Data Processing Agreement
This DPA pursuant to Art. 28 GDPR governs the processing of personal data by Syvera as a data processor.
1. Subject Matter and Duration
This Data Processing Agreement ("DPA") is entered into between the customer ("Controller") and Syvera GmbH, Musterstraße 1, 10115 Berlin ("Processor") and forms part of the Terms of Service or the main agreement between the parties.
The Processor processes personal data on behalf of the Controller in connection with the provision of the Syvera platform and related services (the "Services"). The term of this DPA corresponds to the term of the main agreement.
2. Instructions
The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits this on grounds of public interest.
Instructions may be given in writing (including by email) or in another documented form. Verbal instructions shall be confirmed in writing without undue delay.
3. Details of Processing
Subject matter and nature of processing
Collection, storage, transmission, alteration, retrieval and deletion of personal data in connection with the use of the Syvera platform.
Purpose of processing
Provision of the contractually agreed software-as-a-service, in particular the Syvera Suite modules.
Types of personal data
Master data (name, address, contact details), usage data (log data, IP addresses), content data (data entered by the Controller into the platform) and other data categories as determined by the Controller.
Categories of data subjects
Employees, customers, prospects, suppliers and other individuals whose data the Controller enters into the Syvera platform.
4. Obligations of the Processor
- Process personal data only within the scope of this DPA and on the Controller's instructions
- Ensure confidentiality pursuant to Art. 28(3)(b) GDPR; bind all authorised persons to confidentiality
- Implement all required technical and organisational measures (TOMs) pursuant to Art. 32 GDPR
- Assist the Controller in fulfilling data subject rights under Art. 12–23 GDPR
- Assist the Controller in complying with obligations under Art. 32–36 GDPR (security, DPIA, prior consultation)
- Return or delete personal data upon termination of the agreement
- Make available all information necessary to demonstrate compliance with this DPA
- Allow and contribute to audits conducted by the Controller or a mandated auditor
5. Sub-processors
The Processor may engage sub-processors. The current list of sub-processors is available at syvera.com/subprocessors. The Controller hereby consents to the use of the sub-processors listed there.
The Processor shall notify the Controller of any intended changes regarding the addition or replacement of sub-processors with at least 30 days' notice, giving the Controller the opportunity to object to such changes.
The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by contract.
6. Technical and Organisational Measures
| Measure | Description |
| --- | --- |
| Physical access control | Data centre access control via biometric security, CCTV, security personnel and electronic access logging. |
| System access control | Strong passwords, multi-factor authentication (MFA), automatic session timeouts, role-based access management. |
| Data access control | Need-to-know permissions model, regular access rights reviews, separation of development and production environments. |
| Transfer control | TLS 1.3 encryption for data in transit, VPN for internal systems, encrypted email communications. |
| Input control | Logging of data entries, modifications and deletions; tamper-proof audit logging with timestamps. |
| Order control | Careful selection of sub-processors, written contracts, regular reviews. |
| Availability control | Redundant infrastructure, automated daily backups, disaster recovery plan with RTO < 4h and RPO < 1h. |
| Separation requirement | Logical multi-tenancy, separate processing for different purposes, isolated test and production environments. |
7. Personal Data Breach Notification
The Processor shall notify the Controller of any personal data breach without undue delay and in any event within 48 hours of becoming aware of it, by email to the contact address designated by the Controller.
The notification shall include at least: (i) a description of the nature of the breach, (ii) the categories and approximate number of data subjects concerned, (iii) the categories and approximate number of records concerned, (iv) the likely consequences, and (v) the measures taken or proposed.
8. Assistance with Data Subject Rights
The Processor shall assist the Controller through appropriate technical and organisational measures in fulfilling its obligation to respond to requests for the exercise of data subject rights under Art. 12–23 GDPR.
This includes in particular: right of access (Art. 15 GDPR), right to rectification (Art. 16), right to erasure (Art. 17), right to restriction of processing (Art. 18), right to data portability (Art. 20) and right to object (Art. 21 GDPR).
9. International Data Transfers
By default, data is processed within the European Economic Area (EEA). Where data transfers to third countries are necessary, they take place exclusively on the basis of appropriate safeguards pursuant to Art. 46 GDPR, in particular the EU Standard Contractual Clauses (SCCs, Commission Decision 2021/914).
Current data transfer safeguards and mechanisms are documented at syvera.com/data-transfers.
10. Return and Deletion of Data
Upon termination of the Services, the Processor shall make all personal data available to the Controller in a common format on request (data portability). Data remains exportable for 30 days after the end of the agreement.
After this period, the Processor shall securely and irrevocably delete all personal data, unless statutory retention obligations apply. Upon request, the Processor shall issue written confirmation of data deletion.
11. Liability
Each party shall be liable to the other party in accordance with applicable law for damages arising from a breach of this DPA. The liability provisions of the main agreement shall otherwise apply.
In relation to data subjects, Controller and Processor may be jointly liable pursuant to Art. 82 GDPR. The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
12. Final Provisions
This DPA is governed by the laws of the Federal Republic of Germany. The exclusive place of jurisdiction is Berlin.
Should any provision of this DPA be invalid or unenforceable, this shall not affect the validity of the remaining provisions. The parties undertake to replace invalid provisions with valid provisions that come as close as possible to the economic purpose of the invalid provision.
In the event of any conflict between this DPA and the main agreement, this DPA shall prevail with respect to data protection matters.
Last updated: April 2026