Data Processing Agreement (DPA)

for the use of the cloud service “PortiQ start” pursuant to Art. 28 GDPR

This agreement applies to all customers who register, test, or purchase PortiQ start via the online ordering process, including free trial use or a free trial month, unless an individual framework agreement or individual DPA has been expressly agreed between the parties in written or text form.

Parties

Controller: the customer who uses PortiQ start (hereinafter the “Controller”) – identified with their data in the online ordering process or in the customer account.

Processor: SecCommerce Informationssysteme GmbH, Otto-Wels-Straße 49, 22297 Hamburg – Germany (hereinafter “SecCommerce” or the “Processor”).

Preamble

The parties have concluded an agreement for the provision of services by the Processor. In providing its services, the Processor processes personal data on behalf of the Controller; at the very least, this cannot be ruled out. With this data processing agreement, the parties wish to establish the legal basis for the data processing by the Processor and, in particular, to specify the obligations of the Processor in this connection.

§ 1 Subject Matter of the Contract

1.1 There is a contract between the parties for the use of the cloud service PortiQ start (hereinafter the “Service Agreement”).

1.2 In the course of performing the Service Agreement, the Processor processes personal data for the Controller. This constitutes processing on behalf of the Controller pursuant to Art. 28 GDPR.

1.3 The nature of the data processing, the type of personal data concerned, and the categories of data subjects are set out in Appendix A. That appendix also contains information on the subject matter of the engagement and on the purpose of the processing.

1.4 The further details of the rights and obligations of both parties within the scope of processing on behalf of the Controller are governed by this contract.

1.5 Free trial month: The free trial use of PortiQ start within the scope of a free trial month also qualifies as a Service Agreement within the meaning of this DPA, insofar as the Provider processes personal data on behalf of the customer in this context.

§ 2 Definitions

2.1 The General Data Protection Regulation (“GDPR”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, including the corrigenda to the General Data Protection Regulation published by the EU on 19 April 2018. For terms used for which Art. 4 GDPR provides a definition, that statutory definition applies in the version in force at the time the contract is concluded.

2.2 Particularly sensitive personal data are, on the one hand, special categories of personal data pursuant to Art. 9 GDPR revealing the racial and ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of data subjects, genetic data pursuant to Art. 4(13) GDPR, biometric data pursuant to Art. 4(14) GDPR, health data pursuant to Art. 4(15) GDPR, as well as data concerning the sex life or sexual orientation of a natural person. Also included are personal data pursuant to Art. 10 GDPR relating to criminal convictions and offenses or related security measures.

§ 3 Rights, Obligations, and Instruction Authority of the Controller

3.1 The controller for the data processing is responsible for assessing the lawfulness of the processing, in particular pursuant to Art. 6(1) GDPR, as well as for safeguarding the rights of data subjects under Art. 12 to 22 GDPR. Nevertheless, the Processor is obliged to forward to the Controller without undue delay all requests, insofar as they are evidently addressed exclusively to the Controller or concern a data protection obligation of the Controller.

3.2 Changes to the subject matter of the processing and changes to the processing procedures are to be agreed jointly between the Controller and the Processor and laid down in writing or in a documented electronic format (for example, e-mail), taking into account the Service Agreement.

3.3 The Controller issues all orders, partial orders, and instructions in writing or in a documented electronic format. Oral instructions are valid; the Controller will endeavor to confirm them within a reasonable period in writing or in a documented electronic format.

3.4 The Controller is entitled to satisfy itself, in an appropriate manner, of the Processor’s compliance with the technical and organizational measures in place and with the obligations laid down in this contract, before the commencement of the Processor’s activity and thereafter at regular intervals. The Processor will cooperate with audits to the extent necessary. The Processor also agrees that the Controller may commission third parties to carry out audits.

3.5 The Controller will endeavor to inform the Processor within a reasonable time if it identifies errors or irregularities in any review of the processing results.

§ 4 Persons Authorized to Issue / Receive Instructions; Breach of Statutory Provisions

4.1 The persons authorized to issue instructions on behalf of the Controller are the authorized representatives of the Controller stored in the online ordering process or in the customer account.

4.2 Recipient of instructions at the Processor: Falk Goossens; telephone: +49 (40) 53052-0; e-mail: datenschutz@seccommerce.com.

4.3 In the event of a change or longer-term unavailability of the persons authorized to issue instructions, the successors or representatives shall be communicated to the other party without undue delay and in writing or in a documented electronic format.

4.4 The Processor will immediately inform the Controller if, in its opinion, an instruction issued by the Controller violates statutory provisions (Art. 28(3) sentence 3 GDPR). The Processor is entitled to suspend the implementation of the relevant instruction until the validity of the instruction is confirmed or the instruction is amended by the Controller.

§ 5 Obligations of the Processor

5.1 The Processor processes personal data exclusively within the scope of the contractual agreements made and in accordance with the Controller’s instructions, unless it is required to carry out other processing by Union law or by the law of its home country (for example, in the case of investigations by law enforcement or state security authorities); in such a case, the Processor informs the Controller of these legal requirements before processing, unless that law prohibits such information on important grounds of public interest (Art. 28(3) sentence 2 lit. a GDPR).

5.2 The Processor does not use the personal data made available for processing for any other purposes, in particular not for its own purposes. Copies or duplicates of the personal data are not created without the Controller’s knowledge, unless this is necessary for the provision of the Processor’s services under the Service Agreement.

5.3 The Processor warrants that the data processed for the Controller are kept strictly separate from other data sets. This also applies to the receipt and dispatch of data, including on data carriers.

5.4 The Processor shall cooperate to the extent necessary and shall, as far as possible, appropriately support the Controller in fulfilling the rights of data subjects under Art. 12 to 22 GDPR, in maintaining the records of processing activities pursuant to Art. 30 GDPR, in any data protection impact assessments of the Controller that may be required pursuant to Art. 35 GDPR, and in complying with the Controller’s obligations referred to in Articles 32 and 36 GDPR (Art. 28(3) sentence 2 lit. e and f GDPR). The Processor shall, upon request, forward the information required for this purpose without undue delay to the Controller’s person authorized to issue instructions pursuant to § 4.1 of this contract.

5.5 The Processor may provide information about personal data from the processing relationship to third parties or to the data subject only on prior instruction or with the consent of the Controller. This applies accordingly to any exercise of data subjects’ rights at the Processor, for example the rectification and erasure of data.

5.6 The Processor shall inform the Controller without undue delay, in writing or in electronically documented form, of disruptions, breaches by the Processor or by persons employed by it of data protection provisions of the relevant laws, of this contract, or of the Service Agreement, as well as of any mere suspicion of such breaches. This applies in particular with regard to any notification and communication obligations of the Controller pursuant to Art. 33 and Art. 34 GDPR. The Processor warrants that it will, where necessary, support the Controller without undue delay and to a reasonable extent in fulfilling its obligations pursuant to Art. 33 and Art. 34 GDPR (Art. 28(3) sentence 2 lit. f GDPR). The Processor may carry out notifications pursuant to Art. 33 or Art. 34 GDPR for the Controller only on prior instruction from a person authorized to issue instructions pursuant to § 4 of this contract.

§ 6 Further Data Protection Measures at the Processor, Home Office

6.1 The following data protection officer has been appointed at the Processor: Falk Goossens; telephone: +49 (40) 53052-0; e-mail: datenschutz@seccommerce.com. A change of the data protection officer is to be communicated to the Controller without undue delay.

6.2 The Processor maintains a record of processing activities pursuant to Art. 30(2) GDPR.

6.3 The Processor confirms that it is aware of the data protection provisions of the GDPR and the BDSG [German Federal Data Protection Act] relevant to the processing on behalf of the Controller.

6.4 Processing of personal data outside the Processor’s business premises (standard mobile workplaces, e.g., teleworking, working from home, home office, mobile working) is consented to under the following conditions:

  • The standard mobile workplaces are operated within the scope of a data protection concept internally approved by the Processor. The Processor’s employees are equipped with both technical equipment and corresponding instructions for action.
  • No local processing of data takes place on the workstation PC outside the business premises.
  • Access to the Processor’s administration environment takes place securely via VPN and similar means. Access to and processing of personal data take place within the scope of and under the instructions of the Controller or the controller.

In the processing of personal data whose protection requirement is classified as correspondingly high in line with the Standard Data Protection Model or BSI IT-Grundschutz, teleworking and mobile working are not permitted. The processing on behalf of the Controller is carried out, in principle, within the European Union or within the European Economic Area pursuant to § 7 of this agreement. This includes (remote) maintenance and other remote access within the scope of the processing on behalf of the Controller.

6.5 The Processor warrants that, before commencing their activity, it has familiarized the employees engaged in carrying out data processing under the Service Agreement and under this contract with the data protection provisions relevant to them and has appropriately bound them to confidentiality for the duration of their activity and after the termination of the employment relationship (Art. 28(3) sentence 2 lit. b and Art. 29 GDPR). The Processor monitors compliance with the data protection provisions within its area of responsibility.

6.6 The Processor warrants that it will cooperate with the supervisory authority at all times, insofar as this is part of performing the Service Agreement or this contract.

§ 7 Data Processing Inside and Outside the European Union / the European Economic Area

7.1 The data processing in accordance with the Service Agreement and this contract is carried out exclusively in a Member State of the European Union or in a contracting state of the Agreement on the European Economic Area.

7.2 Any relocation of processing operations or of partial work relating thereto to a third country may only take place if the special requirements of Art. 44 et seq. GDPR are met (for example, an adequacy decision of the European Commission, standard data protection clauses, or approved codes of conduct, etc.) and the Controller’s prior consent in written or electronically documented form is available.

7.3 If the current standard contractual clauses of the EU Commission – cf. Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 – are provided as the transfer instrument for the transfer of personal data to an insecure third country, these are to be attached by the Processor as a further appendix to this agreement if it exports the personal data. The Processor determines the respective module as well as any further additional measures intended to ensure an adequate level of data protection and coordinates these with the Controller.

7.4 The Processor provides the Controller without undue delay with all necessary information so that the Controller or the controller for the processing of personal data can review the lawfulness of the transfer of personal data to an insecure third country.

§ 8 Sub-processing Relationships

(1) The engagement of sub-contractors as further processors is only permitted if the Controller has consented in advance.

(2) A sub-contracting relationship requiring consent exists where the Processor engages further processors with all or part of the service agreed in the contract. The Processor will conclude agreements with these third parties to the extent necessary in order to ensure appropriate data protection and information security measures. The Controller consents to the Processor engaging sub-processors. Before engaging or replacing sub-processors, the Processor informs the Controller. The Controller may object to the change within a reasonable period, for good cause, vis-à-vis the office designated by the Controller. If no objection is made within the period, consent to the change is deemed to have been given. If there is an important data protection ground, and insofar as a mutually agreeable solution between the parties is not possible, the Controller is granted a special right of termination.

(3) If the Processor places orders with sub-contractors, it is incumbent on the Processor to transfer its data protection obligations under this contract to the sub-contractor.

§ 9 Technical and Organizational Measures pursuant to Art. 32 GDPR

9.1 The Processor ensures a level of protection appropriate to the data processing under the Service Agreement in accordance with Art. 32(1) GDPR, cf. Art. 28(3) sentence 2 lit. c GDPR. The specific technical and organizational measures are set out in Appendix C to this contract.

9.2 The Processor warrants that the measures recorded in Appendix C are appropriate and effective and are maintained at all times. Changes to these measures constitute an amendment to this contract and are only permissible in compliance with the corresponding requirements.

9.3 The measures are to be adapted during the term of this contract to the applicable legal requirements and the state of the art. The Processor updates Appendix C accordingly and thereby communicates the changes to the Controller.

§ 10 Liability of the Processor

The Controller and the Processor are liable to data subjects in accordance with the provision set out in Art. 82 GDPR.

§ 11 Duration and Termination of this Contract

11.1 The term of this contract is determined by the term of the Service Agreement.

11.2 Duration in the case of a free trial month: In the case of a free trial month, this DPA begins with the provision of the trial account and ends upon termination of the trial month, unless a separate paid contract for the continued use of PortiQ start is concluded. If use is converted into a paid contract by separate order, this DPA continues to apply without interruption for the remaining term of the Service Agreement.

§ 12 Data Deletion

The Processor deletes all personal data stored by the Controller no later than 12 months after the end of the contract, unless statutory retention periods exist. The Controller has the option to delete data independently at any time beforehand.

§ 13 Final Provisions

13.1 Amendments and supplements to this contract and its appendices must be made in writing. This also applies to the waiver of this written form requirement.

13.2 The place of jurisdiction for all disputes between the parties arising from or in connection with this contract is Hamburg.

13.3 Should individual provisions of this contract be or become invalid or unenforceable, the validity of the remaining provisions shall not be affected thereby. The invalid or unenforceable provision shall be replaced by the valid and enforceable provision that comes closest to the data protection and economic purpose pursued by this agreement. The foregoing provisions apply accordingly in the event that this contract proves to be incomplete.


Appendix A – Categories of Data and Data Subjects

Subject Matter of the Engagement

The Processor operates a signature solution as Software as a Service. The signature solution is an application with which, in conjunction with the trust services of D-Trust, digital signatures and seals can be made available within the scope of a workflow or also directly.

Nature and Purpose of the Processing

Purpose of the processing:

  • Operation and administration of the signature server (in particular user management, updates & upgrades, and organization of hosting in the external data center), which is operated for several end customers of D-Trust.
  • Technical separation of the individual end-customer views of D-Trust (tenant separation).
  • Dispatch of one-time login codes (OTP) via websms, insofar as SMS-TOTP is used.
  • Support for users of the Controller and users of end customers of the Controller.
  • Billing to the Controller.
  • Setup, provision, administration, and termination of trial accounts within the scope of a free trial month.

Data Subjects

  • Users and former users of the Controller and of end customers of the Controller who are or were users of the signature server.
  • Technical contacts and users of the Controller and its end customers in support cases.
  • Third parties whose data are contained in the data to be signed or on the documents to be signed.

Type of Data Processed

The data processed are those that the Controller or end customers of the Controller make available to the Processor for the operation and administration of the signature server and in the respective support case. The Controller or the Controller’s end customers and the Processor coordinate in each case which data are necessary for this and limit themselves to what is necessary to solve the specific problem. These may include, among others:

  • Certificate data
  • Contact information (e-mail, telephone)
  • Log files
  • Status information by e-mail
  • IP address of the client
  • Exceptionally, where the problem cannot be reproduced by the Processor in any other way: data to be signed
  • Signing authorizations
  • Roles
  • Organizational affiliations

Processing of Particularly Sensitive Personal Data

The data processed are those that the Controller or the Controller’s end customers or their users upload in the website provided by the signature server. The Controller or the Controller’s end customers alone decide in each case what type of data is involved.


Appendix B – List of Engaged Sub-processors

Within the scope of the data processing agreement, the Processor uses the following sub-contractors / sub-processors to fulfill its obligations:

  • ScaleUp Technologies GmbH & Co. KG, Süderstr. 198, 20537 Hamburg – Partial service: data center – Place of performance: Hamburg / Berlin.
  • IONOS SE, Elgendorfer Str. 57, 56410 Montabaur – Partial service: data center – Place of performance: Berlin / Frankfurt.
  • LINK Mobility Austria GmbH, Brauquartier 5/13, 8055 Graz, Austria – Partial service: dispatch of one-time login codes (OTP) via SMS through the provider websms – Place of performance: EU / EEA.

Appendix C1 (SecCommerce) – Technical and Organizational Measures

pursuant to Art. 32, 28(3) sentence 2 lit. c GDPR – user management, updates, and upgrades by SecCommerce.

§ 1 Confidentiality (Art. 32(1) lit. b GDPR)

1.1 Physical Access Control

  • Keys to the office only for employees of SecCommerce Informationssysteme GmbH.
  • Keys to server rooms only for those employees who require access.
  • Alarm system.
  • Logging and escorting of visitors.

1.2 System Access Control

  • Employees’ computers have a secure password.
  • Employees install security updates without undue delay.
  • Employees’ computers lock automatically on inactivity.
  • Source code is stored on the employees’ computers on an encrypted partition.
  • Login to servers encrypted with SSH and only for those employees who require access.
  • Security lock for the office door.
  • Use of two-factor authentication for some systems.
  • Use of firewalls.

1.3 Data Access Control

  • Access to all systems is granted only to those employees who require it.
  • On the systems, access rights are assigned for user groups, so that only those employees who require access to certain data receive it.
  • Limitation of the number of system administrators to a necessary minimum.

1.4 Separation Control

  • Separation between development, test, and production systems.
  • A test system is available for every production system.
  • Where possible, developers use test data and not real data from production customer systems for tests. Should real customer data be required in exceptional cases, these are stored separately from the test data and deleted after the test.

§ 2 Integrity (Art. 32(1) lit. b GDPR)

2.1 Transfer Control

  • Data are transmitted only in encrypted form, e.g., via SSH or in S/MIME-encrypted e-mails.
  • Data are passed on only to authorized third parties (authorities) within the framework of statutory requirements.

2.2 Input Control

  • Logging by means of access logs.
  • Traceability of input, modification, and deletion of data through individual user names.

§ 3 Availability and Resilience; Data Protection Management

3.1 Availability Control

  • Daily backups of all relevant servers.
  • Regular testing of data recovery.
  • Use of firewalls.
  • Smoke detectors.
  • Fire extinguishers in server rooms.

3.2 Procedure for Review, Assessment, and Evaluation of Effectiveness

  • Processing on behalf of a controller within the meaning of Art. 28 GDPR is, as a rule, handled or commissioned within a corresponding contractual basis. The contractual basis contains provisions on the audit options of the distribution partner.

§ 4 Engagement Control

  • Data processing agreement with suppliers, including the group of persons authorized to issue and receive instructions.
  • Written instructions.

Appendix C2 (IONOS) – Technical and Organizational Measures

pursuant to Art. 32, 28(3) sentence 2 lit. c GDPR – hosting by sub-contractor “IONOS SE” (external data center).

The technical and organizational measures can be retrieved here: IONOS – Technical and Organizational Measures (TOM).


Appendix C3 (ScaleUp) – Technical and Organizational Measures

pursuant to Art. 32, 28(3) sentence 2 lit. c GDPR – hosting by sub-contractor “ScaleUp” (external data center).

§ 1 Confidentiality (Art. 32(1) lit. b GDPR)

1.1 Physical Access Control

  • The data centers are divided into different security zones – beginning with the lowest security zone (outdoor areas, parking lot, reception area) with the largest number of persons authorized to enter, up to the highest security zone (utility rooms for power supply and telecommunications connections, colocation area) with the smallest number of persons authorized to enter.
  • At significant access doors, electronic card readers, PIN input devices, or biometric recognition systems are installed, at which the persons authorized to enter must legitimize themselves with their personal identification token.
  • Access is monitored by central security control centers – for the purpose of alarm verification, initiation and execution of intervention measures, and storage and logging of all security-relevant events.
  • The access doors have integrated electrical, fail-safe locking in compliance with applicable escape route regulations. In an emergency or hazardous situation, exit via the panic-bar functions is possible at all times; in doing so, alarm messages are triggered, visualized, and recorded.
  • Security-relevant messages, alarm events, and incidents can be reported, visualized, recorded, and stored (complete documentation and subsequent verification).
  • Persons authorized to enter (customers, suppliers, employees) can only enter the rooms for which they have a personally stored access profile; sub-areas and individual server cabinets are additionally secured.
  • External persons without permanent access authorization generally have no access, unless they have been legitimized on a one-time basis for a special reason (e.g., maintenance work, audit, accompanied tour).
  • Access may be made dependent on the presentation of a valid official proof of identity (identity card, passport, driver’s license).

1.2 System Access Control

  • Access to technical systems and applications is secured by individual user names and passwords. SSH keys are used for administrator access to server systems.
  • The approval of user accounts and SSH keys is carried out by the management, with subsequent release by the Chief Operations Officer (COO).

1.3 Data Access Control

  • Access authorizations are granted using a role-based authorization system according to the “need-to-know” and “need-to-do” principle. Access is logged using the means of the respective application.

1.4 Separation Control

  • Use of dedicated servers and/or virtualization to separate systems and applications of different engagements.
  • Use of a dedicated and/or virtualized storage solution for the physical and/or logical separation of data sets of different engagements.
  • Depending on the engagement, systems and applications are designed for purpose-bound, tenant-separated processing; separate test and production systems are possible.
  • The exact configuration is determined by the Controller on a case-by-case basis.

§ 2 Integrity (Art. 32(1) lit. b GDPR)

2.1 Transfer Control

  • Depending on the engagement, access takes place via encrypted data connections or by means of Virtual Private Networks (VPN). Different technical implementations in line with the state of the art are used, such as AES-256 encryption, the use of certificates, and similar.
  • The exact configuration is determined by the Controller on a case-by-case basis.

2.2 Input Control

  • Inputs, changes, and deletions are logged using the means of the respective application. The logs are archived depending on their content and/or statutory provisions, or deleted after the purpose has been fulfilled.

§ 3 Availability and Resilience; Data Protection Management

3.1 Availability Control

  • The data centers are equipped with redundant UPS systems and diesel generators, whose operational readiness is ensured by recurring monthly tests.
  • Systems and applications are protected by multi-level physical and technical measures against accidental or malicious destruction or loss; additional protection by, among others, firewalls, backup, antivirus, and antispam software.
  • Depending on the engagement, distributed system operation and backup take place at several data center locations.
  • The exact configuration is determined by the Controller on a case-by-case basis.

3.2 Procedure for Review, Assessment, and Evaluation of Effectiveness

  • Data protection management and data protection concept.
  • Review of internal processes by the data protection officer.
  • Continuous improvement through the “Plan-Do-Check-Act” cycle.
  • Review and documentation of legal bases as well as strict purpose limitation.
  • Defined processes for involving the data protection officer and approval procedures for changes.
  • Incident response management with defined processes and responsibilities as well as internal reporting of anomalies.
  • Data protection-friendly default settings (Art. 25(2) GDPR).

§ 4 Engagement Control

  • Clear contract drafting.
  • Formalized engagement management.
  • Strict selection of service providers.
  • Regular review of service providers for compliance with the contracts and with the agreed measures for data protection management and data security.

Appendix C4 (LINK Mobility) – Technical and Organizational Measures

pursuant to Art. 32, 28(3) sentence 2 lit. c GDPR – dispatch of one-time login codes (OTP) via SMS by sub-contractor LINK Mobility.

§ 1 Confidentiality (Art. 32(1) lit. b GDPR)

1.1 Physical Access Control

  • Alarm system.
  • Logging of visitors.
  • Personnel check at the porter.
  • Chip cards for the access system.
  • Video surveillance.
  • Obligation to wear authorization badges.

1.2 System Access Control

  • Assignment of user rights.
  • Password assignment based on a password policy.
  • Authentication by means of user name and password.
  • Enclosure locking on the server racks.
  • User profiles.
  • Use of VPN technology.
  • Security locks.
  • Personnel check at the porter; obligation to wear authorization badges.
  • Partial use of smartphone administration services (Android).
  • Use of antivirus software and firewalls.

1.3 Data Access Control

  • Limitation of the number of system administrators to a necessary minimum.
  • Password policy (password length).

1.4 Separation Control

  • Definition of database rights.
  • Logical software-side tenant separation.
  • Separation of development, test, and production systems.

1.5 Recoverability

  • Backups.
  • Recovery concept.

§ 2 Integrity (Art. 32(1) lit. b GDPR)

2.1 Transfer Control

  • Setup of leased lines and VPN tunnels.
  • Physical transports of hardware are carried out with personal accompaniment by qualified in-house personnel.
  • Transport takes place in secure transport containers.
  • Data are passed on only to authorized third parties (authorities) within the framework of statutory requirements.

2.2 Input Control

  • Logging by means of access logs.
  • Traceability of input, modification, and deletion of data through individual user names.

§ 3 Availability and Resilience; Data Protection Management

3.1 Availability Control

  • Uninterruptible power supply (UPS).
  • Fire and smoke detection systems.
  • Fire extinguishers in server rooms.
  • Alerting in the event of unauthorized access.
  • Testing of data recovery.
  • Air conditioning in server rooms.
  • Backups including recovery concept.
  • Emergency plans.
  • Server rooms are not located beneath sanitary facilities.
  • Protective sockets in server rooms.

§ 4 Engagement Control

  • Data processing agreement with suppliers, including the group of persons authorized to issue and receive instructions.
  • Written instructions.

Version: 08.06.2026