Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR

Version: 1.1 As of: February 16, 2026

Download DPA with your company details

You can download the DPA pre-filled with your company details in the logged-in area under Settings → Company Details.

The DPA is concluded in text form (electronic) via a separate checkbox during registration; timestamp and version are stored.

between

[Customer name / Company], [Address] ("Controller")

and

Herz-Kilometer UG (haftungsbeschränkt) i.G., Grüne Trift 123, 12557 Berlin, Germany ("Processor")

– jointly referred to as "Parties" –

1 Subject Matter and Duration

1.1 The Processor provides the Controller with services related to the use of the "Herz-Kilometer" platform (web admin, website and mobile apps) as Software-as-a-Service ("Services").

1.2 The subject matter of this DPA is the processing of personal data by the Processor on behalf of the Controller within the scope of the Services.

1.3 The duration of this DPA corresponds to the term of the main contract (e.g. subscription) plus any contractually agreed transition/export periods pursuant to Section 10.

2 Nature and Purpose of Processing

2.1 Nature of processing (depending on use): Collection, recording, organization, structuring, storage, adaptation/alteration, retrieval, consultation, use, disclosure (to sub-processors), alignment, restriction, erasure/destruction.

2.2 Purposes of processing:

  • Provision and operation of the Herz-Kilometer platform
  • Management of companies, roles, memberships and access (join codes/invitations)
  • Recording/display/aggregation of activity and kilometer data of participants (e.g. via app/integrations)
  • Calculation and display of package progress/metrics (reporting/exports)
  • Communication/security (system emails, support, abuse/security prevention)
  • Logging/error analysis and technical maintenance (logs)

2.3 No change of purpose: The Processor does not process data for its own purposes but exclusively for the provision of Services, unless permitted by law (e.g. IT security, abuse prevention) or expressly agreed.

3 Types of Personal Data and Data Subjects

3.1 Data subjects:

  • Employees/participants of the Controller (including invited users)
  • Administrators/contacts of the Controller
  • Other user groups added by the Controller (e.g. team leads)

3.2 Categories of personal data (depending on use/integration):

  • Master data: Name/display name, email, user ID, company assignment, role
  • Auth/account data: Login/token information (technical), verification status
  • Activity/movement data: Kilometers, activity timestamp, duration, activity metadata (e.g. activity type) from connected services
  • Usage data: App/web usage, interactions, technical events
  • Device/technical data: IP address, device info, log data, crash/error data
  • Communication data: Support requests, system notifications

3.3 Special categories (Art. 9 GDPR): If activity data qualifies as health data in individual cases, processing is carried out exclusively on instruction of the Controller and with enhanced protective measures according to Annex 1. The Controller ensures the required legal basis.

4 Controller's Right to Issue Instructions

4.1 The Processor processes personal data exclusively based on documented instructions from the Controller, unless there is a legal obligation to process. In this case, the Processor informs the Controller, if legally permissible.

4.2 Instructions may be issued in text form (e.g. email). The Processor may refuse instructions that, in its opinion, violate data protection law; it informs the Controller immediately.

4.3 The Controller remains responsible for the lawfulness of processing, compliance with information obligations, legal bases (especially for special categories under Art. 9 GDPR), and issuing lawful instructions.

5 Obligations of the Processor

5.1 The Processor undertakes to obligate all persons processing personal data to confidentiality.

5.2 The Processor implements and maintains appropriate technical and organizational measures (TOMs) according to Art. 32 GDPR as per Annex 1.

5.3 The Processor assists the Controller where possible with:

  • Ensuring data subject rights (Section 7)
  • Data security, data protection impact assessment (DPIA) and prior consultation (Section 8)
  • Notification of data breaches (Section 9)

5.4 The Processor maintains a record of processing activities where legally required.

6 Sub-processors

6.1 The Controller grants the Processor general authorization to engage sub-processors listed in Annex 2 or added pursuant to Section 6.2.

6.2 The Processor informs the Controller of intended changes (additions/replacements) to sub-processors at least 14 days before they take effect (e.g. via email or admin dashboard). The Controller may object for important reasons. If the Processor cannot provide the service without the new sub-processor, the Controller may terminate the affected service or main contract extraordinarily.

6.3 The Processor concludes contracts with sub-processors pursuant to Art. 28 GDPR containing at least the obligations set out in this DPA.

6.4 Third-party data sources (e.g. Strava/Garmin/Polar/Suunto/Apple Health): Where participants connect data from external services, the third-party providers of those services are typically independent controllers. They are not automatically sub-processors of the Processor. The Processor processes the received data on behalf of the Controller.

7 Assistance with Data Subject Rights

7.1 The Processor assists the Controller to a reasonable extent with requests from data subjects (access, rectification, erasure, restriction, portability, objection) relating to data processed on behalf of the Controller.

7.2 The Processor does not respond to data subject requests itself, except:

  • on instruction of the Controller, or
  • where legally permissible/required.

7.3 The Controller remains responsible for legal assessment and timely fulfillment.

8 Assistance with DPIA and Prior Consultation

The Processor assists the Controller upon request to a reasonable extent in conducting a data protection impact assessment (Art. 35 GDPR) and prior consultation (Art. 36 GDPR), particularly by providing information on TOMs and sub-processors.

9 Notification of Data Breaches

9.1 The Processor informs the Controller without undue delay upon becoming aware of a personal data breach during commissioned processing.

9.2 The notification contains where possible:

  • Description of the nature of the breach
  • Affected data categories and groups of persons
  • Likely consequences
  • Measures taken/recommended

9.3 The Processor assists the Controller in fulfilling notification and communication obligations.

10 Return, Deletion and Data Export after Contract End

10.1 After termination of the main contract, the Processor only processes data for settlement, data return/export and deletion pursuant to this section.

10.2 Choice: After contract end, the Controller may request return (export) or erasure of the processed personal data within 30 days, unless statutory retention obligations prevent this.

10.3 Return/export: Upon request, the Processor provides the data in a structured, commonly used, machine-readable format or enables equivalent export functions.

10.4 Erasure: If no return is requested, or after return has been completed, the Processor deletes the data unless statutory retention obligations or legitimate security/evidence requirements prevent this (e.g. accounting records, security logs to an appropriate extent). Backups are overwritten as part of the regular backup cycle.

10.5 The Processor documents deletion upon request to a reasonable extent.

11 Audit Rights

11.1 The Controller is entitled to verify compliance with this DPA. The Processor provides suitable evidence (e.g. TOM description, sub-processor list, security concepts, certificates/reports where available).

11.2 On-site audits are only permissible for justified cause, with reasonable notice and considering trade/business secrets and security requirements. The Processor may refer audits to third-party reports where appropriate.

11.3 The Controller bears audit costs unless the audit was required due to proven material breach by the Processor.

12 Technical and Organizational Measures (TOMs)

TOMs are described in Annex 1 and are appropriately developed by the Processor during the contract term. Material changes reducing the security level are communicated to the Controller in advance.

13 International Data Transfers

13.1 Where sub-processors or their subcontractors process data outside the EEA, the Processor ensures appropriate safeguards (e.g. EU Standard Contractual Clauses, adequacy decision) and documents these upon request.

13.2 The Controller acknowledges that use of certain tools/providers may involve third-country processing; details are provided in Annex 2 and respective provider information.

14 Liability

14.1 The liability provisions of the main contract/Terms apply. In relation to the Controller, the Processor is liable for breaches of this DPA in accordance with statutory provisions and main contract agreements.

14.2 Any liability provisions under Art. 82 GDPR remain unaffected.

15 Final Provisions

15.1 In case of conflicts between this DPA and the main contract, this DPA takes precedence regarding data protection obligations.

15.2 Amendments and additions to this DPA require text form.

15.3 German law applies. Place of jurisdiction is, where permissible, the Processor's registered office.

15.4 This DPA is concluded in text form. Electronic acceptance during registration (including storage of timestamp, accepting user ID and version) fulfills the form requirement under Art. 28(9) GDPR.

Signatures

[Customer name / Company] (Controller)

Place/Date: ____________________

Name/Function: ________________

Signature: ___________________

Herz-Kilometer UG (haftungsbeschränkt) i.G. (Processor)

Place/Date: ____________________

Name/Function: ________________

Signature: ___________________

Annex 1 – Technical and Organizational Measures (TOMs)

(Summary)

1) Physical Access Control

  • Access to development/operations environments only for authorized persons
  • Device and account security (screen lock, encryption, MDM where available)

2) System Access Control

  • Role-based access control (admin/role models)
  • Strong authentication (password policies, optional MFA), session management
  • Logging of security-relevant events

3) Data Access Control

  • Least privilege principle, separated environments (prod/stage/dev) where possible
  • Data access at database level (e.g. Row-Level-Security), separate service keys
  • Restriction of support access, access only when needed

4) Transfer Control

  • TLS encryption for data transmission (HTTPS)
  • API keys/secrets securely stored (secret management)
  • Connections to third-party integrations via standardized authorization (e.g. OAuth)

5) Input Control / Traceability

  • Logging of admin actions/changes (where provided by product)
  • Change and release processes with version control

6) Processing Control

  • Sub-processor contracts pursuant to Art. 28 GDPR
  • Documented process for sub-processor changes (notification/objection)

7) Availability Control

  • Backup/restore strategy of hosting/DB provider
  • Monitoring/alerting, overload protection (rate limits), DDoS protection where available
  • Emergency processes for recovery

8) Separation Control

  • Tenant separation through logical separation (tenant IDs, RLS/policies)
  • Separation of test and production data where possible

9) Privacy by Design

  • Data minimization (only required data)
  • Default restrictive roles/policies
  • Retention and deletion concept pursuant to Section 10

10) Encryption

  • Transport encryption (TLS)
  • Encryption at rest per infrastructure/DB provider capabilities
  • Passwords/secrets not in plaintext, hashing/encryption per state of the art

Annex 2 – Sub-processors

This annex distinguishes between sub-processors under Art. 28 GDPR and further recipients that typically act as independent controllers.

A) Infrastructure/Hosting/Database

Supabase

Purpose: Platform operation (database, auth, storage, edge functions)

Location: Frankfurt (Germany/EEA)

B) Email Sending (System/Transactional/Report Emails)

Mailjet (Sinch Mailjet)

Purpose: Sending system, transactional and report emails

Location: EU (France)

Supabase Auth (integrated, depending on setup)

Purpose: Authentication-related system emails

Location: EEA

C) Monitoring/Error Analysis

Sentry

Purpose: Error tracking/performance/debugging (events/logs, pseudonymized where possible)

Location: Frankfurt (Germany/EEA)

D) Push Notifications (optional)

Google Firebase Cloud Messaging (FCM)

Purpose: Technical delivery of push notifications

Location: USA (third-country processing possible) – Safeguards: SCC / Adequacy decision

E) Web Analytics (consent-based only)

Google Analytics 4 (Google LLC)

Purpose: Website usage analysis (depending on setup)

Location: USA (third-country processing possible) – Safeguards: SCC / Adequacy decision

F) Further Recipients (typically independent controllers, not sub-processors)

PayPal, Strava, Garmin, Polar, Samsung Health, Suunto, Apple Health, betterplace.org, Microsoft Teams (Incoming Webhooks), Qonto

Purpose: Payment processing, data source/integration services, or target systems configured by the Controller

Note: These entities usually act as independent controllers; usage depends on Controller configuration and/or data subject consent.

Data Protection Contact

Herz-Kilometer UG (haftungsbeschränkt) i.G.
Grüne Trift 123
12557 Berlin, Germany
privacy@herz-kilometer.de