Data Processing Addendum

1. Definitions and Interpretation

This Data Processing Addendum ("DPA") forms part of the Terms of Service between helpful bits GmbH ("Processor") and the Customer ("Controller") for the use of Vibe Manager services.

• "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service
• "Processing" has the meaning given in the GDPR
• "Data Protection Laws" means GDPR and any other applicable data protection legislation
• "Sub-processor" means any third party engaged by Processor to process Personal Data

2. Processing of Personal Data

2.1 Processor's Obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure persons authorized to process Personal Data are subject to confidentiality obligations
• Implement appropriate technical and organizational measures per Article 32 GDPR
• Assist the Controller in responding to data subject rights requests
• Delete or return all Personal Data at the end of the service provision
• Make available all information necessary to demonstrate compliance

2.2 Details of Processing

3. Sub-processors

3.1 Authorized Sub-processors

Controller consents to the Sub-processors listed at vibemanager.app/legal/eu/subprocessors

3.2 New Sub-processors

Processor shall notify Controller at least 30 days before engaging any new Sub-processor. Controller may object within 14 days of notification. If Controller reasonably objects, the parties will work in good faith to resolve the objection.

4. Security Measures

Processor implements and maintains the following security measures:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• Regular backups and disaster recovery procedures
• Security incident response procedures
• Employee training on data protection

5. International Transfers

For transfers of Personal Data outside the EEA, Processor shall ensure appropriate safeguards through:

• EU Standard Contractual Clauses (Module 2: Controller to Processor)
• Supplementary measures as recommended by the EDPB
• Transfer impact assessments where required

The EU Standard Contractual Clauses are incorporated by reference and form part of this DPA.

6. Data Breach Notification

Processor shall notify Controller without undue delay and within 48 hours of becoming aware of a Personal Data breach. The notification shall include:

• Nature of the breach and categories of data affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact point for more information

7. Audit Rights

Controller may conduct audits, including inspections, to verify Processor's compliance with this DPA. Processor shall provide reasonable cooperation. Audits shall be conducted with reasonable notice and shall not unreasonably interfere with Processor's business operations.

8. Liability and Indemnification

Each party's liability under this DPA shall be subject to the limitations set forth in the Agreement. Each party shall indemnify the other against losses arising from its breach of Data Protection Laws.

9. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination, Processor shall, at Controller's option, delete or return all Personal Data and delete existing copies unless retention is required by law.

10. Governing Law

This DPA shall be governed by the laws of Germany.