Data Processing

Data Processing Agreement

Agreement between


Contracting party (hereafter "Controller")

and KAZIMI (hereafter "Processor" or "KAZIMI")


the Controller and KAZIMI each being a Party, and together referred to as the Parties.


The company referred to as KAZIMI is listed as KAZIMI UG, Baseler Str. 51, 12205 Berlin.


Recitals


  1. This Agreement governs the data protection obligations relating to the processing of personal data in the context of the services provided by KAZIMI under the General Terms and Conditions ("KAZIMI GTC") and the corresponding Customer Purchase Order (the "Main Agreement").

  2. The terms which are not expressly defined herein shall have the meanings ascribed to them in the Main Agreement.


Now, therefore, the Parties agree as follows:


  1. Subject-Matter of Processing


1.1 To the extent KAZIMI gains access to personal data in the course of performing its contractual obligations under the Main Agreement, which it processes on behalf of the Controller (the "Subject-Matter of Processing"), the provisions of this Agreement shall apply. Details of the processing are set out in Appendix 1, which forms an integral part of this Agreement.


1.2 The Subject-Matter of Processing shall be deemed an instruction within the meaning of Section 2.1.


1.3 Any change to the Subject-Matter of Processing requires a corresponding written instruction by the Controller.


  2. Processing only upon Controller's instructions


2.1 Personal data shall only be processed upon written or electronic instruction of the Controller, in particular with regard to transfers of personal data to a third party outside of the European Union or any international organisation.


2.2 If a specific processing activity is not covered by an instruction issued by the Controller, but KAZIMI is required to carry out such processing directly under national or European law (i.e. to process or transfer personal data), KAZIMI shall inform the Controller in writing and in advance, before commencing the respective processing activity, unless the relevant law prohibits such notification on important grounds of public interest.


2.3 KAZIMI shall immediately inform the Controller if, in its opinion, an instruction issued by the Controller would result in a violation of applicable data protection laws.


  3. Maintaining data secrecy


3.1 In respect of processing personal data KAZIMI shall maintain data confidentiality, in particular with regard to all information obtained based on processing results.


3.2 For any person entrusted by KAZIMI with the processing of personal data, KAZIMI shall ensure that these persons have committed themselves in writing to data secrecy before commencing their respective processing activities, unless these persons are subject to adequate obligations to secrecy provided by the law.


  4. Security of Processing and Obligation to Assist


4.1 KAZIMI shall take all measures required pursuant to Article 32 of the General Data Privacy Regulation (Regulation (EU) 2016/279, "GDPR"). The technical and organisational measures implemented by KAZIMI in accordance with Article 32 GDPR are set out in Appendix 2, which forms an integral part of this Agreement.


4.2 KAZIMI shall assist the Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR.


4.3 KAZIMI shall assist the Controller by appropriate technical and organisational measures for the fulfilment of the Controller’s obligations to respond to requests for exercising the data subject’s rights as set out in Chapter III of the GDPR.


  5. Information Obligations and Audit rights


5.1 KAZIMI shall allow for and contribute to audits, including inspections, conducted by the Controller himself or through a designated representative. Such audits shall take place during KAZIMI’s regular business hours and, unless otherwise required in individual cases, with at least 3 weeks business days’ prior notice. The Controller shall ensure that such audits are carried out in a manner that causes as little disruption as possible to KAZIMI’s business operations. Audits shall not take place more than once per year, unless there are specific indications of a breach of data protection obligations. In the event of additional audits, the Controller shall bear the reasonable costs incurred by KAZIMI.


5.2 KAZIMI shall make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in this Agreement.


5.3 The Controller shall upon request and without undue delay make available to KAZIMI all information on the data processing activities conducted pursuant to this Agreement, as required for the record of processing activities.


  6. Sub-Processors


6.1 Controller hereby grants KAZIMI the general authorization to engage or replace third parties as a sub-processor for the processing of data set forth in this Agreement. A list of the sub-processors approved by the Controller at the time of conclusion of this Agreement is attached as Appendix 3, which forms an integral part of this Agreement.


6.2 KAZIMI shall notify the Controller in advance of any intended changes to the engaged sub-processors, so that the Controller may object pursuant to Article 28 (2) GDPR in individual cases. An objection may only be raised by the Controller for important reasons which must be demonstrated to KAZIMI. If the Controller does not raise an objection within 14 days of receiving the notification, its right to object to the engagement of the respective sub-processor shall expire. If the Controller raises an objection, KAZIMI shall be entitled to terminate the Main Agreement as well as this Agreement with 3 months' notice.


6.3 KAZIMI shall ensure that any sub-processor is contractually bound by data protection obligations which are no less protective than those set out in this Agreement, and which comply with the requirements of Article 28 (4) of the GDPR, in particular with regard to providing sufficient guarantees to implement appropriate technical and organisational measures.


  7. Commencement, term and right of termination


7.1 This Agreement shall enter into force upon commencement of the Services by KAZIMI in accordance with the Customer Purchase Order.


7.2 This Agreement is concluded for the term of the Main Agreement and shall automatically terminate upon its expiry or early termination.


7.3 Ordinary termination of this Agreement independently of the Main Agreement is excluded.


  8. Consequences of termination


8.1 After termination of this Agreement or termination of the respective data processing activities, KAZIMI shall, at the Controller’s choice and within a period specified by the Controller, return and/or delete all personal data, processing results and documents containing personal data, unless KAZIMI is required by national or EU law to retain such data.


8.2 If the Controller does not make a corresponding choice upon or prior to the termination of this Agreement or the processing activities, KAZIMI shall return all personal data, processing results and documents containing personal data to the Controller within four (4) weeks and, after confirmed delivery, delete such data without undue delay.


  9. Miscellaneous


9.1 In case of universal legal succession, both Parties undertake to transfer all rights and obligations arising out of this Agreement, including this transfer obligation, to their respective universal legal successors.


9.2 Amendments or supplements to the Agreement existing between the Parties, including a contract to waive this formal requirement, must be made in written form.


9.3 In case individual provisions of the Agreement are or become invalid or unenforceable, this shall not affect the validity of the remaining contractual provisions. The Parties shall endeavour to replace the invalid or unenforceable provision by a valid and enforceable provision that comes as close as possible in economic terms to the invalid or unenforceable provision. The same shall apply in the event of a gap in the Agreement.


9.4 The applicable law and jurisdiction are determined by the KAZIMI GTC.



Appendix 1 


Description of the Processing


Subject-Matter and Duration of the Processing

The subject matter and duration of the processing of personal data are directly related to the services provided under the Main Agreement. In particular, KAZIMI processes personal data as set out below. 


Purpose of Processing

  • Provision of customer support services

  • Acting as intermediary in the event KAZIMI offers cloud services to the Controller via subcontractors 


Nature of Processing

  • Customer support services: Access, use, transmission, adaptation, analysis 

  • Intermediary for cloud services: Access, use, transmission, collection, storage, organisation, analysis, dispatch, deletion (via the respective subcontractor)


Type of Personal Data

  • Customer support services: Personal data that KAZIMI accesses while providing support service for the Controller, such as name, address, email address, and any other data the Controller may process for their employees.

  • Intermediary for cloud services: All data submitted by the Controller to the subcontractor, e.g. name, address, email address and any other data the Controller may process for their employees.


Categories of Data Subjects


Controller, employees of the Controller


Transfer to third countries (or international organisations) 


No



Appendix 2


Security measures


  1. General Information


  • Physical access control: The prevention of unauthorized parties gaining access to data processing systems. These measures include an electronic access control system with protocols, a documented key allocation to employees.


  • Logical access control: Measures that prevent the unauthorized use of the data processing systems. Password-protected access is used that only authorized personnel can use.


  • Data access control: Measures that ensure that people entitled to use the data processing systems can solely access data that they are entitled to access in accordance with their access rights, and that during the course of processing, use and after storage, data cannot be read, copied, modified or deleted without authorization. Audit-proof and binding authorization procedures have been implemented for the authorized employees.


  • Separation control: Measures that ensure that data that was collected for different purposes can be processed separately. The data is physically or logically stored separately from other data and the data backups are made on systems that are logically and/or physically separate.


  1. Pseudonymisation (Art. 32 (1) (a) GDPR; Art. 25 (1) GDPR)


  • The processing of data in such a way that the data cannot be associated with a specific Data Subject without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures.


  1. Integrity (Art. 32 (1) (b) GDPR)


  • Data transfer control: Measures that ensure that during electronic transmission, transport or storage on data carriers data cannot be read, copied, modified or deleted without authorization, and that it can be established and verified to which entities a transfer of data by means of data transmission facilities is planned. All employees have undertaken to comply with the principle of data secrecy and there are capacities for encrypted data transmissions. Furthermore, the data is deleted in accordance with data protection laws after the end of the commission.


  1. Entry control


  • Measures that ensure the establishment of an audit trail to document whether and by whom data have been entered into, modified in or removed from the data processing systems. Entries can only be made by authorized persons who possess the identification key and password. All logins and log-offs as well as entries into the system are logged. The integrity of the data is assured by the software design.


  1. Availability and Resilience (Art. 32 (1) (b) GDPR)


  • Availability control: Measures that ensure that the data is protected against accidental destruction or loss. Backup and recovery procedures with a daily mirroring of the data have been implemented. The technical availability is ensured by hard disk mirroring.

  • In addition, there is an uninterruptible power supply, and a firewall system as well as port regulations are in place for our sub-processors.


  1. Rapid Recovery (Art. 32 (1) (c) GDPR)


  • KAZIMI creates continuous backups, from which it can restore data. A regular check verifies that recovery from these backups works.


  1. Procedures for regular testing, assessment and evaluation (Art. 32 (1) (d) GDPR; Art. 25 (1) GDPR)


  • Data protection management: All employees are demonstrably committed to data secrecy and receive training at least once a year.


  1. Incident response management


  • In the event of a data loss, notification to the affected customers will happen without undue delay upon discovery of the relevant data loss incident. In addition, the management, the CTO and the data protection officer are informed immediately. The Customer and others may report any loss of data to


  1. Data protection by design and default (Art. 25 (2) GDPR)


  • KAZIMI only collects data that is mandatory for the provision of the Services.


  1. Control of instructions


  • Measures that ensure that the data is solely processed in accordance with the Customer’s instructions. KAZIMI’s employees are instructed on the relevant data protection law on a regular basis, and they are familiar with the procedural requirements and user guidelines for data processing. The unambiguous wording of this DPA ensures that the data may only be processed in accordance with the instructions issued by the Customer.



Appendix 3


Authorised Sub-Processors



  • Name and Address of Sub-Processor: Google Cloud EMEA Limited, Velasco, Clanwilliam Place, Dublin 2, Ireland


  • Scope, nature and purpose of sub-processing: Cloud storage (Drive) and communication (Gmail) for customer-related support and data management.


  • Categories of Data Subject: As defined in Appendix 1.


  • Duration of sub-processing: For the term of this DPA.


Last update 18 February 2026


© KAZIMI 2026 All rights reserved
