Data Processing Agreement (DPA)

Between:
Controller: Customer
Processor: antegma GmbH, Germany

1. Subject Matter & Duration

  • This DPA governs the processing of personal data by antegma GmbH in connection with integrations and applications provided to the Controller.

  • Duration: valid as long as the main service agreement is active.

2. Nature & Purpose of Processing

  • Purpose: provision, maintenance, and improvement of integrations between third-party applications (e.g. Hootsuite, Adobe, Canto, Microsoft).

  • Processing activities: hosting, storage, transmission, and technical handling of personal data.

3. Types of Data & Categories of Data Subjects

  • Types of data: user IDs, login credentials, usage logs, content metadata, communication data (depending on the integration).

  • Categories of data subjects: Controller’s employees, customers, social media users, partners.

4. Obligations of Processor (antegma GmbH)

  • Process data only on documented instructions from the Controller.

  • Ensure confidentiality of personnel.

  • Implement appropriate technical and organizational measures (TOMs) (Annex 1).

  • Assist Controller with data subject rights (Art. 15–22 GDPR).

  • Support Controller in ensuring compliance with Art. 32–36 GDPR (security, breach notification, DPIA).

  • Delete or return all personal data after contract end.

  • Make audit reports available (upon request, subject to reasonable notice).

5. Subprocessors

  • Controller authorizes Processor to use the following subprocessors:

    • Microsoft Ireland Operations Ltd. – Microsoft Azure (hosting in Amsterdam, Netherlands, Europe West region).

  • Processor will inform Controller in advance of changes to the subprocessor list.

6. International Data Transfers

  • Data is hosted in the EU (Amsterdam, Netherlands).

  • If subprocessors transfer data outside the EU/EEA, Processor ensures appropriate safeguards (e.g. Standard Contractual Clauses, adequacy decisions).

7. Controller Obligations

  • Ensure lawful basis for processing.

  • Provide Processor with necessary instructions.

  • Maintain records of processing activities.

8. Liability

  • Each party is liable according to GDPR and applicable law.

  • Joint liability where applicable under Art. 82 GDPR.

9. Governing Law & Jurisdiction

  • This DPA is governed by German law.

  • Jurisdiction: Freiburg im Breisgau.

Annex 1: Technical & Organizational Measures (TOMs)

  • Data encryption at rest and in transit.

  • Role-based access control, least privilege principle.

  • Multi-factor authentication for administrators.

  • Regular backups and disaster recovery plans.

  • Logging and monitoring of access.

  • Security patch management.

Annex 2: Subprocessor List

  • Microsoft Azure (Europe West – Amsterdam).