DATA PROCESSING AGREEMENT ("DPA")
Preamble
This DPA supplements the framework agreement ("Agreement") between Logicc GmbH ("Logicc") and the Customer, which refers to this DPA (Logicc and the Customer together are the "Parties"). This DPA automatically enters into force upon conclusion of the Agreement and applies from the same date as the Agreement.
In the context of fulfilling the Agreement, Logicc processes the Personal Data provided by the Customer. The parties agree that Logicc processes such Personal Data on behalf of the Customer, either as a Processor if the Customer is the Controller, or as a Subprocessor if the Customer is itself a Processor. Therefore, this DPA applies if and to the extent that Logicc processes Personal Data for the Customer in the course of providing Services under the Agreement. The parties agree that this DPA replaces all existing data protection provisions that the parties have previously agreed in connection with the Services.
1. Definitions
"Customer Data" means all Personal Data uploaded in connection with the use of the Services and processed by Logicc on behalf of the Customer in the course of providing the Services.
"Controller" is the person or company that determines the purposes and means of Processing Personal Data.
"Processor" is the person or company that processes Personal Data on behalf of a Controller.
"Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data. For the EU and the EEA, this includes, in particular, the General Data Protection Regulation (GDPR), the ePrivacy Directive 2002/58/EC, and the national data protection laws of the Member States.
"EEA" means the European Economic Area.
"EU" is the European Union.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" has the meaning specified in the GDPR and includes any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution, or otherwise making available, alignment or combination, restriction, or erasure of Personal Data.
"Security Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or unauthorized access to, Customer Data.
"Services" has the meaning set forth in the Agreement.
"SCC" means the standard contractual clauses for the transfer of Personal Data to third countries contained in the Annex to Commission Implementing Decision (EU) 2021/914 of June 4, 2021.
"Subprocessor" means any Processor engaged by Logicc to assist in the provision of the Services.
2. Subject matter of this DPA
This DPA sets out the rights and obligations of the parties in relation to the Processing of Customer Data by Logicc in connection with the provision of the Services.
For this purpose, the Customer hereby appoints Logicc as a Processor if the Customer acts as a Controller, or as a Subprocessor if the Customer itself acts as a Processor.
This DPA applies to all Customer Data as specified in Appendix 1 to which Logicc has access during the provision of the Services. This includes Customer Data provided to Logicc by the Customer for the provision of Services, Customer Data generated by Logicc during the provision of Services, or Customer Data to which Logicc gains access in other ways, e.g., directly from data subjects, in the course of providing Services. This DPA does not apply to data that is not considered Customer Data, including non-personal data provided by the Customer or data that is not processed as part of the Services.
3. Principle of processing on behalf of the Customer
Logicc takes appropriate technical and organizational measures to ensure that the Processing of Customer Data complies with the requirements of applicable Data Protection Laws and that the rights of data subjects are protected.
The Processing of Customer Data by Logicc and, where applicable, commissioned Subprocessors generally takes place within the EEA. Transfers of Customer Data to a third country outside the EEA only take place if Logicc ensures compliance with the requirements of applicable Data Protection Laws and if such transfers are supported by an appropriate legal basis, such as an adequacy decision, SCC, or other applicable safeguards.
The Customer is solely responsible for the legality of the Processing of Customer Data and for safeguarding the rights of the data subjects in the relationship between the parties. Should third parties assert claims against Logicc due to the Processing of Customer Data in accordance with this DPA, the Customer shall indemnify Logicc against such claims.
4. Customer's right to issue instructions
Customer Data covered by this DPA will only be processed in accordance with documented instructions from the Customer, including instructions for the transfer of Customer Data to a third country. If Logicc is required by applicable law to process Customer Data without such instructions, Logicc will inform the Customer of the legal obligation prior to Processing, unless such notification is prohibited by law for reasons of public interest.
The Customer's right to issue instructions regarding the nature, scope, and procedures for Processing Customer Data is limited to the scope specified in this DPA and in the Agreement. If Logicc agrees to any instructions beyond this scope, the Customer shall reimburse Logicc for the associated costs and expenses.
The Customer shall issue its instructions in writing, by email (in text form), or by using the functionalities of the Services.
Logicc may not use Customer Data for purposes other than the provision of the Services. This restriction does not apply to backup copies that are necessary to ensure proper Processing, or to data that is retained to comply with statutory retention obligations, or to anonymized or aggregated data that cannot be re-identified and is used exclusively for internal business purposes, such as analysis or service improvements.
5. Subprocessors
Logicc will not engage any Subprocessors without the prior written consent of the Customer, which may be given either as individual consent or as general consent.
The Customer hereby grants its consent to the engagement of the Subprocessors listed in Appendix 2 with effect from the date of this DPA.
The Customer hereby also gives its general consent to the commissioning of further Subprocessors. Logicc shall inform the Customer of any intended changes to the list of Subprocessors, including the addition or replacement of a Subprocessor, and shall give the Customer the opportunity to object to such changes. The Customer may object in writing, on reasonable grounds, within 15 days of notification, and the parties shall cooperate in good faith to resolve the objection.
If Logicc engages a Subprocessor to perform certain Processing activities on behalf of the Customer, Logicc shall impose on the Subprocessor the same data protection obligations as set out in this DPA. This shall be done by means of an agreement or other legally binding instrument in accordance with applicable Data Protection Laws, ensuring that the Subprocessor provides sufficient guarantees, in particular the implementation of appropriate technical and organizational measures to comply with the requirements of the GDPR and other applicable Data Protection Laws. The contracting parties clarify that it is sufficient if the level of protection offered by the Subprocessor corresponds to the level of protection provided for in this DPA.
If Logicc's engagement of Subprocessors is subject to Articles 44 et seq. GDPR, Logicc shall, where necessary, conclude the applicable SCC and ensure that its Subprocessors take appropriate technical and organizational measures to ensure compliance with applicable Data Protection Laws.
In the event that the SCC become invalid or are otherwise no longer recognized as a valid data transfer mechanism under the GDPR or other Data Protection Laws, Logicc may resort to any alternative guarantee permitted under Data Protection Laws, such as binding corporate rules (BCR) or other appropriate safeguards or exemptions permitted under Chapter V of the GDPR or equivalent Data Protection Laws.
If a Subprocessor fails to comply with its data protection obligations, Logicc shall be liable to the Customer.
The commissioning of a third party to provide ancillary services (e.g., telecommunications, maintenance, user support, cleaning, testing, or disposal of data carriers) does not constitute the commissioning of a Subprocessor. However, Logicc shall ensure that appropriate legal agreements are in place and control measures are taken to protect the security and confidentiality of Customer Data when third parties provide such ancillary services.
6. Customer's control rights
Logicc undertakes to provide, upon written request from the Customer and within a reasonable period of time, the information necessary to demonstrate compliance with the obligations under this DPA.
The Customer or an auditor appointed by the Customer may verify Logicc's compliance with this DPA. Such audits are limited to once per calendar year and must be announced in writing at least 60 days in advance. The audits shall be conducted during regular business hours and in a manner that causes as little disruption as possible to Logicc's operations.
Logicc may provide current attestations, audit reports, or excerpts thereof from independent bodies (e.g., auditors, data protection officers, IT security departments, or data protection auditors), or suitable certifications from recognized IT security or data protection audits, as evidence of compliance with the GDPR. In this case, the Customer is not entitled to carry out additional checks.
The Customer shall compensate Logicc for all reasonable costs incurred in providing such information or facilitating checks, unless these checks reveal that Logicc is in material breach of its obligations under this DPA.
7. Confidentiality obligation
Logicc shall ensure that all persons authorized to process Customer Data within the scope of this DPA are bound to confidentiality, either by contractual obligations or by statutory confidentiality obligations.
8. Technical and organizational measures
Taking into account the state of the art, the implementation costs, and the nature, scope, context, and purposes of the Processing, as well as the varying likelihood and severity of risks to the rights and freedoms of data subjects, both the Customer and Logicc shall take appropriate technical and organizational measures within their respective areas of responsibility to ensure a level of protection appropriate to the risk, in particular with regard to Security Incidents.
The technical and organizational measures taken by Logicc are listed in Appendix 3. The Customer confirms that these measures meet the requirements and ensure an appropriate level of protection for the Processing of Customer Data.
Logicc is entitled at any time to replace the technical and organizational measures with measures of equal or higher value, provided that these meet the requirements of this Section 8.
9. Logicc's information obligations
Logicc will inform the Customer immediately if Logicc becomes aware of a Security Incident.
The Customer shall reimburse Logicc for all reasonable expenses incurred in providing this information, unless the Security Incident is directly attributable to gross negligence or wilful misconduct on the part of Logicc.
10. Tasks to support the Customer
Taking into account the nature of the Processing and the resources reasonably available to Logicc, Logicc shall support the Customer with appropriate technical and organizational measures in fulfilling the Customer's obligations to respond to requests from data subjects and other obligations under Data Protection Laws.
Logicc will inform the Customer immediately if Logicc believes that an instruction given by the Customer violates Data Protection Laws.
The Customer shall reimburse Logicc for the reasonable costs incurred in providing the Services described in this Section 10, unless these Services are necessary to fulfill Logicc's legal obligations under Data Protection Laws.
11. Term
This DPA shall automatically enter into force upon conclusion of the Agreement and shall remain in force for at least the duration of the Agreement, unless otherwise specified.
Premature or other termination of the Agreement, for whatever reason, shall result in the automatic termination of this DPA. However, the provisions of this DPA shall remain in force to the extent necessary to ensure the proper completion of the Processing of Customer Data within the scope of this DPA in accordance with Data Protection Laws, in particular with regard to the deletion or return of Customer Data. Once such Processing has been completed, this DPA shall terminate without further notice.
12. Obligation to delete and return after termination
Upon termination of the Services, Logicc will either delete or return all Customer Data in accordance with the Customer's instructions. The Customer must inform Logicc of its choice within 30 days of the termination of the Services. If no notification is received within this period, Logicc may delete the Customer Data unless further storage is required by applicable law. Storage and archiving obligations under applicable law remain unaffected. Logicc will confirm the deletion or return upon request by the Customer.
13. Data protection officer
Logicc will appoint a data protection officer if required by Data Protection Laws and, in this case, provide the Customer with the contact details of the data protection officer.
14. Remuneration
All Services provided by Logicc within the scope of this DPA are fully covered by the remuneration agreed in the Agreement, unless expressly stated otherwise in this DPA.
Insofar as Services within the scope of this DPA are designated as subject to remuneration, these Services shall be remunerated on a time and material basis at the rates agreed in the Agreement. If no remuneration rates have been agreed, Logicc's standard rates valid at the time of performance shall apply.
15. Liability
The liability provisions of the Agreement shall apply accordingly to this DPA.
Administrative penalties or fines imposed directly on the Customer cannot be recovered from Logicc, unless they are attributable to a breach by Logicc of this DPA or of Data Protection Laws. In such cases, Logicc's liability shall be limited to its share of fault as determined by a final decision of a competent court or authority and shall be subject to the liability provisions of the Agreement.
16. Final provisions
This DPA is an integral part of the Agreement. In the event of a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail exclusively with regard to the Processing of Customer Data.
Logicc reserves the right to amend this DPA if necessary to reflect changes in applicable Data Protection Laws, regulatory requirements, or binding decisions by the competent supervisory authorities. Logicc will notify the Customer of such changes in writing or in text form (e.g., by email) at least 30 days in advance, unless an immediate change is required by law or regulation. If the Customer objects to such changes for legitimate reasons, the parties shall cooperate in good faith to find a solution acceptable to both sides. If the Customer objects to such changes and no mutually acceptable solution is reached within a reasonable period of time, the Customer may terminate the Agreement with regard to the Processing activities concerned by giving written notice.
Should any provision of this DPA be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions of this DPA. The same applies if and to the extent that this DPA proves to contain a gap. In place of the invalid or unenforceable provision, or to fill the gap, an appropriate provision shall apply which, as far as legally possible, comes closest to what the parties intended economically or would have intended according to the meaning and purpose of this DPA, had they considered this point.
In all other respects, the final provisions of the Agreement shall apply mutatis mutandis to this DPA.
Appendix 1: Details of Processing
Categories of data subjects
Users of the Services
Employees of the Customer
Persons to whom data entered by users relates
Types of Customer Data
Names, email addresses of users and employees of the Customer
Data entered by users
Scope and type of Processing
Content of communications with LLMs
Documents and information that the Customer uploads and stores on the platform
Purpose of Processing
Provision of Services in accordance with the Customer's instructions
Appendix 2: Subprocessors
Appendix 3: Technical and organizational measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances, and purposes of Processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of data subjects, Logicc has implemented and will maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to maintain the security and confidentiality of Customer Data ("technical and organizational measures"). These measures include the following aspects:
Confidentiality
Physical access control
Logicc will take appropriate measures to reduce the risk of unauthorized persons gaining physical access to data processing systems used to process and use Customer Data. Such measures may include, for example, automatic access control systems, the use of chip cards and transponders, access control by reception or gatekeeper services, and alarm systems. Servers, telecommunications equipment, network technology, and similar equipment can be protected, for example, by lockable server cabinets.
Technical measures:
- Use of mechanical locking systems on all relevant doors to offices and server rooms.
- Visitors are accompanied by employees.
- There is a key management system that regulates the issuance and return of keys.
- Careful selection of cleaning staff and other external service providers.
Organizational measures:
- Access policy that clearly regulates access for employees, service providers, and visitors and limits it to the necessary minimum.
- Maintaining a visitor log and recording all access to the server rooms.
- Regular checking of access logs.
System access control
Logicc will take appropriate measures to prevent unauthorized use of data processing systems.
Technical measures:
- Strict password policies (minimum length, complexity, regular changes).
- Use of multi-factor authentication (MFA) wherever possible and appropriate.
- Automatic locking of inactive sessions after a defined period of time.
- VPN access for remote access to internal systems.
- Management of user permissions.
- Automatic desktop lock.
Organizational measures:
- IT security policy governing the secure handling of passwords, access data, and mobile devices.
- Assign user accounts according to the principle of least privilege.
- Regular security training for employees to raise awareness of phishing and other threats.
- Creation of user profiles.
Data access control
Logicc will take appropriate measures to ensure that those authorized to use the data processing systems can only access the Personal Data to which they have access rights, and that Customer Data cannot be read, copied, modified, or removed without authorization during Processing, use, and after storage. To this end, Logicc takes the following precautions:
Technical measures:
- Implementation of a differentiated authorization concept that restricts access to Customer Data to the minimum necessary.
- Use of firewalls and intrusion detection/prevention systems.
- Logging of all access to Customer Data in audit logs.
- SSH-encrypted administrative access to servers.
- TLS encryption of connections to the Services.
- Encryption of Customer Data at rest, in particular chats, files, and prompt templates, using strong, state-of-the-art encryption methods.
Organizational measures:
- Policy for granting and revoking access rights based on the "need-to-know" principle.
- Regular review of access authorizations and audit logs.
- Special authorization for access to particularly sensitive data categories.
- Minimum number of administrators.
Separation control
Logicc will take appropriate measures to ensure that Customer Data collected for different purposes can be processed separately. To this end, Logicc takes the following precautions:
Technical measures:
- Strict logical client separation within the central database through the use of row-level security (RLS) to ensure that each client can only access its own data rows.
- Ensuring client separation at the application level to prevent access to other clients' data.
- Separate environments for development, testing, and production.
- A differentiated authorization concept that regulates access.
Organizational measures:
- Guidelines for data classification and separate processing of data from different clients and for different purposes.
- Regular monitoring of technical and organizational measures for data separation.
- Control via the authorization concept.
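The row-level security (RLS) measure listed under "Separation control" above is the one that keeps one client's rows invisible to another client sharing the same database. The following PostgreSQL snippet is an added illustration of how such tenant isolation is typically configured; it is not Logicc's schema or code, and the table name `chats`, the role `app_user`, and the session variable `app.tenant_id` are assumptions for the example.

```sql
-- Added example (not the DPA's or Logicc's own schema): tenant isolation with
-- PostgreSQL row-level security. Assumed: a table "chats" with a tenant_id column,
-- and an application role "app_user" that is neither a superuser nor the table owner.

CREATE TABLE chats (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    content   text NOT NULL
);

-- The application role must not be able to bypass policies.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON chats TO app_user;
GRANT USAGE, SELECT ON SEQUENCE chats_id_seq TO app_user;

-- Enable RLS; FORCE makes the policy apply even to the table owner.
ALTER TABLE chats ENABLE ROW LEVEL SECURITY;
ALTER TABLE chats FORCE ROW LEVEL SECURITY;

-- One policy covers reads (USING) and writes (WITH CHECK). current_setting(..., true)
-- returns NULL when the variable is unset, so an unset tenant sees and writes nothing.
CREATE POLICY tenant_isolation ON chats
    FOR ALL TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per request, the application binds the tenant taken from its authenticated session.
-- SET LOCAL scopes the value to the transaction, so a pooled connection does not
-- carry the previous request's tenant into the next one.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT id, content FROM chats;   -- returns only rows of tenant 1111...
INSERT INTO chats (tenant_id, content)
    VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
-- The INSERT above fails with "new row violates row-level security policy"
-- and aborts the transaction; the application rolls back.
ROLLBACK;
```

Two checks a reviewer would want before accepting RLS as the separation control: confirm the connecting role is not a superuser, not the table owner (or FORCE is set), and has NOBYPASSRLS, since all three bypass policies; and confirm `app.tenant_id` is set from the server-side authenticated session, never from a value the client supplies in the request.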
Integrity
Transfer control
Logicc will take appropriate measures to reduce the risk of Customer Data being read, copied, modified, or removed without authorization during electronic transmission or during its transport or storage on data carriers. To this end, Logicc takes the following precautions:
Technical measures:
- Consistent encryption of all transmission channels for Customer Data (e.g., TLS 1.3 for web applications, SFTP for file transfer, VPN for remote access).
- Use of secure email encryption methods (e.g., S/MIME or PGP) where email communication is necessary.
- Provision via encrypted connections such as SFTP, HTTPS, and secure cloud storage.
Organizational measures:
- Policy on the secure transfer and disclosure of Customer Data, which prohibits the use of insecure channels.
- Raising employee awareness of the risks of insecure data transmission.
- Clear rules on the use of cloud services and the transfer of data to third parties.
- Overview of regular retrieval and transmission procedures.
Input control
Logicc will take appropriate measures to ensure that it is possible to subsequently check and determine whether and by whom Customer Data has been entered into data processing systems, modified, or removed. To this end, Logicc takes the following precautions:
Technical measures:
- Comprehensive logging of all entries, changes, and deletions of Customer Data in tamper-evident audit logs.
- Use of plausibility checks and validation rules during data entry.
- Versioning of data records or timestamps for changes.
- Manual or automated review of logs in accordance with strict internal guidelines.
Organizational measures:
- Guidelines for logging and the dual control principle for critical data entries.
- Regular evaluation of audit logs for irregularities.
- Clear responsibilities for data entry and maintenance.
- Assignment of rights to enter, change, and delete data based on the authorization concept.
Availability and resilience
Logicc will take appropriate measures to ensure that Customer Data is protected against accidental destruction or loss. To this end, Logicc takes the following precautions:
Technical measures:
- Hosting of the application and data in Hetzner's data centers, which are ISO 27001 certified.
- Daily backups of all relevant data with a retention period of at least 7 days.
- Regular testing of backup recoverability (at least once per quarter) and logging of the results.
- Use of uninterruptible power supply (UPS), air conditioning, fire protection, and hard disk mirroring (RAID) in Hetzner data centers.
- Use of virus protection on the servers.
- Contingency plan governing the restoration of systems in the event of a failure.
- Backup monitoring and reporting to ensure that backups are performed successfully.
- Recovery concept that describes the steps and responsibilities in the event of necessary data recovery.
- Restoration through automation tools to speed up the recovery process.
- Control of the backup process through regular review of backup logs and reports.
- Backup concept based on the criticality of the data and specific Customer requirements.
Organizational measures:
- Contingency plans for various failure scenarios (e.g., power failure, hardware defect, cyberattack) that are regularly updated and practiced.
- Clear responsibilities and escalation paths in case of an emergency, including communication with Hetzner as the cloud provider.
- Contractual agreements with Hetzner regarding guaranteed availability (SLAs), response times, and support services in an emergency.
- Information security policy that also regulates requirements for availability and emergency operations.
Procedures for regular review, assessment, and evaluation
Logicc implements procedures for regularly reviewing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of Processing.
Data protection management
- An external data protection officer has been appointed. This officer is supported in the implementation of data protection measures within the company by the managing director and a dedicated employee, who act as internal data protection coordinators.
- Implementation of a data protection management system (DSMS) based on proven standards (e.g., ISO 27701, BSI IT-Grundschutz), adapted to the size and complexity of the company.
- Regular internal reviews of data protection measures and processes, at least once a year.
- Documentation and handling of Security Incidents in accordance with a defined internal process.
- Regular training of employees on data protection, at least once a year.
- Processes relating to information obligations in accordance with Articles 13 and 14 GDPR are implemented.
- Formalized procedure established for requests for information from data subjects.
- Data protection checkpoints integrated into risk assessment where possible and appropriate.
- Data protection impact assessments (DPIA) are carried out as necessary for new processing activities that are likely to pose a high risk.
- Data protection aspects are part of the company's general risk management.
Incident response management
- Implementation of an incident response plan for Security Incidents, covering the phases of detection, reporting, analysis, response, and follow-up.
- Establishment of an incident response team to coordinate and handle Security Incidents.
- Use of the Google Workspace firewall, spam filter, and virus scanner, with regular updates.
- Regular training of employees in dealing with Security Incidents and phishing attempts.
- Documentation of Security Incidents via a ticket system.
- Formal procedure for tracking Security Incidents.
- Documented process for detecting and reporting Security Incidents (also with regard to reporting obligations to the supervisory authority).
- Formalized procedure for handling Security Incidents.
- Involvement of the CTO in Security Incidents.