Data Processing Agreement

Version 1.0 · Last updated 2026-04-02

This Data Processing Agreement (“DPA”) governs the processing of personal data between Tallence AG, Neue Gröningerstr. 13, 20457 Hamburg (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) for the use of the AWS Compliance Snapshot Tool (“Service”).

1. Subject Matter and Duration of Processing

The Processor processes personal data on behalf of the Controller for the purpose of providing the contractually agreed services.

The duration of processing is determined by the term of the respective agreement between the parties.

2. Nature and Purpose of Processing

The processing includes in particular the collection, storage, organisation, analysis, transmission and erasure of personal data.

The processing is carried out exclusively for the purpose of:

  • Providing the agreed services
  • Technical execution and ensuring the operation
  • Ensuring IT security and system stability
  • Communication in connection with the provision of services

3. Categories of Personal Data

Depending on the use of the services, the following categories of personal data may in particular be processed:

  • Master data: e.g. name, company
  • Contact data: e.g. email address
  • Usage data: e.g. interactions, access data
  • Authentication data: e.g. access credentials, session information
  • Communication data: e.g. communication content and metadata
  • Other data: data provided by the Controller in the course of use

4. Categories of Data Subjects

The following groups of persons may in particular be affected by the processing:

  • Employees and users of the Controller
  • Customers or business partners of the Controller
  • Other data subjects in the context of the use of the services

5. Binding Instructions

The Processor shall process personal data exclusively on the basis of documented instructions from the Controller, unless the Processor is required to do so by legal provisions.

Instructions may be issued by the Controller or by authorised persons designated by the Controller.

Instructions shall generally be issued in text form (e.g. email).

If the Processor considers an instruction to be unlawful, the Processor shall immediately notify the Controller thereof.

6. Place of Processing

Processing shall generally take place within the European Union (EU) or the European Economic Area (EEA).

Processing in third countries shall only take place in compliance with the requirements of Art. 44 et seq. GDPR.

7. Obligations of the Processor

The Processor undertakes to:

  • process personal data exclusively on the basis of documented instructions from the Controller, unless required to do so by Union or Member State law
  • ensure that persons authorised to process personal data are bound by confidentiality obligations or are subject to an appropriate statutory obligation of confidentiality
  • implement appropriate technical and organisational measures pursuant to Art. 32 GDPR
  • assist the Controller in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor
  • at the choice of the Controller, delete or return all personal data after the end of processing, unless statutory retention obligations apply
  • make available to the Controller all information necessary to demonstrate compliance with legal requirements and to allow for audits

8. Sub-Processors

The Processor engages the following sub-processors:

  • Amazon Web Services (AWS): Cloud infrastructure hosting (EU region: eu-central-1, Frankfurt). AWS processes data in accordance with the AWS Data Processing Addendum.
  • HubSpot: CRM and marketing automation. HubSpot processes contact data (email, name, company, job title) and marketing communication preferences in accordance with the HubSpot Data Processing Agreement.

The Processor reserves the right to change the sub-processors engaged or to engage additional sub-processors. The Controller will be informed of any such changes and has the right to object thereto for good cause.

9. Assistance to the Controller

The Processor shall assist the Controller, taking into account the nature of processing and the information available to the Processor, in complying with data protection obligations.

This includes in particular assistance with the exercise of the rights of data subjects pursuant to Art. 12 to 23 GDPR, with the implementation of obligations regarding the security of processing and the notification of personal data breaches pursuant to Art. 32 to 36 GDPR, and, where necessary, with the conduct of data protection impact assessments.

Assistance shall be provided to a reasonable extent and taking into account the information available to the Processor.

10. Notification of Personal Data Breaches

The Processor shall inform the Controller without undue delay, and no later than within 72 hours after becoming aware, of any breaches of the protection of personal data.

The notification shall contain all available information pursuant to Art. 33 GDPR, in particular a description of the nature of the breach, the data and categories of persons affected, and the measures taken or planned.

The Processor shall assist the Controller in fulfilling any notification and communication obligations and shall document the relevant incidents.

11. Audit and Inspection Rights

The Controller is entitled to verify the Processor’s compliance with data protection requirements.

The Processor shall, upon request, provide appropriate evidence, in particular documentation, certifications or current audit reports.

In addition, the Controller may, to a reasonable extent, conduct audits or have audits conducted by appointed third parties, insofar as this is possible on the basis of the information and evidence provided.

Insofar as audits go beyond the provision of evidence, they may be carried out after prior coordination and against reimbursement of the Processor’s reasonable expenses.

The Processor shall ensure that corresponding audit and inspection rights also exist with respect to the sub-processors engaged.

12. Data Deletion and Return

Upon termination of processing, personal data shall be deleted or returned at the choice of the Controller, unless statutory retention obligations apply.

13. Technical and Organisational Measures

The Processor shall implement appropriate technical and organisational measures pursuant to Art. 32 GDPR. The measures shall serve in particular to ensure the confidentiality, integrity, availability and resilience of the systems.

The Processor shall, upon request, provide the Controller with further information on the technical and organisational measures.

The Processor is entitled to adapt or further develop the technical and organisational measures, provided that the overall level of protection of the processing is not impaired.

14. International Data Transfers

Where personal data is transferred to third countries, the Processor shall ensure appropriate safeguards pursuant to Art. 44 et seq. GDPR, in particular:

  • Standard Contractual Clauses (SCC)
  • Adequacy decisions
  • Other appropriate safeguards where applicable

15. Confidentiality

The Processor shall ensure that all persons authorised to process personal data are bound by confidentiality obligations or are subject to an appropriate statutory obligation of confidentiality.

Both parties undertake to treat all information obtained in the course of this agreement, in particular personal data, as confidential and to use it only for the contractually agreed purposes.

The obligation of confidentiality shall continue to apply beyond the termination of this agreement.

16. Governing Law and Jurisdiction

This DPA shall be governed by the laws of the Federal Republic of Germany.

The place of jurisdiction shall be – to the extent permissible – Hamburg.

17. Final Provisions

Should individual provisions of this DPA be invalid, the validity of the remaining provisions shall remain unaffected.

18. Contact

Tallence AG
Neue Gröningerstr. 13
20457 Hamburg

Email: info@tallence.com

For data protection enquiries, the Controller may contact datenschutz@tallence.com.