Data Processing Agreement (DPA)

Version 1.0 Effective: 2025-12-01

Preamble

This Data Processing Agreement (DPA) governs the processing of personal data in connection with the use of Reflytic pursuant to Art. 28 GDPR.

**Contracting Parties:**

- **Controller (Principal):** You as Moderator or Promoter
- **Processor (Contractor):** [Your Company Name], operator of Reflytic

**Subject:** Provision of the Reflytic platform for revenue-share management and analytics evaluation

1. Subject and Duration of Processing

**1.1 Subject**

The Contractor processes personal data on behalf of the Principal exclusively to provide the contractually agreed services (Terms of Service).

**1.2 Duration**

The term of this DPA corresponds to the duration of the usage relationship. The DPA ends automatically upon termination of use or account deletion.

**1.3 Type of Processing**

- Storage in encrypted databases
- Automated processing through Celery tasks
- API calls to Google Analytics
- Aggregation and visualization of data
- Communication via in-app chat

2. Type of Personal Data

**2.1 Categories of Data Subjects**

- Moderators (Google Analytics property owners)
- Promoters (influencers)
- End users (indirectly via Google Analytics)

**2.2 Categories of Personal Data**

- Master data: Name, email, username
- Authentication: Password hashes, OAuth tokens
- Usage data: Login times, IP addresses, device info
- Campaign data: Analytics metrics, revenue data
- Communication data: Chat messages (encrypted)
- Payment data: Subscription status, transaction history

3. Obligations of the Processor

**3.1 Instruction Binding**

The Contractor processes personal data only on documented instruction from the Principal (e.g., by using platform functions).

**3.2 Confidentiality**

All persons authorized to process are bound to confidentiality and have been trained accordingly.

**3.3 Technical and Organizational Measures (TOMs)**

The Contractor ensures:

- Encryption: Fernet (AES-256) for data at rest, TLS 1.3 in transit
- Access control: Role-based permissions, 2FA option
- Data backup: Daily encrypted backups
- Incident Response: Notification within 72h for data breaches
- Logging: Audit logs for all critical operations

**3.4 Support for the Controller**

The Contractor supports the Principal in:

- Subject access requests
- Data deletions and corrections
- Data portability (export functions)
- Data protection impact assessments (on request)

4. Sub-Processors

**4.1 Approval**

The Principal agrees to engage the following sub-processors:

**Hosting and Infrastructure:**

- **Google Cloud Platform** (Google Ireland Limited, Ireland)
  - Purpose: Analytics API, OAuth services
  - Guarantees: EU Standard Contractual Clauses
- **Hetzner Online GmbH** (Germany) [OR Your Provider]
  - Purpose: Server hosting
  - Guarantees: GDPR-compliant, EU location

**Payment Processing:**

- **Stripe Inc.** (USA)
  - Purpose: Payment processing
  - Guarantees: PCI DSS, EU Standard Contractual Clauses

**Caching and Queues:**

- **Redis Labs** (EU region)
  - Purpose: Performance optimization
  - Guarantees: Encrypted connections

**4.2 Notification of Changes**

The Contractor informs the Principal at least 30 days before engaging new sub-processors. Objection leads to contract termination without notice period.

5. Rights and Obligations of the Principal

**5.1 Right to Instruct**

The Principal can issue documented instructions for data processing at any time (e.g., deletion, export request).

**5.2 Control Rights**

The Principal can conduct audits or have them conducted by third parties (after advance notice, max. 1x per year).

**5.3 Information Obligations**

The Principal must inform the Contractor about:

- Restrictions on processing authorization
- Errors or irregularities in processing
- Control measures by supervisory authorities

6. Data Breaches

**6.1 Reporting Obligation**

The Contractor reports data breaches immediately (within 72h) to:

- Email: dpo@reflytic.com
- Emergency Hotline: [Phone Number]

**6.2 Documentation**

Every data breach is documented with:

- Type of breach
- Affected data categories and persons
- Damage mitigation measures
- Recommendations to prevent future incidents

**6.3 Cooperation**

The Contractor supports the Principal in reporting to supervisory authorities and affected persons.

7. International Data Transfers

**7.1 Processing Location**

Primary processing location: Germany/EU

**7.2 Third-Country Transfers**

For transfers to third countries (USA):

- EU Standard Contractual Clauses
- Additional guarantees according to the Schrems II ruling
- The Principal is informed of all transfers

**7.3 Third-Country Access**

No routine access from outside the EU. In case of authority requests, the Principal is notified (if legally permissible).

8. Deletion and Return of Data

**8.1 After Contract End**

The Contractor deletes all personal data within 30 days after contract end, unless:

- Legal retention obligations exist (e.g., tax law: 10 years)
- The Principal requests return (export as JSON/CSV)

**8.2 Deletion Confirmation**

Upon request, the Contractor issues a deletion confirmation.

**8.3 Backups**

Data in backups is automatically deleted after 90 days (normal backup rotation).

9. Liability and Damages

**9.1 Liability of the Processor**

The Contractor is liable for damages caused by GDPR violations according to Art. 82 GDPR.

**9.2 Limitation of Liability**

Liability is limited to:

- Intent and gross negligence: unlimited
- Slight negligence: Amount of fees paid in the last year

**9.3 Insurance**

The Contractor maintains cyber insurance with coverage of [X EUR].

10. Final Provisions

**10.1 Priority**

This DPA takes precedence over the Terms of Service in data protection matters.

**10.2 Changes**

Changes are announced 30 days in advance. Objection leads to termination.

**10.3 Severability Clause**

Invalidity of individual provisions does not affect the validity of the remaining DPA.

**10.4 Applicable Law**

German law applies, in compliance with the GDPR.

Last updated: 2025-11-30