Legal · As of May 8, 2026

Data Processing Agreement (DPA)

Template agreement pursuant to Art. 28 GDPR between the customer as the controller and arades GmbH as the processor — including a description of the processing, technical and organizational measures, and sub-processor list.

Note: This DPA is a template text and does not replace legal advice. Before productive use, a review by a lawyer specialized in IT and data protection law should be carried out, in particular with regard to the requirements of the GDPR as well as industry-specific requirements.

Contracting parties

[Full name of the customer]
[Address]
[Country]
— hereinafter referred to as "Controller" or "Client" —

and

arades GmbH
Lilistrasse 6
63067 Offenbach am Main
Germany
— hereinafter referred to as "Processor" or "arades" —

— together the "Parties" —

Preamble

The Parties have concluded one or more contracts for the provision of IT services, the provision of SaaS services, the resale of Microsoft licenses, and/or the creation of custom software (hereinafter the "Main Contract").

Within the framework of the Main Contract, arades processes personal data on behalf of the Controller. This Data Processing Agreement (hereinafter "DPA") specifies the data protection obligations of the Parties pursuant to Art. 28 GDPR.

In the event of contradictions between the Main Contract and this DPA, the provisions of this DPA shall prevail with regard to the processing of personal data.

§ 1 Subject matter and duration of the processing

(1) The subject matter of the processing of personal data is the provision of the services agreed in the Main Contract and the associated service descriptions, statements of work, or order confirmations.

(2) The details of the nature and purpose of the processing, type of personal data, and categories of data subjects are described in Annex 1 to this DPA.

(3) The duration of the processing corresponds to the term of the Main Contract, unless any further obligations result from the provisions of this DPA.

§ 2 Right of instruction of the Controller

(1) arades processes personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless arades is required to do so by Union law or the law of the Member States to which arades is subject.

(2) Oral instructions must be confirmed in text form without undue delay. Instructions shall be given by the contact persons designated by the Controller for this purpose and addressed to the contact persons designated by arades.

(3) If arades is of the opinion that an instruction of the Controller violates data protection provisions, arades shall inform the Controller without undue delay. arades is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Controller.

§ 3 Obligations of the Processor

(1) arades processes personal data exclusively within the scope of the agreements and according to the instructions of the Controller. If arades processes personal data for its own purposes, arades shall be considered the controller in this respect; this requires a separate legal basis.

(2) arades shall require the persons authorized to process the personal data to maintain confidentiality in writing or ensure that they are subject to an appropriate statutory duty of confidentiality. The confidentiality obligation shall continue after the termination of the activity.

(3) arades shall take all technical and organizational measures required under Art. 32 GDPR to ensure the security of processing. The measures in place at the time of the conclusion of the contract are described in Annex 2 to this DPA. arades is entitled to further develop these measures, provided that the level of protection is not undercut. Material changes shall be communicated to the Controller.

(4) Taking into account the nature of the processing and the information available to it, arades shall assist the Controller in complying with the obligations set out in Art. 32 to 36 GDPR (data security, notification of personal data breaches, data protection impact assessment, prior consultation).

(5) arades shall, with appropriate technical and organizational measures, assist the Controller in fulfilling requests from data subjects exercising their rights under Chapter III of the GDPR (in particular access, rectification, erasure, restriction of processing, data portability, objection). If a data subject contacts arades directly, arades shall forward this request to the Controller without undue delay.

(6) arades has appointed a data protection officer where there is a corresponding legal obligation. Contact details will be provided to the Controller upon request.

(7) arades shall maintain the records required under Art. 30(2) GDPR of all categories of processing activities carried out on behalf of the Controller.

§ 4 Notification of personal data breaches

(1) arades shall inform the Controller of any personal data breach within the meaning of Art. 4 No. 12 GDPR without undue delay and in any event within 48 hours of becoming aware of it.

(2) The notification shall, to the extent available at the time of notification, contain at least the following:

  • a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • a description of the likely consequences of the breach;
  • a description of the measures taken or proposed by arades to remedy the breach, including, where appropriate, measures to mitigate its possible adverse effects.

(3) Where it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

§ 5 Sub-processors

(1) The Controller hereby grants arades general written authorization to engage sub-processors. The sub-processors engaged at the time of the conclusion of the contract are listed in Annex 3 to this DPA.

(2) arades shall inform the Controller in advance in text form of any intended addition or replacement of sub-processors. The Controller may object to the addition or replacement within 14 days of receipt of the notification on justified grounds in text form.

(3) In the event of a justified objection, the Parties shall jointly seek an amicable solution. If no such solution is reached, arades is entitled to terminate the part of the Main Contract affected by the objection with reasonable notice.

(4) arades shall conclude a contract with each sub-processor that imposes substantially the same data protection obligations as set out in this DPA, in particular appropriate guarantees regarding technical and organizational measures.

(5) Providers of ancillary services, such as telecommunications services, postal services, transport services, maintenance and user support services, or the disposal of data carriers, as well as providers of other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of data processing systems, shall not be considered sub-processors within the meaning of this DPA.

§ 6 Third-country transfer

(1) Insofar as personal data is transferred to or processed in a country outside the European Union or the European Economic Area (third country), arades shall ensure that this is done only on the basis of the requirements of Art. 44 et seq. GDPR, in particular through:

  • an adequacy decision of the European Commission pursuant to Art. 45 GDPR; or
  • appropriate safeguards pursuant to Art. 46 GDPR, in particular the EU Standard Contractual Clauses in their currently applicable version; or
  • binding internal data protection rules pursuant to Art. 47 GDPR.

(2) For processing by Microsoft (e.g., Microsoft 365, Dynamics 365, Azure) as part of the CSP services or when using Microsoft cloud services to provide the contractual services, the respective Microsoft data protection provisions apply, in particular the Microsoft Products and Services Data Protection Addendum (DPA) as well as the EU Standard Contractual Clauses that Microsoft offers as an integral part of its contracts.

§ 7 Audit rights of the Controller

(1) arades shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

(2) The Controller is entitled to satisfy itself of compliance with the obligations under Art. 28 GDPR and this DPA. This may be done in particular by submission of suitable evidence, such as:

  • submission of current certifications or attestations (e.g., ISO/IEC 27001, BSI C5, SOC 2);
  • submission of a description of the technical and organizational measures taken pursuant to Annex 2;
  • submission of audit reports from recognized auditors.

(3) Insofar as the evidence referred to in paragraph 2 is not sufficient in individual cases, the Controller is entitled, after prior notification with reasonable notice (generally at least 30 calendar days) and during normal business hours, to carry out on-site inspections or to have them carried out by an independent auditor designated by the Controller, who is not in a competitive relationship with arades and who has previously been bound by confidentiality.

(4) On-site inspections shall be carried out in such a way that the business operations of arades are not disproportionately impaired. They should generally not take place more than once per calendar year, unless there is specific cause.

(5) The effort associated with audits shall be reimbursed by the Controller, provided that arades has made available to the Controller suitable evidence pursuant to paragraph 2. arades shall present the effort to the Controller transparently in advance.

§ 8 Termination, deletion, and return of data

(1) Upon termination of the provision of the processing services, arades shall, at the choice of the Controller, either delete or return all personal data and delete existing copies, unless there is an obligation to store the personal data under the law of the European Union or its Member States.

(2) A corresponding declaration of choice by the Controller must be made in text form within 30 calendar days of termination of the Main Contract. If no declaration of choice is made within this period, arades is entitled to delete the data.

(3) For the return of the data in a structured, commonly used, and machine-readable format, arades may demand reasonable compensation based on effort, provided that this requires additional effort beyond the standard export functions.

(4) The deletion shall also include all backup copies, insofar as this is technically possible and compatible with the general retention periods. Personal data contained in backups is not deleted selectively; it is overwritten when the respective backups expire in the course of the regular backup rotation cycle.

(5) arades shall confirm the deletion to the Controller in text form upon request.

§ 9 Liability

(1) In the internal relationship between the Parties, the provisions of the Main Contract shall apply to liability for data protection violations, in particular the limitations of liability agreed therein, insofar as this is compatible with mandatory data protection provisions.

(2) In the external relationship vis-à-vis data subjects, Art. 82 GDPR shall apply. The Parties undertake to support each other to the extent that one Party is held liable due to a violation by the other Party and to create a corresponding internal compensation.

§ 10 Final provisions

(1) Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions shall not be affected. In place of the invalid provision, the valid provision that comes closest to the purpose of the invalid provision shall be deemed agreed.

(2) Amendments and additions to this DPA, including its annexes, must be made in text form.

(3) The law of the Federal Republic of Germany shall apply. The place of jurisdiction is Frankfurt am Main, provided that the Controller is a merchant, a legal entity under public law, or a special fund under public law.

(4) This DPA enters into force upon signature by both Parties and ends automatically with the termination of the Main Contract, unless otherwise specified in this DPA or in the Main Contract. The obligations regulated in this DPA exist beyond the end of the contract, insofar as this is required by the nature of the matter.

Signatures

For the Controller:

_______________________________________
Place, Date

_______________________________________
Name, Function

_______________________________________
Signature

For arades GmbH:

_______________________________________
Place, Date

_______________________________________
Name, Function

_______________________________________
Signature

Annex 1: Description of the processing

1. Subject matter and purpose of the processing

The processing of personal data is carried out for the purpose of providing the services agreed in the Main Contract, in particular:

  • Advisory, configuration, implementation, customization, and support of Microsoft Dynamics 365, Microsoft Power Platform, and Microsoft 365;
  • Provision and operation of arades' own SaaS solutions;
  • Brokerage and resale of Microsoft subscriptions as part of the Microsoft Cloud Solution Provider program;
  • Creation and customization of individual software solutions;
  • Maintenance and troubleshooting on systems of the Controller.

2. Type of personal data

Within the scope of the processing — depending on the specific order and system environment of the Controller — in particular the following categories of personal data may be processed:

  • Master data (last name, first name, salutation, title, date of birth);
  • Contact data (address, email address, phone/mobile number);
  • Professional data (employer, position, department, personnel number);
  • Contract and contract billing data;
  • Communication data (email content, notes, conversation logs in CRM systems);
  • Usage data (login data, IP addresses, log files, activity logs);
  • Other personal data stored in the systems of the Controller to which arades has access in the course of providing services.

The processing of special categories of personal data pursuant to Art. 9 GDPR is not regularly envisaged. Should such data be part of the system environment of the Controller, the Controller is aware of this; arades processes such data only to the extent that it is unavoidable for the provision of the contractual services.

3. Categories of data subjects

The following categories of data subjects may be affected by the processing:

  • Employees, staff, and management of the Controller;
  • Customers, prospects, and business partners of the Controller;
  • Suppliers and service providers of the Controller;
  • Other persons whose data is stored in the systems of the Controller.

4. Duration of the processing

The processing takes place for the duration of the Main Contract. After termination, the data shall be treated in accordance with § 8 of this DPA.

Annex 2: Technical and organizational measures (TOMs)

arades takes the following technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk. Insofar as processing takes place in cloud services of third parties (in particular Microsoft Azure, Microsoft 365), the TOMs of these providers supplement the measures of arades.

1. Confidentiality (Art. 32(1)(b) GDPR)

Access control (physical)

  • Business premises are secured by electronic access systems and/or locking systems;
  • Access to server rooms is restricted to a limited group of persons;
  • Visitors are received, documented, and accompanied in sensitive areas.

Access control (logical)

  • Authentication on IT systems using username and secure password;
  • Multi-factor authentication (MFA) for administrative access and cloud services;
  • Password policies (minimum length, complexity, regular change);
  • Automatic screen lock after inactivity;
  • Encryption of the hard drives of end devices.

Authorization control

  • Role- and rights-based authorization concept (need-to-know principle);
  • Separation of test, development, and production environments;
  • Logging of administrative access;
  • Regular review of authorizations.

Separation control

  • Logical separation of data of different tenants/customers;
  • Multi-tenant system architecture for SaaS solutions;
  • Separation of production and test data.

Pseudonymization

  • Pseudonymization is used, where possible and necessary for the provision of the service (e.g., for tests with anonymized or pseudonymized datasets).

2. Integrity (Art. 32(1)(b) GDPR)

Transfer control

  • Encrypted data transmission (TLS) when transmitted over public networks;
  • Secure remote access exclusively via VPN or comparable security mechanisms;
  • No transmission of personal data over unencrypted channels;
  • Documentation of data transfers.

Input control

  • Logging of inputs, changes, and deletions in production systems, insofar as technically reasonable and supported by the system;
  • Traceability of administrative activities;
  • Four-eyes principle for particularly critical changes.

3. Availability and resilience (Art. 32(1)(b) GDPR)

  • Regular data backups of arades' own systems;
  • Use of professional cloud infrastructures (in particular Microsoft Azure) with geo-redundant data storage;
  • Protection against malware through up-to-date anti-malware solutions;
  • Firewall and network security measures;
  • Uninterruptible power supply in critical areas; for cloud-hosted systems, this is provided by the cloud provider;
  • Emergency and recovery plans.

4. Procedures for regular review, assessment, and evaluation (Art. 32(1)(d) GDPR)

  • Data protection management: training of employees on data protection and information security;
  • Obligation of employees to data secrecy and confidentiality;
  • Incident response process: established process for detection, assessment, and reporting of data protection breaches;
  • Regular review and updating of technical and organizational measures;
  • Carrying out data protection impact assessments where required (Art. 35 GDPR).

5. Order control

  • Contracts with sub-processors contain data protection clauses pursuant to Art. 28 GDPR;
  • Careful selection of sub-processors taking into account data protection compliance;
  • Regular review of the protective measures taken by sub-processors based on submitted evidence.

Note: This description of measures is exemplary and should be adjusted in the final version to the measures actually implemented at arades. Insofar as an ISMS certificate (e.g., ISO 27001) or a comparable attestation is available, this may additionally be referred to.

Annex 3: Sub-processors

At the time of the conclusion of the contract, the following sub-processors are engaged:

[This list must be completed before contract conclusion and adapted to the sub-processors actually engaged. For Microsoft services, reference is to be made to the current status of the Microsoft Data Processing Addendum (DPA) and the EU Data Boundary.]
