Data Processing Agreement (DPA)

Terms and Conditions (T&C) & Service Description
|
Data Processing Agreement (DPA)
|
Data protection (European Union)
|
Imprint

between
[Name of the Customer] – hereinafter referred to as the “Controller” pursuant to Art. 4 No. 7 GDPR –
and
insiba Engineering, Käthe-Kollwitz-Ring 83, 76676 Graben-Neudorf, Germany – hereinafter referred to as the “Processor” pursuant to Art. 4 No. 8 GDPR

I. Preamble

The parties are connected through the conclusion of the Terms and Conditions (T&C) valid at the time of contract conclusion regarding the use of the SaaS solution “eCommerce One”. Within the scope of this contractual relationship, the Processor processes personal data on behalf of the Controller.

This Data Processing Agreement specifies the data protection rights and obligations of the parties in accordance with Art. 28 GDPR. It regulates the nature, scope and purpose of the processing of personal data as well as the requirements for technical and organizational measures and the use of sub-processors.

This agreement supplements the Terms and Conditions (T&C) valid at the time of contract conclusion. In the event of contradictions, the provisions of this Data Processing Agreement shall prevail.

II. Scope

(1) This agreement applies to all activities of the Processor in which personal data of the Controller are processed.

(2) The Controller remains solely responsible for compliance with applicable data protection regulations.

(3) This agreement applies to all processing operations carried out within the use of the SaaS platform “eCommerce One”.

III. Subject, Nature, Purpose and Duration of Processing

(1) The subject of the processing is personal data processed in connection with the use of the eCommerce One platform, in particular in connection with order imports, customer and product management, document creation, shipping processing and automation functions.

(2) The nature of the processing includes in particular the collection, storage, organization, use, transfer, restriction or deletion of personal data.

(3) The purpose of the processing is the provision of the contractually agreed SaaS services.

(4) Processing begins with the activation of the customer account and ends with the complete deletion or return of the personal data after termination of the contractual relationship.

(5) Processing generally takes place within the European Union or the European Economic Area. Transfers to third countries only occur in compliance with Art. 44 et seq. GDPR.

IV. Obligations of the Processor

(1) The Processor processes personal data exclusively on documented instructions of the Controller.

(2) All persons authorized to process personal data are obliged to maintain confidentiality.

(3) The Processor implements appropriate technical and organizational measures in accordance with Art. 32 GDPR.

(4) The Processor supports the Controller in fulfilling data subject rights pursuant to Art. 12–23 GDPR.

(5) The Processor assists the Controller in complying with the obligations under Art. 32–36 GDPR.

(6) The Processor informs the Controller without delay if it believes that an instruction violates data protection regulations.

V. Obligations of the Controller

(1) The Controller is responsible for the lawfulness of the processing of personal data.

(2) The Controller ensures that it is authorized to process personal data.

(3) The Controller regularly reviews the technical and organizational measures implemented by the Processor.

(4) The Controller informs the Processor immediately of any detected data protection violations.

VI. Instructions

(1) Instructions must generally be issued in writing or in text form.

(2) The Processor is entitled to suspend the implementation of an instruction if it violates data protection law.

(3) Instructions outside the agreed scope of services shall be considered change requests.

VII. Technical and Organizational Measures (TOMs)

The Processor implements appropriate technical and organizational measures pursuant to Art. 32 GDPR, in particular measures ensuring the confidentiality, integrity, availability and resilience of systems as well as procedures for restoring the availability of personal data.

VIII. Audit Rights

(1) The Controller is entitled to verify compliance with this agreement.

(2) Suitable evidence may include certifications, audit reports by independent third parties or data protection audits.

(3) Audits must be announced in advance and must not disproportionately disrupt the Processor's business operations.

IX. Sub-processors

(1) The Controller grants general authorization for the engagement of sub-processors.

(2) The Processor contractually obliges sub-processors to comply with the GDPR.

(3) Changes regarding sub-processors will be communicated to the Controller.

X. Deletion and Return of Data

(1) After termination of the contractual relationship, personal data will be deleted or returned to the Controller upon request.

(2) Statutory retention obligations remain unaffected.

XI. Liability

The parties shall be liable in accordance with the statutory provisions of the GDPR, in particular Art. 82 GDPR.

Status: 02.03.2026