Data Processing Agreement (DPA)

This Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is concluded between the Customer – hereinafter the “Controller” – and Univents GmbH – hereinafter the “Processor”. This is the currently applicable version; a countersigned, customer-specific copy is available on request.

1. Subject and duration of the processing

(1) The Processor processes personal data on behalf of the Controller in the context of using the “Univents” ERP system.

(2) The subject of the processing is the provision and operation of a software solution for mapping business processes, in particular in the following areas:

Project and event management
Customer and supplier management
Purchasing, production and inventory
Billing and reporting

(3) The duration of the processing corresponds to the term of the main agreement.

2. Nature and purpose of the processing

The processing is carried out solely for the purpose of:

managing customer, project and supplier data
planning and carrying out events
controlling purchasing, production and logistics
billing and business analysis

Any use beyond this is not permitted.

3. Categories of data subjects

Customers and their contact persons
Employees of the Controller
Suppliers and service providers
where applicable, event participants / guests

4. Categories of personal data

Master data (name, address, contact details)
Contract and billing data
Project and event data
Communication data

Optional / potentially sensitive:

Allergens or dietary information

5. Right to issue instructions

(1) The Processor processes personal data solely on documented instructions from the Controller.

(2) Instructions may be given in written or electronic form.

(3) The Processor shall inform the Controller without undue delay if an instruction infringes data protection law.

6. Confidentiality

(1) The Processor ensures that all persons entrusted with the processing:

are bound to confidentiality
have been appropriately trained

(2) Access to data is granted strictly on a need-to-know basis.

7. Technical and organisational measures (TOMs)

(1) The Processor undertakes to implement appropriate technical and organisational measures in accordance with Art. 32 GDPR.

(2) These include in particular:

Access control

role-based user management
authentication (password, MFA where applicable)

Access restriction

differentiated assignment of rights
logging of access

Data transmission

encryption (TLS/HTTPS)

Data storage

secure data centres
protection against unauthorised access

Data backup

regular backups
recoverability

System monitoring

monitoring and logging

(3) The specific measures are described in Annex A (TOMs).

8. Sub-processors

(1) The Processor may engage sub-processors.

(2) A current list is contained in Annex B.

(3) The Controller has a right to object to changes.

(4) The Processor ensures that sub-processors are subject to the same data protection obligations.

9. Third-country transfers

(1) Processing outside the EU takes place only in compliance with the GDPR.

(2) For transfers to third countries, EU Standard Contractual Clauses (SCC) are applied.

10. Duties to assist

The Processor assists the Controller with:

requests for information, rectification and erasure
data protection impact assessments
requests from supervisory authorities

11. Reporting of data protection incidents

(1) The Processor reports data protection incidents without undue delay, at the latest within 24 hours of becoming aware of them.

(2) The report contains:

nature of the incident
data affected
possible consequences
measures taken

12. Deletion and return of data

(1) Upon termination of the agreement, the Processor shall:

return all personal data, or
delete it in a data protection-compliant manner

(2) The deletion must be confirmed in writing.

(3) Statutory retention obligations remain unaffected.

13. Audit rights

(1) The Controller has the right to verify compliance with this agreement.

(2) This may take place by means of:

audits
certificates (e.g. ISO 27001)
audit reports

14. Liability

(1) The parties are liable in accordance with the statutory provisions of the GDPR.

(2) Any exemption of the Processor from liability is excluded.

15. Final provisions

(1) This agreement forms part of the main agreement.

(2) Amendments must be made in writing.

(3) The law of the Federal Republic of Germany applies.

Annex A – Technical and organisational measures (TOMs)

pursuant to Art. 32 GDPR

1. Objective of the measures

These technical and organisational measures serve to ensure:

confidentiality
integrity
availability
resilience of the systems

as well as the protection of personal data against unauthorised access, loss or manipulation.

2. Physical access control

operation of servers in certified data centres (e.g. ISO 27001)
access to data centres only for authorised personnel
use of access control systems (e.g. smart cards, biometric procedures)
video surveillance of security-relevant areas
logging of physical access

3. System access control

user authentication via individual credentials (user ID / password)
password policies (minimum length, complexity, regular change)
optional: multi-factor authentication (MFA)
locking of user accounts after multiple failed login attempts
use of secure connections (HTTPS / TLS)

4. Data access control

role and authorisation concept (role-based access control)
differentiated assignment of read, write and administration rights
separation of administrative and operational roles
regular review of authorisations
logging of access and changes

5. Transfer control

encrypted data transmission (TLS/HTTPS)
securing of interfaces (APIs) through authentication
logging of data exports
restriction of export functions to authorised users

6. Input control

logging of changes to personal data
attribution of changes to user accounts
traceability of the timing and content of changes

7. Commissioned-processing control

processing solely on documented instructions from the Controller
training and obligation of the Processor’s employees
internal data processing guidelines
regular review of compliance with data protection requirements

8. Availability control

regular data backups (at least daily)
redundant data storage
use of uninterruptible power supply (UPS)
protection against hardware failures
emergency plans (disaster recovery)

9. Recoverability

definition of recovery time objectives (RTO)
definition of recovery point objectives (RPO)
regular tests of data recovery
documented emergency processes

10. Separation control

logical separation of data of different customers (multi-tenancy)
separation of test and production systems
access restriction to project-specific data

11. Pseudonymisation and anonymisation

option to use data in anonymised form (e.g. for training or testing purposes)
use of anonymised data when sharing with third parties

12. Monitoring and logging

monitoring of system availability
logging of security-relevant events
analysis of anomalies (e.g. unauthorised access attempts)

13. Security management

regular security updates and patches
use of firewalls and intrusion detection systems
performance of security reviews
documentation of security measures

14. Organisation and processes

appointment of a data protection officer
regular employee training
establishment of an incident response process
documentation of all relevant processes

15. Mobile and external access

access only via secured connections
restriction of access via insecure networks
use of devices in accordance with security policies

16. Review and update

The measures are reviewed regularly and adapted to the state of the art.

Annex B – List of sub-processors

No.	Company	Service	Processing location	Data categories	Legal basis / third country
1	Bubble Group, Inc.	Platform hosting (no-code backend, current operation of the Univents platform)	USA	Master, customer, project, event and communication data	SCC + DPA
2	Vercel Inc.	Hosting of the Next.js application (migration target system)	EU (Frankfurt)	Master, customer, project, event and communication data	DPA + SCC (group reference)
3	Supabase Pte. Ltd.	Database and backend services (PostgreSQL, storage, auth)	EU (Frankfurt)	Master, customer, project, event and communication data	DPA + SCC (group reference)
4	Cloudflare, Inc.	Content delivery network, DDoS protection, web application firewall	Global edge network (HQ USA)	Connection and metadata, IP addresses	SCC + DPA
5	HubSpot, Inc.	CRM (customer and contact management, sales communication)	EU (Frankfurt)	Contact data, communication data, sales data	DPA
6	Intercom Inc.	Support communication, in-app messaging	USA	Contact data, communication data, usage data	SCC + DPA
7	Resend, Inc.	Sending of transactional system emails	USA	Contact data (name, email), content of system emails	SCC + DPA
8	Stripe Payments Europe, Ltd.	Payment processing (where activated)	Ireland (EU), data transfer to Stripe, Inc. USA	Payment and invoicing data	DPA + SCC for US transfer
9	Functional Software, Inc. (Sentry)	Error monitoring and performance logging	EU (Frankfurt)	Technical log data, IP addresses, user IDs where applicable	DPA (SCC not required)
10	PostHog, Inc.	Product analytics, feature flags, session recording (in-app) and AI observability (sentiment analysis of chat and onboarding conversations)	Germany (EU cloud)	Usage data, clicks, page views, user IDs, and the content of chat and onboarding conversations for quality assurance and sentiment analysis	DPA (SCC not required)
11	Anthropic, PBC	AI-powered features (Claude API) – no use for training purposes	USA	User-submitted content for AI processing	SCC + DPA (storage max. 30 days)
12	OpenAI, L.L.C.	AI-powered features (GPT API) – no use for training purposes	USA	User-submitted content for AI processing	SCC + DPA (storage max. 30 days)
13	Google Ireland Limited (Gemini API über Google Workspace)	AI-powered features (Gemini API) – no use for training purposes	EU/Ireland	User-submitted content for AI processing	DPA (Workspace data residency)
14	Google Ireland Limited (Google Workspace)	Email communication, document and file storage	EU/Ireland	Communication data, documents, contact data	DPA (SCC not required)
15	Nylas, Inc.	Email and calendar integration (inbox sync, sending and receiving)	EU (Ireland)	Communication data (email content, subject, sender/recipient), calendar and contact data	DPA + SCC (group reference)

3. Description of services

The sub-processors provide in particular the following services:

Hosting and infrastructure (server operation, CDN)
Storage and processing of data
Sending of system notifications and transactional emails
Monitoring and assurance of system operation (monitoring, error tracking)
Support and communication services
Payment processing
AI-powered features without use of the data for training purposes
Product analytics to improve the application

4. Third-country transfers

(1) Where sub-processors process data outside the EU / EEA, this is done solely in compliance with the GDPR.

(2) This includes in particular:

conclusion of Standard Contractual Clauses (SCC)
where applicable, additional technical safeguards (e.g. encryption, exclusion of data use for training purposes)

(3) The Processor ensures that an adequate level of data protection is guaranteed.

5. Duty to inform of changes

(1) The Processor informs the Controller of:

new sub-processors
changes to existing sub-processors
changes of location

(2) The information is provided at least 14 days in advance.

6. Right to object

(1) The Controller has the right to object to a change.

(2) In the event of a justified objection, the parties are obliged to find an amicable solution.

7. Obligations of the sub-processors

The Processor ensures that all sub-processors:

are contractually obliged to comply with the GDPR
implement appropriate technical and organisational measures
do not process data for their own purposes

8. Evidence obligations

The Processor provides the Controller, on request, with appropriate evidence, in particular:

contracts with sub-processors (in suitable form)
certifications (e.g. ISO 27001)
data protection concepts

9. Final provision

This list forms part of the Data Processing Agreement and is updated regularly.