytics | |
| Rapidmail, Positive Group Deutschland GmbH, Wentzingerstraße 21, 79106 Freiburg im Breisgau, Germany | Newsletter Tool/Email Automation | Standard Contractual Clauses |