pursuant to Art. 28 (3) General Data Protection Regulation (GDPR)
Version 1.0; October 10th, 2025
1. Subject Matter and Duration of Processing
1.1 The subject matter of this Agreement is the rights and obligations of the Parties within the scope of the performance of services pursuant to the Service Description and General Terms and Conditions (hereinafter “Main Agreement”), insofar as the processing of personal data by cherryware GmbH (hereinafter “Processor”) as processor for the customer as controller (hereinafter “Controller”) pursuant to Art. 28 GDPR is concerned. This includes all activities performed by the Processor in fulfillment of the Agreement that constitute processing of personal data. This also applies if the Agreement does not expressly refer to this Data Processing Agreement.
1.2 The duration of processing is determined by the actual processing of the Controller’s personal data by the Processor.
1.3 The Processor is prohibited from any processing that deviates from or exceeds the provisions of this Agreement. This also applies to the use of anonymized data.

2. Nature and Purpose of Processing
2.1 The nature of processing includes all types of processing within the meaning of the GDPR necessary for the performance of the Main Agreement.
2.2 The purposes of processing are all purposes required to provide the contractual services (see also the Terms and Conditions), in particular in the areas of cloud services, hosting, Software as a Service (SaaS), and IT support.

3. Categories of Personal Data and Data Subjects
3.1 The categories of data processed are determined by the Controller through the choice of product, configuration, use of the services, and transmission of data. See Annex 1.
3.2 The categories of data subjects are determined by the Controller through the choice of product, configuration, use of the services, and transmission of data. See Annex 1.

4. Responsibility and Processing on Documented Instructions
4.1 The Controller shall be solely responsible under this Agreement for compliance with the statutory provisions of data protection law, in particular for the lawfulness of the disclosure of the data to the Processor and the lawfulness of the processing of the data (the “Controller” within the meaning of Art. 4 (7) GDPR). This also applies to the purposes and means of processing governed by this Agreement.
4.2 The scope and limits of the processing of personal data are defined by the Main Agreement. The Controller determines, through its use of the services and the nature of the data it enters, which personal data are processed and for which purposes (e.g., team planning / collaboration, resource scheduling, project management). The Processor provides the agreed services as standardized software and infrastructure, including the necessary technical and organizational measures. Individual instructions outside the scope of the Main Agreement are not foreseen and shall not be implemented, unless expressly agreed in a written contractual agreement duly signed by both Parties.
4.3 The contractually agreed persistent storage of data shall take place in a Member State of the European Union or in another state party to the Agreement on the European Economic Area. To provide high availability and performance of the services from various global regions, worldwide network infrastructure (e.g. cloud routing nodes) is being used, which can involve processing of data outside the EU/EEA, depending on the geographical location of the service request. In such cases, the Processor shall ensure compliance with the requirements of Art. 44 et seq. GDPR, in particular by relying on adequacy decisions of the European Commission or appropriate safeguards such as Standard Contractual Clauses.
4.4 If the Processor considers that an instruction of the Controller obviously infringes data protection law, the Processor shall immediately notify the Controller thereof. The Processor shall be entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Controller.

5. Rights of the Controller / Information and Assistance Obligations of the Processor
5.1 The Processor may process personal data of data subjects only on the basis of documented instructions from the Controller (see 4.2). The instructions are defined at the beginning by the Agreement. No binding to instructions applies where an exception under Art. 28 (3) (a) GDPR exists (obligation under Union or Member State law). This also applies to transfers of personal data to third countries or international organizations. Where processing is required contrary to an instruction, the Processor shall inform the Controller of that legal requirement prior to processing, unless the law prohibits such information on important grounds of public interest. The Processor shall notify the Controller without undue delay if it considers that an instruction infringes applicable law. The Processor may suspend execution until the instruction is confirmed or amended by the Controller. The Controller shall document the instructions and retain them for at least the duration of the contractual relationship.
5.2 Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the data subject’s rights under Chapter III GDPR. The Processor shall be entitled to charge reasonable fees for such assistance, unless the support became necessary due to a breach of law or contract by the Processor. The Processor will provide a cost estimate in advance.
5.3 Taking into account the nature of the processing and the information available to it, the Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR.
5.4 The Processor shall ensure that employees and other persons acting for the Processor who are involved in processing the Controller’s data are prohibited from processing the data outside the scope of instructions. The Processor further ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of secrecy. The obligation of confidentiality shall survive the termination of the contract.
5.5 The Processor shall notify the Controller without undue delay, but no later than within 72 hours, if it becomes aware of a personal data breach concerning the Controller’s personal data. Notifications shall contain at least the information specified in Art. 33 (3) GDPR.
5.6 Upon completion of the provision of processing services, the Processor shall, at the choice of the Controller, either delete all personal data or return them to the Controller, unless Union law or the law of a Member State requires storage of the personal data. If the Controller does not exercise this choice, deletion shall be deemed agreed. If the Controller chooses return, the Processor may charge reasonable fees. The Processor will provide a cost estimate in advance.
5.7 Where data subjects assert claims for damages under Art. 82 GDPR, the Processor shall support the Controller in defending such claims to the extent possible. The Processor may charge reasonable fees unless the claims result from a breach of law or contract by the Processor.

6. Obligations of the Controller
6.1 The Controller shall inform the Processor without undue delay and in full if it detects errors or irregularities in the performance of the contract with regard to data protection provisions.
6.2 In the event of termination, the Controller undertakes to delete those personal data stored in the services prior to termination of the Agreement.
6.3 At the request of the Processor, the Controller shall designate a contact person for data protection matters.

7. Requests from Data Subjects
The Processor shall notify the Controller without undue delay of any request received from a data subject. The Processor shall not respond to the request itself unless it has been authorized to do so by the Controller. Taking into account the nature of the processing, the Processor shall assist the Controller in fulfilling the Controller’s obligation to respond to data subject requests. In fulfilling its obligations, the Processor shall follow the instructions of the Controller. The Processor shall not be liable if the request of a data subject is not answered, is answered incorrectly, or is not answered in time by the Controller.

8. Security of Processing pursuant to Art. 32 GDPR
8.1 The Processor shall implement appropriate technical and organizational measures within its area of responsibility to ensure that processing is carried out in accordance with the GDPR and to protect the rights and freedoms of data subjects. The Controller shall implement appropriate technical and organizational measures within its area of responsibility pursuant to Art. 32 GDPR to ensure the confidentiality, integrity, availability, and resilience of systems and services in connection with the processing on an ongoing basis.
8.2 The current technical and organizational measures of the Processor are set out in Annex 2.
8.3 The Processor shall operate a procedure for the regular review of the effectiveness of the technical and organizational measures to ensure the security of processing pursuant to Art. 32 (1) (d) GDPR.
8.4 The Processor shall adapt the measures over time to technical developments and risk situations.
Changes to the measures remain reserved, provided that the level of protection pursuant to Art. 32 GDPR is not reduced.

9. Evidence and Audit
9.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR. The Controller shall be entitled to conduct audits only on the basis of concrete indications or particular incidents within the meaning of Art. 33 (1) GDPR.
9.2 As evidence of compliance with the obligations laid down in Art. 28 GDPR, the Processor may in particular provide certifications or other appropriate evidence (e.g., documentation of technical and organizational measures, audit reports, or security concepts).
9.3 Where the Controller presents concrete indications giving rise to reasonable doubts that the aforementioned certification is sufficient or accurate, or where particular incidents under Art. 33 (1) GDPR in connection with the performance of data processing for the Controller justify this, the Controller may carry out inspections. Such inspections shall generally be conducted by way of remote audits (e.g., review of documentation). On-site inspections are only permissible if the Processor operates business premises that are suitable for such inspection; audits shall in any case be carried out during normal business hours without undue disruption of business operations, generally after prior written notice of at least 30 days. The purpose of the inspection right is to verify compliance with the obligations incumbent upon a processor under the GDPR and this Agreement. The Processor shall actively cooperate.
9.4 The Processor may charge reasonable fees for information and assistance, unless the audit was necessary due to a breach of law or contract by the Processor. The Processor will provide a cost estimate in advance.

10. Sub-processors
10.1 The Controller grants the Processor general authorization to engage further processors within the meaning of Art. 28 GDPR to fulfill the contract.
10.2 The sub-processors currently engaged are listed in Annex 3. The Controller consents to their use.
10.3 The Processor shall inform the Controller through the published list in Annex 3 if it intends to add or replace sub-processors. The Controller may object to such changes.
10.4 Objections may only be raised for justified reasons within 30 days after publication of the information. In case of objection, the Processor may, at its discretion, provide the services without the intended change or – if provision without the intended change is not feasible – discontinue the affected services within a reasonable period (at least 14 days) after receipt of the objection. Upon discontinuation of the services by the Processor, the Controller’s payment obligation shall cease.
10.5 Where the Processor engages sub-processors, the Processor shall impose on them the same data protection obligations as set out in this Agreement. The Processor shall in particular ensure by regular reviews that sub-processors comply with the agreed technical and organizational measures.
10.6 The Processor shall ensure that sub-processors are bound by the same data protection obligations as set out in this Agreement.

11. Liability and Damages
11.1 In the event of claims for damages by a data subject pursuant to Art. 82 GDPR, the Parties undertake to support each other and contribute to clarifying the underlying facts.
11.2 The liability provisions agreed between the Parties in the Main Agreement shall also apply to claims under this Data Processing Agreement and, in the internal relationship between the Parties, to claims of third parties under Art. 82 GDPR, unless expressly agreed otherwise.
11.3 The Parties shall indemnify each other where one Party proves that it is not in any way responsible for the circumstance that caused the damage to a data subject.
This shall also apply in the event of a fine imposed on one Party, with indemnification in proportion to the share of responsibility of the other Party for the infringement sanctioned by the fine.

12. Term / Amendment
12.1 This Agreement shall commence upon the Controller’s acceptance and shall remain in force for the term of the underlying Terms and Conditions governing the Controller’s use of the Processor’s software (including both free and paid versions). It shall automatically terminate upon termination or expiry of the Terms and Conditions, unless and until any processing of personal data on behalf of the Controller continues, in which case this Agreement shall apply until such processing has fully ceased.
12.2 The Processor may amend this Agreement at its reasonable discretion with appropriate notice. In particular, the Processor expressly reserves the right to unilaterally amend this Agreement where material legal changes relating to this Agreement occur. The Processor shall notify the Controller separately of the significance of the intended amendment and shall also grant the Controller a reasonable period to object. The Processor shall inform the Controller in the amendment notice that the amendment will take effect unless the Controller objects within the period. In the event of objection, the Processor shall have an extraordinary right of termination.
12.3 Upon renewal of the Controller’s subscription or annual license, the then-current version of this Data Processing Agreement as published by the Processor shall automatically apply, unless otherwise agreed in writing. The Processor shall make the current version of this Agreement available at all times via its website.

13. Miscellaneous
13.1 Should any provision of this Agreement be invalid, the validity of the remainder of the Agreement shall remain unaffected.
13.2 The exclusive place of jurisdiction for all disputes arising from or in connection with this Agreement shall be the registered office of the Processor, subject to any mandatory statutory jurisdiction. This Agreement is governed by the laws of the Federal Republic of Germany.
13.3 If the Controller’s data at the Processor is endangered by seizure, attachment, insolvency or composition proceedings, or by other events or measures of third parties, the Processor shall inform the Controller thereof without undue delay. The Processor shall notify all relevant parties without undue delay that the sovereignty and ownership of the data lie exclusively with the Controller as the “Controller” within the meaning of the GDPR.