Data Processing Agreement
Pursuant to Article 28 GDPR
Version date: March 30, 2026.
This Data Processing Agreement ("DPA") forms part of and supplements the General Service Terms between gsant.net / Gabriel Santini and the Client. It applies where gsant.net processes personal data on behalf of the Client and is intended to satisfy Article 28 GDPR and the German Federal Data Protection Act (BDSG).
Parties
Controller / Client: the client entity identified in the relevant proposal, order, statement of work, or other principal agreement.
Processor: gsant.net / Gabriel Santini, as identified in the legal notice at https://gsant.net/imprint/.
Each individually a "Party" and together the "Parties".
1. Subject Matter and Duration
This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the services provided under the General Service Terms or any specific project agreement between the Parties (the "Principal Agreement").
The types of personal data processed, categories of data subjects, purposes, and nature of processing are set out in Annex 1.
This DPA remains in force for as long as the Processor processes personal data on behalf of the Controller and terminates automatically with the Principal Agreement, subject to Clause 11.
2. Obligations of the Processor
The Processor agrees to:
- process personal data only on documented instructions from the Controller, including with respect to transfers to third countries or international organizations, unless required otherwise by applicable EU or German law;
- ensure that authorized persons are bound by confidentiality obligations or an equivalent statutory duty of confidentiality;
- implement appropriate technical and organizational measures in accordance with Article 32 GDPR and Annex 2;
- respect the conditions for engaging sub-processors under Clause 5;
- assist the Controller, where reasonably practicable, with data subject rights requests under Chapter III GDPR;
- assist the Controller with compliance under Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to the Processor;
- delete or return personal data at the Controller's choice after the end of the services, unless EU or German law requires retention; and
- make available the information necessary to demonstrate compliance with Article 28 GDPR and allow audits or inspections as set out in this DPA.
3. Instructions
The Processor shall process personal data only on documented instructions of the Controller. The execution of tasks within the scope of the Principal Agreement is deemed to be documented instruction.
If the Processor considers an instruction to breach the GDPR or other applicable data protection law, it shall inform the Controller without undue delay and may suspend execution of the instruction until it is confirmed or modified.
Instructions may be given in writing, including by email. Verbal instructions must be confirmed in writing without undue delay.
4. Technical and Organisational Measures
The Processor shall implement and maintain appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures shall take into account the state of the art, implementation costs, and the risks to the rights and freedoms of natural persons.
The measures in place at the date of this DPA are described in Annex 2. The Processor may update those measures over time provided the level of protection is not reduced below the minimum required by Article 32 GDPR. Material changes will be notified to the Controller.
5. Sub-Processors
The Controller grants the Processor general written authorization to engage sub-processors for the processing activities described in this DPA, subject to the conditions in this Clause.
The current authorized sub-processor list is maintained as a live document at https://gsant.net/sub-processors/. That list forms part of this DPA by incorporation by reference.
The Processor will notify the Controller by email of intended additions, replacements, or removals to the sub-processor list with at least fourteen (14) calendar days' prior notice. If the Controller does not raise a written objection on documented data protection grounds within that period, the change is deemed accepted.
The Processor maintains records of material changes to the sub-processor list and will provide relevant prior information on reasonable request where required for an active engagement. Where a sub-processor is engaged, the Processor shall impose data protection obligations equivalent to this DPA by written contract and remains fully liable for that sub-processor's performance.
6. Data Subject Rights
The Processor shall promptly notify the Controller, and in any case within five (5) business days, of any request from a data subject exercising rights under Chapter III GDPR. The Processor shall not respond on the Controller's behalf without express authorization.
The Processor shall provide reasonable assistance to help the Controller fulfill its obligations to data subjects. Reasonable additional costs incurred by the Processor for such assistance may be invoiced to the Controller.
7. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA.
To the extent available at the time, the notification shall include the nature of the breach, the categories and approximate number of affected data subjects and records, the Processor's data protection contact, the likely consequences, and the measures taken or proposed to address the breach and mitigate adverse effects.
The Processor shall cooperate with the Controller and provide reasonable assistance with any required notifications to supervisory authorities or affected data subjects.
8. Data Protection Impact Assessments
Where the Controller is required to carry out a data protection impact assessment under Article 35 GDPR, the Processor shall provide reasonable assistance and information to the extent the Processor has access to the relevant information.
9. International Data Transfers
The Processor shall not transfer personal data outside the European Economic Area (EEA) or to an international organization without the prior written consent of the Controller.
Where a transfer is necessary and authorized, the Processor shall ensure that an appropriate safeguard under Chapter V GDPR is in place, such as an adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules. Where Standard Contractual Clauses are used, the relevant transfer impact assessment shall be documented and made available on request.
10. Audit Rights
The Controller may request information reasonably necessary to verify the Processor's compliance with this DPA and applicable data protection law. Any audit or inspection requires reasonable prior notice, must take place during normal business hours, and must not unreasonably interfere with the Processor's operations.
The Processor may satisfy this obligation by providing relevant documentation, including current certification from an accredited body, third-party audit reports, or equivalent compliance information covering the relevant processing activities. On-site inspections are permitted only where reasonably necessary and where less intrusive means are insufficient.
Unless a material breach by the Processor is established, the Controller shall bear its own audit costs and reimburse the Processor for reasonable external costs directly caused by the audit.
11. Return and Deletion of Data
Upon termination or expiry of the Principal Agreement, or upon request by the Controller, the Processor shall, at the Controller's choice, return all personal data or securely delete all copies unless EU or German law requires retention.
The Processor shall provide written confirmation of deletion or return within thirty (30) days of the termination date or the relevant request. Data retained due to legal obligation shall be isolated and protected from further processing until deletion is permissible.
12. Liability
Each Party is liable to the other in accordance with applicable data protection law, including Article 82 GDPR. The Processor's liability under this DPA remains subject to the limitations set out in the General Service Terms, to the extent permitted by applicable law.
Nothing in this DPA limits or excludes liability for intentional misconduct, gross negligence, or any liability that cannot be excluded under mandatory law.
13. Confidentiality of Processing
The Processor shall ensure that all staff or contractors with access to personal data processed under this DPA are subject to binding confidentiality obligations. This obligation survives termination of the DPA.
14. Governing Law
This DPA is governed by the laws of the Federal Republic of Germany. The GDPR and the German Federal Data Protection Act (BDSG) apply as mandatory law. Jurisdiction for disputes under this DPA is governed by the General Service Terms at https://gsant.net/terms/.
15. Amendments
Any amendment to this DPA must be documented in writing, including electronic form, and agreed by both Parties. In the event of conflict between this DPA and the Principal Agreement on matters of data protection, this DPA prevails.
Agreed and Executed
By agreeing to the Principal Agreement and the applicable engagement documents, the Parties agree to be bound by this DPA. If a signed version is required for a specific engagement, the Parties may execute this DPA separately in writing.
For signed DPA requests, contact contact@gsant.net.
Annex 1. Details of Processing
This Annex is to be completed by the Controller and the Processor for the relevant engagement and may be updated by written agreement without amending the body of the DPA.
| Category | Details |
|---|---|
| Subject matter | Technical services provided by gsant.net to the Controller as described in the Principal Agreement. |
| Duration | For the duration of the Principal Agreement and as otherwise required by applicable law. |
| Nature of processing | Collection, storage, transmission, organization, structuring, use, access, consultation, and deletion as required to deliver the agreed services. |
| Purpose of processing | Delivery of technical services, including web development, hosting configuration, email system setup, analytics implementation, automation, and related digital services. |
| Types of personal data | To be specified per engagement. May include names, email addresses, IP addresses, usage data, contact information, or other data provided by the Controller. |
| Categories of data subjects | Employees, customers, users, or other natural persons whose data is contained in systems or services managed under the engagement. |
| Sensitive data | Not anticipated unless separately agreed in writing. Where special category data under Article 9 GDPR is involved, additional safeguards shall be agreed. |
Annex 2. Technical and Organisational Measures
| Measure | Implementation |
|---|---|
| Access control | Access to systems and data is restricted to authorized personnel only. Role-based access controls are applied where appropriate. Multi-factor authentication is used for critical systems. |
| Encryption in transit | Data transmitted over public networks is encrypted using TLS 1.2 or higher. |
| Encryption at rest | Personal data stored in Processor-managed environments is encrypted at rest where the underlying hosting infrastructure supports it. |
| Pseudonymisation | Applied where appropriate to reduce risk. It is not universally applied due to operational requirements. |
| Confidentiality | Staff and contractors with data access are bound by confidentiality obligations. Credentials are not shared. |
| Integrity | Checksums, version control, and access logs are used where applicable to protect data integrity. |
| Availability and resilience | Primary reliance is placed on third-party infrastructure providers with their own availability commitments. Regular operational checks are conducted. |
| Backup and recovery | Responsibility for backups lies primarily with the Controller or the relevant hosting provider. The Processor assists with transfer procedures as agreed. |
| Incident response | The Processor maintains a personal data breach notification procedure with a 24-hour notification commitment to the Controller. |
| Vendor management | Sub-processors are evaluated for data protection compliance before engagement and are bound by contractual obligations equivalent to this DPA. |
| Physical security | Services are delivered remotely. Physical access to any relevant on-premise equipment is controlled by the Controller or third-party data centers. |
| Regular review | Technical and organizational measures are reviewed at least annually and following any significant security incident. |
Annex 3. Sub-Processor List
This Annex is maintained as a live document at https://gsant.net/sub-processors/ and is incorporated into this DPA by reference. The version current on the date of signing applies, with subsequent updates governed by Clause 5.
The live sub-processor list specifies for each sub-processor the legal name and country of establishment, the nature and purpose of processing, and the legal basis for any transfer outside the EEA.
If you have questions about current or prior sub-processors relevant to an active engagement, contact the Processor via the legal notice at https://gsant.net/imprint/ or by email at contact@gsant.net.