
Data Processing Agreement

Version 2025-04-24

between Client “Service Package”

hereinafter referred to as CL (Client/Controller/Signatory)

and Papershift Pulse

hereinafter referred to as PR (Processor/Contractor)


1. Subject of the Agreement

(1) The PR processes all employee data of the CL, starting from recruitment through offboarding, based on Software as a Service (SaaS) applications for duty rosters, time tracking, absences, employment contracts, digital signing, reminders, HR processes, surveys, payroll, communication, digital personnel files, document management, employee development, feedback, whistleblowing, reporting & reports, forecasting, and benchmarking.

(2) The PR processes personal data for the CL as the controller according to Art. 4 No. 2 and Art. 28 DS-GVO based on this contract.

(3) The agreed service is provided exclusively in a member state of the European Union or in a contracting state of the European Economic Area Agreement. Any relocation of the service or parts of it to a third country requires prior approval from the controller and may only take place if the specific conditions of Art. 44 et seq. DS-GVO are met.


2. Duration of the Agreement

The duration of the agreement is determined by the term of the respective service packages for the SaaS service.


3. Type and Purpose of Processing, Nature of Personal Data, and Categories of Data Subjects

(1) Type of processing (as defined in Art. 4 No. 2 DS-GVO):

The processing is done by collecting, recording, organizing, arranging, storing, adapting, or altering data.

(2) Nature of personal data (as defined in Art. 4 No. 1, 13, 14, and 15 DS-GVO):

Personal data is processed, particularly within the framework of recruitment, HR processes, payroll, duty roster management, time tracking, digital personnel files, employment contracts, digital signatures, internal communication, questionnaire results, reporting & reports, forecasting, or benchmarking.

(3) Categories of data subjects (as defined in Art. 4 No. 1 DS-GVO):

Data relating to an identified or identifiable natural person is processed, especially name, date of birth, place of residence, occupation, education, and qualifications.


4. Rights and Obligations of the Controller and Instructions Authority

(1) The CL is solely responsible for assessing the lawfulness of processing under Art. 6(1) DS-GVO and for ensuring the rights of data subjects according to Art. 12 to 22 DS-GVO. The PR is, however, obligated to forward immediately to the CL any such requests that are clearly addressed solely to the CL.

(2) Changes in the processing subject or procedural changes must be jointly agreed between the CL and PR and documented in electronic format.

(3) The CL issues all orders, partial orders, and instructions in electronic documented form. Verbal instructions must be confirmed immediately in electronic documented form.

(4) The CL is entitled to regularly verify compliance with the technical and organizational measures taken by the PR and the obligations stipulated in this contract.

(5) The CL must promptly inform the PR if they detect any errors or irregularities in the review of the processing results.

(6) The CL is obliged to keep confidential any business secrets and data security measures of the PR obtained during the contract relationship. This obligation continues even after the termination of this contract.


5. CL’s Authorized Persons and PR’s Instruction Recipients

(1) CL’s authorized persons:

Managing Director/Authorized Signatory/Representative of CL

(2) PR’s instruction recipients:

Florian Suchan, Managing Director

Papershift GmbH

+49 721 50 95 79 69

[email protected]

(3) Channels to be used for instructions: [email protected]


6. Obligations of the PR

(1) The PR processes personal data exclusively within the framework of the agreed terms and following the instructions of the CL, unless other processing is required by EU law, German law, or by the local data protection authority to which the PR is subject. In such a case, the PR must notify the CL of these legal requirements before processing, unless the respective law prohibits such a notification due to an important public interest (Art. 28(3) sentence 2 lit. a DS-GVO).

(2) The PR does not process the personal data provided for any other purposes, particularly not for its own purposes. Copies or duplicates of personal data are not made without the knowledge of the CL.

(3) The PR ensures that all agreed measures are properly implemented in the processing of personal data on behalf of the CL. It ensures that the data processed for the CL is strictly separated from other data holdings.

(4) The PR will conduct reviews in its area throughout the term of the service for the CL and document the results.

(5) The PR will assist the CL in fulfilling the rights of data subjects under Art. 12 to 22 DS-GVO, in creating records of processing activities, and in conducting necessary data protection impact assessments, as far as possible and as reasonably required (Art. 28(3) sentence 2 lit. e and f DS-GVO).

(6) The PR will immediately inform the CL if an instruction from the CL appears to violate legal regulations (Art. 28(3) sentence 3 DS-GVO). The PR is entitled to suspend the execution of the corresponding instruction until it has been confirmed or amended by the CL after review.

(7) The PR must correct, delete, or restrict the processing of personal data from the order if instructed by the CL and if the PR has no legitimate interests to the contrary. Regardless of this, the PR must correct, delete, or restrict the processing of personal data if the CL’s instruction is based on a legitimate claim of the data subject under Art. 16, 17, and 18 DS-GVO.

(8) The PR may only provide information about personal data from the order to third parties or the data subject after prior instruction or approval by the CL.

(9) The PR agrees that the CL – generally after scheduling an appointment – is entitled to control compliance with data protection and data security regulations as well as the contractual obligations through reasonable inspections, including reviewing stored data, data processing programs, and conducting on-site inspections. The PR agrees to assist in these inspections as necessary.

(10) The PR commits to maintaining confidentiality in processing the CL’s personal data. This obligation remains after the termination of the contract.

(11) The PR ensures that its employees involved in the processing of personal data are familiar with the relevant data protection regulations before commencing their activities and that they are bound to confidentiality during their employment and after its termination (Art. 28(3) sentence 2 lit. b and Art. 29 DS-GVO). The PR monitors compliance with data protection regulations in its operations.

(12) The PR’s data protection officer is

Onur Turhan

DataCo GmbH

Dachauer Straße 65, 80335 Munich

+49 89 7400 45840

[email protected]

The CL will be notified immediately of any change of data protection officer.


7. PR’s Notification Obligations in Case of Processing Disruptions and Data Breach

The PR must immediately inform the CL of any disruptions, breaches of data protection regulations, or breaches of the agreements made, as well as any suspicion of data breaches or irregularities in the processing of personal data. This applies particularly with regard to any notification obligations of the CL under Art. 33 and 34 DS-GVO. The PR ensures that it provides appropriate support to the CL in fulfilling its obligations under Art. 33 and 34 DS-GVO (Art. 28(3) sentence 2 lit. f DS-GVO). Notifications under Art. 33 or 34 DS-GVO may only be made by the PR on behalf of the CL after prior instruction.


8. Subcontracting with Subcontractors (Art. 28(3) sentence 2 lit. d DS-GVO)

(1) The PR may engage subcontractors to process CL’s data without individual approval from the CL. The PR must inform the CL of each new subcontracting before the data processing begins. The CL has the right to object to such subcontracting (Art. 28(2) DS-GVO).

(2) The PR must ensure that the agreed regulations between the CL and the PR also apply to subcontractors. The contract with the subcontractor must clearly define the responsibilities between the PR and the subcontractor. If multiple subcontractors are used, this applies to the responsibilities between these subcontractors. Specifically, the CL must have the right, if necessary, to conduct reasonable reviews and inspections, including on-site, at subcontractors or through third parties commissioned by the CL.

(3) The contract with the subcontractor must be in writing, which can also be in electronic format (Art. 28(4) and (9) DS-GVO).

(4) The PR must ensure compliance with the subcontractor’s obligations and document the results.

(5) The PR is liable to the CL for ensuring that the subcontractor complies with the data protection obligations imposed by the PR in accordance with this section of the contract.

(6) Currently, the following subcontractors are employed by the PR for the scope mentioned:

  • Alphabet, Inc. (Google): Gmail, Calendar, Maps
  • Amazon Web Services, Inc.: Servers, Databases, Files, Cache
  • Birdsight (Qovery): DevOps Automation
  • Cloudflare, Inc.: CDN, DNS
  • Hubspot Germany GmbH: CRM
  • New Relic, Inc.: Monitoring
  • OpenAI OpCo, LLC: Chat Assistant
  • Redis Ltd.: Cache
  • Stripe, Inc.: Online Payments, Invoicing
  • Twilio, Inc. (Sendgrid): Email
  • Zoom Video Communications Inc.: Video Conferencing

The CL agrees to their engagement.


9. Technical and Organizational Measures (especially Art. 28(3) sentence 2 lit. c and e DS-GVO)

(1) General organizational measures

Measures that are suitable for creating data protection awareness. The following general organizational measures have been implemented by the contractor:

  • A data protection officer has been appointed.
  • Employees receive data protection training/instruction (Type of training: in-person training).
  • Data protection training is repeated.
  • Employees are bound to confidentiality regarding company/business secrets.
  • Employees are bound to data secrecy.
  • Employees sign a non-disclosure agreement.

(2) Pseudonymization / Encryption (Art. 32(1) lit. a DS-GVO)

Measures to ensure the protection of personal data by converting it into a pseudonymized form using auxiliary mechanisms or protecting it from unauthorized access with encryption according to the state of the art:

  • Data is stored on encrypted storage media and secured servers.
  • Strong encryption is used according to the state of the art (Bitlocker, FileVault).
  • Encrypted storage of personal data on mobile devices (notebooks, smartphones, USB sticks, etc.).
  • Mobile devices (especially laptops) are equipped with default hard disk encryption.
  • Data is encrypted during transfer to other areas or processors.
  • Database backups are AES-256 encrypted.

(3) Confidentiality (Art. 32(1) lit. b DS-GVO)

Measures to ensure the confidentiality of systems and services in the processing of personal data.

  • Appropriate access control to premises, buildings, and server rooms:
    • The area cannot be left unnoticed through secondary doors (emergency exits).
    • Careful selection of cleaning staff.
    • Locking system for the company premises/office rooms with:
      • Chip.
      • Chip handover is logged.
    • Visitor regulation is in place:
      • Visitors are permanently accompanied within the premises.
  • Appropriate media control:
    • Maintain an inventory list of all storage media in the infrastructure.
    • Regular checks to determine if the storage of personal data is necessary (extent and purpose).
    • Proper destruction/deletion of data/storage media/paper:
      • Physical deletion of storage media before reuse.
      • Proper destruction of paper (DIN 66399): Security level P-4.
  • Appropriate user management, as well as a dedicated user and permission concept:
    • Unique user identification.
    • Central user creation.
    • Assignment of user rights.
    • Creation of user profiles.
    • Initial password with mandatory change.
    • Password training.
    • Authentication with username/password.
    • Assignment of user profiles to IT systems.
    • Rights management by the system administrator.
    • The number of administrators is minimized to the “necessary” number.
  • Appropriate user control measures:
    • Only authorized persons and devices have access.
    • Users must authenticate themselves for network logins.
    • There is a secure WLAN (at least WPA2):
      • Use of a software firewall.
      • Regular checks of firewall settings.
      • Remote maintenance access is only enabled when necessary.
    • Accounts of former employees are deactivated without delay.
    • Use of private mobile devices (e.g., laptops, tablets, smartphones) is allowed, such as in the context of a Bring-Your-Own-Device policy.
  • Securing the transmission of personal data:
    • Type of data security between the client and the contractor: Encryption.
  • Measures for order control:
    • Selection of subcontractors based on due diligence (especially regarding data security):
      • Based on the agreement for data processing.
      • Based on other documents: Standard contractual clauses, Privacy Shield certification.
    • Contracts with service providers contain:
      • An agreement with each service provider according to Art. 28 DS-GVO.
      • Further subcontractors must be authorized.
      • The contractor has appointed a data protection officer.
  • Further measures for purpose limitation/separation principle:
    • Definition of database rights.

(4) Integrity (Art. 32(1) lit. b DS-GVO)

Measures to ensure the integrity of the processed personal data.

  • Remote maintenance access is only enabled when necessary.
  • Selection of subcontractors based on due diligence (especially regarding data security).
  • Measures to ensure separation:
    • Separation of production and test systems.
    • Definition of database rights.

(5) Availability (Art. 32(1) lit. b DS-GVO)

Measures and guarantees to protect personal data from destruction or loss.

  • Measures to ensure availability:
    • Creation of a backup and recovery plan.
    • Scope of the backup:
      • Databases.
      • File servers.
    • Type of backup:
      • Hard drive.
      • On another system.
  • Measures for restorability:
    • Emergency plans exist and are maintained.
    • Testing of data recovery, frequency: annually.
  • Availability control measures:
    • Uninterruptible power supply (UPS) is installed.
    • Air conditioning in server rooms.
    • Devices to monitor temperature and humidity in server rooms.
    • Backup storage:
      • At a secure, off-site location (type of data transfer: digital, encrypted).
    • Use of cloud services:
      • AWS.
      • Cloudflare.
      • Redis.

(6) System Resilience (Art. 32(1) lit. b DS-GVO)

Measures to ensure that IT systems function properly even under high load (performance). The resilience of IT systems is essential for maintaining business continuity. The term “resilience” is used in the English version; it is meant here in the sense of the resilience or robustness of the systems or services.

Measures to ensure the resilience of systems and services:

  • Redundant WAN connections.
  • Sufficient storage system capacity.
  • Sufficient RAM capacity.
  • System monitoring.
  • Network monitoring.
  • Failure rate statistics.
  • Availability statistics.
  • Ticket system.
  • Service Level Agreements (SLAs) concluded with service providers.
  • Uninterruptible power supply (UPS) is installed.
  • Air conditioning in server rooms.
  • Devices to monitor temperature and humidity in server rooms.

(7) Continuous Processing (Art. 32(1) lit. b DS-GVO)

Measures to ensure continuous integrity of processing while also ensuring that processing does not exceed its intended duration.

  • System monitoring.
  • Network monitoring.
  • Data backup formats allow long-term retention and restoration.
  • Change management is in place; for example, updates are only installed after prior testing.

(8) Restorability (Art. 32(1) lit. c DS-GVO)

Measures to ensure that systems and services for processing personal data can be restored in the event of a malfunction.

  • Backup procedures are categorized and resourced.
  • Administrator availability is regulated (e.g., on-call duty).
  • Backup data centers are in place (hot site, warm site, cold site).
  • SLAs concluded with service providers.

(9) Storage Limitation (Art. 5(1) lit. e DS-GVO)

Ensuring that personal data is stored in a form that allows identification of data subjects only as long as necessary for the purposes for which they are processed; personal data may be stored longer, provided the personal data is processed exclusively for archival purposes in the public interest, for scientific and historical research purposes, or for statistical purposes in accordance with Article 89(1) subject to the implementation of appropriate technical and organizational measures required by this regulation to protect the rights and freedoms of the data subject (“storage limitation”). The following storage limitation measures have been implemented by the contractor:

  • Existence of a deletion concept (particularly for CRM and ERP systems).
  • Proof of data deletion via system logs.

(10) Regular Evaluation of Effectiveness (Art. 32(1) lit. d DS-GVO)

A procedure for regular review, assessment, and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.

The following measures for regular evaluation of effectiveness are implemented by the contractor:

  • Evaluation of incidents.
  • Evaluation and implementation of improvement suggestions.
  • Review of management systems by management.
  • Review by the data protection officer (with report).

10. Obligations of the Processor after the End of the Assignment (Art. 28(3) sentence 2 lit. g DS-GVO)

At the end of the assignment, the PR must delete or destroy all data, documents, and generated processing or usage results that have come into its possession or the possession of subcontractors in connection with the order, or arrange for their deletion/destruction. The deletion/destruction must be confirmed to the CL upon request in electronic documented form with a date.


11. Liability

Liability is based on the statutory provisions (Art. 82 DS-GVO).


12. Miscellaneous

(1) Ancillary agreements generally require written form or electronic documented form.

(2) If any parts of this agreement are invalid, the validity of the remainder of the agreement shall not be affected.


In case of a conflict between the German and English versions of this text, only the German version shall be binding. The English version is for informational purposes only.