Agreement on commissioned processing in accordance with Art. 28 GDPR
Version from 27.08.2025
The controller
Customer responsible for processing
(hereinafter referred to as the client)
The processor
Metasoul GmbH
Urstein South 15
5412 Puch near Hallein
Austria
(hereinafter referred to as the Contractor)
This Data Processing Agreement is an integral part of the Contractor's General Terms and Conditions or other contracts between the Client and the Contractor, which are available at https://metasoul.com/saas-vertrag/. It applies between the Client and the Contractor whenever the Contractor processes personal data on behalf of the Client when using its services.
1. BACKGROUND AND SPECIFICATION OF DATA PROCESSING
1.1 The Contractor is a company that offers the following services:
- Operating a SaaS platform to support customers in meeting data protection requirements.
1.2 The Client is a company that plans to utilize the Contractor's services in the aforementioned areas.
1.3 This Data Processing Agreement sets out the conditions for the processing of personal data by the Contractor with the approval of the Client in accordance with the General Data Protection Regulation (GDPR). The Contractor acts as a processor within the meaning of the GDPR.
2. NATURE, PURPOSE, OBJECT AND LEGAL BASIS OF DATA PROCESSING
2.1 The Contractor's services are described in the relevant contracts concluded with the Client.
2.2 In the course of the provision of services, the Client shall provide the Contractor with the personal data required for the provision of services in the appropriate manner in each case, for example by electronic or physical means, via discussions and analyses, the performance of other contractually regulated activities, verbally or via software tools.
2.3 Personal data may be processed in particular by organizing, arranging, storing and, if necessary, adapting or modifying, querying, linking, restricting, deleting, combining, copying, hiding, connecting, analyzing, reading, receiving, sending, updating, insofar as this is necessary for the provision of the agreed services.
2.4 The purpose of the processing is the contractually agreed provision of services to the client.
2.5 The contractor is not obliged to check the legality of the underlying data processing of the client.
3. PERSONAL DATA CONCERNED AND CATEGORY OF DATA SUBJECTS
3.1 As part of the agreed services, the personal data required for the provision of services may be processed. In particular, the following data may be processed:
- Login data
- Identification data
- Contact details
- Payment data
- Invoice data
- Data for error detection and error analysis
- Data for the analysis of user behavior
- Data provided as free text
3.2 The Client acknowledges that the Contractor has no influence on the categories of personal data processed as part of the provision of services. This applies in particular to the possible transfer of special categories of personal data (Art. 9 GDPR).
3.3 In principle, all categories of data subjects necessary for the provision of the agreed services are covered by the processing. In particular, this includes the following categories of data subjects:
- Customers of the client
- Service providers of the client
- Employees of the client
3.4 Given the nature of the agreed services, the Client acknowledges that the Contractor is largely unable to review or maintain the list of categories of data subjects. Therefore, the Client undertakes to inform the Contractor of any necessary changes to the list of categories of data subjects.
3.5 The Contractor shall process the Client's personal data with regard to all data subjects listed above in accordance with the agreed services. If, due to changes to the list of categories of data subjects, changes to the agreed processing operations become necessary, the Client shall issue additional instructions to the Contractor accordingly.
4. CONDITIONS OF DATA PROCESSING
4.1 The Contractor undertakes to comply with all provisions of the GDPR during the entire provision of services.
4.2 The Contractor undertakes to process personal data only on written instructions in the form of a contract with the Client. Deviations from these instructions require the prior written consent of the client.
4.3 The Contractor processes the personal data in accordance with the principle of data minimization pursuant to Art. 5 para. 1 lit. c GDPR and therefore only to the extent necessary to provide the agreed services.
4.4 Access to the client's personal data shall only be granted to those persons who require such access on the basis of contractual or statutory provisions.
4.5 All persons on the Contractor's side who have access to the Client's personal data shall be obliged to maintain confidentiality. In particular, the duty of confidentiality of the persons entrusted with data traffic shall remain in force even after termination of their activity and departure from the Contractor.
4.6 The Contractor is obliged to take and maintain all suitable, appropriate and state-of-the-art technical and organizational measures to ensure the availability, confidentiality and integrity of the personal data.
4.7 The Contractor shall support the Client in complying with its obligations under the GDPR, in particular with regard to the rights of data subjects.
4.8 Unless otherwise required by law, the Contractor shall inform the Client immediately if it receives information or notification from a data subject, the data protection supervisory authority or another authority or a third party and this information or notification is directly or indirectly related to the processing of personal data under this Data Processing Agreement.
4.9 In connection with the commissioned data processing, the Contractor shall support the Client - to the extent required by law - in drawing up and updating the record of processing activities, in carrying out the data protection impact assessment and, if necessary, in prior consultations with the data protection supervisory authority within the meaning of Art. 36 GDPR and shall provide all necessary details and information for this purpose. In addition, the Contractor shall maintain its own record of processing activities and, if necessary, carry out data protection impact assessments and appoint a data protection officer.
4.10 The Contractor shall inform the Client immediately, but at the latest within 24 hours, if the personal data provided to it has been used unlawfully and/or the data subjects are at risk of harm. The Contractor shall provide the Client with all necessary information so that the Client can fulfill its reporting obligations to the data subjects in accordance with data protection laws.
4.11 Any transfer of personal data by the Contractor to a third country or an international organization shall be in accordance with Union or national law and shall in particular comply with the provisions of the GDPR.
5. SUB-PROCESSORS
5.1 Depending on the contractually agreed service provision, a specific list of approved sub-processors will be included in the data processing.
5.2 Data may be transferred to third countries through the use of sub-processors. The Contractor shall ensure that the transfer of data to third countries is generally possible in compliance with the GDPR. The Client shall check whether the transfer of personal data to third countries in accordance with Articles 44-49 GDPR is feasible in the course of the individual use of the service offered by the Contractor in compliance with the GDPR.
5.3 The following sub-processors are approved by the Client and are involved in the provision of the contractually agreed services:
- Hetzner Online GmbH, Industriestr. 25; 91710 Gunzenhausen, Germany - Application hosting
- hundertzehn GmbH, In der Weid 15, 8122 Binz, Switzerland - Accounting
- Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands - Payment processing
- seriouscode GmbH, Siedlungsgasse 16, 2111 Kleinrötz, Austria - Analysis of user behavior
- Functional Software, Inc, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA - Error detection and error analysis
- Raintank, Inc. dba Grafana Labs, 165 Broadway 23rd Floor, New York, NY 10006, USA - Logging and monitoring
5.4 A contract must be concluded between the Contractor and the sub-processor in accordance with Art. 28 (4) GDPR. The subcontract must comply with the data protection provisions to the same extent as those agreed between the Client and the Contractor in this Agreement and the data processing may only be carried out for the purpose specified in the separately commissioned service.
5.5 The Contractor shall regularly check compliance with the data protection obligations of the sub-processors under this Data Processing Agreement. Should the Contractor become aware in the course of this review that the sub-processor does not or does not sufficiently fulfill the data protection obligations incumbent upon it under this Data Processing Agreement, it shall inform the Client thereof immediately and without being requested to do so.
5.6 Subcontracting to sub-processors or changing the existing sub-processors is permitted, provided that:
- the contractor announces such subcontracting to sub-processors at least two weeks in advance in writing or in text form and
- the client does not raise any objections to the planned outsourcing in writing or in text form by the time the data is transferred to the contractor.
In the event of an objection, the client and contractor will contact each other to resolve the conflict, whereby an extraordinary right of termination of the main agreement is agreed for both parties in the event that the conflict cannot be resolved.
6. INSPECTION AND COMPLIANCE
6.1 The Contractor shall permit the Client or its designated representatives to conduct audits and inspections to verify compliance with the provisions of this Data Processing Agreement. Such audits shall be conducted with reasonable advance notice and shall not unreasonably interfere with the Contractor's operations. The Client is aware that any inspections of sub-processors must be coordinated directly with these sub-processors and that the Contractor has no influence on the provisions applied.
6.2 All external auditors are subject to a confidentiality agreement.
6.3 The Contractor shall provide the Client with all necessary information and cooperate with the Client to demonstrate compliance with the GDPR.
7. TERM AND END OF CONTRACT
7.1 This Data Processing Agreement shall remain in force for the duration of the Data Processing Activities and shall terminate upon completion of the provision of the Services or as otherwise agreed by the Parties.
7.2 Upon termination of the Processor Agreement (or at any time prior thereto at the Client's request), the Processor shall, at the Client's discretion, either destroy the processed personal data (including any copies) itself or hand them over to the Client in their entirety, provided that this does not conflict with any statutory or contractual obligation to retain them. Until the data is deleted or returned, the Processor shall continue to ensure compliance with all requirements. If the Client does not comment on the procedure, the Processor shall destroy the data six months after termination of the agreement, subject to statutory or contractual obligations to retain the data.
7.3 The Contractor is equally obliged to arrange for the destruction or handover by any sub-processors.
8. FINAL PROVISIONS
8.1 Amendments and supplements to this Data Processing Agreement and all its components require a written agreement, which may also be in electronic form (text form), as well as the express indication that it is an amendment or supplement to this Data Processing Agreement. This also applies to the waiver of this formal requirement.
8.2 This Data Processing Agreement shall be governed by and construed in accordance with the laws in force in Austria. The place of jurisdiction is Salzburg.
8.3 Should individual provisions of this Processor Agreement be or become invalid or unenforceable, the remainder of the Processor Agreement shall remain unaffected. Such provisions shall be deemed to be replaced by valid and enforceable provisions that best achieve the economic purpose intended by the parties.
This data processing agreement was generated and provided by the Metasoul AVV generator.