Data Processing Agreement (DPA)

Note: This DPA is a template and does not replace legal advice. Before productive use, it should be reviewed by an attorney specialized in IT and data protection law, in particular regarding the requirements of the GDPR and any industry-specific requirements.

Contracting parties

[Full name of the customer]
[Address]
[Country]
— hereinafter "Controller" or "Client" —

and

arades GmbH
Lilistraße 6
63067 Offenbach am Main
Germany
— hereinafter "Processor" or "arades" —

— together the "Parties" —

Preamble

The Parties have concluded one or more contracts for the provision of IT services, the supply of SaaS services, the resale of Microsoft licenses and/or the development of custom software (hereinafter "Main Contract").

Within the scope of the Main Contract, arades processes personal data on behalf of the Controller. This Data Processing Agreement (hereinafter "DPA") concretizes the data-protection obligations of the Parties per Art. 28 GDPR.

In the event of conflicts between the Main Contract and this DPA, the provisions of this DPA shall prevail in relation to the processing of personal data.

§ 1 Subject matter and duration of the processing

(1) The subject matter of the processing of personal data is the provision of the services agreed in the Main Contract and the associated statements of work, service descriptions or order confirmations.

(2) Details of the type and purpose of the processing, the type of personal data and the categories of data subjects are described in Annex 1 to this DPA.

(3) The duration of the processing corresponds to the term of the Main Contract, unless this DPA imposes obligations that extend beyond it.

§ 2 Right to issue instructions of the Controller

(1) arades processes personal data exclusively on the documented instructions of the Controller, including with regard to transfers of personal data to third countries or international organizations, unless arades is required to do so by Union or Member-State law to which arades is subject.

(2) Oral instructions must be confirmed in text form without delay. Instructions are generally given and received by the contact persons designated by the Controller.

(3) If arades takes the view that an instruction of the Controller violates data-protection law, arades shall notify the Controller without delay. arades is entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller.

§ 3 Obligations of the Processor

(1) arades processes personal data exclusively within the scope of the agreements and on the instructions of the Controller. If arades processes personal data for its own purposes, arades shall to that extent be regarded as the controller in its own right; this requires a separate legal basis.

(2) arades obliges the persons authorized to process the personal data to confidentiality in writing, or ensures that they are subject to an appropriate statutory duty of confidentiality. The confidentiality obligation continues to apply after the activity has ended.

(3) arades shall take all technical and organizational measures required under Art. 32 GDPR to ensure the security of the processing. The measures in place at the time of conclusion of the contract are described in Annex 2 to this DPA. arades is entitled to further develop these measures, provided that the level of protection is not undermined. Material changes shall be communicated to the Controller.

(4) arades shall support the Controller, taking into account the nature of the processing and the information available to arades, in complying with the obligations set out in Articles 32 to 36 GDPR (data security, notification of personal data breaches, data protection impact assessment, prior consultation).

(5) arades shall support the Controller with appropriate technical and organizational measures in fulfilling requests from data subjects to exercise their rights pursuant to Chapter III of the GDPR (in particular access, rectification, erasure, restriction of processing, data portability, objection). If a data subject contacts arades directly, arades shall forward this request to the Controller without delay.

(6) arades has appointed a Data Protection Officer where a corresponding statutory obligation exists. Contact details will be provided to the Controller on request.

(7) arades shall maintain the records required under Art. 30(2) GDPR of all categories of processing activities carried out on behalf of the Controller.

§ 4 Notification of data breaches

(1) arades shall inform the Controller without delay, and in any case within 48 hours of becoming aware, of any breach of the protection of personal data within the meaning of Art. 4 No. 12 GDPR.

(2) The notification shall, as far as available at the time of notification, contain at least:

• a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the personal data records concerned;
• the name and contact details of the Data Protection Officer or another point of contact for further information;
• a description of the likely consequences of the breach;
• a description of the measures taken or proposed by arades to address the breach and, where applicable, measures to mitigate possible adverse effects.

(3) Where it is not possible to provide the required information at the same time, it shall be provided in stages without further undue delay.

§ 5 Sub-processors

(1) The Controller hereby grants arades a general written authorization to engage sub-processors. The sub-processors engaged at the time of conclusion of the contract are listed in Annex 3 to this DPA.

(2) arades shall inform the Controller in advance in text form of any intended engagement of additional sub-processors or replacement of existing ones. The Controller may object to the engagement or replacement within 14 days of receipt of the notification, in text form, for justified reasons.

(3) In the event of a justified objection, the Parties shall jointly seek an amicable solution. If no such solution is reached, arades is entitled to terminate the part of the Main Contract affected by the objection with reasonable notice.

(4) arades concludes a contract with each sub-processor that imposes essentially the same data-protection obligations on the sub-processor as those set out in this DPA, in particular appropriate guarantees concerning the technical and organizational measures.

(5) Ancillary services such as telecommunications services, postal services, transport services, maintenance and user support, or the disposal of data carriers, and other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data-processing systems, are not considered sub-processors within the meaning of this DPA.

§ 6 Third-country transfer

(1) To the extent that personal data is transferred to a country outside the European Union or the European Economic Area (third country) or processed there, arades ensures that this only takes place on the basis of the requirements of Art. 44 et seq. GDPR, in particular through:

• an adequacy decision of the European Commission per Art. 45 GDPR; or
• appropriate safeguards per Art. 46 GDPR, in particular the EU Standard Contractual Clauses in their current version; or
• binding internal data-protection rules per Art. 47 GDPR.

(2) For processing by Microsoft (e.g. Microsoft 365, Dynamics 365, Azure) under CSP services or when using Microsoft cloud services to deliver the contractual services, the respective Microsoft data-protection terms apply, in particular the Microsoft Products and Services Data Protection Addendum (DPA) and the EU Standard Contractual Clauses that Microsoft offers as an integral part of its contracts.

§ 7 Audit rights of the Controller

(1) arades shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

(2) The Controller is entitled to verify compliance with the obligations under Art. 28 GDPR and this DPA. This may in particular be done by submitting suitable evidence, such as:

• current certifications or attestations (e.g. ISO/IEC 27001, BSI C5, SOC 2);
• a description of the technical and organizational measures in place per Annex 2;
• audit reports from recognized auditors.

(3) Where the evidence referred to in paragraph 2 is not sufficient in an individual case, the Controller is entitled, after prior notice with reasonable notice (as a rule at least 30 calendar days) and during normal business hours, to carry out on-site audits, or have them carried out by an independent auditor named by the Controller, who is not in a competitive relationship with arades and who has been previously bound to confidentiality.

(4) On-site audits shall be conducted in such a way that arades's business operations are not disproportionately impaired. They shall as a rule not take place more than once per calendar year, unless there is a specific cause.

(5) The expense associated with audits shall be reimbursed by the Controller, provided arades has made appropriate evidence per paragraph 2 available to the Controller. arades will present the expense transparently to the Controller in advance.

§ 8 Termination, deletion and return of data

(1) After the provision of the processing services has ended, arades shall, at the Controller's choice, either delete all personal data or return it and delete existing copies, unless storage of the personal data is required under Union or Member-State law.

(2) A corresponding choice by the Controller must be made within 30 calendar days of the termination of the Main Contract in text form. If no choice is made within this period, arades is entitled to delete the data.

(3) For the return of the data in a structured, commonly used and machine-readable format, arades may charge a reasonable fee based on effort, provided this requires effort beyond the standard export functions.

(4) Deletion also covers all backup copies, as far as this is technically possible and compatible with general retention periods. Data in backups will be overwritten as part of the regular backup cycle.

(5) arades confirms the completion of the deletion to the Controller in text form upon request.

§ 9 Liability

(1) In the internal relationship between the Parties, the provisions of the Main Contract apply to liability for data-protection violations, in particular the limitations of liability agreed there, to the extent compatible with mandatory data-protection law.

(2) In the external relationship vis-à-vis data subjects, Art. 82 GDPR applies. The Parties undertake to support each other to the extent that one Party is held liable due to a breach by the other Party, and to provide a corresponding internal compensation.

§ 10 Final provisions

(1) Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions shall not be affected. In place of the invalid provision, the valid arrangement that comes closest to the purpose of the invalid provision shall be deemed agreed.

(2) Amendments and additions to this DPA, including its annexes, require text form.

(3) The law of the Federal Republic of Germany shall apply. The place of jurisdiction is Frankfurt am Main, provided the Controller is a merchant, a legal entity under public law, or a special fund under public law.

(4) This DPA enters into force upon signature by both Parties and ends automatically with the termination of the Main Contract, unless this DPA or the Main Contract provides otherwise. The obligations regulated in this DPA continue beyond the end of the contract to the extent this is required by the nature of the matter.

Signatures

Annex 1: Description of the processing

1. Subject matter and purpose of the processing

The processing of personal data is carried out for the purpose of providing the services agreed in the Main Contract, in particular:

• advisory, configuration, implementation, customization and support of Microsoft Dynamics 365, Microsoft Power Platform and Microsoft 365;
• provision and operation of arades's own SaaS solutions;
• resale and brokerage of Microsoft subscriptions under the Microsoft Cloud Solution Provider program;
• creation and customization of individual software solutions;
• maintenance and troubleshooting on systems of the Controller.

2. Type of personal data

Within the scope of the processing, depending on the specific engagement and the system environment of the Controller, the following categories of personal data may in particular be processed:

• master data (last name, first name, salutation, title, date of birth);
• contact data (address, email address, phone/mobile number);
• professional data (employer, position, department, personnel number);
• contract and contract-billing data;
• communication data (email content, notes, conversation logs in CRM systems);
• usage data (login data, IP addresses, log files, activity logs);
• other personal data stored in the systems of the Controller to which arades obtains access in the course of providing the services.

The processing of special categories of personal data per Art. 9 GDPR is not regularly envisaged. Should such data be part of the Controller's system environment, this is known to the Controller; arades processes such data only insofar as it is unavoidable for the provision of the contractual services.

3. Categories of data subjects

The following categories of data subjects may be affected by the processing:

• employees, staff and management of the Controller;
• customers, prospects and business partners of the Controller;
• suppliers and service providers of the Controller;
• other persons whose data is stored in the systems of the Controller.

4. Duration of the processing

The processing takes place for the duration of the Main Contract. After termination, the data is handled per § 8 of this DPA.

Annex 2: Technical and organizational measures (TOM)

arades implements the following technical and organizational measures per Art. 32 GDPR to ensure a level of protection appropriate to the risk. To the extent that processing takes place in third-party cloud services (in particular Microsoft Azure, Microsoft 365), the TOM of those providers supplement arades's measures.

1. Confidentiality (Art. 32(1)(b) GDPR)

Physical access control

• business premises are secured by electronic access systems or locking systems;
• access to server rooms is restricted to a limited group of people;
• visitors are received, documented and accompanied in sensitive areas.

System access control

• authentication on IT systems via username and secure password;
• multi-factor authentication (MFA) for administrative access and cloud services;
• password policies (minimum length, complexity, regular rotation);
• automatic screen lock after inactivity;
• encryption of end-device hard drives.

Data access control

• role- and rights-based authorization concept (need-to-know principle);
• separation of test, development and production environments;
• logging of administrative access;
• regular review of authorizations.

Separation control

• logical separation of data of different tenants/customers;
• multi-tenant system architecture for SaaS solutions;
• separation of production and test data.

Pseudonymization

• pseudonymization is used where possible and necessary for the provision of the service (e.g. for tests with anonymized or pseudonymized data sets).

2. Integrity (Art. 32(1)(b) GDPR)

Transfer control

• encrypted data transmission (TLS/SSL) for transfers over public networks;
• secure remote access exclusively via VPN or comparable security mechanisms;
• no transmission of personal data over unencrypted channels;
• documentation of data transfers.

Input control

• logging of entries, changes and deletions in production systems, as far as technically reasonable and supported by the system;
• traceability of administrative activities;
• four-eyes principle for particularly critical changes.

3. Availability and resilience (Art. 32(1)(b) GDPR)

• regular data backup of arades's own systems;
• use of professional cloud infrastructures (in particular Microsoft Azure) with geo-redundant data storage;
• protection against malware through up-to-date anti-malware solutions;
• firewall and network-security measures;
• uninterruptible power supply in critical areas via cloud providers;
• contingency and recovery plans.

4. Procedure for regular review, assessment and evaluation (Art. 32(1)(d) GDPR)

• data-protection management: training of employees on data protection and information security;
• commitment of employees to data secrecy and confidentiality;
• incident-response process: established process for detection, assessment and notification of data-protection violations;
• regular review and update of technical and organizational measures;
• conduct of data protection impact assessments where required (Art. 35 GDPR).

5. Engagement control

• contracts with sub-processors contain data-protection clauses per Art. 28 GDPR;
• careful selection of sub-processors with regard to data-protection compliance;
• regular review of the protective measures taken at the sub-processors on the basis of submitted evidence.

Note: This description of measures is exemplary and should be adapted in the final version to the measures actually implemented at arades. If an ISMS certificate (e.g. ISO 27001) or comparable attestation is available, it can additionally be referenced.

Annex 3: Sub-processors

At the time of conclusion of the contract, the following sub-processors are engaged:

[This list must be completed before signing the contract and adapted to the sub-processors actually engaged. For Microsoft services, reference must be made to the current version of the Microsoft Data Processing Addendum (DPA) and the EU Data Boundary.]

As of: May 8, 2026 · Related documents: Privacy policy · Terms · Imprint