Data Processing Agreement

Version: April 2026

This Data Processing Agreement (“DPA”) forms an integral part of the terms of use and/or service agreement concluded between you and sisTent UG (“Agreement”). It specifies the data protection obligations of the parties in connection with the use of the services provided by sisTent UG.

Terms not separately defined in this DPA shall have the meaning assigned to them in the service terms or the Agreement.

This DPA is concluded in accordance with the applicable data protection laws, in particular the General Data Protection Regulation (GDPR).

Where personal data is processed on behalf of the user, sisTent UG acts as a processor within the meaning of the GDPR. In this case, the user is the controller.

1. Roles and Scope

The Customer is the Controller within the meaning of Art. 4 No. 7 GDPR. The Contractor processes personal data exclusively on behalf of and based on the documented instructions of the Customer (Processor pursuant to Art. 28 GDPR). The use of the platform and its functions constitutes an instruction within the meaning of this DPA.

2. Object and Scope of Processing

2.1 Object of Processing

The processing of personal data occurs exclusively for the purpose of providing and using the contractually agreed services via the platform accessible at [URL].

2.2 Types of Personal Data

In the context of using the service, the following personal data in particular may be processed:

The processing of special categories of personal data pursuant to Art. 9 GDPR is prohibited, unless expressly agreed otherwise.

2.3 Categories of Data Subjects

3. Nature and Purpose of Processing

3.1 Processing of Sensitive Data (Optional Use)

Provided it is activated by the Customer, the platform may also be used to process sensitive personal data (e.g., health data in the context of inquiries such as prescription orders). In this case, the following applies:

3.2 Nature of Processing

Processing is carried out exclusively in an automated and electronic manner and includes, in particular, the collection, storage, retrieval, transmission, and erasure of personal data, insofar as this is necessary for the fulfillment of the contract.

3.3 Use of AI Systems

Processing includes the use of AI models to generate responses and automate processes. In this context:

Important Clarification: No Customer data is used to improve or train AI models unless explicitly agreed otherwise. Processing by external AI service providers occurs exclusively within the framework of data processing agreements and in compliance with the GDPR.

3.4 Purpose of Processing

The purpose of the processing is the proper provision, security, and further development of the contractually agreed services.

4. Right of Instruction

The Contractor processes data exclusively based on documented instructions from the Customer. Instructions may be issued through:

The Contractor shall inform the Customer immediately if an instruction violates applicable data protection law.

5. Duration of Processing and Data Deletion

Processing is carried out for the duration of the contractual term. After termination of the Agreement, sisTent UG shall delete the processed personal data no later than three months after termination, unless statutory retention obligations prevent such deletion.

At the user’s request, the data may be returned prior to deletion against payment of a reasonable fee.

6. Rights and Obligations of the Parties

6.1 Obligations of sisTent UG

sisTent UG is obliged to process personal data exclusively within the scope of the Agreement and on documented instructions from the user. This includes in particular:

6.2 Obligations of the User

The user is the controller within the meaning of the GDPR and remains responsible for the lawfulness of the processing. In particular, the user undertakes to:

6.3 Data Subject Requests

If sisTent UG receives a request from a data subject directly regarding their personal data, sisTent UG shall – to the extent legally permissible – forward the request to the user. sisTent UG shall support the user in handling the request to a reasonable and legally permissible extent.

6.4 Audit and Inspection Rights

The user is entitled to verify sisTent UG’s compliance with this DPA. Audits must be announced in due time and limited to an appropriate scope. They must not unreasonably interfere with business operations and must be conducted in compliance with confidentiality obligations.

Further details regarding audits may be agreed in advance, in particular with respect to scope, timing, and security requirements.

7. Subprocessors

The controller grants the processor general authorization to engage additional subprocessors for the processing of controller data.

Service providers performing maintenance, testing, or other ancillary services for which access to data cannot be excluded generally do not require separate consent, provided that appropriate measures to protect data confidentiality are in place.

The processor shall inform the controller of any intended changes or the engagement of additional subprocessors. The controller may object for good cause within 14 days of notification. If no objection is raised, the engagement shall be deemed approved. In the event of an objection, the processor may terminate the main agreement and this DPA with 30 days’ notice.

Agreements with subprocessors must impose the same obligations as those imposed on the processor vis-à-vis the controller. Where subprocessors are used in third countries, the EU Standard Contractual Clauses (4 June 2021, Module 3) shall be applied, provided that Section 2.3 of this Agreement is complied with.

An overview of the currently used subprocessors, AI models, embedding services, and storage solutions is contained in Appendix A. Changes to the Appendix shall be communicated to the controller at least 10 business days in advance; the controller has the right to object within this period.

8. Data Security and Security Incidents

8.1 Technical and Organizational Measures

sisTent UG implements appropriate technical and organizational measures in accordance with Art. 32 GDPR to ensure a level of security appropriate to the risk. These measures include in particular:

All employees of sisTent UG involved in the processing of personal data are bound by confidentiality and appropriately trained.

8.2 Notification of Personal Data Breaches

If sisTent UG becomes aware of a personal data breach, it shall inform the user without undue delay, and no later than 48 hours after becoming aware of the incident. The notification shall include, where available, in particular:

sisTent UG shall support the user, to the extent legally permissible, in fulfilling their notification and communication obligations vis-à-vis supervisory authorities and data subjects.

9. Data Location

The processing and storage of personal data generally takes place within the European Union (EU) or the European Economic Area (EEA).

Insofar as processing occurs outside the EU/EEA in individual cases (e.g., through subprocessors), it shall be ensured that appropriate safeguards pursuant to Art. 44 et seq. GDPR are in place (e.g., Standard Contractual Clauses or the EU-US Data Privacy Framework).

10. Liability and Final Provisions

The liability provisions of the service terms apply. Amendments to this DPA shall be made in accordance with the provisions set out therein.

This DPA enters into force together with the Agreement.