Data Processing Agreement
Standard DPA for GDPR compliance
Between
The generic customer / user of the Software, hereinafter referred to as "Controller"
And
Vound Brand UG (haftungsbeschränkt)
Am Markt 11
17309 Pasewalk
Germany
hereinafter referred to as "Processor"
(Controller and Processor hereinafter referred to as "Parties")
1. Preamble
This Data Processing Agreement ("DPA") specifies the data protection obligations of the Parties arising from the processing of personal data by the Processor on behalf of the Controller in connection with the main service agreement ("Main Agreement") for the use of the Vound Brand software. This DPA applies to all activities in which the Processor or its subcontractors come into contact with personal data of the Controller.
2. Subject Matter and Duration
2.1. Subject Matter: The subject matter of the processing is the execution of the following services: Provision of a SaaS platform for content generation and management, user administration, and AI-based processing.
2.2. Duration: The term of this DPA corresponds to the term of the Main Agreement. It ends automatically with the termination of the Main Agreement.
3. Nature and Purpose of Processing
The nature and purpose of the processing of personal data by the Processor is defined in the Main Agreement. This includes:
- Hosting and storage of data.
- Processing of text and media inputs via AI models.
- User management and authentication.
- Support and maintenance services.
4. Categories of Data and Data Subjects
4.1. Categories of Data:
- User account data (Name, Email, Password hashes, Role).
- Content data (Text inputs, Generated text, File uploads).
- Connection data (IP addresses, Logfiles).
- Billing data.
4.2. Categories of Data Subjects:
- Employees/Staff of the Controller.
- End-customers of the Controller (if Agency/Reseller model applies).
- Partners or suppliers of the Controller.
5. Rights and Obligations of the Controller
5.1. The Controller is responsible for compliance with the statutory provisions on data protection, in particular for the lawfulness of the data transfer to the Processor and the lawfulness of the data processing ("Controller" pursuant to Art. 4 No. 7 GDPR).
5.2. The Controller is entitled to issue instructions concerning the nature, scale, and method of data processing. Instructions can be given in writing or electronically.
6. Duties of the Processor
6.1. Processing on Instructions: The Processor shall process the personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject.
6.2. Confidentiality: The Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3. Security: The Processor takes all measures required pursuant to Article 32 GDPR (Technical and Organizational Measures - TOMs) to ensure a level of security appropriate to the risk.
6.4. Subprocessors: The Controller grants the Processor general authorization to engage other processors (subprocessors). The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors. The same data protection obligations as set out in this DPA shall be imposed on that other processor.
6.5. Data Subject Rights: The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights.
6.6. Assistance: The Processor assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor.
6.7. Deletion/Return: At the choice of the Controller, the Processor deletes or returns all the personal data to the Controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data.
7. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. Inspections may be conducted by the Controller or an auditor mandated by the Controller. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.
8. International Transfers
Data processing takes place primarily within the EU/EEA. If data is transferred to a third country (e.g., USA via subprocessors like Stripe or OpenAI), the Processor ensures that the requirements of Art. 44 et seq. GDPR are met (e.g., through EU Standard Contractual Clauses or an Adequacy Decision).
9. Final Provisions
9.1. In case of contradictions between this DPA and other agreements between the Parties, this DPA shall prevail.
9.2. Amendments and supplements to this DPA must be made in writing.
9.3. This DPA is governed by German law. The place of jurisdiction is Pasewalk, Germany.
Annexes
Annex 1: Technical and Organizational Measures (TOMs)
Reference is made to the Processor's security documentation, which includes Encryption, Access Control, Physical Security, and Availability Control.
Annex 2: List of Subprocessors
Current list available upon request at support@l4yercak3.com