Data Processing Agreement - AI
1) Scope of Application
1.1) In providing the services pursuant to the order form and Software-as-a-Service Agreement (hereinafter collectively referred to as the “Main Agreement”), Hivebuy (hereinafter the “Contractor”) processes personal data that the Customer (hereinafter the “Client”) has provided for the performance of the services and with respect to which the Client acts as the data controller under data protection law (“Client Data”).
1.2) This Data Processing Agreement (“DPA”) specifies the data protection obligations and rights of the parties in connection with the processing of Client Data processed by the Contractor for the Client under the Main Agreement.
2) Purpose, nature, and scope of processing
2.1) The Contractor shall process the Client’s data exclusively on behalf of and in accordance with the Client’s instructions, unless the Contractor is legally required to do so under the law of the European Union or a Member State. In such a case, the Contractor shall notify the Client of these legal requirements prior to processing, unless the relevant law prohibits such notification due to an important public interest. These instructions must be in writing or in text form. The Client shall confirm verbal instructions in writing or by email. All instructions must be documented by the parties.
2.2) Unless otherwise agreed in the main contract, the processing of Client data by the Contractor shall take place exclusively in the manner, scope, and for the purpose specified in Annex 1 to this Data Processing Agreement; the processing shall concern exclusively the types of personal data and categories of data subjects specified therein. If these processing procedures change due to a change in the Contractor’s contractual services, the Contractor shall inform the Client of this in advance.
2.3) This Data Processing Agreement shall enter into force upon the commencement of the Main Contract. The term and notice periods shall correspond to those of the Main Contract. In case of doubt, termination of the Main Contract shall apply.
2.4) The contractually agreed data processing shall take place exclusively in a Member State of the European Union. Any transfer to a third country requires the prior consent of the Client and may only take place if the specific requirements of Articles 44 et seq. of the GDPR are met.
The provisions regarding the use of additional processors in Section 5 of these General Terms and Conditions remain unaffected.
2.5) If the Contractor believes that an instruction from the Client violates legal regulations, it shall immediately inform the Client thereof in writing or in text form. The Contractor is entitled to suspend the execution of such an instruction until the Client confirms it in writing or text form.
2.6) Data processing also includes the use of the Contractor’s own information technology systems with artificial intelligence functions (hereinafter collectively “AI systems”) for the structuring, analysis, and categorization of the data provided by the Client. The use of AI systems is exclusively for the purpose of data processing within the meaning of Article 28 of the GDPR and solely for the provision of the contractually agreed services to the Client. No personal data of the Client will be used for training purposes.
3) Requirements for Personnel
3.1) The Contractor shall require all persons who process the Client’s data to maintain confidentiality, unless they are already subject to an appropriate legal duty of confidentiality.
4) Security of Processing
4.1) The Contractor shall implement all appropriate technical and organizational measures to ensure a level of security appropriate to the risk for the Client’s data, taking into account the state of the art, the costs of implementation and, to the extent known to the Contractor, the nature, scope, context, and purposes of the processing of the Client’s data, as well as the varying likelihood and severity of the risk to the rights and freedoms of data subjects.
4.2) Prior to commencing the processing of the Client’s data, the Contractor shall, in particular, implement the technical and organizational measures specified in Annex 2 to these GTC and maintain them for the duration of the Main Contract, as well as ensure that the processing of the Client’s data is carried out in accordance with these measures.
4.3) Since technical and organizational measures are subject to technological progress, the Contractor is entitled and obligated to implement alternative, adequate measures to ensure that the security level of the measures specified in Annex 2 is not compromised. If the Contractor makes significant changes to the measures specified in Annex 2, it shall inform the Client of such changes in advance.
5) Use of Additional Data Processors
5.1) The Contractor shall use the additional data processors listed in Appendix 3 when processing the Client’s data. These are deemed approved upon conclusion of the Service Agreement.
5.2) The Contractor may engage additional processors to process the Client’s data subject to the following condition: The Contractor shall inform the Client in writing or in text form at least fifteen (15) business days prior to engaging the additional processor. Unless the Client objects within five (5) business days, such engagement shall be deemed approved.
5.3) If the Client objects to the use of an additional data processor, the Contractor is entitled, at its discretion, to continue providing the services without the relevant data processor or to terminate the main contract as well as these GTC at the time of the planned use of the data processor.
5.4) The Contractor must impose the same obligations on any additional data processor as the Contractor is obligated to the Client under this agreement.
5.5) The Contractor is obligated to select and engage only those additional processors that provide sufficient guarantees that appropriate technical and organizational measures will be implemented to ensure that the processing of the Client’s data complies with the requirements of the GDPR and these General Terms and Conditions.
6) Rights of Data Subjects
6.1) The Contractor shall take all reasonable technical and organizational measures to assist the Client in fulfilling its obligation to respond to requests from data subjects to exercise their rights.
6.2) In particular, the Contractor shall:
- immediately inform the Client if a data subject contacts the Contractor directly with a request to exercise their rights regarding Client Data;
- immediately provide the Client with all information in its possession regarding the processing of Client Data that the Client needs to respond to a data subject’s request and which the Client does not have at its disposal;
- promptly rectify, erase, or restrict the processing of Client Data upon the Client’s instruction;
- ensure that the Client can and does receive the Client Data processed within the Contractor’s area of responsibility in a structured, commonly used, and machine-readable format, to the extent that the data subject has a right to data portability with respect to the Client Data vis-à-vis the Client.
7) Other Obligations of the Contractor to Provide Assistance
7.1) The Contractor shall notify the Client immediately upon becoming aware of any breach of the protection of Client data, in particular incidents that result in the destruction, loss, alteration, or unauthorized disclosure of, or unauthorized access to, Client data.
7.2) In the event of any breach of the protection of Client Data, the Contractor is obligated to immediately take all necessary and reasonable measures to remedy the breach of the protection of Client Data and, where applicable, to mitigate its potential adverse effects.
7.3) If the Client is obligated to provide information regarding the processing of Client Data to a government agency or individual, or to otherwise cooperate with such entities, the Contractor is obligated to assist the Client in providing such information or fulfilling other obligations to cooperate.
7.4) The Contractor shall, taking into account the information available to it, assist the Client in complying with the obligations set forth in Article 32 of the GDPR.
7.5) In the event that the Client is required to notify the supervisory authorities and/or affected individuals pursuant to Articles 33 and 34 of the GDPR, the Contractor shall assist the Client, upon the Client’s request, in complying with these obligations. In particular, the Contractor is obligated to document all potential breaches of the protection of the Client’s data, including all related facts, in a manner that enables the Client to demonstrate compliance with any applicable legal reporting obligations.
7.6) The Contractor shall, to the extent reasonably practicable, assist the Client with any data protection impact assessments to be conducted by the Contractor and any subsequent consultations with the supervisory authorities pursuant to Articles 35 and 36 of the GDPR.
8) Data Deletion and Return
8.1) Upon the Client’s instruction, the Contractor shall, upon termination of the Main Contract, either completely delete all Client Data or return it to the Client and delete any existing copies, unless the Contractor is obligated under the law of the European Union or a Member State to continue storing the Client Data.
8.2) However, the Contractor is entitled to retain backup copies of the Client’s data for a period of three (3) months, provided that the deletion of the Client’s data from these backup copies is technically impossible or impossible in light of Article 32 of the GDPR. For this period, the rights and obligations of the parties under this DPA regarding the backup copies shall continue to apply.
8.3) Documentation serving as evidence of the lawful and proper processing of the Client’s data must be retained by the Contractor beyond the end of the contract in accordance with statutory retention periods.
9) Verification and Audits
9.1) The Contractor must ensure and regularly verify that the processing of the Client’s data complies with this Data Processing Agreement, including the scope of processing of the Client’s data specified in Annex 1, as well as the Client’s instructions.
9.2) The Client is entitled to verify the Contractor’s compliance with the provisions of these GTC, in particular the implementation of the technical and organizational measures set forth in Annex 2, either directly or through a qualified auditor bound by a duty of confidentiality, prior to the commencement of the processing of Client data and on a regular basis during the term of the Main Agreement; this includes through inspections. The Contractor shall facilitate such audits and shall cooperate with them by taking all appropriate and reasonable measures; this includes, among other things, granting the necessary access rights and providing all necessary information.
9.3) The audits and inspections shall, as far as possible, not hinder the Contractor in its normal business operations and shall not place an undue burden on the Contractor. In particular, inspections at the Contractor’s premises shall not take place more than once per calendar year without a specific reason and shall only occur during the Contractor’s normal business hours. The Client shall notify the Contractor of inspections in advance and in a timely manner in writing or in text form.
10) Final Provisions
10.1) In the event of conflicts between these GTC and the Main Contract that are relevant under data protection law, the provisions of these GTC shall prevail. In all other respects, the provisions of the Main Contract shall apply accordingly.
10.2) This Agreement does not establish any obligations on the part of the parties toward third parties (in particular toward data subjects) that go beyond the requirements of the GDPR.
Appendix 1 – Processing Activities
Purpose of data processing: Provision of the SaaS service in accordance with the provisions of the main contract
Nature and scope of data processing: Processing of account and usage data in connection with the provision of the SaaS service, hosting/storage, processing in connection with the provision of the SaaS service
Group of data subjects:
- Customer (if a natural person)
- Supplier (if a natural person)
- Representatives and employees of the Customer
- Representatives and employees of the Supplier
Type of data – Customer / Supplier:
- Master data
- Account and usage data
- Bank account and payment data
- Order data and documentation
- Budget planning and data
- Settlements between Customers and Suppliers
Representatives and employees:
- Master data
- Account and usage data
Appendix 2 – Technical and Organizational Measures
Organizational Controls:
- Internal data processing policies and procedures, guidelines, work instructions, process descriptions, and regulations (e.g., for the programming, testing, and approval of processes related to the processing of personal data)
- Separation of tasks/functions between the IT department and other departments
- Clear demarcation between areas of responsibility regarding data processing as a data controller and as a data processor
- Operating instructions for employees regarding the processing of personal data
- Definition of access permissions for employees and third parties, including the relevant documentation
- Special security areas with their own access controls (“closed shops”)
- With regard to activities as a processor: Written commitment by employees to maintain data confidentiality or a legal obligation of employees to maintain confidentiality pursuant to Art. 28(3)(b) GDPR
- With regard to activities as a data processor: The processing of personal data takes place only upon documented instructions from the data controller, including the transfer of personal data to a third country or to an international organization
- With regard to activities as a data processor: Upon request, all information necessary to demonstrate compliance with the GDPR can be provided to the data controller, even at short notice (within a maximum of 48 hours)
Access Control:
- Only employees with the appropriate expertise have access to the data processing systems
- Regulations for third parties (visitors, customers, cleaning staff, contractors, etc.)
- Ensuring that all entrances to data processing facilities (rooms, offices, computer hardware, and related equipment) are lockable
- Physical security of all areas where data storage media are located
- Key management (key issuance, etc.)
- Data access and user control
- Processes for reviewing and approving programs
- Granting access permissions only to specific individuals
- User passwords for data and programs
- Usernames and passwords (policies including password length and change requirements)
- Automatic revocation of the user ID after multiple incorrect password entries
- Protection of internal networks against unauthorized access (e.g., via firewalls)
- Automatic logout of user IDs that have not been used for an extended period of time
- Automatic screen lock after a specified period of time
- Usernames and passwords on all devices
Data Transfer Control:
- Use of document shredders or service providers (preferably with a data protection seal of approval)
- Restriction of the use of external storage media (in particular USB drives, external hard drives, SD cards, and CD/DVD burners) through technical measures (e.g., software to control interfaces or complete deactivation of interfaces)
- Electronic signature
Input control:
- Electronic logging of data processing, particularly the entry, modification, and deletion of data (audit logs)
- Assignment of rights to enter, modify, and delete data based on an authorization concept
Availability control:
- Centralized procurement of hardware and software
- Updating of the software in use (e.g., through updates, corrections, bug fixes, etc.)
- Formal approval procedures for hardware, software, and IT processes
- Server rooms are not located beneath sanitary facilities
- Capacity of the IT system, even under (very) high load
- Data mirroring
Separability:
- Separation of production and test systems
- Definition of database rights
- Logical client separation (on the software side)
Evaluation:
- There is a procedure in place for the regular review, evaluation, and assessment of the effectiveness of the aforementioned technical and organizational measures to ensure the security of processing. The reviews take place every six months.
Appendix 3 – Additional Data Processors
| Subcontractors | Purpose of Processing | Data Categories | Location of Processing |
|---|---|---|---|
| FusionAuth | Authentication and user management | Login credentials, email address, role information | EU |
| HubSpot | Customer communication & support (CRM) | Name, email address, communication content | EU |
| Sentry | Error analysis & performance monitoring | Metadata on user actions (e.g., browser, page views), pseudonymized IDs | EU (EU-Cluster) |
| Workato | Workflow automation (e.g., ERP integration) | Transaction data, personal metadata if applicable | EU/USA (depending on the target system) |
| AWS (Amazon Web Services) | Provision of cloud services and system hosting | All stored or processed personal data | EU |
| Twilio SendGrid | Provider of marketing and mailing services | Email address, email content (e.g., order confirmations) | EU |
As of: April 15, 2026