Data Processing Agreement (DPA) / Datenverarbeitungsvertrag
Last updated: 2025-04-11
1. Parties and Scope
This DPA is entered into between MABAAM Ltd. (as data processor, for the purposes of the customer's use of the software) and the customer (as data controller). For clarity, MABAAM processes personal data on behalf of the customer when providing the MABAAM service.
2. Art. 28 GDPR Compliance
MABAAM Ltd. acts as a processor in accordance with Art. 28 GDPR when processing personal data on behalf of its customers. MABAAM ensures that all personnel and sub-processors are bound by confidentiality obligations and adhere to the instructions of the controller.
3. Sub-Processors
The following sub-processors are engaged to process personal data on behalf of MABAAM. All sub-processors have entered into a written agreement with MABAAM that meets the requirements of Art. 28(4) GDPR.
- Hetzner Online GmbH (infrastructure, EU-only) – DPA available
- SendGrid (Twilio) (transactional email) – DPA available
MABAAM will notify customers of any intended changes to its sub-processors (additions or replacements) at least 30 days in advance, giving the customer the opportunity to object before the change takes effect.
4. Data Subject Rights
MABAAM will assist the customer in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, etc.) within the statutory timeframes. Requests can be initiated via the GDPR request portal.
5. Audit Rights
The customer, or an independent third-party auditor mandated by the customer, may audit MABAAM's compliance with this DPA (including its sub-processors) upon reasonable notice and subject to confidentiality. MABAAM will provide access to the relevant records and facilities. Audits may occur no more than once per calendar year unless a personal data breach or non-compliance is suspected.
6. Incident Reporting (72h Notification)
In the event of a personal data breach affecting personal data processed under this DPA, MABAAM will notify the customer without undue delay and, in any case, within 72 hours of becoming aware of the breach. The notification will include: (i) a description of the nature of the breach, (ii) the categories and approximate number of data subjects and records affected, (iii) the likely consequences, and (iv) the measures taken or proposed to address the breach and mitigate its effects.
7. Data Localization (EU-Only)
All personal data processed under this DPA is stored and processed exclusively within the European Union (EU) or the European Economic Area (EEA). Specifically, infrastructure is hosted by Hetzner in Germany and Finland. No personal data is transferred to third countries. Should a sub-processor outside the EU/EEA ever be required, MABAAM will put adequate safeguards in place (e.g., Standard Contractual Clauses under Art. 46 GDPR) before any transfer takes place.
8. Liability and Indemnification
Each party's liability under this DPA is subject to the limitation of liability set forth in the main agreement (AGB). Neither party excludes liability for breaches of the GDPR or for intentional misconduct.