Data Processing Agreement (DPA)

Pursuant to Art. 28 GDPR

1. Subject and Duration

This agreement specifies the data protection obligations of the parties resulting from the use of ManagerCloud (Main Contract). The duration corresponds to the term of the Main Contract.

2. Nature and Purpose of Processing

Purpose: Provision of a cloud solution for managing business transactions, e-invoices, and documents.

Data Categories: Master data, contact details, contract data, billing and accounting records.
Data Subjects: Customers, employees, suppliers, and business partners of the Client.

3. Obligations of the Provider (Processor)

  • Processing takes place exclusively on documented instructions from the Client.
  • Guarantee of confidentiality (secrecy obligations of personnel).
  • Implementation of Technical and Organizational Measures (TOM) according to Art. 32 GDPR.
  • Assistance to the Client in responding to requests from data subjects and authorities.

4. Sub-processors

The Client authorizes the use of the following sub-processors:

| Partner | Service | Location |
|---|---|---|
| IONOS SE | Cloud Hosting | Germany |
| AWS (Amazon) | Document Storage | Germany (Frankfurt) |

This DPA is an integral part of the ManagerCloud Terms of Service.

Annex: Technical and Organizational Measures (TOM)

1. Confidentiality (Art. 32 Para. 1 lit. b GDPR)

  • Physical Access Control: Hosting in certified high-security data centers (IONOS/AWS) with biometric access controls and 24/7 security staff.
  • System Access Control: Strict password policies, Two-Factor Authentication (2FA) for administrators, and encrypted password hashing.
  • Data Access Control: Rights management based on the "need-to-know" principle; staff access is limited to essential tasks only.
  • Separation Control: Logical separation of customer databases (multi-tenancy) to prevent cross-account data access.

2. Integrity (Art. 32 Para. 1 lit. b GDPR)

  • Transmission Control: All data transfers are encrypted via SSL/TLS. Documents stored in AWS S3 utilize server-side encryption (AES-256).
  • Input Control: Logging of system access and data modifications to ensure traceability.

3. Availability and Resilience

  • Availability Control: Daily backups with redundant storage. Deployment of firewalls, DDoS protection, and load balancing.
  • Recoverability: Tested disaster recovery plans to ensure rapid restoration after system failures.

4. Procedures for Regular Review

Regular software updates (patch management), application penetration testing, and ongoing auditing of sub-processor agreements.
