Data Processing Agreement (DPA)

Pursuant to Art. 28 GDPR.

Already a Sliplane customer? You can sign your own DPA and download the signed copy directly from your team's Compliance tab.

This page is the public reference copy of the Data Processing Agreement entered into between you (the Controller) and Sliplane, Lukas Mauser, Freienwalder Str. 3, 13359 Berlin (the Processor).

1. Subject, Term, Processed Personal Data, and Categories of Data Subjects

Subject

The subject of this DPA is the commissioning of the Processor by the Controller and the issuing of instructions regarding the processing of personal data. The processing carried out by the Processor is strictly limited to the activities required to fulfill the underlying main contract.

Term

The term of this DPA corresponds to that of the main contract.

Categories of Personal Data

The categories of personal data processed are:

  • Master data
  • Communication data (e.g., phone, email)
  • Contract data
  • Log data

Categories of Data Subjects

The collected and processed personal data relates to:

  • Customers & prospects of the Controller
  • Employees & staff of the Controller
  • Suppliers of the Controller

2. Data Transfer Abroad

(1) The Processor only transfers personal data in compliance with Articles 45 et seq. GDPR. The Processor ensures that the transfer is carried out securely and with appropriate safeguards according to the current state of the art.

(2) The Processor undertakes not to transfer personal data to servers outside the EEA without the prior written approval of the Controller, unless the products purchased under the main contract are located outside the EEA and their use requires processing outside the EEA.

3. Technical and Organizational Measures

(1) Before signing this DPA, the Processor undertakes to implement all required technical and organizational security measures and to provide the Controller with a document describing these measures in detail (Annex 1), with specific reference to this agreement.

(2) The Processor guarantees that it has implemented all security measures required by Art. 28(3)(c) and Art. 32 GDPR, especially in connection with Art. 5(1) and (2) GDPR. These measures must ensure data security and an appropriate level of protection regarding confidentiality, integrity, availability, and resilience of systems. According to Art. 32(1) GDPR, the adequacy of the security measures must take into account: compliance with current state of the art, implementation costs, the nature, scope, and purpose of processing, as well as the likelihood and severity of risks to the rights and freedoms of natural persons.

(3) Technical and organizational measures are subject to technological progress and development. The Processor may adopt alternative suitable measures that meet current standards, provided that the security level is not reduced. Significant changes must be documented.

4. Rights of Data Subjects

(1) The Processor agrees to cooperate fully, to the extent reasonably possible, to support the Controller in responding to requests from data subjects exercising their rights.

(2) In particular, the Processor undertakes to:

(i) immediately forward to the Controller any request from a data subject to exercise their rights, and

(ii) where possible and appropriate, enable the Controller to design and implement technical and organizational measures necessary to comply with such requests.

(3) While the Controller remains responsible for responding to requests, the Processor may be tasked with handling specific requests, provided these do not impose an unreasonable burden and the Controller issues detailed written instructions.

5. Additional Obligations of the Processor

In addition to compliance with this DPA, the Processor agrees to meet all legal requirements set out in Articles 28–33 GDPR. In particular, the Processor guarantees compliance with:

Data Protection Officer (DPO)

The current DPO is: Lukas Mauser, Freienwalder Str. 3, 13359 Berlin, support@sliplane.io.

The Processor will promptly inform the Controller of any change to the DPO.

Confidentiality

Processing under this DPA may only be carried out by persons (e.g., employees, agents, staff) who have been informed about proper data handling and contractually committed to confidentiality under Art. 28(3)(b) and Art. 32 GDPR. The Processor and any person acting under its authority who has access to personal data may only process such data on instructions from the Controller, unless legally required otherwise.

Technical and Organizational Measures

The Processor shall implement and comply with all appropriate measures under Art. 32 GDPR. It will regularly monitor internal processes and security measures to ensure compliance with data protection law and protection of data subjects' rights. The Controller shall be given the ability to verify these measures within the Controller's audit rights under Section 7.

Cooperation with Supervisory Authorities

The Controller and Processor shall cooperate with supervisory authorities upon request. The Controller shall be promptly informed of any inspections or measures taken by a supervisory authority in relation to this DPA. If investigations are initiated against the Processor, the Processor will make all efforts to support the Controller.

6. Sub-Processors

(1) The Controller authorizes the Processor to subcontract parts of the processing to sub-processors. Such sub-processors must be contractually bound by the same obligations as set out in this DPA in accordance with Art. 28(4) GDPR.

(2) At the time of signing, the Processor engages the following sub-processors under such terms:

#  | Sub-Processor          | Address/Country                                        | Delegated Activity
---|------------------------|--------------------------------------------------------|-----------------------------------------------------------
1  | Hetzner Online GmbH    | Industriestr. 25, 91710 Gunzenhausen, Germany          | Hosting of Sliplane and customer infrastructure in the EEA
2  | Impossible Cloud GmbH  | Friesenweg 12, 22763 Hamburg, Germany                  | Encrypted offsite backups of customer data
3  | BunnyWay d.o.o.        | Dunajska cesta 165, 1000 Ljubljana, Slovenia           | DDoS protection of Sliplane infrastructure
4  | DataCamp Limited       | 9 Coldbath Square, London, United Kingdom              | Hosting of servers outside of the EEA
5  | Latitude.sh            | Rua Cubatão, 929, São Paulo, SP, 04013-043, Brazil     | Hosting of servers outside of the EEA

(3) Personal data may only be transferred to sub-processors once all requirements of (1) are met.

(4) The Processor shall maintain an updated list of sub-processors and notify the Controller of changes, allowing the Controller to object. In case of objection, the Processor may terminate the contract with immediate effect.

(5) The Processor remains fully responsible and liable for sub-processors' activities.

(6) If a sub-processor operates outside the EU/EEA, the Processor must ensure compliance with the provisions on international transfers as per Section 2 of this DPA.

7. Audits

(1) The Controller has the right to conduct audits or appoint an auditor to do so, assessing compliance with this DPA based on sample checks, for which the Processor will be notified in advance.

(2) The Processor will provide the Controller with necessary information and proof of implementation of security measures.

(3) Proof may include:

  • adherence to approved codes of conduct (Art. 40 GDPR)
  • certification under an approved scheme (Art. 42 GDPR)
  • current audit certificates or reports by independent bodies
  • certifications from IT security or data protection auditors

(4) The Processor may charge the Controller a reasonable fee for audits.

8. Support of the Controller

(1) The Processor will assist the Controller with obligations under Articles 32–36 GDPR, including:

  • ensuring appropriate security through measures considering processing risks
  • ensuring immediate detection of breaches
  • promptly reporting breaches to the Controller
  • assisting in responding to data subject requests

(2) The Processor may charge a reasonable fee for support services not included in the service description or not caused by its own errors.

9. Instructions by the Controller

(1) The Processor may only process data per the Controller's documented instructions, unless required by law.

(2) If the Controller requests changes that may cause GDPR violations, the Processor must inform the Controller immediately and may refrain from executing them.

10. Liability

(1) Each party shall indemnify the other for damages or expenses arising from its own culpable breach of this DPA, including breaches by legal representatives, subcontractors, employees, or agents. Each party also indemnifies the other against third-party claims arising from such breaches.

(2) Art. 82 GDPR remains unaffected.

11. Deletion and Return of Personal Data

(1) The Processor may not create copies of data without the Controller's knowledge and approval, except for necessary backups or where retention is legally required.

(2) Upon termination, the Processor must either delete or return all personal data to the Controller in compliance with GDPR, unless further storage is legally required.

(3) The Processor may retain information needed to demonstrate lawful processing beyond contract termination.

(4) Such documentation will be retained as per applicable laws. The Processor may hand over documentation to the Controller, releasing itself from retention obligations.

12. Place of Jurisdiction

The parties agree that the competent court at the Processor's place of business in Berlin, Wedding, shall have jurisdiction.

Annex 1: Technical and Organizational Measures (per Art. 32 GDPR)

Securing internal admin systems

  • regular security updates
  • expert use of protection tools (firewalls, encryption)
  • access control to admin systems
  • regular backups at a physically separate, independent location
  • infrastructure monitoring
  • no physical access to infrastructure
  • DDoS protection
  • GDPR-compliant deletion of data after termination

Securing customer servers

  • regular security updates
  • expert use of protection tools (firewalls, encryption)
  • infrastructure monitoring
  • access control to infrastructure
  • no physical access to infrastructure
  • updates and security of provided software remain Controller's responsibility
  • GDPR-compliant deletion of data after termination
  • if contracted: regular backups at a physically separate, independent location