Data Processing Agreement pursuant to Art. 28 GDPR

between

1.
[Customer name/company]
[Customer address]
[Postal code, city]
– hereinafter referred to as the “Controller” –

and

2.
Leon Petersen
operating under the name “ZentraLink”
Am Schwalbennest 21
04205 Leipzig, Germany
Email: support@zentralink.net
Data protection contact: privacy@zentralink.net
Website: https://zentralink.net
– hereinafter referred to as the “Processor” –

jointly referred to hereinafter as the “Parties”.

Preamble

This agreement governs the rights and obligations of the Controller and the Processor with regard to the processing of personal data on behalf of the Controller arising from the usage, SaaS, service or main agreement concluded between the Parties for the use of ZentraLink.

ZentraLink is a software solution for the central management, monitoring and documentation of domains, DNS records, SSL certificates, provider connections, tickets, reports, team permissions, audit logs and security-relevant domain information.

The Processor processes personal data exclusively on the documented instructions of the Controller, unless there is a legal obligation to process.

§ 1 Subject matter and duration of the assignment

(1) The subject matter of the assignment is the provision and operation of the “ZentraLink” software platform as a SaaS solution for the Controller. ZentraLink serves in particular the management and monitoring of domains, DNS data, SSL certificates, provider connections, tickets, reports, user accounts, team members, permissions, audit logs and billing-related information.

(2) The scope of services results from the main agreement, the service description, the selected plan and the functions activated within the platform.

(3) The Processor processes the Controller's personal data exclusively on the Controller's instructions within the meaning of Art. 4(2) and Art. 28 GDPR.

(4) The duration of this assignment corresponds to the term of the main agreement. The data processing agreement ends automatically upon termination of the main agreement, unless statutory retention obligations or contractual post-contractual obligations stand in the way.

§ 2 Nature and purpose of the collection, processing or use of data

(1) Within the scope of ZentraLink, the Processor carries out in particular the following processing activities:

• provision of user accounts and login functions
• registration and management of customer accounts
• management of admins and support staff
• management of roles and permissions
• storage and display of domain information
• processing of DNS, SSL, RDAP and provider data
• performance and storage of domain, DNS, SSL and mail-security checks
• management of provider connections and API access credentials
• storage of audit logs and activity records
• creation and storage of reports, in particular domain and security reports
• processing of support tickets, contact enquiries and attachments
• sending of system emails, e.g. confirmation codes, ticket notifications and invoice information
• processing of billing and payment metadata
• provision of status, notification and monitoring functions
• technical error analysis, logging and abuse prevention
• backup, restoration and system maintenance

(2) The following categories of data subjects may be affected by the processing:

• the Controller itself, where a natural person
• the Controller's employees
• admins of the customer account
• support staff or invited team members
• the Controller's contact persons
• users of the platform
• persons named in tickets, reports, domain information or DNS records
• invoice recipients and accounting-related contacts
• communication partners in the context of support and contact enquiries

(3) In particular, the following categories of personal data may be processed:

• master data: name, first name, surname, company, address, country
• contact data: email address, phone number
• login and account data: user ID, role, permissions, status, language, verification status
• communication data: ticket content, support messages, contact enquiries, email communication
• contract and billing data: plan, invoice data, payment status, payment references, contract status
• technical usage data: IP address, user agent, timestamps, login times, session information
• audit and log data: activities, changes, user actions, security events
• domain-related data: domain names, DNS records, name servers, SSL information, RDAP data, provider data
• provider connection data: API tokens, API keys or comparable credentials, where stored by the Controller
• report data: generated PDF reports, security assessments, health scores, DNS diff information
• attachments: files uploaded by the Controller or users in connection with tickets or reports

(4) Special categories of personal data within the meaning of Art. 9 GDPR are not the subject of the regular processing by ZentraLink. The Controller undertakes not to enter such data into ZentraLink without prior coordination.

§ 3 Scope and responsibility

(1) The Processor processes personal data on behalf of the Controller. The Controller is the controller within the meaning of Art. 4(7) GDPR and decides on the purposes and means of the processing, unless these are technically predetermined by the provision of ZentraLink.

(2) The Controller is responsible for the lawfulness of the data processing, for the lawfulness of the transfer of data to the Processor and for safeguarding the rights of data subjects.

(3) The Controller's instructions arise initially from the main agreement, this agreement and the settings made by the Controller within the platform.

(4) Individual instructions may be issued in text form, by email, via the support system or via a function provided for this purpose within ZentraLink. Verbal instructions must be confirmed in text form without undue delay.

(5) The Processor is entitled to suspend the execution of an instruction if it considers that the instruction infringes data protection law or other statutory provisions. The Processor will inform the Controller of this without undue delay.

§ 4 Obligations of the Processor

(1) The Processor processes personal data exclusively within the scope of the assignment and on the documented instructions of the Controller, unless there is a legal obligation to process.

(2) The Processor takes appropriate technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk. This includes in particular measures to ensure the confidentiality, integrity, availability and resilience of the systems.

(3) The Processor ensures that the persons involved in the processing have been committed to confidentiality or are subject to a statutory obligation of confidentiality.

(4) The Processor supports the Controller, to a reasonable extent, in fulfilling data subject rights pursuant to Art. 12 to 23 GDPR and obligations pursuant to Art. 32 to 36 GDPR.

(5) The Processor informs the Controller without undue delay if it becomes aware of a personal data breach affecting the Controller's data. The information is provided, where possible, with details of the nature of the breach, the categories of data affected, the possible consequences and the measures already taken.

(6) The Processor names the following contact for data protection matters to the Controller:

Leon Petersen / ZentraLink
Email: privacy@zentralink.net

(7) The Processor regularly reviews the effectiveness of its technical and organisational measures and adjusts them as necessary.

(8) The Processor rectifies, erases or blocks personal data on the instructions of the Controller, where this is technically possible and legally permissible.

(9) After termination of the main agreement, the Processor erases or returns personal data at the Controller's choice, unless statutory retention obligations stand in the way.

(10) The Processor may not use personal data for its own purposes, in particular not for advertising, profiling or disclosure to third parties outside the purpose of the contract.

§ 5 Obligations of the Controller

(1) The Controller is responsible for the lawfulness of the processing of personal data.

(2) The Controller ensures that it is entitled to have the personal data entered into ZentraLink processed by the Processor.

(3) The Controller informs the Processor without undue delay if it identifies errors or irregularities in the processing.

(4) The Controller is responsible for:

• the correct assignment of user permissions
• the management of its admins and support staff
• the content of tickets, reports, domain information and attachments
• the lawfulness of stored provider access credentials
• compliance with its own information obligations towards data subjects
• assessing whether the technical and organisational measures offered are sufficient for its processing

(5) The Controller is obliged to manage access credentials, API keys and user accounts carefully and to prevent unauthorised access.

§ 6 Requests from data subjects

(1) If a data subject contacts the Processor directly with a request for access, rectification, erasure, restriction, data portability or objection, the Processor will forward the request to the Controller, provided that it can be allocated.

(2) The Processor does not answer such requests independently, unless instructed to do so by the Controller or legally obliged to.

(3) The Processor supports the Controller, to a reasonable extent, in handling such requests.

§ 7 Means of proof and audit rights

(1) On request, the Processor makes available to the Controller suitable information to demonstrate compliance with the obligations under this agreement and Art. 28 GDPR.

(2) The Controller is entitled to verify compliance with data protection obligations and the technical and organisational measures to a reasonable extent, or to have this verified by a qualified third party.

(3) On-site inspections are only permitted after prior notice, during normal business hours and with due regard for proportionality, unless an urgent reason makes an unannounced inspection necessary.

(4) For inspections that go beyond the usual extent or that are not necessary due to a breach of duty by the Processor, the Processor may charge a reasonable fee.

(5) The Processor's trade and business secrets, as well as the security interests of other customers, must be respected during inspections.

§ 8 Sub-processing relationships

(1) The Controller grants the Processor general authorisation to engage sub-processors, where this is necessary for the provision of the services.

(2) The Processor undertakes to select sub-processors carefully and to conclude contracts with them that ensure an adequate level of data protection.

(3) The Processor informs the Controller of material changes regarding sub-processors. The Controller may object for an important data protection reason.

(4) Currently, in particular the following categories of sub-processors may be engaged:

• hosting and server providers
• database and infrastructure operators
• email / SMTP / transactional-mail service providers
• payment service providers
• monitoring and logging service providers
• backup and storage providers
• DNS / domain / provider interface vendors, where connected by the Controller

(5) A specific list of sub-processors is set out in Annex 2 and is updated when changes occur.

§ 9 Information obligations, written form, choice of law

(1) Amendments and additions to this agreement require at least text form, unless a stricter form is prescribed by law.

(2) The Processor informs the Controller without undue delay of material changes affecting the processing of personal data.

(3) German law applies.

(4) The place of jurisdiction is, to the extent permissible, the registered seat of the Processor.

§ 10 Liability and compensation

(1) The liability of the Parties is governed by the statutory provisions, in particular Art. 82 GDPR.

(2) In the internal relationship, the Parties are liable in accordance with their respective share of responsibility and fault.

(3) The Controller bears responsibility for the lawfulness of the data processing and of the instructions.

(4) The Processor is liable for damages arising from processing within the Processor's area of responsibility that is not in accordance with instructions or that infringes data protection law, to the extent that it is at fault.

§ 11 Remuneration

(1) The remuneration for the Processor's services results from the main agreement, the selected plan or the respective pricing agreement.

(2) Support services that go beyond the contractually owed scope — in particular special analyses, extensive audit activities, data exports or individual data protection reviews — may be remunerated separately after prior agreement.

Annex 1: Technical and organisational measures

The Processor implements in particular the following technical and organisational measures:

1. Physical access control

As ZentraLink is operated as a cloud-based SaaS solution, physical access control is essentially carried out by the hosting and infrastructure providers used. The Processor selects providers that offer appropriate security measures for data centres and infrastructure.

2. System access control

• user accounts with individual authentication
• password protection
• role-based access control
• separation of owner, admin and support staff
• email verification on registration
• session management
• protection against unauthorised access to protected areas
• access to administration areas only for authorised persons

3. Data access control

• role- and permission-based authorisations
• plan- and feature-based access restriction
• separation of customer data
• access to data only within the respective customer account
• server-side permission checks for protected API routes
• audit logs for relevant actions
• restricted access to provider and API credentials

4. Disclosure control

• TLS/HTTPS encryption for data transmission
• no disclosure of personal data outside the purpose of the contract
• use of sub-processors only in accordance with this agreement
• access to data by third parties only to the extent necessary for the provision of services

5. Input control

• logging of relevant changes
• audit logs for user actions
• storage of timestamps, users and affected objects
• traceability of changes to domains, tickets, reports, team members and settings

6. Assignment control

• processing only on the instructions of the Controller
• contracts with sub-processors
• review and selection of suitable service providers
• internal access restrictions

7. Availability control

• regular backups, where technically set up
• restoration options
• monitoring of system availability
• error logging
• protection against accidental destruction or loss within the scope of reasonable technical means

8. Separation requirement

• logical separation of customer data
• access restrictions by customer account
• separation of owner, admin and support areas
• separate permissions for different roles and functions

9. Encryption and protection of secrets

• HTTPS/TLS for platform access
• encrypted storage of sensitive provider credentials and API tokens, where these are required for functionality
• no renewed plain-text display of stored secrets in the dashboard
• access to secrets only by authorised system processes
• confidential handling of provider API keys, tokens and credentials

10. Review and improvement

• regular review of security-relevant functions
• updates and maintenance of the software used
• adjustment of the technical and organisational measures as needed
• error and security events are assessed and remediated where necessary

Annex 2: Sub-processors

1. Hosting / server operation

Provider: Hetzner Online GmbH
Purpose: hosting of the ZentraLink application, database, server infrastructure, storage and processing of platform data.
Place of processing: Germany / European Union

2. Domain, DNS and email services

Provider: STRATO AG
Purpose: domain management, DNS operation and the sending and receiving of emails for ZentraLink.
Place of processing: Germany / European Union

3. Payment service provider

Provider: Mollie B.V.
Purpose: processing of payments, payment status, subscription and checkout metadata.
Place of processing: European Union / European Economic Area

4. Domain / DNS / provider interfaces

Provider: depending on the provider actively connected by the Controller, e.g. IONOS, Gandi, GoDaddy, Namecheap, InterNetX, STRATO, Cloudflare, Hetzner DNS or others.
Purpose: synchronisation, checking and management of domain, DNS, SSL and provider data on behalf of the Controller.

Note: where the Controller stores its own provider credentials for external domain, DNS or hosting providers in ZentraLink, processing at those providers regularly takes place on the basis of the respective contractual relationship between the Controller and the provider. ZentraLink processes the credentials and the retrieved provider data only on behalf of the Controller.

5. Monitoring / logging

Currently no separate external monitoring or logging service provider is engaged. The monitoring of system availability and the error and security logging are carried out by the ZentraLink platform itself within the hosting infrastructure named under item 1.
Place of processing: Germany / European Union

Annex 3: Categories of processing

1. Categories of data subjects

• the Controller
• the Controller's employees
• admins
• support staff
• contact persons
• invoice recipients
• users of the platform
• persons in tickets, reports, attachments or domain/DNS data

2. Categories of personal data

• name, first name, surname
• email address
• phone number
• address
• company
• billing data
• login and account data
• roles and permissions
• IP addresses
• timestamps
• audit logs
• ticket content
• attachments
• domain and DNS data with a personal reference
• provider credentials, API keys and tokens
• payment and subscription metadata
• report data

3. Purpose of the processing

• provision of the ZentraLink platform
• management of domains, DNS, SSL and providers
• management of users and permissions
• support and ticket handling
• reporting and security analysis
• contract and billing management
• system operation, security and error analysis

Annex 4: Erasure and return

(1) After termination of the main agreement, the Processor erases the Controller's personal data after the expiry of technical and contractual post-contractual periods, unless statutory retention obligations exist.

(2) Before the end of the contract, the Controller may request an export of the data stored for it, where this is technically possible and covered by the scope of services.

(3) For technical reasons, backups may persist for up to 30 days and are subsequently overwritten or deleted in the regular backup cycle, unless statutory retention obligations stand in the way.

(4) Statutory retention obligations, in particular for invoice and accounting data, remain unaffected.

Place, date

For the Controller:

____________________________________
Name:
Function:
Signature:

For the Processor:

____________________________________
Leon Petersen
ZentraLink
Signature: