1. Scope and Purpose of Processing
This DPA governs the processing of personal data by TeamIntel GmbH (Processor) on behalf of the Customer (Controller) in connection with the TeamIntel platform services.
The Processor shall process personal data only on documented instructions from the Controller, including transfers to third countries, unless required to do so by EU or Member State law.
2. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorized to process data have committed to confidentiality
- Implement appropriate technical and organizational security measures
- Respect conditions for engaging sub-processors
- Assist the Controller with data subject rights requests
- Assist with GDPR obligations (security, breach notification, DPIAs)
- Delete or return all personal data upon termination
- Make available information necessary to demonstrate compliance
3. Sub-Processors
The Processor shall not engage another processor without the prior specific or general written authorization of the Controller. A current list of sub-processors is maintained and made available to the Controller. The Controller shall be notified of any intended changes to sub-processors with at least 30 days' notice, so that the Controller has the opportunity to object to such changes.
4. Technical and Organizational Measures
The Processor implements the following technical and organizational measures:
- AES-256 encryption of data at rest
- TLS 1.3 encryption of data in transit
- Role-based access control and principle of least privilege
- Multi-factor authentication for all administrative access
- Regular security audits and penetration testing
- Infrastructure covered by a SOC 2 Type II attestation report
- Automated backup and disaster recovery procedures
- Network segmentation and intrusion detection systems
5. Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. Notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests for exercising their rights under Chapter III of the GDPR, including access, rectification, erasure, restriction, portability, and objection. The Processor shall promptly forward any data subject requests received directly to the Controller.
7. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA. The Controller may conduct audits, including inspections, with reasonable notice. The Processor shall contribute to and cooperate with such audits. Third-party assurance artifacts (a current SOC 2 Type II report or an ISO 27001 certificate together with its statement of applicability) may satisfy audit requirements where they cover the services and controls in scope.
8. Termination and Data Return
Upon termination of data processing services, the Processor shall, at the choice of the Controller, delete or return all personal data and delete existing copies unless EU or Member State law requires storage of the personal data. Data shall be available for export for 90 days following termination.
9. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA shall limit either party's liability for breaches of data protection obligations under GDPR to the extent such limitation is not permitted by applicable law.