Data Processing Agreement (DPA)

When, in the course of providing our services, we process personal data on behalf of and under the instructions of our customers, this is done on the basis of a data processing agreement (DPA) pursuant to Art. 28 GDPR. This page summarises the key contents; the binding agreement is concluded individually with each respective customer.

Subject Matter & Duration

The subject matter of the processing is the provision of the contractually agreed service (e.g. development, operation or security testing of systems). Processing takes place for the term of the underlying main contract. Upon termination, the data is, at the customer's choice, returned or deleted, unless a statutory retention obligation requires otherwise.

Nature, Purpose & Data Subjects

The nature and purpose of the processing as well as the categories of data subjects and data follow from the respective engagement and are specifically named in the DPA. Typically, this concerns the controller's employees, customers or users as well as master, contact and usage data.

Bound by Instructions

We process personal data solely on the documented instructions of the controller. If we are of the opinion that an instruction violates applicable data protection law, we will inform the controller without undue delay.

Confidentiality

All persons involved in the processing are obliged to maintain confidentiality and are trained accordingly. Processing outside the agreed purposes does not take place.

Technical & Organisational Measures (TOMs)

We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk. You can find an overview on the Data Security page.

Sub-processors

We engage sub-processors only in accordance with the DPA and with appropriate contractual guarantees. You can find an up-to-date overview under Subprocessors.

Assistance & Data Subject Rights

We assist the controller, to the extent possible, in responding to data subject requests, in reporting personal data breaches and in carrying out data protection impact assessments. If we become aware of breaches of the protection of personal data, we will inform the controller without undue delay.

Audit & Verification Rights

We make available to the controller the information necessary to demonstrate compliance and enable reviews within the contractually agreed scope.

Conclude a DPA

Do you need a data processing agreement for a collaboration? Contact us at info@reepasolutions.de — we will provide you with the draft agreement at short notice. You can find further information in our Trust Center and in our Privacy Policy.

Last updated: June 2026