Data Processing Agreement

Last updated: November 12, 2024

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between C3RRO GmbH ("Data Processor" or "we") and the customer ("Data Controller" or "you") and governs the processing of personal data in accordance with the EU General Data Protection Regulation (GDPR) and German data protection laws.

2. Definitions

For the purposes of this DPA:

  • Personal Data means any information relating to an identified or identifiable natural person
  • Processing means any operation performed on personal data
  • Data Subject means the individual to whom personal data relates
  • Subprocessor means any entity engaged by the Data Processor to process personal data

3. Scope and Purpose

3.1 Subject Matter

This DPA applies to the processing of personal data by C3RRO on behalf of the customer through the provision of our software and services.

3.2 Duration

This DPA remains in effect for the duration of the service agreement and until all personal data is deleted or returned.

3.3 Nature and Purpose of Processing

We process personal data solely for the purpose of:

  • Providing building energy analysis software services
  • Managing user accounts and authentication
  • Providing customer support and technical assistance
  • Improving our products and services

3.4 Types of Personal Data

We may process the following categories of personal data:

  • Contact information (name, email, phone number)
  • Account credentials
  • Usage data and analytics
  • Building project data and simulations
  • Communication records

3.5 Categories of Data Subjects

  • Customer employees and authorized users
  • Building owners and stakeholders
  • Professional contacts

4. Data Processor Obligations

4.1 Processing Instructions

We will process personal data only on documented instructions from you, unless required to do so by EU or Member State law.

4.2 Confidentiality

We ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Logging and monitoring of system access
  • Incident response procedures
  • Regular backups and disaster recovery plans
  • Employee security training

4.4 Subprocessing

We currently engage the following subprocessors:

  • Cloud hosting providers (AWS, Google Cloud)
  • Email service providers
  • Analytics providers
  • Payment processors

We will:

  • Inform you of any intended changes concerning the addition or replacement of subprocessors
  • Give you the opportunity to object to such changes
  • Ensure subprocessors are bound by equivalent data protection obligations

4.5 Data Subject Rights

We will assist you, insofar as possible, in fulfilling obligations to respond to data subject rights requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

4.6 Data Breach Notification

We will notify you without undue delay after becoming aware of a personal data breach, providing:

  • Description of the nature of the breach
  • Categories and approximate numbers of data subjects and records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

4.7 Data Protection Impact Assessment

We will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities.

4.8 Deletion or Return of Data

Upon termination of services, we will, at your choice:

  • Delete all personal data, or
  • Return all personal data to you

We will delete existing copies unless EU or Member State law requires storage of the personal data.

4.9 Audit Rights

We will make available to you all information necessary to demonstrate compliance with obligations under Article 28 GDPR and allow for and contribute to audits.

5. Data Controller Obligations

You, as the Data Controller, represent and warrant that:

  • You have all necessary rights and consents to provide personal data to us
  • Processing instructions comply with applicable data protection laws
  • You have implemented appropriate technical and organizational measures
  • You will handle data subject requests in compliance with applicable law

6. International Data Transfers

6.1 Transfer Mechanisms

When personal data is transferred outside the EEA, we ensure appropriate safeguards through:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other legally recognized transfer mechanisms

6.2 Third Country Subprocessors

We may engage subprocessors located in countries outside the EEA. We ensure such transfers are protected by appropriate safeguards.

7. Liability and Indemnification

7.1 Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

7.2 Third-Party Claims

We will indemnify you against claims brought by data subjects arising from our breach of this DPA, subject to the limitations in the Terms of Service.

8. Term and Termination

8.1 Term

This DPA comes into effect when you start using our services and continues until termination of the service agreement.

8.2 Termination

Either party may terminate this DPA if the other party materially breaches this DPA and fails to remedy the breach within 30 days of written notice.

8.3 Effect of Termination

Upon termination, we will delete or return all personal data as described in Section 4.8.

9. Governing Law

This DPA is governed by the laws of Germany and must be interpreted in accordance with GDPR.

10. Updates to this DPA

We may update this DPA from time to time to reflect:

  • Changes in applicable law
  • Changes to our data processing practices
  • Regulatory guidance

We will provide notice of material changes and give you the opportunity to review and accept the updated DPA.

11. Contact Information

For questions or concerns about data processing, please contact:

Data Protection Officer
C3RRO GmbH
Steinbrucker Str. 11
83064 Raubling
Deutschland

Email: privacy@c3rro.com
Phone: +49 8034 7056110

12. Annexes

Annex 1: Technical and Organizational Measures

Technical Measures:

  • Encryption (AES-256 for data at rest, TLS 1.3 for data in transit)
  • Access controls (role-based access, multi-factor authentication)
  • Network security (firewalls, intrusion detection)
  • Secure development practices
  • Regular security updates and patches

Organizational Measures:

  • Data protection policies and procedures
  • Employee training and awareness programs
  • Background checks for personnel with data access
  • Incident response plan
  • Business continuity and disaster recovery plans
  • Regular security audits and assessments
  • Vendor management program

Annex 2: List of Subprocessors

Subprocessor          Service             Location        Safeguards
AWS                   Cloud Hosting       EU (Frankfurt)  EU-US Data Privacy Framework, SCCs
Google Cloud          Cloud Services      EU              Adequacy Decision
[Email Provider]      Email Services      EU              GDPR Compliant
[Payment Processor]   Payment Processing  EU              PCI DSS, GDPR Compliant

This list is regularly updated. Please contact us for the current list.


By using our services, you agree to this Data Processing Agreement as part of our Terms of Service.
