Data Processing Agreement (DPA)

Template pursuant to Art. 28 GDPR
Data Processor: Robert Strecher / RSTCode, Hitzendorf, Styria, Austria
Last Updated: March 2024

Note: This DPA is a template. Please fill in the fields marked with [PLACEHOLDER] and sign the document. Send a signed copy to kontakt@rstcode.at.

Parties

Data Processor (DP):
Robert Strecher / RSTCode
Hitzendorf, Styria, Austria
Email: kontakt@rstcode.at
(hereinafter "Data Processor")

Controller (C):

Please fill in:
Company name: _______________________________________________
Address: ___________________________________________________
Represented by: ___________________________________________
Email: ____________________________________________________
(hereinafter "Controller")

Art. 1 – Subject Matter and Duration

This agreement governs the rights and obligations of the Controller and the Data Processor in connection with the processing of personal data within the scope of providing the AI Chat Widget as a SaaS service (main contract: Terms of Service between the parties).

This DPA runs parallel to the main contract (Terms of Service) and expires automatically upon its termination.

Art. 2 – Nature and Purpose of Processing

The Data Processor processes the following data on behalf of the Controller:

| Category | Type of Data | Purpose |
|---|---|---|
| Chat metadata | Session IDs, timestamps, message length (without content) | Operation and statistics of the chat widget |
| Chat content | Text of user messages (only for live transmission to AI API) | AI-powered responses to inquiries |
| Uploaded documents | Documents uploaded by the Controller to the admin panel | Knowledge base for the AI agent |

Data subjects: Visitors of the Controller's website(s) who use the chat widget.

Art. 3 – Instructions

The Data Processor processes personal data exclusively according to the Controller's documented instructions. The Terms of Service and this DPA constitute the documented instructions.

If the Data Processor believes that an instruction violates the GDPR or other data protection regulations, it shall immediately inform the Controller. In this case, the Data Processor is entitled to suspend the execution of the relevant instruction until clarification.

Art. 4 – Confidentiality

The Data Processor ensures that all persons involved in the processing have been bound to confidentiality or are subject to appropriate statutory obligations of secrecy.

Art. 5 – Technical and Organizational Measures (TOMs)

The Data Processor implements the following measures pursuant to Art. 32 GDPR:

Art. 6 – Sub-Processors

The Data Processor may engage the following sub-processors:

| Sub-Processor | Location | Service | Safeguard |
|---|---|---|---|
| ALL-INKL.COM neue Medien Münnich | Germany (EU) | Web hosting, data storage | DPA, EU hosting |
| Anthropic PBC | San Francisco, USA | AI processing (Claude API) | Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR |

The Controller hereby consents to the engagement of the above sub-processors. In the event of planned changes or additions to sub-processors, the Controller will be notified with 14 days' notice and has the right to object.

Art. 7 – Assistance to the Controller

The Data Processor assists the Controller in fulfilling its obligations towards data subjects (access, deletion, rectification, restriction) as far as possible, in particular by:

Art. 8 – Notification of Data Breaches

The Data Processor shall notify the Controller of personal data breaches immediately, within 24 hours of becoming aware.

The notification shall be by email and contain at least:

Note for the Controller: The Controller is obligated to report data breaches within 72 hours to the competent supervisory authority (DSB Austria: dsb.gv.at).

Art. 9 – Deletion and Return After Contract Termination

After termination of the main contract, all personal data of the Controller will be irreversibly deleted within 30 days, unless statutory retention obligations exist.

The Controller may request a complete data backup prior to termination.

The Data Processor will confirm deletion in writing upon request.

Art. 10 – Audit Rights

The Controller has the right to verify the Data Processor's compliance with data protection requirements and this DPA. Audits must be announced with 14 days' notice and conducted during normal business hours.

Art. 11 – Final Provisions

Amendments and supplements to this DPA require written form. Austrian law applies.

Signatures

Both parties declare that they have read and understood this DPA and agree to its content.

Data Processor

Robert Strecher / RSTCode
Hitzendorf, Styria, Austria

Location, Date: ___________________

Controller

Company name: _______________
Location, Date: _______________