Data Processing Agreement (DPA)

Pursuant to Art. 28 GDPR · As of: 04 February 2026

The German version of this Data Processing Agreement is the legally binding document. This English translation is provided for convenience. In the event of any discrepancy, the German version shall prevail.

This Data Processing Agreement ("DPA") supplements the contract concluded between the parties, including the Service Description and the General Terms and Conditions for "FinOptory for SAP RISE", and specifies the data protection obligations pursuant to Art. 28 GDPR.

1. Parties

The Processor is GD Green Dopamine GmbH, Seehügelweg 1f, 9500 Villach, Austria (VAT No.: ATU78344267), hereinafter the "Service Provider". The Controller is the Client named in the applicable Order Form. The Client is the controller within the meaning of Art. 4(7) GDPR; the Service Provider processes personal data exclusively on behalf of and under the instruction of the Client.

2. Subject Matter, Purpose and Duration

Processing is carried out in the context of the managed service "FinOptory for SAP RISE" in accordance with the Service Description. The Service Provider operates a SaaS platform for the contractual and commercial management of SAP RISE agreements. Processing encompasses the storage and administration of user accounts, the processing of contact data of persons involved in contracts, the analysis and preparation of contract documents (which may contain personal data), the logging of user activities for audit and verification purposes, and the AI-assisted analysis of contract content to support decision-making. Processing takes place for the duration of the underlying contractual relationship; the provisions of Section 8 apply after termination.

3. Data Categories and Data Subjects

Data processed includes master data (first and last name, business email address), contact data (business telephone number, where provided), organisational data (company affiliation, department, function/role), usage data (login timestamps, actions performed on the platform in the audit log), and personal data contained in contract documents uploaded by the Client. Data subjects are employees and representatives of the Client with platform access, contact persons in the context of the managed SAP RISE agreements, and natural persons named in contract documents.

4. Instructions and Confidentiality

The Service Provider processes personal data exclusively on the basis of documented instructions from the Client. The purposes set out in this DPA and the Service Description constitute instructions; further instructions must be in writing (email suffices). If the Service Provider is of the opinion that an instruction infringes data protection law, it shall inform the Client without delay and is entitled to suspend execution pending clarification. The Service Provider ensures that all persons entrusted with processing are bound by confidentiality obligations or are subject to an appropriate statutory duty of confidentiality.

5. Technical and Organisational Measures

The Service Provider implements and maintains the following measures for the duration of the processing.

Access control. Authentication is via email/password or Single Sign-On (Azure Entra ID). Multi-factor authentication (MFA) is mandatory for all users. Access is managed through a role-based permission model (Owner, Admin, Member, Viewer); sessions are automatically terminated after inactivity.

Tenant separation. Each Client receives its own tenant with full logical data separation at the database level (tenant ID). Row-Level Security (RLS) is active on all data-holding tables; access within a tenant is additionally restricted by contract.

Encryption. All connections are transport-encrypted using TLS 1.2 or higher. Data at rest in the database and file storage is encrypted using AES-256. Uploaded contract documents are stored in a separate, encrypted storage.

Logging. All data-protection-relevant activities are comprehensively recorded in the audit log. Each entry includes the user, the action performed, the timestamp and the affected entity.

Availability. The platform operates on professional cloud infrastructure with automatic scaling. Regular backups, monitoring and alerting ensure the availability and resilience of the system. The Service Provider regularly reviews the effectiveness of these measures and updates them in line with the state of the art.

6. Sub-Processors

The Client grants general authorisation for the engagement of the following sub-processors:

Sub-Processor     Location              Purpose                                   Safeguard
Supabase, Inc.    San Francisco, USA    Database, authentication, file storage    SCCs
Vercel, Inc.      San Francisco, USA    Hosting, serverless functions             SCCs
Anthropic, PBC    San Francisco, USA    AI-assisted contract analysis             SCCs
Resend, Inc.      San Francisco, USA    Transactional emails                      SCCs

The Service Provider shall inform the Client at least 30 days before the planned engagement of a new sub-processor or the replacement of an existing one in text form. The Client may object within 14 days of receipt of the notification on important data protection grounds; if the parties cannot reach a mutually agreeable solution, the Client shall have the right to terminate the contract for cause. The Service Provider ensures through contractual arrangements that sub-processors comply with the data protection obligations of this DPA to an equivalent standard.

7. Third-Country Transfers

Where personal data is transferred to third countries, the Service Provider ensures an adequate level of data protection, in particular through EU Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914 and, where applicable, through adequacy decisions of the European Commission. The Service Provider shall inform the Client if it becomes aware of circumstances that could jeopardise the agreed level of protection.

8. Deletion and Return

Upon termination of the contractual relationship, the Service Provider shall delete all personal data processed on behalf of the Client. The Client may request an export of all data in a commonly used format within four (4) weeks of the end of the contract. After this period has elapsed or following a completed export, all data will be irreversibly deleted; the Service Provider shall confirm this in writing upon request. Statutory retention obligations remain unaffected, and affected data will be blocked until the relevant retention period has expired.

9. Assistance and Notification Obligations

The Service Provider shall assist the Client through appropriate technical and organisational measures in fulfilling requests from data subjects (Arts. 15-22 GDPR). Requests received directly by the Service Provider will be forwarded to the Client without delay. Personal data breaches will be reported to the Client without undue delay, and at the latest within 48 hours of becoming aware, including the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. Where a data protection impact assessment (Art. 35 GDPR) is required, the Service Provider shall assist the Client to the necessary extent.

10. Evidence and Audits

The Service Provider shall make available to the Client all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR. The Client or an auditor commissioned by the Client is entitled to verify compliance with this DPA through inspections. Inspections must be announced with at least 14 days' notice and conducted in a manner that does not disproportionately disrupt business operations.

11. Final Provisions

In the event of conflicts between this DPA and the Service Description or the GTC, the provisions of this DPA shall take precedence in matters of data protection law. The DPA is governed by the law of the Republic of Austria; the GDPR applies directly in addition. Should any provision of this DPA be or become invalid, the validity of the remaining provisions shall not be affected.

This DPA enters into force upon signature of the associated Order Form. For enquiries, please contact bernhard.maendle@green-dopamine.at.