##### Data Processing Agreement (DPA / Auftragsverarbeitungsvertrag)

> Use this when FintechGraphs processes personal data **on behalf of** a business customer (Art. 28 GDPR). Link it from your footer and attach it to order forms.

**Last updated:** October 1, 2025

###### Parties

- **Controller (Customer):** The business entity subscribing to FintechGraphs.
- **Processor:** **FintechGraphs**, Waldstraße 11, 65428 Rüsselsheim am Main, Germany ([email protected]).

###### 1. Subject Matter & Duration

Processor provides data processing necessary to deliver the FintechGraphs Service to Controller. Duration = term of the underlying agreement + any wind-down/return period.

###### 2. Nature & Purpose of Processing

Hosting, storage, transmission, analysis, display, and support necessary to provide graph-based explainers/insights and related features, including security logging and troubleshooting.

###### 3. Types of Personal Data & Data Subjects

- **Data types (as provided by Controller):** identification data (e.g., names, emails), usage metadata, support content.
- **Data subjects:** Controller's users, employees, contractors, end customers (as applicable).

**Special categories:** not intended; Controller shall avoid submitting such data.

###### 4. Processor Obligations

Processor shall:

(a) process personal data **only on documented instructions** from Controller;
(b) ensure confidentiality (NDA) of authorized personnel;
(c) implement appropriate **technical and organizational measures (TOMs)** (see Security page);
(d) assist Controller with data subject requests, security incidents, DPIAs, and consultations (Arts. 32–36 GDPR) to a reasonable extent;
(e) notify Controller **without undue delay** after becoming aware of a personal data breach;
(f) delete/return personal data after termination, unless law requires storage;
(g) make available information necessary to demonstrate compliance and allow/support audits (with reasonable notice, during business hours, not more than once per 12 months, except for cause).

###### 5. Sub-processors

Controller authorizes the sub-processors listed on the **Sub-processors** page (kept up-to-date). Processor will impose Art. 28-compliant obligations on sub-processors. Processor will notify Controller of changes and provide **30 days** to object on reasonable grounds; if unresolved, Controller may terminate affected services.

###### 6. International Transfers

Where sub-processors are outside the EEA/UK, Processor ensures appropriate safeguards (e.g., **SCCs**, adequacy decisions, supplementary measures).

###### 7. Controller Obligations

Controller ensures a valid legal basis for processing, provides instructions that comply with law, and does not submit data that violates third-party rights or contains special categories unless agreed in writing.

###### 8. Liability & Miscellaneous

Between the parties, limitations of liability in the main agreement apply to this DPA. In case of conflict, this DPA prevails for processing activities. German law; venue Frankfurt am Main.

---

##### Sub-processors

**Last updated:** October 1, 2025

| Vendor | Role | Data categories | Location | Safeguards |
| --- | --- | --- | --- | --- |
| **Cloudflare, Inc.** | CDN, DDoS/WAF, TLS | IPs, request metadata, security logs; necessary cookies | EU/Global (incl. US) | SCCs, TOMs |
| **Google Ireland Ltd.** (Google Analytics) | Analytics (if consented) | pseudonymous IDs, pages/events, UA/device, approx. geo | EU/Global (incl. US) | SCCs, IP anonymization, consent |
| **Obsidian Publish** | Hosting/publishing | site content, access logs | EU/Global (depending on infra) | DPA/SCCs, TOMs |
| **Google Ireland Ltd.** (Gmail) | Transactional mail | names, emails, meta | EU/Global | SCCs/DPA |

> We will update this list before onboarding new sub-processors and provide notice via this page and/or email.