1. Parties
Processor: signundsinn GmbH, Jean-Paul-Richter-Str. 3, 81369 München (provider of the Eywora platform).
Controller: The customer who has entered into a contract for the use of the Eywora platform.
2. Subject matter and duration of processing
The subject matter of the processing is the data arising in the context of the Eywora platform, in particular product and catalogue data as well as any personal data contained therein (e.g. in product descriptions, customer reviews).
The duration of the processing corresponds to the term of the main contract for the use of the Eywora platform.
3. Nature of data and categories of data subjects
Categories of data: product data, catalogue information, search-query logs (anonymised) and, where applicable, data provided by users in product reviews or search queries.
Categories of data subjects: end customers of the Controller, insofar as personal data are contained in the catalogue or log data.
Eywora does not collect any data on the Controller's end customers beyond this.
4. Controller's right to issue instructions
The Processor processes personal data exclusively on documented instructions from the Controller. Oral instructions must be confirmed in text form without undue delay.
Should the Processor consider that an instruction violates applicable data protection law, it shall inform the Controller without undue delay.
5. Technical and organisational measures (TOMs)
The Processor takes all necessary technical and organisational measures pursuant to Art. 32 GDPR. These include in particular:
- Physical access control: data centre in Germany with documented physical access control, video surveillance, multi-stage authentication.
- System access control: user management with individual accounts, password policy, 2-factor authentication for admin accounts.
- Data access control: role-based permissions, least-privilege principle, audit logs for privileged actions.
- Separation control: tenant separation at the database level, no commingling of customer data.
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest.
- Availability control: daily backups, geo-redundant mirroring within Germany, disaster-recovery plan.
- Integrity control: checksums for data integrity, signed audit logs.
- Order control: written instructions, documented processing activities.
Detailed TOM documentation is made available on request.
6. Use of sub-processors
The Processor uses sub-processors to provide its services. The Controller grants general written authorisation for this.
Current list of sub-processors (in Germany or the EU):
- Data centre operator for hosting (Germany)
- E-mail delivery service provider (EU, GDPR-compliant)
- Monitoring service for availability monitoring (EU)
Changes to this list will be communicated to the Controller in text form at least 30 days before they take effect. The Controller may object within 14 days.
7. Support with data subject rights
The Processor supports the Controller in fulfilling the rights of data subjects (Art. 12-22 GDPR), in particular access, rectification, erasure and data portability. Requests are generally processed within 5 business days.
8. Notification of data breaches
In the event of a personal data breach, the Processor notifies the Controller without undue delay, and at the latest within 24 hours of becoming aware. The notification contains all information the Controller needs to make its own notification to the supervisory authority.
9. Audits and evidence
The Processor enables the Controller to verify compliance with the agreed measures. This may take place by:
- Submission of current certificates (e.g. ISO 27001)
- Written information on technical and organisational measures
- On-site audit upon prior notification with a reasonable notice period
10. Termination and return of data
Upon termination of the main contract, all data held by the Processor will be deleted in full within 30 days or, at the Controller's request, returned in a structured, machine-readable format.
Deletion is confirmed in writing upon request.
11. Liability
The parties are liable in accordance with the requirements of Art. 82 GDPR. Internally, the liability provisions of the main contract apply.
12. Final provisions
This DPA forms part of the main contract for the use of the Eywora platform. In the event of conflicts between this DPA and the main contract, the provisions of this DPA take precedence on matters of data protection.
Amendments and supplements must be in writing. The law of the Federal Republic of Germany applies.
Do you need the DPA signed? We will make the DPA available to you as a signable PDF on request. Write to kontakt@signundsinn.de.