Legal document Legal document

Data Processing Agreement (DPA)

Version 2026-01-01 · Valid from 2026-01-01

Back to shop
This is a preview version (draft) of the Data Processing Agreement. The binding, personalized version is generated after login based on your billing profile.

Data Processing Agreement (DPA)

Effective date: 13 Jan 2026

between

(1) Customer / Controller

Name/Company: -

Address: -

Authorized representative: -

Email: -

and

(2) SoluForge / Processor

Benjamin Wenzel SoluForge (sole proprietorship)

Owner: Benjamin Wenzel

Kolonnenstrasse 8, 10827 Berlin, Germany

Email: privacy@soluforge.de

1. Subject matter, term, and documents

1.1 The subject of this Data Processing Agreement ("DPA") is the processing of personal data by the Processor in connection with the provision of the SaaS service "Craftifact".

This DPA is concluded pursuant to Art. 28 GDPR.

1.2 The term of the processing corresponds to the term of the main contract.

1.3 The annexes are part of this DPA:

  • Annex 1: Description of the processing
  • Annex 2: Technical and organizational measures (TOMs)
  • Annex 3: Subprocessors (subprocessor list) – Subprocessors

2. Processing only on instructions

2.1 The Processor processes personal data solely on documented instructions from the Controller, unless there is a legal obligation to process.

2.2 Instructions may be given in text form (e.g., email, ticket system).

2.3 The Processor shall inform the Controller without undue delay if it believes an instruction violates applicable data protection law.

3. Confidentiality

3.1 The Processor ensures that all persons involved in the processing are bound to confidentiality.

3.2 Access to personal data follows the need-to-know principle.

4. Security / TOMs (Art. 32 GDPR)

4.1 The Processor implements technical and organizational measures pursuant to Annex 2, reflecting the state of the art and considering the nature, scope, and purpose of the processing.

4.2 Changes to the TOMs are permitted provided the security level is not reduced.

5. Subprocessors

5.1 The Controller grants a general authorization for the use of the subprocessors listed in Annex 3.

5.2 The Processor informs the Controller at least 14 days prior to changes to the subprocessor list.

5.3 The Controller may object for good cause. If no mutual solution is possible and the use is necessary, the Controller may terminate the affected service component or the main contract for cause.

5.4 Subprocessors are contractually obligated to at least the obligations of this DPA.

5.5 Processing of personal data in third countries takes place only in compliance with Art. 44 et seq. GDPR, in particular on the basis of adequacy decisions or appropriate safeguards (e.g., EU Standard Contractual Clauses).

6. Assistance obligations

6.1 The Processor shall reasonably assist the Controller in responding to data subject requests (Arts. 12–23 GDPR).

6.2 Assistance with security obligations (Art. 32 GDPR), data protection impact assessments (Art. 35 GDPR), and consultations (Art. 36 GDPR) is provided to a reasonable extent.

6.3 Assistance beyond the contractual standard may be subject to separate remuneration.

6.4 The Processor is not entitled to respond to data subject requests independently and will forward them to the Controller without undue delay unless legally required to respond.

7. Notification of personal data breaches

7.1 The Processor will notify the Controller without undue delay of any known personal data breaches.

7.2 The notice shall include, as available, the nature of the breach, categories of data affected, possible consequences, and measures taken or recommended.

8. Deletion and return

8.1 After termination of the contract, the Processor will delete or return personal data according to the Controller's documented instructions, unless statutory retention obligations apply.

8.2 Practical export and deletion periods are governed by the main contract.

9. Evidence and audits

9.1 The Processor shall provide appropriate evidence (e.g., TOM description, subprocessor list).

9.2 Audits are permitted at most once per calendar year with at least 30 days' prior notice.

9.3 Document and remote audits take precedence. On-site audits only with justified cause.

9.4 Audits must not disproportionately impair operations.

9.5 Audits without justified cause are borne by the Controller.

10. Liability

The liability provisions of the main contract apply.

Statutory liability under Art. 82 GDPR remains unaffected.

11. Final provisions

11.1 Amendments to this DPA require text form.

11.2 German law applies. Jurisdiction is Berlin where legally permissible.

Annex 3 – Subprocessors

The then-current subprocessor list applies: Subprocessors.

Changes are made in accordance with Section 5 of this DPA.