Data Processing Agreement
Effective date: February 2026
Data Processing Agreement (DPA) pursuant to Article 28 GDPR between the Controller (Customer) and mii ventures GmbH, Regerstraße 70a, 22761 Hamburg, Germany
Preamble
The Processor (mii ventures GmbH) provides the Controller with a cloud-based platform that unifies calendar, tasks, conversations, and notes ("Relorq").
This Data Processing Agreement (DPA) specifies the obligations of the parties as required under Article 28 of the General Data Protection Regulation (GDPR).
It governs all processing of personal data performed by the Processor on behalf of the Controller in connection with the Relorq service.
1. Subject Matter and Duration
1.1 Subject matter: Processing of personal data for the provision of the Relorq platform and related services on behalf of the Controller, including storage, transmission, and processing of calendar, task, contact, note, and usage data, and (where applicable) AI-assisted features such as suggestions or drafting.
1.2 Duration: This DPA is valid for the term of the main contract. After termination, the data deletion and return obligations under this Agreement continue to apply.
2. Nature of Processing, Data Categories, and Data Subjects
2.1 Nature of processing: Collection, storage, transmission, and logging of data processed in the platform, including calendar entries, tasks, contacts, notes, messages, and technical metadata necessary for the provision and operation of the service.
2.2 Categories of data processed:
- Name and contact details (e.g. email address, phone number where provided)
- Calendar, task, contact, and note content
- Messages and other content stored or created in the platform
- Usage data and technical metadata (e.g., timestamps, IP addresses, identifiers)
2.3 Data subjects:
- Users of the Controller (account holders and persons using the platform on the Controller's behalf)
- Data subjects whose personal data the Controller stores or processes in the platform (e.g. contacts, meeting participants)
2.4 No automated decision-making: The processing does not include automated decision-making within the meaning of Article 22 GDPR.
3. Instructions
3.1 The Processor shall process personal data only based on documented instructions from the Controller.
3.2 Instructions must be given in text form. Verbal instructions must be promptly confirmed in writing.
3.3 The Processor shall inform the Controller if it believes that an instruction infringes data protection law.
4. Technical and Organizational Measures (TOMs)
4.1 The Processor implements appropriate technical and organizational measures as required under Article 32 GDPR, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES 256)
- Role-Based Access Control (RBAC)
- Administrator-only access protected by Multi-Factor Authentication (MFA)
- Logging and auditing of system access
- Network segmentation, firewall protection, and hardened cloud environments
- Principle of least privilege for all user roles
- Regular security updates and system patching.
4.2 The Processor shall provide evidence of implemented measures upon request (e.g., internal security policies, ISO/SOC certificates of Sub-Processors, penetration test reports).
4.3 The Processor intends to implement formal information security certifications (e.g., ISO 27001) in the medium term.
5. Confidentiality
5.1 The Processor ensures that all persons authorized to process personal data are subject to a confidentiality obligation.
5.2 The exact confidentiality requirements apply to all Sub-Processors engaged by the Processor.
6. Assistance Obligations
6.1 The Processor shall assist the Controller in fulfilling the rights of data subjects in accordance with Articles 15–22 GDPR.
6.2 The Processor shall also assist with data protection impact assessments (Article 35 GDPR) and prior consultations with supervisory authorities (Article 36 GDPR).
6.3 In the event of a personal data breach, the Processor shall notify the Controller without undue delay, and no later than 24 hours after becoming aware of it, including details of the type, scope, consequences, and mitigation measures.
7. Sub-Processors
7.1 The Processor may engage Sub-Processors provided they are contractually bound to GDPR-equivalent data protection and security obligations.
7.2 An up-to-date list of Sub-Processors is publicly available here. This list specifies the provider, purpose, location, and legal basis of each data transfer. Full identification details (e.g., registered business addresses) are available from the Processor upon request.
7.3 International data transfers: Transfers to Sub-Processors outside the EU/EEA shall only occur based on appropriate safeguards under Articles 44 ff. GDPR:
- For US-based providers, transfers rely on the EU–US Data Privacy Framework (DPF).
- For providers not certified under the DPF, transfers rely on the EU Standard Contractual Clauses (SCCs) combined with Transfer Impact Assessments (TIAs).
- Providers hosting exclusively within the EU or equivalent jurisdictions are not subject to cross-border transfer obligations.
7.4 The Processor shall notify the Controller of any intended changes to Sub-Processors at least 14 days in advance. The Controller may object to such changes on reasonable grounds of data protection.
8. Audit and Inspection Rights
8.1 The Controller has the right to verify compliance with this Agreement through audits or by requesting independent certification or audit reports.
8.2 Audits must be conducted during regular business hours with reasonable notice and in consideration of the Processor's confidentiality and security obligations.
8.3 The Processor may provide equivalent documentation (e.g., SOC 2 or ISO 27001 reports) instead of on-site inspections.
9. Data Deletion and Return
9.1 After completion of processing or upon request by the Controller, the Processor shall delete or return all personal data unless legal obligations require retention. Data may be returned in a commonly used format (e.g., CSV or JSON).
9.2 Rolling backups are automatically overwritten within 30 days; logs and system records are anonymized or deleted within 90 days.
9.3 The Controller may export its data at any time during the active contract period.
10. Liability
10.1 Liability is governed by the main contract (Terms of Service). Statutory rights under Article 82 GDPR remain unaffected.
10.2 The Processor is liable for the actions of its Sub-Processors as if for its own.
11. Final Provisions
11.1 Amendments and supplements to this DPA must be made in text form.
11.2 Should any provision of this DPA be invalid, the remaining provisions shall remain in effect.
11.3 This Agreement is governed by German law, and the exclusive place of jurisdiction is Hamburg, Germany.
11.4 This Agreement may be executed electronically. For this purpose, please contact support@relorq.com.