Data Processing Agreement (DPA)

between
Client (“Client” / Controller)
and
Laboperator GmbH (“Contractor” / Processor)
Address: Wittelsbacher Ring 8, 95444 Bayreuth, Germany

Table of Contents

  1. Subject Matter of the Contract
  2. Scope, Nature, Purpose of Processing, and Types of Data
  3. Technical and Organizational Measures
  4. Correction, Deletion, Blocking, Data Subject Rights
  5. Duties of the Contractor & Cooperation under GDPR
  6. Subcontracting (Sub-processors)
  7. Control Rights & Cooperation
  8. Breach Notification
  9. Obligations of the Client
  10. Deletion / Return of Data After Contract End
  11. Remuneration
  12. International Transfers & SCCs
  13. Miscellaneous / Final Provisions

Annex 1 – Data Categories, Data Subjects, Purpose
Annex 2 – Technical & Organizational Measures (TOMs)
Annex 3 – List of Sub-Processors with Addresses

1. Subject Matter of the Contract

1.1 The Contractor processes personal data on behalf of the Client for the purpose of providing the Laboperator Cloud Software Products under the Main Contract.
1.2 The contract duration is indefinite. It terminates automatically when the Main Contract ends.
1.3 The right to terminate for cause remains.
1.4 This DPA does not apply to free or trial versions of the Laboperator Software Products (unless otherwise agreed).
1.5 Previous data processing agreements (if any) are terminated by mutual consent when this DPA enters into force.

2. Scope, Nature, Purpose of Processing, and Types of Data

2.1 The Contractor will process the personal data only for the purposes agreed in the Main Contract and as per Client instructions.
2.2 The Contractor may create intermediate, temporary, or duplicate files for procedural or security reasons, but must not transform or otherwise misuse the data.
2.3 Types of personal data are listed in Annex 1.B.
2.4 Groups of data subjects are listed in Annex 1.C.
2.5 Further details about processing (purpose, retention, etc.) are in the Main Contract and the privacy policy.

3. Technical and Organizational Measures (TOMs)

3.1 The Contractor commits to implementing appropriate technical and organizational measures, taking into account the risk, state of the art, implementation costs, and nature of the data processing (per GDPR Art. 32).
3.2 The current TOMs are described in Annex 2.
3.3 If the Contractor needs to change TOMs, any materially significant changes (i.e., impacting confidentiality, integrity, availability) will be coordinated with the Client. Minor changes (that don’t increase risk) may be made without prior coordination.

4. Correction, Deletion, Blocking, and Data Subject Rights

4.1 The Contractor will correct, delete, or block personal data according to the Client’s instructions.
4.2 If a data subject contacts the Contractor directly to exercise GDPR rights (e.g. access, rectification), the Contractor will refer them to the Client, unless the Contractor is itself legally obligated as a controller.
4.3 The Contractor will support the Client (to the extent reasonably possible) in responding to data subject requests: the Client will inform the Contractor in writing what support is needed and supply the required data for identification, etc.
4.4 If the Contractor provides support, the Client shall reimburse for any reasonable fees, unless otherwise agreed.

5. Duties of the Contractor & GDPR Cooperation

5.1 Only personnel who are bound by confidentiality and trained in data protection may access the personal data.
5.2 Those personnel shall act only on documented instructions from the Client, unless required otherwise by law.
5.3 The Contractor shall assist the Client in fulfilling its obligations under GDPR Articles 32–36 (e.g., breach notification, risk assessments, DPIAs), insofar as this is reasonably possible.
5.4 The Contractor complies with applicable law on the appointment of a Data Protection Officer (DPO), if required, and ensures separation of data processing tasks.

6. Subcontracting (Sub-processors)

6.1 The Contractor is allowed to use the sub-processors listed in Annex 3.
6.2 Before contracting a sub-processor, the Contractor will assess its ability to comply with the requirements of this DPA and GDPR, especially re: TOMs.
6.3 The Contractor requires subcontractors to confirm that they will fulfill equivalent data protection obligations (e.g., by contract, DPA).
6.4 Ancillary service providers (e.g., purely administrative) are not considered sub-processors, but the Contractor will still ensure they take appropriate precautions to protect the data.
6.5 If subcontractors perform maintenance on systems that process personal data (e.g., AWS or other), they must be bound under this DPA / by equivalent obligations.

7. Control Rights & Cooperation

7.1 The Client can check the Contractor’s compliance with data protection laws and this contract.
7.2 The Contractor will provide information on request for that purpose.
7.3 The Client may ask for an on-site audit in exceptional cases if there are justified concerns.
7.4 The Contractor will provide prior cost estimates for audits.
7.5 The Contractor will also cooperate in case of supervisory authority investigations (e.g. under GDPR Art. 58).

8. Breach Notification

8.1 The Contractor must notify the Client without undue delay of any personal data breach (or suspected breach), including:

  • description of the breach;
  • categories and number of data subjects and records affected;
  • contact persons for more information;
  • likely consequences;
  • measures taken or proposed to mitigate.
8.2 The responsibility for notifying the supervisory authority and/or data subjects lies with the Client, but the Contractor will fully cooperate.

9. Obligations of the Client

9.1 The Client is solely responsible for the lawfulness of the data provision to the Contractor and for ensuring GDPR compliance (as the Controller).
9.2 If data subjects make claims under GDPR (e.g., compensation), the Contractor will assist in defense, and the Client will indemnify the Contractor where appropriate.
9.3 The Client must inform the Contractor of its DPO or data protection contact person.

10. Deletion / Return of Data After Contract End

10.1 Upon termination of the contract, the Contractor shall, per the Client’s instructions, either return all personal data (and copies) or delete it permanently, unless retention is required by law.

11. Remuneration

11.1 There is no separate fee for data processing—this is covered by the fees paid by the Client under the Main Contract.

12. International Transfers & Standard Contractual Clauses (SCCs)

12.1 Application of SCCs
Where the Contractor or its sub-processors process personal data in non-EEA countries without an adequacy decision, the Parties agree to use the EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914), which are incorporated by reference into this DPA.
12.2 Applicable Module

  • Module 2 (Controller → Processor) governs transfers from the Client to the Contractor.
  • Module 3 (Processor → Sub-Processor) governs transfers from the Contractor to its non-EEA subprocessors.
12.3 Annexes to SCCs
The Parties agree:

  • Annex I (Description of the Transfer): uses the scope / categories as per this DPA (§2 and Annex 1)
  • Annex II (TOMs): the measures described in Annex 2 apply
  • Annex III (Sub-Processors): the sub-processors listed in Annex 3
12.4 Supplementary Measures
For transfers to jurisdictions without an adequacy decision (e.g., the US, where the recipient is not covered by one), the Contractor will implement additional safeguards (encryption, access controls, transparency regarding government access, etc.) to comply with the GDPR and relevant case law (e.g., Schrems II).
12.5 Access by Public Authorities
If the Contractor or a sub-processor receives a binding request from public authorities for data access, it will:

  • inform the Client, if not prohibited;
  • assess and, if possible, legally challenge the request;
  • minimize the data disclosed.
12.6 Suspension / Termination
If the Contractor or its sub-processor can no longer comply with the SCCs or the supplementary measures, it will notify the Client immediately. The Client may suspend data transfers or terminate the relevant part of the contract.
12.7 Precedence
If there is any conflict between this DPA and the SCCs, the SCCs prevail for the international data transfer concerned.

13. Miscellaneous / Final Provisions

13.1 This Agreement (with its Annexes) contains the entire understanding between the parties relating to data processing.
13.2 Amendments require written form (e-mail or signed document).
13.3 If one provision is invalid, the remaining provisions remain in force; the invalid provision should be replaced by a legally valid one that approximates the original meaning.
13.4 Applicable law: German law.
13.5 Place of jurisdiction: Bayreuth, Germany.

Annex 1 – Data Categories, Subjects, Purpose

  1. Purpose / Nature
    • Hosting of Cloud Services (SaaS)
    • Support services
  2. Types of Personal Data
    • Name
    • Email
    • IP address
    • Usage data
    • User accounts
    • Other categories as needed
  3. Data Subjects
    • Employees
    • Freelancers
    • Customers
    • Business partners

Annex 2 – Technical & Organizational Measures (TOMs)

Data protection measures

The data protection measures implemented at Laboperator aim to ensure the confidentiality, integrity and availability of personal data, as well as the transparency and auditability of its processing.

Personal data is encrypted with measures that provide a level of protection appropriate to the risk, in line with the current state of the art and the GDPR. All server systems, services and technical measures are designed for continuous operation under the load of the associated data processing, so that the availability of personal data can be restored reliably and promptly after a physical or technical incident. In addition, continuous monitoring and evaluation procedures are used to ensure the security of processing.

Furthermore, Laboperator’s business processes are aligned with the requirements of Art. 32 of the EU General Data Protection Regulation (GDPR).

Specification of the individual measures for protection against unauthorized acquisition of personal data

  1. Physical access control
    • Not Applicable

  2. System access control
    Measures to prevent the use of data processing systems by unauthorized persons:
    • Assignment of user rights
    • Creation of user profiles
    • Password procedures
    • Authentication with username / password
    • Assignment of user profiles to IT systems
    • Automatic locking
    • Individual user accounts for authorized users (no shared root / administrator accounts)
    • Use of anti-virus software
    • Encryption of data carriers in laptops / notebooks

  3. Authorization control
    Measures to ensure that those authorized to use a data processing system can only access the data covered by their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing or use, or after storage:
    • Demand-oriented design of an authorization concept and access rights, as well as their monitoring and logging.
    • Administration of rights by system administrator
    • Number of administrators reduced to the bare minimum
    • Password policy incl. password length, password change
    • Logging of accesses to applications, especially when entering, changing and deleting data
    • Encryption of data carriers
    • Job assignment and logging only in written form via ticket system
    • Automatic generation of log files, where technically possible and reasonable, as well as evaluation of these logs in case of suspicion.

  4. Transmission control
    Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or while being transported or stored on data media, and that it is possible to verify and determine to which entities personal data is intended to be transmitted by data transmission equipment:
    • No physical storage or transport of personal data on data media
    • Logging of logins
    • Encryption and tunnel connections (SSL/TLS, VPN where applicable)

  5. Input control
    Measures to ensure that it is possible to verify retrospectively whether and by whom personal data have been entered, modified or removed in data processing systems:
    • Logging of commissioned database changes
    • Proof of commissioning and successful processing in the ticket system
    • Assignment of rights to enter, change and delete data on the basis of an authorization concept

  6. Order control
    Measures to ensure that personal data processed on behalf of the customer can only be processed in accordance with the customer’s instructions:
    • Selection of the contractor under due diligence aspects (in particular with regard to data security)
    • Prior review and documentation of the security measures taken by the contractor
    • Written instructions to the contractor (e.g. by order processing agreement)
    • Contractor has appointed data protection officer
    • Ensuring the return/destruction of data after completion of the order
    • Obligation of employees to maintain data secrecy in accordance with § 5 BDSG
    • Control of data security precautions

  7. Availability control
    Measures to ensure that personal data is protected against accidental destruction or loss:
    • Creation of a backup & recovery concept
    • Testing of data recovery
    • Creating a disaster recovery plan
    • Keeping backup data in a secure, off-site location
    • Avoiding single point of failure as the fundamental concept of all infrastructure
    • Monitoring of infrastructure systems and deployments

  8. Separation requirement
    Measures to ensure that data collected for different purposes can be processed separately:
    • Separate development, test and production data processing
    • Logical client separation
    • Definition of database rights
    • Authorization concept with definition of access rights

Annex 3 – Approved Sub-Processors & Addresses

Sub-Processor – Registered / Headquarter Address

  • Amazon Web Services EMEA SARL – 38 Avenue John F. Kennedy, L-1855 Luxembourg, Luxembourg
  • Replicated, Inc. – 8605 Santa Monica Blvd, Suite 66909, West Hollywood, CA 90069, USA
  • Carbone – 130 La Sauvagère, 85710 Bellevigny, France
  • Essentim GmbH – Schragenhofstraße 35, Gebäudeabschnitt A, 80992 München, Germany
  • Atlassian Pty Ltd – Level 6, 341 George Street, Sydney, NSW 2000, Australia
  • 1Password / AgileBits Inc. – 4711 Yonge Street, 10th Floor, Toronto, ON M2N 6K8, Canada
  • GitHub, Inc. – 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA
  • Circle Internet Services, Inc. – 201 Spear Street, Suite 1200, San Francisco, CA 94105, USA
  • HubSpot, Inc. – 25 First Street, Cambridge, MA 02141, USA
  • Google LLC – 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Microsoft Corporation – One Microsoft Way, Redmond, WA 98052, USA