Data Processing Agreements
This Data Processing Agreement governs the processing of personal data by NoMaze GmbH on behalf of its customers in connection with the NoMaze Service, as required by Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679).
Version 2026-05 — effective 12 May 2026
1. Subject Matter and Duration
This Data Processing Agreement ("DPA") forms part of the SaaS Agreement between NoMaze GmbH ("Processor" or "Company") and the Customer ("Controller"). It governs the Processor's processing of personal data on behalf of the Controller in connection with the Service. This DPA applies for the duration of the SaaS Agreement and any post-termination period during which the Processor retains personal data.
2. Nature and Purpose of Processing
The Processor processes personal data solely to provide the Service to the Controller, including hosting, computation, user authentication, support, and related operational activities. Processing takes place within the European Union / European Economic Area. The Processor shall not transfer personal data outside the EU/EEA without the Controller's prior written instructions and appropriate safeguards under Chapter V GDPR.
3. Types of Personal Data and Categories of Data Subjects
Personal data processed under this DPA is limited to information necessary to operate the Service, typically comprising the names, business email addresses, and account credentials of the Controller's Authorized Users. The Controller is responsible for ensuring that no special categories of personal data (Article 9 GDPR) or criminal-conviction data (Article 10 GDPR) are submitted to the Service unless expressly agreed in writing.
4. Controller's Instructions
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers to third countries. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes GDPR or other applicable data protection law.
5. Confidentiality
The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6. Security of Processing
The Processor shall implement appropriate technical and organisational measures pursuant to Article 32 GDPR, including but not limited to encryption of personal data in transit and at rest, access controls based on the principle of least privilege, logging and monitoring of access, regular security testing, and incident response procedures. A summary of current measures is available to the Controller upon request.
7. Subprocessors
The Controller authorises the Processor to engage subprocessors necessary for hosting, infrastructure, authentication, and related operational functions. An up-to-date list of subprocessors is available to the Controller upon request. The Processor shall provide at least thirty (30) days' prior written notice of any intended change to subprocessors, during which the Controller may object on reasonable data protection grounds. The Processor remains fully liable to the Controller for the performance of its subprocessors' obligations.
8. Data Subject Rights
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR (rights of access, rectification, erasure, restriction, portability, and objection).
9. Personal Data Breach
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting the Controller's personal data. The notification shall include the information specified in Article 33(3) GDPR to the extent then known to the Processor, and shall be supplemented as further information becomes available.
10. Data Protection Impact Assessment and Prior Consultation
The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments and prior consultations with the competent supervisory authority pursuant to Articles 35 and 36 GDPR, taking into account the nature of the processing and the information available to the Processor.
11. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits shall be conducted on reasonable prior notice, during normal business hours, no more than once per calendar year (except in the event of a personal data breach or supervisory authority request), and in a manner that does not unduly disrupt the Processor's operations.
12. Return or Deletion of Personal Data
Upon termination of the SaaS Agreement, the Processor shall, at the Controller's election, return or delete all personal data processed on behalf of the Controller, in accordance with Section 10.4 of the SaaS Agreement. The Processor shall certify deletion in writing. Personal data persisting in standard backup systems shall remain subject to the confidentiality obligations of this DPA until overwritten in the ordinary backup rotation.
13. Liability
Liability under this DPA follows the terms of the SaaS Agreement, except where mandatory data protection law (including Article 82 GDPR) provides otherwise.
14. Order of Precedence
In the event of conflict between this DPA and any other provision of the SaaS Agreement, this DPA prevails with respect to the processing of personal data.
