Data Processing Agreement

Data Processing Agreement (DPA) pursuant to Art. 28 GDPR


This Data Processing Agreement (hereinafter referred to as the “DPA”) is concluded in accordance with Article 28 of the GDPR between


Haro GbR

Daniel Hauck & Kathrin Roth

Friedhofstr. 21

71577 Großerlach, Germany

(hereinafter referred to as the “Processor”)


and


the respective Customer

who uses the services provided by Haro GbR and has accepted the General Terms and Conditions (GTC), including this DPA,

(hereinafter referred to as the “Controller”).


This DPA forms an integral part of the GTC and shall be deemed concluded between the Processor and the respective Controller upon acceptance of the GTC.


1) Subject and Duration of Processing

1.1 Subject of the Agreement

The Processor provides the Controller with a SaaS platform for the creation and provision of websites. In this context, the Processor processes personal data on behalf of the Controller.

1.2 Commencement and Duration of Agreement

This DPA enters into force upon the registration of the Customer on the platform. The processing of personal data begins upon the active use of SaaS services by the Controller.

If no paid subscription is concluded within the 14-day trial period, the processing automatically ends upon the deactivation of the Customer’s content.

1.3 Termination and Data Deletion

If no paid subscription is concluded, all stored customer data will be irreversibly deleted after a maximum of 6 months of inactivity, provided there are no statutory retention obligations.

If a paid subscription is concluded, the duration of data processing corresponds to the contractual term of the paid SaaS subscription.

1.4 Special Provision for Non-Profit Organizations

Non-profit organizations may use the SaaS services free of charge, provided they have received confirmation from the Processor. The processing of personal data for these organizations follows the same principles as for paying customers.

If the Processor terminates the free-of-charge offering, the standard deletion period of 6 months after inactivity applies, unless statutory retention obligations exist.

1.5 Electronic Consent

The agreement is accepted electronically by the Controller upon registration or within the customer account. This consent is documented by the system.


2) Nature and Purpose of Processing

2.1 Purpose of Processing

The Processor processes personal data exclusively for providing the SaaS platform and its associated functions. The purpose of processing is the technical provision of the platform, as well as the collection and storage of personal data on behalf of the Controller.

2.2 Types of Data Processed

2.3 Categories of Data Subjects


3) Obligations of the Controller

3.1 Lawfulness of Processing

The Controller is responsible for ensuring that the collection, processing, and use of personal data is lawful.

3.2 Information Obligations

The Controller ensures that data subjects are informed in accordance with Articles 13 and 14 GDPR.

3.3 Instructions

Instructions from the Controller must be given in text form. The Processor documents and stores these instructions.

3.4 Audits of the Processor

The Controller has the right to audit the Processor, particularly through inspections. Such audits must be announced reasonably in advance and must not disproportionately interfere with the Processor’s business operations.


4) Obligations of the Processor

4.1 Processing According to Instructions

The Processor processes personal data solely based on documented instructions from the Controller.

4.2 Technical and Organizational Measures (TOMs)

The Processor ensures appropriate measures to guarantee an adequate level of data protection, including:

4.3 Notification Obligation in Case of Data Breach

The Processor will inform the Controller immediately, and no later than 24 hours after becoming aware of a data breach. In the event of a data protection incident, the Processor will provide the Controller with all necessary information according to Art. 33 GDPR to enable reporting to the supervisory authority.

4.4 Confidentiality

The Processor ensures that all individuals involved in data processing are bound by confidentiality obligations.

4.5 Support of the Controller with Data Subject Requests

The Processor assists the Controller in fulfilling data subject rights according to Chapter III GDPR (Articles 12-23), including but not limited to:

Requests from data subjects will be forwarded to the Controller without delay. Direct responses by the Processor to data subjects will only occur following documented instructions from the Controller.


5) Subcontracted Processing

5.1 The Controller provides general consent to the use of additional sub-processors. The Processor shall notify the Controller in advance about any intended changes or additions of sub-processors. The Controller may object to new sub-processors within 14 days of notification.

5.2 The Processor concludes written agreements with all sub-processors in accordance with Article 28(4) GDPR, ensuring compliance with data protection regulations.

5.3 Currently engaged sub-processors:


6) Deletion and Return of Data

6.1 Upon termination of the contractual relationship, all personal data of the Controller shall be deleted within a maximum of 90 days, unless statutory retention obligations require otherwise.

6.2 Before the end of this period, the Controller may request the return of their data in a structured, commonly used, and machine-readable format. After successful delivery, the data will be deleted by the Processor.


7) Liability

The parties are liable in accordance with statutory provisions, particularly under Article 82 GDPR, for damages incurred by a data subject resulting from processing activities not compliant with data protection regulations.


8) Final Provisions

8.1 If any provision of this Agreement is or becomes invalid, the validity of the remaining provisions remains unaffected. The invalid provision shall be replaced by a legally permissible provision that most closely reflects the purpose of the original provision.

8.2 Amendments to this Agreement require written form or electronic consent (e.g., via the SaaS platform). Such consent will be documented and stored.

8.3 This Agreement is governed by the laws of the Federal Republic of Germany, excluding the United Nations Convention on Contracts for the International Sale of Goods (CISG).

Last updated 01.03.2025