myStack Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the Cloud Services Agreement (“Agreement”) between:

Processor

automate.website UG (haftungsbeschränkt)
Ulmenhof 5
15831 Blankenfelde-Mahlow
Germany
(“Processor”)

and

Controller

The Customer identified in the Agreement (“Controller”)

This DPA governs the Processing of Personal Data by the Processor on behalf of the Controller in connection with the Services provided under the Agreement.

The parties agree that:

• Controller acts as a Controller within the meaning of Article 4(7) GDPR.
• Processor acts as a Processor within the meaning of Article 4(8) GDPR.
• This DPA applies to all Processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the myStack platform.

For the purposes of this DPA, the terms:

• Controller
• Processor
• Data Subject
• Personal Data
• Processing
• Personal Data Breach
• Supervisory Authority

shall have the meanings assigned to them under Regulation (EU) 2016/679 (GDPR).

“Data Protection Laws” means all applicable laws and regulations concerning privacy, data protection, and information security, including the GDPR.

The Processor provides the myStack cloud management and orchestration platform.

The Processor does not provide or operate the underlying compute, storage, networking, or data center infrastructure used by Customer workloads.

Customer workloads are deployed on infrastructure independently selected and contracted by the Controller.

Processing activities performed by the Processor may include:

• account administration;
• user authentication;
• role and permission management;
• platform operation;
• orchestration of services;
• configuration management;
• monitoring and alerting;
• support services;
• audit logging;
• maintenance of service metadata;
• API operations;
• platform security functions.

This DPA shall remain in effect for the duration of the Agreement and for any period during which the Processor processes Personal Data on behalf of the Controller.

The Processor shall process Personal Data solely for the purpose of:

• providing the myStack platform;
• authenticating users;
• operating platform functionality;
• provisioning and managing Customer-configured services;
• maintaining platform security;
• monitoring service health;
• providing support services;
• maintaining audit logs;
• complying with legal obligations.

The Processor does not determine where Customer workloads are deployed.

Deployment locations and infrastructure providers are selected and controlled solely by the Controller.

Depending on the Controller’s use of the Services, Personal Data may include:

• names;
• email addresses;
• usernames;
• user account information;
• authentication records;
• IP addresses;
• audit logs;
• platform activity logs;
• support communications;
• service configuration metadata;
• billing contact information.

The Processor does not intentionally require or request special categories of Personal Data as defined in Article 9 GDPR.

Data Subjects may include:

• employees of the Controller;
• contractors of the Controller;
• administrators of the Controller;
• authorized users of the Controller;
• customers of the Controller;
• end users of applications operated by the Controller.

The Processor shall process Personal Data only on documented instructions from the Controller unless otherwise required by applicable law.

The following constitute documented instructions:

• the Agreement;
• this DPA;
• Controller actions performed through the myStack platform;
• written instructions provided by the Controller.

Where the Processor believes an instruction violates applicable law, the Processor shall inform the Controller without undue delay.

The Processor shall ensure that all persons authorized to process Personal Data:

• are bound by confidentiality obligations; or
• are subject to appropriate statutory confidentiality duties.

Such obligations shall survive termination of employment or engagement.

The Processor shall implement appropriate technical and organizational measures pursuant to Article 32 GDPR, including measures designed to ensure:

• confidentiality;
• integrity;
• availability; and
• resilience of processing systems.

Such measures may include:

• access controls;
• role-based permissions;
• authentication mechanisms;
• encryption of data in transit;
• secure logging;
• monitoring systems;
• vulnerability management;
• patch management;
• incident response procedures;
• secure administrative access controls.

Further details may be provided in the Processor’s Technical and Organizational Measures documentation (Annex I).

The Services enable the Controller to provision and manage resources on infrastructure platforms independently contracted by the Controller.

The Controller may choose to use third-party infrastructure providers, including but not limited to Hetzner Online GmbH.

Such infrastructure providers:

• are selected by the Controller;
• are contracted directly by the Controller;
• bill the Controller directly;
• process Personal Data under separate contractual arrangements with the Controller; and
• are not engaged by the Processor as Subprocessors.

Accordingly, third-party infrastructure providers selected by the Controller shall not be considered Subprocessors of the Processor.

The Controller remains solely responsible for:

• selecting infrastructure providers;
• selecting deployment regions;
• entering into required data processing agreements with such providers;
• ensuring compliance with applicable Data Protection Laws regarding such providers.

The Processor shall not be responsible for the privacy, security, availability, or regulatory compliance of infrastructure services provided directly to the Controller by third-party infrastructure providers.

The Processor shall not transfer Personal Data outside the European Economic Area unless:

• permitted by applicable law;
• required for provision of the Services;
• appropriate safeguards under GDPR are implemented.

Control Plane operational data maintained by the Processor shall be hosted exclusively in Germany.

The Controller may deploy workloads through supported third-party infrastructure providers in various geographic regions.

The Processor acts solely upon Controller instructions regarding such deployments.

The Controller acknowledges and agrees that the Controller bears sole responsibility for:

• selecting deployment regions;
• evaluating legal requirements;
• assessing international transfer implications;
• ensuring compliance with applicable Data Protection Laws.

The Processor shall not be responsible for data transfers resulting from infrastructure regions selected by the Controller.

Taking into account the nature of Processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller in fulfilling obligations relating to:

• Data Subject rights;
• security obligations;
• Personal Data Breaches;
• Data Protection Impact Assessments;
• prior consultations with Supervisory Authorities.

The Processor may charge reasonable fees for substantial additional assistance.

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

To the extent available, the notification shall include:

• the nature of the breach;
• categories of affected data;
• likely consequences;
• mitigation measures undertaken or proposed.

If the Processor receives a request from a Data Subject concerning Personal Data processed on behalf of the Controller, the Processor shall:

• promptly inform the Controller; and
• not respond directly unless legally required.

Upon reasonable prior notice and not more than once annually, the Controller may request information reasonably necessary to demonstrate compliance with this DPA.

Where legally required, the Controller may conduct an audit or appoint an independent auditor, provided that:

• reasonable notice is given;
• confidentiality obligations are observed;
• business operations are not unreasonably disrupted.

The Processor may satisfy audit requests through the provision of documentation, certifications, reports, or other appropriate evidence.

Upon termination of the Agreement:

• the Controller may export available data during the retention period specified in the Agreement;
• the Processor shall delete Personal Data after expiration of applicable retention periods unless retention is required by law.

The Processor may retain information required:

• for legal compliance;
• accounting purposes;
• dispute resolution;
• security investigations.

Liability arising under this DPA shall be subject to the liability limitations contained in the Agreement except where prohibited by applicable law.

Nothing in this DPA excludes liability that cannot lawfully be limited under applicable law.

This DPA shall be governed by and construed in accordance with the laws of Germany.

In the event of any conflict between this DPA and the Agreement with respect to Personal Data Processing, this DPA shall prevail.

This Annex forms part of the Data Processing Agreement (“DPA”) between the Processor and the Customer (“Controller”).

1. Purpose

The Processor implements technical and organisational measures designed to ensure a level of security appropriate to the risk in accordance with Article 32 GDPR.

The measures described herein reflect the current state of implementation and may be updated over time, provided that the overall level of protection is not materially reduced.

2. Physical Security

The myStack Control Plane is operated exclusively within infrastructure located in Germany.

Physical access to the infrastructure is protected through measures implemented by the respective hosting provider, including:

• controlled facility access;
• visitor management procedures;
• surveillance systems;
• intrusion detection systems;
• environmental monitoring;
• redundant power systems;
• fire protection systems.

The Processor does not maintain direct physical access to production systems unless operationally required.

3. Access Control

Access to production systems is restricted to authorized personnel only.

Measures include:

• unique user accounts;
• role-based access control (RBAC);
• least-privilege principles;
• strong password requirements;
• multi-factor authentication where supported;
• administrative access restrictions;
• periodic access reviews;
• immediate revocation of access upon termination of employment or engagement.

4. Authentication and Identity Management

The Processor maintains identity and access management procedures designed to prevent unauthorized access.

Measures include:

• encrypted credential storage;
• secure authentication mechanisms;
• session management controls;
• account lockout protections;
• logging of authentication events;
• monitoring of privileged account usage.

5. Network Security

Production environments are protected through network security controls.

Measures include:

• network segmentation;
• firewall controls;
• restricted administrative access;
• encrypted management channels;
• denial-of-service mitigation where available;
• monitoring of suspicious network activity.

6. Encryption

The Processor employs encryption mechanisms appropriate to the nature of the processed data.

Measures include:

Data in Transit

• HTTPS/TLS for web traffic;
• encrypted API communications;
• encrypted administrative connections.

Data at Rest

Where supported by underlying systems:

• encrypted storage systems;
• encrypted backups;
• encrypted secrets and credentials.

The Controller remains responsible for encryption of Customer workloads and data deployed through third-party infrastructure providers unless such functionality is explicitly provided by the Service.

7. Separation and Tenant Isolation

The Processor implements measures designed to prevent unauthorized access between customers.

Measures include:

• logical tenant separation;
• account-level isolation;
• permission-based access restrictions;
• service-level access controls.

8. Logging and Monitoring

Security-relevant activities are logged and monitored.

Measures include:

• authentication logging;
• audit trail generation;
• administrative action logging;
• service health monitoring;
• anomaly detection processes;
• log retention procedures.

Logs may be retained for operational, security, compliance, and troubleshooting purposes.

9. Availability and Resilience

The Processor implements measures intended to ensure service availability and resilience.

Measures may include:

• infrastructure redundancy where feasible;
• automated monitoring;
• health checks;
• service recovery procedures;
• backup mechanisms for platform data;
• documented incident response processes.

The Processor does not guarantee uninterrupted service availability.

The applicable SLA is defined separately in the Agreement.

10. Backup Protection

The Processor protects operational Control Plane data through appropriate backup mechanisms.

Measures may include:

• encrypted backups;
• restricted backup access;
• backup integrity checks;
• recovery testing where appropriate.

The Controller remains solely responsible for configuring backup frequency, retention, and recovery policies for Customer workloads deployed through third-party infrastructure providers.

11. Vulnerability Management

The Processor maintains procedures for identifying and addressing security vulnerabilities.

Measures include:

• software update processes;
• security patch management;
• vulnerability assessments;
• dependency updates;
• remediation procedures.

Security updates are applied within reasonable timeframes based on risk and operational considerations.

12. Change Management

Changes affecting production systems are managed through controlled processes.

Measures include:

• documented deployment procedures;
• version control systems;
• review processes;
• rollback capabilities where feasible;
• testing procedures prior to deployment.

13. Incident Management

The Processor maintains procedures for managing security incidents.

Measures include:

• incident detection procedures;
• incident classification;
• escalation procedures;
• investigation processes;
• corrective actions;
• post-incident reviews where appropriate.

Personal Data Breaches are handled in accordance with the DPA.

14. Business Continuity

The Processor maintains reasonable business continuity measures.

Measures may include:

• documented recovery procedures;
• backup restoration processes;
• operational continuity planning;
• monitoring and alerting systems.

15. Personnel Security

Personnel with access to production systems are subject to appropriate security requirements.

Measures include:

• confidentiality obligations;
• security awareness training;
• access restrictions;
• role-based authorization;
• disciplinary procedures for policy violations.

16. Vendor Management

The Processor evaluates third-party service providers used in connection with the operation of the myStack platform.

Where third-party providers process Personal Data on behalf of the Processor, appropriate contractual safeguards are implemented.

Infrastructure providers independently selected and contracted by the Controller are not considered subprocessors of the Processor.

17. Data Subject Rights Support

The Processor maintains procedures to assist the Controller in responding to requests relating to:

• access;
• rectification;
• erasure;
• restriction of processing;
• portability;
• objection rights.

Assistance is provided to the extent required under the DPA and applicable law.

18. Data Retention and Deletion

The Processor maintains procedures for the deletion of Personal Data when no longer required.

Measures include:

• deletion workflows;
• retention controls;
• account termination procedures;
• secure disposal practices.

Retention periods may be extended where required by law or legitimate operational necessity.

19. Security Governance

The Processor maintains internal policies and procedures addressing:

• information security;
• access management;
• incident management;
• data protection;
• operational security.

These policies may be reviewed and updated periodically.

20. Review and Updates

The Processor may update these Technical and Organisational Measures from time to time.

Any updates shall maintain a level of protection that is not materially less protective than the measures described herein.

Acceptance

These Technical and Organisational Measures form an integral part of the Data Processing Agreement between the parties.