Data Processing Agreement (DPA)

Last Updated: June 12, 2025

Contracting Parties: Circle Hand UG (haftungsbeschränkt), Bülowstr. 51, 10783 Berlin (“Circle-Hand,” “Processor”) and the respective customer using the services under the Terms and Conditions (“Merchant,” “Controller”).


Relation to Terms & Conditions: This DPA supplements the Terms and Conditions and the Privacy Policy of Circle Hand UG. This DPA applies exclusively in the B2B context.



1. Purpose and Scope

1.1 This DPA governs the processing of personal data of the Merchant’s customers (e.g. delivery customers) by Circle-Hand as Processor in accordance with Art. 28 GDPR, solely for the provision of SaaS services pursuant to the Terms and Conditions (creation/management of items and delivery customers, search/display, CSV export, PDF labels, optional integrations).

1.2 Circle-Hand acts only on documented instructions of the Merchant (Art. 28 (3)(a) GDPR). Circle-Hand does not pursue its own purposes, except (i) legal obligations of proof (e.g. commercial/tax retention obligations under its own responsibility) and (ii) purely technical metadata for ensuring operation, security, and billing of Circle-Hand services.

1.3 In rare cases where Circle-Hand requires its own controllership (e.g. Merchant’s invoicing data or its own fraud/security logs), such data does not fall under this DPA; the Terms and Conditions and Privacy Policy of Circle-Hand apply.



2. Definitions

Terms such as personal data, processing, controller, processor, sub-processor, third country, and personal data breach have the meanings given to them in the GDPR. “Merchant Data” means all personal data processed by Circle-Hand on behalf of the Merchant. “Data Subjects” are, in particular, delivery customers, the Merchant’s contact persons, and the Merchant’s user accounts.



3. Nature, Subject, Duration, Purpose, Data, Data Subjects

3.1 Subject/Type of processing: collection, storage, organization, querying, display, transmission, export (CSV), creation of PDF labels, deletion/anonymization.

3.2 Purposes: provision of contractually owed SaaS functions, support (on instruction), operation/security (e.g. backups, logs), fulfillment of legal obligations.

3.3 Categories of Data Subjects: delivery customers of the Merchant; employees/contact persons of the Merchant; Merchant’s user accounts.

3.4 Data categories (examples): master data (name, address), contact data (email, phone), customer numbers/terms, order/transaction references, notes, label data, usage/metadata (e.g. log timestamps, truncated IP, device/browser family), documents/attachments as provided by the Merchant. Special categories of data under Art. 9 GDPR are not intentionally processed and must not be uploaded by the Merchant.

3.5 Duration: For the term of the contract and – according to the Terms and Conditions/legal retention obligations – beyond only as required. After contract termination: deletion/anonymization pursuant to Sec. 8.



4. Obligations of Circle-Hand (Processor)

4.1 Instructions. Circle-Hand processes Merchant Data only on documented instruction (Terms and Conditions, this DPA, admin settings, support tickets). Circle-Hand rejects unlawful instructions.

4.2 Confidentiality. Circle-Hand’s employees and agents are obligated to confidentiality and data protection.

4.3 Technical and organizational measures (TOMs). Circle-Hand maintains TOMs in accordance with Art. 32 GDPR, Appendix B (including physical entry control, system access control, data access control, encryption, pseudonymization, backups, recovery, logging, least-privilege, 2FA, change & vulnerability management). TOMs may be adapted to technical progress, without lowering the protection level.

4.4 Sub-processors.

a) The Merchant gives general authorization to the use of sub-processors (e.g. hosting, email, monitoring, support for PDF/CSV functions, optional integrations).

b) Circle-Hand obligates sub-processors in writing to GDPR-compliant duties (Art. 28 (4) GDPR) and remains responsible for their services.

c) Circle-Hand informs of new/changed sub-processors (e.g. by email or admin notice). Objection for important data protection reasons is possible within 30 days; Circle-Hand may offer a reasonable alternative. If none is possible, the Merchant has a special termination right for the affected function.

4.5 Assistance with Data Subject Rights. Circle-Hand provides reasonable assistance (Art. 28 (3)(e) GDPR) with access, rectification, erasure, restriction, portability, and objection, insofar as the request concerns data Circle-Hand processes for the Merchant.

4.6 Breach notification. Circle-Hand informs the Merchant without undue delay about a personal data breach (Art. 33 GDPR) with available information and takes reasonable remedial measures.

4.7 Evidence & Audits. Circle-Hand keeps records of processing activities (Art. 30 (2) GDPR) and provides reasonable evidence (e.g. policies, security questionnaire answers, reports of external data center providers). Audits by the Merchant or an independent auditor are possible with reasonable advance notice (min. 14 days), during business hours, max. once per 12 months, subject to confidentiality and proportionality of costs/benefits; remote audits/questionnaires take precedence if sufficient.

4.8 Data protection impact assessment & cooperation with authorities. Circle-Hand reasonably assists the Merchant with DPIAs and supervisory authority inquiries insofar as processing at Circle-Hand is concerned.

4.9 Deletion/Return. After contract termination (or on instruction), Circle-Hand deletes or returns Merchant Data. Backups/archives are overwritten after their regular cycles; statutory retention obligations remain unaffected.

4.10 No Disclosure / No “Sale.” Circle-Hand does not use Merchant Data for its own marketing purposes, does not sell it, and does not use it for “targeted advertising” within the meaning of applicable U.S. state laws.



5. Obligations of the Merchant (Controller)

The Merchant:

a) Ensures legal bases/transparency (Art. 6, 12–14 GDPR) and fulfills information, notification, and response duties towards data subjects;

b) issues instructions in lawful, clear form and independently reviews results/exports (see Terms & Conditions § 1 h));

c) configures integrations (e.g. Shopify, Zettle, SumUp) lawfully, checks plausibility/matching, and ensures compliance with ePrivacy/TTDSG obligations (cookies/tags);

d) does not transmit special categories (Art. 9 GDPR), children’s data, or highly sensitive content unless expressly agreed;

e) secures access credentials/devices (strong passwords, 2FA where available) and restricts access to authorized users;

f) informs Circle-Hand without delay of data protection requests, breaches, unlawful content/instructions;

g) bears responsibility for data quality, data minimization, deletion concepts, and retention periods in its own area of responsibility.



6. International Data Transfers

6.1 Circle-Hand processes Merchant Data principally within the EU/EEA.

6.2 Where transfer to a third country is required (e.g. sub-processors), Circle-Hand ensures adequate safeguards, in particular the EU Standard Contractual Clauses (2021/914, Module 2); for the United Kingdom the IDTA/UK Addendum, for Switzerland the FDPIC addendum. Circle-Hand assesses supplementary measures (“Schrems II”).



7. Government/Authority Requests & Disclosure

Circle-Hand assesses legal obligations to disclose Merchant Data, informs the Merchant (where legally permitted), and restricts disclosure to what is legally required. Circle-Hand discloses data confidentially and, where possible, requests judicial/administrative clarification or protective orders.



8. Deletion, Return, Blocking

After contract termination: return of Merchant Data available in the system via export functions until contract end; thereafter blocking and deletion/anonymization within reasonable time frames. Backups are overwritten in regular cycles; statutory retention obligations prevail.



9. Liability

The liability provisions of the Terms and Conditions (§ 5) also apply to this DPA. Internal relationship: each party bears responsibility for its own area of duties; damages are subject to the Terms & Conditions limits, as far as legally permissible.



10. Term, Amendments

10.1 This DPA applies for the duration of the main contract.

10.2 Circle-Hand may amend this DPA where legal/technical changes require and the Merchant is not unreasonably disadvantaged; information and objection rights pursuant to Terms & Conditions § 10 apply accordingly.



Appendix A – Description of Processing (Art. 28 (3), Art. 32 GDPR)

A1 – Subject/Instructions: Operation of Circle-Hand SaaS; processing according to Merchant’s admin settings and documented instructions (support tickets, written instructions).

A2 – Types of processing: storage, structuring, retrieval, display, export (CSV), label creation (PDF), transmission to interfaces configured by the Merchant; logging/backups.

A3 – Purpose: contract performance (SaaS functions), support, operation/security, legal obligations.

A4 – Data types: see Sec. 3.4.

A5 – Data Subjects: see Sec. 3.3.

A6 – Duration: contract term + legal retention.

A7 – Categories of recipients: sub-processors (hosting, email, monitoring, PDF/CSV services), authorities as legally required, third parties engaged by the Merchant according to its instructions.



Appendix B – Technical and Organizational Measures (Excerpt)

Organization/Governance

Information security management, responsibilities, training, confidentiality agreements.

Data protection by design & by default (Art. 25 GDPR).

Records of processing activities, authorization concepts, approval of new sub-processors.

Physical/Access Control

Data center security measures of IaaS providers (protection against unauthorized entry).

Access only for authorized persons; two-factor authentication for admin systems; strong password policies; IP restrictions where possible.

Access Control / Authorization

Least-privilege roles, need-to-know, regular recertification.

Logging of administrative access; change/release processes.

Disclosure/Transmission Control

TLS for data in transit; encryption of data at rest, where technically possible/appropriate.

Tenant separation logic; test/prod separation; pseudonymization where appropriate.

Input Control

Change/access logs (audit logs) for administrative actions.

Ticket/instruction documentation.

Availability/Resilience Measures

Backups, recovery/disaster recovery plans; redundancies.

Monitoring, alerting, DDoS protection according to provider standards.

Vulnerability/Patch Management

Regular vulnerability scans, security updates, remediation processes, dependency management.

Secure development (code reviews, secret management).

Supply Chain/Sub-processor Controls

Contractual binding to Art. 28 GDPR; evaluation of TOMs; regular re-assessment.

Incident Management

Documented processes for detection, assessment, notification, and remediation of security incidents.



Appendix C – Sub-processors (Framework)

Circle-Hand uses sub-processors for hosting, email/communication, system monitoring, document generation (PDF/labels), storage/backups, and optional integrations.

Circle-Hand maintains a current list of sub-processors and informs of changes with reasonable notice.

The Merchant may object for important data protection reasons within 30 days; Sec. 4.4 applies accordingly.



Signatures / Acceptance

This DPA is accepted through use/entering into the contract and applies from the time of contract conclusion or from entry into force of updated versions pursuant to the Terms & Conditions amendment mechanism.