Data Processing Agreement

General

9 April 2026

Preliminary Remarks

In the course of providing services, it is necessary for Open Hippo GmbH, hereinafter referred to as the Contractor, to handle personal data for which the Client acts as the Controller within the meaning of applicable data protection law. This Data Processing Agreement specifies the obligations of the parties with respect to data protection. It applies to all activities connected with the contract in which employees of the Contractor or persons engaged by the Contractor process personal data ("Data") of the Client or at least have the possibility of accessing such data.

§ 1 Subject Matter, Duration and Specification of the Processing

(1) The subject matter and duration of the engagement are set out in the main contract. The term of this Agreement follows the term of the main contract.

(2) The nature and purpose of the intended processing of data are IT services in which access to personal data cannot be excluded.

(3) The types of personal data include master personal data such as gender, first name, surname, address, communication data (telephone, e-mail), contract data, contract billing and payment data, customer history, planning and control data, as well as inbound and outbound e-mails and other data, and IT usage data (user IDs, passwords), in each case insofar as such data may be accessed in connection with the provision of the IT service.

(4) The categories of data subjects are employees, customers, prospects, service providers, suppliers or contact persons of the Client.

(5) The Contractor shall not use the personal data that comes to its knowledge for any purpose other than the contractual purpose specified. The Contractor may anonymise data and process and use it in anonymised form for its own purposes. The parties agree that anonymised or accordingly aggregated Client data shall no longer be considered data within the meaning of this Agreement.

(6) The processing of the Client's data by the Contractor shall, as a general rule, take place within the European Union or in another contracting state of the Agreement on the European Economic Area (EEA). The Contractor is nonetheless permitted to process Client data outside the EEA in compliance with the provisions of this Agreement, provided it informs the Client in advance of the location of the data processing and the requirements of Articles 44–48 GDPR are met or an exception under Article 49 GDPR applies.

§ 2 Client's Rights to Issue Instructions

(1) Persons authorised to issue instructions on behalf of the Client are the Client itself, the Client's legal representative and the IT Manager. Instructions issued by other persons must be confirmed by the authorised persons. The Client shall confirm verbal instructions immediately by e-mail.

(2) The Contractor shall notify the Client as promptly as possible if it considers that an instruction infringes data protection regulations. The Contractor is entitled to suspend execution of the relevant instruction until it has been confirmed or amended by the Client.

(3) The Contractor shall use the data exclusively in accordance with the Client's instructions as finally expressed in the provisions of this Agreement. Individual instructions that deviate from the arrangements in this Agreement or impose additional requirements require the prior consent of the Contractor.

§ 3 Client's Obligations

(1) The Client is responsible for the lawfulness of the processing of data and for safeguarding the rights of data subjects. Should third parties assert claims against the Contractor on the basis of the processing of data, the Client shall indemnify the Contractor against all such claims upon first demand.

(2) The Client is the owner of the data and the holder of all rights that may relate to the data.

(3) The Client is responsible for making data available to the Contractor in good time for the performance of the main contract and is responsible for the accuracy of the data. The Client shall notify the Contractor immediately and fully if it identifies errors or irregularities regarding data protection provisions or its instructions when reviewing the Contractor's results.

(4) The Client shall, upon request, provide the Contractor with the information specified in Article 30(2) GDPR to the extent that such information is not already available to the Contractor.

§ 4 Quality Assurance and Other Obligations of the Contractor

In addition to complying with the provisions of this Agreement, the Contractor has statutory obligations pursuant to Articles 28 to 33 GDPR; in this regard it ensures compliance with the following requirements in particular:

a) Written appointment of a Data Protection Officer where required by law. The DPO carries out activities in accordance with Articles 38 and 39 GDPR. Current contact details will be provided upon request.

b) Maintaining confidentiality in accordance with Article 28(3)(b), Articles 29 and 32(4) GDPR. The Contractor shall only deploy employees who have been bound to confidentiality and who have previously been familiarised with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may process such data only in accordance with the Client's instructions, including the authorisations granted in this Agreement, unless they are required by law to process such data.

c) Implementation of and compliance with all technical and organisational measures required for this engagement in accordance with Article 28(3)(c) and Article 32 GDPR.

d) The Client and the Contractor shall cooperate with the supervisory authority upon request in the performance of its tasks.

e) Immediate notification of the Client of any inspections and measures taken by the supervisory authority insofar as they relate to this engagement. This also applies where a competent authority investigates the Contractor in connection with an administrative or criminal matter relating to the processing of personal data in the course of the commissioned processing.

f) Where the Client is itself subject to a supervisory authority inspection, administrative or criminal proceedings, a data subject's or third party's liability claim, or any other claim in connection with the commissioned processing at the Contractor, the Contractor shall support the Client to the best of its ability.

g) The Contractor shall regularly review internal processes and technical and organisational measures to ensure that processing within its area of responsibility complies with applicable data protection law and that the rights of data subjects are protected.

h) Demonstrability of the technical and organisational measures implemented vis-à-vis the Client within the scope of the Client's audit rights under this Agreement.

§ 5 Technical and Organisational Measures

(1) The Contractor shall document the technical and organisational measures required and presented prior to the award of the contract before processing begins, in particular with regard to the specific execution of the engagement, and shall make this documentation available to the Client for review upon request. Where a review or audit by the Client reveals a need for adjustment, this shall be implemented by mutual agreement.

(2) The Contractor shall establish security in accordance with Article 28(3)(c) and Article 32 GDPR, in particular in conjunction with Article 5(1) and (2) GDPR. The measures to be taken are measures to ensure data security and to provide a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of systems. The state of the art, the costs of implementation, the nature and purposes of the processing, and the varying likelihood and severity of risk to the rights and freedoms of natural persons within the meaning of Article 32(1) GDPR shall be taken into account.

(3) The technical and organisational measures are subject to technical progress and further development. The Contractor is therefore permitted to implement alternative adequate measures. The security level of the specified measures must not be reduced in doing so.

§ 6 Contractor's Notification Obligations in the Event of Breaches

(1) The Contractor shall assist the Client in complying with the obligations referred to in Articles 32 to 36 GDPR regarding the security of personal data, notification obligations in the event of data breaches, data protection impact assessments and prior consultations. This includes, among other things:

a) Ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing and the projected likelihood and severity of a possible infringement through security vulnerabilities, and that enable immediate identification of relevant breach events;

b) The obligation to notify the Client of any personal data breach without undue delay;

c) The obligation to support the Client in fulfilling its duty to inform data subjects and to make all relevant information available to it without undue delay;

d) Supporting the Client in carrying out data protection impact assessments;

e) Supporting the Client in connection with prior consultations with the supervisory authority.

(2) The Contractor shall, to a reasonable and necessary extent and against reimbursement of the costs and expenses it demonstrably incurs, support the Client in connection with any data protection impact assessments to be carried out by the Client and any subsequent consultations with supervisory authorities pursuant to Articles 35 and 36 GDPR.

§ 7 Client's Audit Rights

(1) The Contractor shall ensure that the Client can satisfy itself that the Contractor is complying with its obligations under Article 28 GDPR. The Client shall in principle have the right, in coordination with the Contractor, to carry out inspections or to have them carried out by auditors to be named in individual cases. The Client has the right to satisfy itself of the Contractor's compliance with this Agreement at the location of the data processing by means of spot checks, which must be notified two weeks in advance.

(2) At the Contractor's option, evidence of compliance with the technical and organisational measures may be provided, instead of an on-site inspection, by submission of a suitable, current attestation, reports or report extracts from independent bodies (e.g. auditors, internal audit, Data Protection Officer, IT security department, data protection auditors or quality auditors) or a suitable certification from an IT security or data protection audit — e.g. in accordance with BSI baseline protection — ("audit report"), provided that the audit report enables the Client to satisfy itself in an appropriate manner that the technical and organisational measures are being complied with. If the Client raises justified doubts, based on actual evidence, that these audit reports or certifications are insufficient or incorrect, or if special incidents within the meaning of Article 33(1) GDPR in connection with the Contractor's commissioned processing for the Client so justify, the Client may carry out on-site inspections.

(3) The Contractor is entitled, at its own discretion and subject to the Client's statutory obligations, to withhold information that is sensitive with regard to the Contractor's business, or where disclosure would cause the Contractor to breach statutory or other contractual obligations. The Client is not entitled to access data or information about the Contractor's other clients, information regarding costs — unless these form the basis of reimbursable or pass-through expenses — quality review and contract management reports, or any other confidential data of the Contractor that is not directly relevant to the agreed audit purposes.

(4) The Client shall notify the Contractor in good time (at least two weeks in advance) of all circumstances relating to the conduct of the inspection. As a general rule, the Client may carry out one inspection per calendar year. This does not prejudice the Client's right to carry out additional inspections in the event of special incidents.

(5) The Contractor shall receive appropriate compensation from the Client if the nature and manner of an inspection disproportionately impairs the Contractor.

(6) If the Client engages a third party to carry out the inspection, the Client shall impose on the third party the same obligations in writing as the Client owes the Contractor under this Agreement. In addition, the Client shall oblige the third party to maintain confidentiality, unless the third party is subject to a professional duty of confidentiality. Upon request by the Contractor, the Client shall immediately provide it with the obligation agreements concluded with the third party. The Client may not engage any competitor of the Contractor to carry out the inspection.

§ 8 Sub-processing

(1) Sub-processing relationships within the meaning of this provision are services that relate directly to the provision of the main service. Not included are ancillary services used by the Contractor, such as telecommunications services, postal/transport services and user services, or the disposal of data media and other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Contractor is obliged to also take appropriate and legally compliant contractual arrangements and control measures with respect to outsourced ancillary services in order to ensure the protection of the Client's data.

(2) The Contractor may only engage sub-processors (further processors) with the prior express written or documented consent of the Client. The Client consents to the engagement of the sub-processors listed in the Annex, subject to a contractual arrangement in accordance with Article 28(2)–(4) GDPR.

A change of existing sub-processors is permissible provided that:

  • the Contractor notifies the Client of such outsourcing to sub-processors in advance in writing or in text form with reasonable notice; and
  • the Client does not object in writing or in text form to the planned outsourcing before the data is transferred to the Contractor; and
  • a contractual arrangement in accordance with Article 28(2)–(4) GDPR is in place.

(3) The transfer of the Client's personal data to sub-processors and their initial activities are only permitted once all conditions for sub-processing are met. The data protection obligations under this Agreement must be passed on to all further processors.

§ 9 Rights of Data Subjects

(1) The rights of persons affected by data processing are to be asserted against the Client.

(2) Where a data subject contacts the Contractor directly regarding access, rectification, erasure or restriction of their data, the Contractor shall forward this request to the Client promptly.

(3) In the event that a data subject asserts their rights to rectification, erasure or restriction of data, or to information about the stored data, the purpose of storage, and the persons and locations to which data is regularly transferred, the Contractor shall support the Client in fulfilling these claims to a reasonable and necessary extent, provided the Client cannot fulfil the claims without the Contractor's involvement. The Contractor shall receive appropriate compensation from the Client for the effort involved in providing such assistance.

(4) The Contractor shall enable the Client to rectify, erase or restrict data, or shall carry out the rectification, restriction or erasure itself upon the Client's request, where and to the extent that this is impossible for the Client itself.

§ 10 Rectification, Restriction and Erasure of Data

(1) The Contractor may not rectify, erase or restrict the processing of data processed on a commissioned basis on its own initiative, but only upon documented instruction of the Client. Where a data subject contacts the Contractor directly in this regard, the Contractor shall forward the request to the Client without undue delay.

(2) Any deletion concept, as well as the safeguarding of the rights to erasure, rectification, data portability and access, is to be ensured directly by the Client.

§ 11 Deletion and Return of Personal Data

Upon completion of the processing services, the Contractor shall, at the Client's choice, either delete all personal data or return it to the Client, unless Union law or German law requires the storage of the personal data, or the service descriptions and the respective contractual arrangements provide otherwise.

§ 12 Relationship to the Main Contract

Where these terms contain no special provisions, the provisions of the main contract shall apply. In the event of contradictions between these terms and provisions of other agreements, in particular the main contract, the provisions of these terms shall take precedence.