Self Service Data Processing Agreement (DPA)
Dated: 2025/10/01
1. Preamble
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other agreement between Nuwacom S.à r.l. (20 rue des Peupliers, L-2328 Luxembourg) (“Nuwacom” or the “Processor”) and the customer identified in that agreement (“Customer” or the “Controller”).
In providing the Services under the Agreement, Nuwacom may process personal data on behalf of the Customer in accordance with applicable data protection laws.
In the event of a conflict between this DPA and the Agreement, this DPA shall prevail.
2. Definitions
Supervisory authority: An independent authority responsible for monitoring the application of data protection law.
Applicable privacy law: Refers to the European General Data Protection Regulation 2016/679 (GDPR) and any applicable national data protection legislation, including in particular the Luxembourg Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données et mise en œuvre du règlement (UE) 2016/679.
Personal data: Information relating to a directly or indirectly identifiable natural person.
Sub-processors: A processor engaged by the Processor or its Affiliates to assist in the fulfilment of its obligations. Sub-processors may also include third parties or Affiliates of the Processor.
Affiliate: Any legal entity that either exercises control over the Processor, is controlled by the Processor, or is under common control with the Processor. “Control” in this context means the direct or indirect ownership of more than 50% of the voting shares of a legal entity or the ability to otherwise exercise significant influence over the business policies or decisions of the legal entity.
Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed by the (Sub-)Processor.
Instructions: Written instructions from the Controller to the Processor for the processing of personal data, specifying how personal data is to be processed, including the transfer, type of processing, duration, purpose, type of personal data and categories of Data Subjects. Instructions must comply with the applicable data protection laws, in particular the GDPR, and must be issued in writing or in a documented electronic format. Changes or additions to these instructions also require a documented form.
Controller, Data Subject, Processor, Processing: Terms with the meanings according to the GDPR.
3. Scope of application, subject matter, purpose and duration of processing
3.1. The Agreement shall apply to the collection, processing and deletion of all personal data that is the subject of the Service Agreement or that arises in the course of its implementation or becomes known to the Processor.
3.2. The subject matter and duration of the data processing as well as the scope, type and purpose of the intended processing of data are determined by the Service Agreement.
3.3. The following types or categories of data are subject to processing by the Processor:
- Professional contact or profile data (e.g. first and last name, e-mail address, position, department, location, as well as other required or voluntary profile information)
- Login data (e-mail address, password or data transmitted by the Controller via the SSO procedure (claims))
- Content (other personal data transmitted to the Processor by Users of the Controller or contained in Controller’s data)
- Usage data (e.g. IP address, device properties, access times, user ID)
3.4. Categories of Data Subjects:
- Employees of the Controller
- Third parties who have been authorised by the Controller (e.g. Affiliates, service providers, consultants or agencies) or whose data is contained in the content.
4. Responsibility and Authority to Issue Instructions
4.1. The Parties shall ensure compliance with data protection provisions. The Parties understand and agree that with regard to the processing of personal data, the Client is the Controller and the Contractor is the Processor. The Controller may at any time request the disclosure, rectification, adaptation, erasure or restriction of the processing of the data.
4.2. In order to ensure the protection of the rights of the Data Subjects, the Processor shall forward requests to the Controller and provide reasonable and technically feasible help.
4.3. Where such assistance exceeds usual and reasonable effort, the Processor may charge the Controller for the costs incurred.
4.4. The Processor may only process data within the framework of the Controller’s instructions, unless the law of the Union or of the Member State to which the Processor is subject obliges the Processor to do otherwise (e.g. investigations by law enforcement or state security authorities); in which case the Processor shall notify the Controller of these legal requirements prior to processing, unless the law in question prohibits such notification on grounds of important public interest (Art. 28(3)(2)(a) GDPR).
4.5. The Processor must immediately inform the Controller if the Processor believes that an instruction violates data protection regulations.
4.6. The Processor shall not use the data for any other purposes and in particular shall not be authorised to disclose it to third parties. Copies and duplicates shall not be created without the knowledge of the Controller, except for necessary backups.
4.7. The Controller shall maintain a record of processing activities within the meaning of Art. 30(1) GDPR. The Processor shall provide the Controller with information to be included in the record at the Controller’s request. The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller in accordance with the requirements of Art. 30(2) GDPR.
4.8. The processing of data on behalf of the Controller shall take place exclusively within the territory of the European Union. Processing in a country outside the territory referred to in sentence 1 is only permitted if it is ensured that the level of protection guaranteed by the GDPR is not undermined, taking into account the requirements of Chapter V of the GDPR, and requires the prior consent of the Controller.
4.9. The Processor shall ensure that natural persons under the Processor’s authority who have access to data only process such data on the instructions of the Controller. The Controller shall grant the Processor consent to process the data outside the Processor’s premises (e.g. working from home, mobile working) on the basis of the processing situation determined at www.nuwacom.ai/trustcenter:
5. Compliance with Mandatory Legal Obligations by the Processor
5.1. The Processor shall ensure that the persons authorised to process the data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality and shall provide evidence of this to the Controller upon request. This also includes the information about the obligations to follow instructions and adhere to the purpose for which the data was collected that exist in this data processing relationship.
5.2. The Processor shall make available to the Controller the information necessary to demonstrate compliance with regard to the principles of proper data processing, including the implementation of the necessary Technical and Organisational Measures (Art. 5(2), Art. 24(1) GDPR). Such information may be provided through certifications, compliance reports, or other reasonable documentation that are available at www.nuwacom.ai/trustcenter.
5.3. The Processor shall appoint a data protection officer who shall perform the relevant duties in accordance with the statutory provisions. The contact details of the data protection officer are heyData GmbH, Schützenstr. 5, 10117 Berlin, datenschutz@heydata.eu.
6. Ensuring the Technical and Organisational Measures
6.1. The Parties agree that the Processor shall implement the technical and organisational measures described in the Trust Center at www.nuwacom.ai/trustcenter.
6.2. These measures are deemed an integral part of this Agreement and may be updated by the Processor from time to time to reflect technical progress, provided that such updates do not reduce the overall level of security.
6.3. Technical and organisational measures are subject to technical progress. The Processor may implement alternative adequate measures, provided that such updates do not reduce the overall level of security of the Services.
6.4. The Processor shall make available to the Controller the information necessary to demonstrate compliance with this Agreement and Art. 28 GDPR. Such information may be provided through certificates, compliance reports, or other documentation issued by independent auditors or recognized certification bodies.
6.5. The Processor may satisfy audit rights by providing such documentation. Physical inspections by the Controller are not permitted, except where required by law or supervisory authority.
6.6. The Processor shall provide the Controller with information necessary to demonstrate compliance with the provisions of this Agreement and the legal requirements. Such information may be provided by submitting a current certificate, reports from sufficiently qualified and independent bodies (e.g. auditors, independent data protection auditors), by compliance with approved codes of conduct pursuant to Art. 40 GDPR, certification pursuant to Art. 42 GDPR or an appropriate certification through an IT security or data protection audit (e.g. ISO 27001). On-site inspections are not permitted, except where required by law or supervisory authority.
6.7. The Processor shall also provide the Controller with all necessary information required for the audits mentioned in paragraph 4, as well as for an assessment of the impact of the planned processing activities on the protection of data (Data Protection Impact Assessment as per Art. 35 GDPR). The Processor shall take all necessary measures to ensure the security of the data and the security of processing, particularly taking into account the state of the art, as well as to mitigate any potential adverse effects on Data Subjects.
6.8. The Processor shall provide reasonable assistance to the Controller, taking into account the nature of the processing and the information available to them, in the context of a prior consultation as per Art. 36 GDPR.
6.9. The transfer of personal data to a third country (outside the EEA) may take place under the conditions specified in Articles 44 et seq. of the GDPR.
7. Notification of Breaches by the Processor
The Processor shall inform the Controller without undue delay after becoming aware of a personal data breach. This applies in particular with regard to the reporting obligation pursuant to Art. 33(2) GDPR, as well as to the corresponding obligations of the Controller pursuant to Art. 33 and Art. 34 GDPR. The Processor agrees to appropriately assist the Controller in fulfilling its obligations under Articles 33 and 34 GDPR where necessary. The Processor may only make notifications pursuant to Art. 33 or 34 GDPR on behalf of the Controller following prior instructions as per Section 4 of this agreement.
8. Deletion and Return of Data
Data carriers and data records provided shall remain the property of the Controller.
8.1. Upon completion of the contractually agreed services, or no later than upon termination of the service agreement, the Processor shall delete all documents, processing and usage results, as well as data sets (including any copies or reproductions thereof) that came into its possession in connection with the contractual relationship, in compliance with data protection regulations. A deletion log must be provided to the Controller upon request. Data sets may be returned to the Controller via the provided export interfaces that enable the Controller to secure the data accordingly. The Controller shall ensure that the data records are backed up before the end of the service period if necessary, as later access is no longer possible due to implemented automated deletion processes. Backup copies (backups) are deleted in accordance with data protection regulations no later than 90 days after termination of the service agreement.
8.2. The Processor may retain documentation that serves as proof of proper and contractual data processing, in accordance with the applicable retention periods, even beyond the end of the contract.
9. Sub-Processors
9.1. The Processor may engage additional processors (sub-processors). The basic requirements for the lawfulness of the processing shall remain unaffected. The current list of Sub-Processors is available at www.nuwacom.ai/trustcenter. The Controller consents to their engagement. Services provided by third parties that support the execution of the contract, such as telecommunications services, are not considered subcontractor services under this provision. However, the Processor is obligated to make appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the Controller’s data, even when using outsourced ancillary services.
9.2. If subcontractors are engaged by the Processor, the Processor must ensure that its contractual agreements with the subcontractor are structured to ensure that the level of data protection is at least equivalent to the agreement between the Controller and the Processor, and that all contractual and legal requirements are met. This is particularly important regarding the implementation of appropriate Technical and Organisational Measures to ensure a satisfactory level of processing security.
9.3. Information about the categories of sub-processors engaged by the Processor and the nature of their data protection obligations is available at www.nuwacom.ai/trustcenter. This information constitutes the Controller’s right of access under this Agreement. The Processor may provide additional information about sub-processor obligations upon written request where required to demonstrate compliance with applicable law.
9.4. If the subcontractor fails to meet its data protection obligations, the Processor shall be liable to the Controller for the subcontractor’s compliance with these obligations.
10. Final Provisions
10.1. This Agreement may be updated by the Processor from time to time. Updates will be communicated to the Controller via the Trust Center or other suitable means. Continued use of the Services after 30 days constitutes acceptance of the updated Agreement.
10.2. Instructions from the Controller are limited to the configuration options available within the Services. Such instructions are deemed to be issued by the Controller through its authorised account administrators.
10.3. This agreement shall be governed by the laws of Luxembourg. The place of jurisdiction is Luxembourg City.
10.4. Any right of retention by the Processor regarding personal data processed on behalf of the Controller and the associated data carriers, provided they are owned by the Controller, is excluded.
10.5. Should individual provisions of this agreement be invalid or unenforceable, this shall not affect the validity of the remaining provisions. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that most closely reflects the intent pursued by the Parties with the invalid or unenforceable provision. The above provisions shall apply accordingly in the event that the agreement proves to be incomplete.