Data Processing Agreement (DPA)

DATA PROCESSING AGREEMENT (DPA)

between

KPIQ – Alter Günes, Pechlerausstr. 15, 83308 Trostberg, Germany

(“Processor”)

and

the Customer using KPIQ services

(“Controller”).

 

1. Subject and Duration

  1. The Processor processes personal data on behalf of the Controller in accordance with Art. 28 GDPR.
  2. Processing is carried out solely for providing KPIQ platform functions, analytics, and optional integrations (e.g., Shopify).
  3. This Agreement remains valid for the duration of the Controller’s use of KPIQ.

 

2. Purpose of Processing

The Processor processes personal data for the following purposes:

  • Providing KPIQ services
  • Analysis of marketing and performance metrics
  • Account and authentication management
  • API integrations (e.g., Shopify, if activated)
  • Error handling, monitoring, logging, IT security
  • Hosting and data storage (AWS)

Processing is carried out only under documented instructions from the Controller.

 

2a. Storage, Processing and Anonymization of User Data (AWS S3)

The Processor handles analysis and business data provided by the Controller or its users exclusively server-side within KPIQ’s infrastructure (e.g., AWS S3, AWS Lambda).

Processing includes:

  1. Initial temporary storage:
    Data entered into KPIQ is first placed in a secure processing area to enable calculations and analysis.
  2. Processing and analysis:
    Data is processed to generate metrics, reports, and AI-based insights.
  3. Anonymization:
    Personal identifiers are removed or anonymized so that individuals can no longer be identified.
  4. Archiving of anonymized data:
    Only anonymized datasets may be retained long-term for system improvement, quality assurance, or statistical evaluation.
  5. Deletion of personal data:
    Personal data that is no longer required for service delivery is deleted unless legal retention obligations apply.

These processing steps are unrelated to cookies and apply exclusively to server-side processing required to provide KPIQ services.

 

3. Types of Personal Data

May include:

  • Contact information (name, email)
  • Account and shop data
  • KPI, analytics and performance metrics
  • Log data (IP address, device, browser)
  • API integration data (e.g., Shopify: products, orders, KPIs)
  • Dashboard usage and interaction data

No special categories of personal data are processed.

 

4. Categories of Data Subjects

  • Customers of the Controller
  • Employees of the Controller
  • Online shop visitors (if Shopify integration is enabled)
  • Users of KPIQ

 

5. Rights and Obligations of the Controller

The Controller is responsible for:

  • Ensuring lawful data collection
  • Complying with GDPR information obligations
  • Providing privacy notices to its own customers
  • Ensuring legal compliance within its shop system (e.g., Shopify)

 

6. Obligations of the Processor

The Processor shall:

  1. Process data only under documented instructions
  2. Ensure confidentiality
  3. Implement appropriate technical and organizational measures (TOMs)
  4. Use subprocessors only following documented notification
  5. Report data breaches without undue delay
  6. Ensure deletion of data after contract termination

 

7. Technical and Organizational Measures (TOMs)

The Processor implements, among others:

  • AWS data centers (ISO 27001 certified)
  • Encryption in transit and at rest
  • IAM access control, MFA, least privilege
  • Logging and monitoring (CloudWatch)
  • Backup and disaster recovery
  • Role-based access concepts
  • Continuous anomaly detection and security logging

 

8. Subprocessors

Current subprocessors:

  • Amazon Web Services (AWS) – hosting, storage, server infrastructure
  • OpenAI – AI-based processing, only if the Controller uses AI features
  • Shopify – provides shop data, only if the Controller activates Shopify integration

Additional subprocessors may only be engaged following proper documentation and in accordance with Art. 28 GDPR.

 

9. International Transfers

Transfers outside the EU rely on:

  • Standard Contractual Clauses (SCCs), or
  • Adequacy decisions, or
  • Other GDPR-approved safeguards

 

10. Assistance

The Processor assists the Controller with:

  • Responses to data subject requests
  • Security incident notifications
  • Data export and deletion requests
  • Data Protection Impact Assessments (DPIA)

 

11. Deletion of Data

After contract termination:

  • All personal data is deleted within 30 days
  • unless legal retention requirements apply

 

12. Audit Rights

The Controller may audit compliance through documentation review, certificates, or remote audits.

On-site audits are only required where legally necessary.

 

13. Liability

Liability follows the terms of the main contract (Terms of Service).

The Processor is liable only within the limits of applicable law.

 

14. Final Provisions

  • Amendments must be made in writing
  • German law applies
  • Court of jurisdiction is the Processor’s business location