Agreement (DPA) under Art. 28 GDPR
1. Subject and Duration of Processing
1.1 This Data Processing Agreement (DPA) governs the processing of personal data on behalf of the customer by yappyBuy in accordance with Art. 28 GDPR.
1.2 Processing is carried out solely for the purposes contractually agreed. The duration of processing corresponds to the term of the respective module.
2. Nature and Purpose of Processing
2.1 Data processed include those collected during use of the SaaS modules, such as customer data, usage data, and support data.
2.2 The purpose of processing is to provide and improve the contracted modules (e.g., Buddy Assistant, Buddy Reporter, Eazy Checkout).
3. Types of Data and Data Subjects
3.1 The following categories of data may be processed:
• Contact data (e.g., names, email addresses),
• Technical usage data (e.g., IP addresses, log files),
• User communication content (e.g., chats with Buddy Assistant).
3.2 Data subjects may include users of the customer's systems and their customers.
4. Customer Responsibilities
4.1 The customer is the controller under Art. 4(7) GDPR.
4.2 The customer shall fulfill their information obligations and obtain consent from data subjects where required.
5. Obligations of yappyBuy
5.1 yappyBuy will only process personal data based on documented instructions from the customer.
5.2 All yappyBuy personnel involved in data processing are bound to confidentiality.
5.3 yappyBuy ensures appropriate technical and organizational measures in line with Art. 32 GDPR.
5.4 yappyBuy supports the customer in responding to data subject requests and in fulfilling obligations under data protection law.
6. Sub-processors
6.1 yappyBuy uses sub-processors (e.g., hosting providers, IT service providers). A current list is available at https://www.yappybuy.com/de/auftragsverarbeitungsvertrag
6.2 The customer will be informed of material changes to this list and may object within 14 days. Without objection, the change is deemed accepted.
7. Deletion and Return of Data
7.1 Upon termination of processing, yappyBuy shall, at the customer’s choice, return or delete all personal data unless retention is required by EU or Member State law.
7.2 Deletion must be permanent and irreversible. Processes must be logged and confirmed within 72 hours of execution.
8. Audits and Documentation
8.1 yappyBuy will allow reasonable inspections (e.g., via documentation or audits with notice).
8.2 yappyBuy maintains a record of processing activities and documents technical and organizational safeguards.
9. Instructions and Support
9.1 yappyBuy shall follow the customer's instructions unless legally prevented. In such cases, yappyBuy shall inform the customer unless prohibited by law.
9.2 Instructions must be documented and retained for three years beyond the contract term.
9.3 yappyBuy shall notify the customer if any instruction appears to violate applicable law.
9.4 Both parties shall appoint contact persons for instructions and notify each other of changes.
9.5 yappyBuy will assist the customer in fulfilling obligations under Articles 12–22 and 32–36 GDPR.
9.6 yappyBuy will inform the customer without undue delay of any data subject requests or inquiries from supervisory authorities.
10. Data Protection Contact
Data protection officer of yappyBuy:
PROLIANCE GmbH
www.datenschutzexperte.de
Leopoldstr. 21
80802 Munich
Email: datenschutzbeauftragter@datenschutzexperte.de
11. Technical and Organizational Measures (TOMs)
11.1 yappyBuy implements TOMs in accordance with Art. 32 GDPR to ensure confidentiality, integrity, availability, and resilience of systems.
11.2 Adjustments to TOMs must maintain an equivalent security level. Material changes must be documented and agreed in writing.
12. Breach Notification and Communication
12.1 yappyBuy shall notify the customer without undue delay of any data breaches or suspected breaches.
12.2 yappyBuy assists in mitigation, resolution, and communication with supervisory authorities and data subjects.
12.3 In case of insolvency or third-party access to personal data, yappyBuy shall inform the customer immediately.
12.4 Findings from supervisory authority audits must be shared with the customer if related to the data processing.
13. Final Provisions of the DPA
13.1 The customer may not withhold data under § 273 BGB.
13.2 Appendices to this agreement are integral parts.
13.3 Amendments require written or electronic form, including to this clause.
13.4 If any provision is or becomes invalid, the remainder shall remain unaffected.
yappyBuy GmbH
Kaiselsbergstraße 41
63808 Haibach
Germany
https://www.yappybuy.com
Johannes P. Hattingh
CEO