Concluded between
<Client>
hereinafter referred to as the "Controller" or "Client",
and
i-net software GmbH, Leipziger Platz 16, D-10117 Berlin,
hereinafter referred to as the "Processor" or "Contractor", as follows:
Section 1 Subject Matter, Duration, and Specification of the Agreement
(1) This data processing agreement supplements the ongoing business relationship and ends when that relationship ends. The right to extraordinary termination for good cause remains unaffected.
(2) The subject matter of this data processing agreement is the performance of the following tasks:
Support for one or more software products of i-net software GmbH licensed by the Client:
- i-net HelpDesk
- i-net Clear-Reports
- i-net PDFC
- i-net CoWork
A separate product selection is not required; the decisive factor is which software products are licensed within the ongoing business relationship.
- The purpose, nature, and scope of data processing are governed exclusively by this agreement and/or by the license agreement (End User License Agreement "EULA"), support and maintenance agreement, or any other individual agreement concluded between the Client and the Contractor.
- The Client's assignment to the Contractor may in particular include online sessions on the Client system of the licensed software product of i-net software GmbH for consultation, error analysis, version updates, etc. (inspection), as well as the analysis of screenshots, log files, etc. (storage and use).
- As a rule, the processing of personal data does not represent the focus or an important core part of the Contractor's services, because, for example, contact data or isolated other personal content may be transmitted but are not the subject matter of the actual service. Nevertheless, such processing cannot be categorically ruled out in support scenarios. No case-by-case assessment takes place.
- The Contractor has no independent access to the relevant system. Without the active involvement of the Client, no processing of personal data by the Contractor is possible.
(3) The following categories of personal data are processed:
- Data such as names and email addresses processed by the Controller in the respective licensed software product of i-net software GmbH
(4) The following categories of data subjects are affected by the processing:
- Customers, employees, suppliers, partners, service providers
Section 2 Scope and Responsibility
(1) The Contractor processes personal data on behalf of and only on documented instructions from the Client, unless the Contractor is required to do so by Union law or the law of a Member State to which it is subject. In such a case, the Contractor shall inform the Client of those legal requirements before processing begins, unless the relevant law prohibits such information on important grounds of public interest. This includes activities specified in the agreement and, where applicable, in a separate service description.
The Client and the Contractor are each independently responsible for complying with applicable data protection law.
The Client remains solely responsible for assessing the lawfulness of the transfer of data to the Contractor and for assessing the lawfulness of the data processing itself as the "Controller" within the meaning of Art. 4 No. 7 GDPR.
(2) Instructions are generally defined by an ongoing support and maintenance agreement and may subsequently be changed, supplemented, or replaced by the Client through individual instructions in the course of ticket communication.
Section 3 Obligations of the Processor
(1) The Contractor may process personal data that is the subject matter of the assignment only within the scope of the assignment and the instructions of the Client, unless an exception within the meaning of Art. 28(3)(a) GDPR applies and its requirements are met.
(2) The Contractor shall inform the Client if, in its opinion, an instruction of the Client infringes the GDPR or other data protection provisions of the Union or the Member States. The Contractor may suspend implementation of the instruction until it has been confirmed or amended by the Client. The Contractor is not obliged to carry out a comprehensive legal review. The Client bears any additional costs incurred by the Contractor as a result of an additional or deviating instruction, unless the instruction is required to comply with applicable legal requirements.
(3) The Processor shall maintain a record of processing activities for this processing in accordance with Art. 30 GDPR.
(4) The Processor declares that all persons entrusted with data processing have been bound to confidentiality before commencing their activities or are subject to an appropriate statutory duty of confidentiality. In particular, this duty of confidentiality remains in force even after their activity has ended and after they have left the Processor.
(5) The Contractor shall implement technical and organizational measures (TOMs) for the appropriate protection of the Client's personal data that meet the requirements of Art. 32 GDPR. In particular, the Contractor shall implement TOMs, taking into account the risk to the rights and freedoms of data subjects, that permanently ensure the confidentiality, integrity, availability, and resilience of the systems and services related to the processing.
(6) The contracting parties have agreed on the TOMs described in Annex 2 of this agreement. This list is also provided via a permanently accessible link in the data protection section of the Contractor's website.
(7) The contracting parties agree that implementation of the described TOMs ensures an appropriate level of protection in accordance with the GDPR and provides sufficient guarantees to protect the rights of data subjects. The assessment of the appropriate level of protection takes due account of the state of the art, implementation costs, the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of risks to data subjects. The Contractor is therefore permitted to implement alternative adequate measures. Such measures, as well as changes and additions, must be documented by the Contractor and disclosed to the Client upon request. The security level of the measures listed in Annex 2 at the time of contract conclusion may not be undercut.
(8) Taking into account the nature of the processing, the Contractor shall assist the Client, where possible, with suitable TOMs in fulfilling requests and claims of data subjects pursuant to Chapter III GDPR.
If a corresponding request is directed to the Processor and it becomes apparent that the applicant mistakenly believes the Processor to be the controller of the data application operated by it, the Processor shall forward the request to the Controller without undue delay and inform the applicant accordingly.
(9) Taking into account the nature of the processing and the information available to it, the Contractor shall assist the Client in complying with the obligations set out in Arts. 32 to 36 GDPR.
(10) The Contractor shall inform the Client without undue delay if it becomes aware of breaches of the protection of the Client's personal data in such a way that the Client can comply with its statutory obligations, in particular under Arts. 33 and 34 GDPR, both with regard to scope and timing.
A notification of a personal data breach must contain at least:
- A description of the incident, where possible including the nature of the personal data breach, the categories and approximate number of data subjects concerned, and the categories and estimated number of personal data records concerned
- Contact details of a point of contact for further information about the personal data breach
- A description of the likely consequences of the reported incident, a description of the measures taken or proposed to remedy it, and, where appropriate, measures to mitigate its possible adverse effects from the Contractor's perspective
Where and insofar as the information cannot be provided at the same time, it may be provided in stages without undue further delay.
(11) The Controller shall have the right to inspect and audit the data processing facilities with regard to the processing of the data provided by it, including by third parties commissioned by it. The Processor undertakes to provide the Controller with the information necessary to monitor compliance with the obligations set out in this agreement and to enable and contribute to reviews, including inspections.
(12) After the end of the assignment, the Contractor shall return or delete all data, data carriers, and documents originating from the Client or to be made available to it, at the Client's request, unless there is a statutory retention obligation. If statutory or contractual retention periods apply, the data will be blocked until the end of the retention period and then deleted. The Contractor shall confirm deletion to the Client upon request.
Section 4 Place of Data Processing
(1) All data processing activities are carried out exclusively within the EU or the EEA.
Section 5 Sub-processors
(1) The Contractor may engage sub-processors.
The subcontractors listed in Annex 1 to this agreement are deemed approved.
A sub-processor relationship requiring approval exists if the Contractor commissions subcontractors with the processing of personal data agreed in the contract. The Contractor shall conclude agreements with these subcontractors to the extent required in order to ensure appropriate data protection and information security measures.
If the sub-processor fails to comply with its data protection obligations, the Processor shall be liable to the Controller for compliance with the obligations of the sub-processor.
(2) The Contractor may use additional subcontractors only under the following conditions:
The Client grants the Contractor general authorization to use subcontractors. The Contractor shall inform the Client in writing or by email before engaging or replacing a subcontractor. The Client may object to the engagement or replacement within an appropriate period of at least 14 calendar days for important data protection reasons. If no objection is made within this period, consent shall be deemed granted.
In emergency situations, e.g. in the event of an urgent security risk or the unforeseen failure of a subcontractor, the Contractor may also engage or replace a subcontractor without observing the above period. In such a case, the Contractor shall inform the Client of the change without undue delay.
(3) The Contractor shall provide the Client with an up-to-date list of all subcontractors used. This list is attached as Annex 1 to the agreement and is also provided via a permanently accessible link in the data protection section of the Contractor's website.
(1) If the Client's data at the Contractor is jeopardized by seizure or confiscation, insolvency or settlement proceedings, or by other events or measures taken by third parties, the Contractor shall inform the Client without undue delay. The Contractor shall immediately inform all persons responsible in this connection that control over the data lies exclusively with the Client as the "Controller" within the meaning of the GDPR.
(2) Amendments and additions to this agreement and all of its components, including any assurances given by the Contractor, require a written agreement, which may also be made in an electronic format (text form), and an express indication that this constitutes an amendment or supplement to these terms. This also applies to any waiver of this formal requirement.
(3) In the event of contradictions, the provisions of this agreement shall take precedence over the provisions of the underlying contract. Should individual parts of this agreement be invalid, this shall not affect the validity of the agreement in all other respects.
The contracting parties agree and permit the respective other contracting party to use information from this agreement for the purpose of defending against third-party claims and for the purpose of proving that the respective contracting party is in no way responsible for the circumstance by which damage occurred.
(4) German law shall apply and the place of jurisdiction shall be Berlin.
Section 7 Electronic or text-form contract conclusion
This contract version may be concluded either electronically using the provided form or in text form on the basis of this version.
When concluding electronically via the form, the submitting person declares that they are authorized to make this declaration on behalf of the customer organization and agree to the contractual terms above. For this purpose, the Contractor documents and stores the time of conclusion, the customer organization, the submitted contract data, the confirmations made, the acting person, and the contract version on which the conclusion is based.
This contract version may be used as a PDF for conclusion in text form.
Annex 1 - Additional Processors (Sub-processors)
| Name and address | Description of partial services | Location of data processing |
| --- | --- | --- |
| Hetzner Online GmbH, Industriestr. 25, D-91710 Gunzenhausen | Cloud server; Managed server; Web hosting. Relevant applications: i-net HelpDesk server; i-net HelpDesk database; mail server; CRM system | Data center in Germany |
| IONOS SE, Elgendorfer Str. 57, D-56410 Montabaur | AI Model Hub (GDPR compliant); LLM hosting (GDPR compliant). Relevant applications: AI interfaces of i-net HelpDesk | Data center in Germany |
Annex 2 - Technical and Organizational Measures
The Contractor implements the following technical and organizational measures for data security within the meaning of Art. 32 GDPR:
(1) Physical access control
Measures suitable for preventing unauthorized persons from gaining access to data processing facilities in which personal data are processed or used. These measures expressly also apply to activities in the home office or in coworking spaces, etc.
The Contractor ensures that its office and business premises are generally closed outside office and business hours.
Key management is restrictive (no issuance to interns, external service providers, etc.) and is logged.
Visitors are logged in the CRM system (customers) or calendar (others). Excluded are relatives of employees, suppliers, messengers, or long-term service providers (tax advisors, etc.).
During office and business hours, it is ensured that visitors or other third parties cannot move around alone in rooms where they could gain access to personal data.
Cleaning staff are carefully selected in advance.
(2) System access control
Measures suitable for preventing unauthorized use of data processing systems.
To gain access to IT systems, the Contractor and its employees must have the appropriate authorization. For this purpose, user profiles are created and corresponding user permissions are assigned by one or more administrators.
Tiered password management using certified systems with high security standards through end-to-end encryption (AES 256 bit), zero-knowledge architecture, open-source transparency, compliance with SOC 2 Type II and SOC 3 certifications, and GDPR compliance.
Passwords must be at least 8 characters long, must not be taken from any dictionary or similar source, and must contain at least one number or one special character.
Passwords for administrative accounts must not be stored for convenience (browser, network shares, etc.).
Administrative accounts must not be used for day-to-day work.
Systems must be configured so that software can be installed only with administrative accounts.
Passwords for internal accounts must not be recycled for internet accounts.
Remote access to the Contractor's IT systems for remote maintenance is currently carried out via licensed remote maintenance software (GoToMeeting), including the use of end-to-end SSL (Secure Sockets Layer) and AES-128-HMAC-SHA1 (Advanced Encryption Standard) encryption.
All servers and client systems used in the performance of services for the Client are protected by firewalls and anti-virus software that are maintained and supplied with current updates and patches.
VPN technology is used where required, e.g. for home office activities.
(3) Data access control
Measures ensuring that persons authorized to use a data processing system can access only the data subject to their access authorization and that personal data cannot be read, copied, changed, or removed without authorization during processing, use, and after storage.
Permissions for the Contractor's IT systems and applications are granted according to the need-to-know principle. Accordingly, only those persons receive access rights to data, databases, or applications who maintain these data, applications, or databases, use them to provide the agreed services, or are active in development.
Digitally signed HelpDesk software is used.
The destruction of data carriers and paper is carried out by a service provider that guarantees destruction in accordance with DIN 66399. Destruction is logged.
Measures ensuring that it can subsequently be checked whether and by whom data were changed or removed.
The Contractor shall document entries, changes, or deletions of personal data carried out on behalf of the Client in an appropriate manner, unless it is ensured that the respective IT system itself logs the corresponding activities.
On the Contractor's side, entries, changes, and deletions of relevant data are logged in the leading ticket system.
Traceability of the entry, change, and deletion of relevant data by means of individual user names (not user groups) is ensured.
Forms from which data have been transferred into automated processing are retained.
Rights to enter, change, and delete data are assigned on the basis of an authorization concept.
(5) Transfer control
Measures ensuring that personal data cannot be read, copied, changed, or removed without authorization during electronic transmission or during transport or storage on data carriers, and that it can be checked and determined to which points personal data are intended to be transferred by data transmission facilities.
Any transfer of personal data processed on behalf of the Client may take place only to the extent agreed with the Client.
The use of private data carriers by the Contractor in connection with data processing for the Client is prohibited.
VPN tunnels are used for relevant scenarios.
For physical transport, transport personnel and vehicles as well as secure transport containers/packaging are carefully selected.
PGP encryption in email communication via i-net HelpDesk can optionally be used.
(6) Order control
Measures ensuring that personal data processed on behalf of the Client can be processed only in accordance with the Client's instructions.
Sub-processors are commissioned only within the framework of the data processing agreement.
All employees receive process-related instruction and commitment with regard to data protection.
Data are destroyed or returned after the end of the assignment as described in the main contract text.
(7) Separation
Measures ensuring that data collected for different purposes can be processed separately.
Insofar as the Contractor receives personal data from the Client in connection with the processing on behalf of the Client, it will process such data separately from data of other customers (e.g. separate ticket records in the HelpDesk system, no cross-customer remote sessions, etc.).
Test and production systems with relation to the Client's personal data are kept separate.
(8) Availability control
Measures ensuring that personal data are protected against accidental destruction or loss.
A backup and recovery concept as well as an emergency plan are in place.
Data recovery tests are carried out on a cyclical basis.
Backups are stored at a secure off-site location.
(9) Regular review, assessment, and evaluation
Measures ensuring that a long-term collaboration between Client and Contractor is maintained in line with the GDPR.
Through policies and/or instructions to employees, the Contractor contributes to ensuring that personal data are processed in a manner compliant with the GDPR.
This includes in particular a regular review of the effectiveness of the measures taken to protect personal data and, where appropriate, their adaptation.
It is in particular ensured that data protection incidents are recognized by all employees and reported to the Client without undue delay if they concern data processed within the scope of processing carried out on behalf of the Client.
(10) Use of artificial intelligence
It is ensured that only GDPR-compliant AI providers or portals are used.
(11) Technical and organizational measures of the sub-processors
The TOMs of the sub-processors listed in Annex 1 are available via the following links (status 2026-04-17):
Status
Status of this contract version: 2026-04-20