Data Processing Agreement (DPA)
Data Processing Agreement pursuant to Art. 28 GDPR
Last updated: April 2026
Preamble
The following Data Processing Agreement (“DPA”) is concluded between:
Controller (Data Controller):
the customer of the Groupies platform who registers at www.getgroupies.app or www.getgroupies.io and uses the services (hereinafter “Controller”),
Processor (Data Processor):
Hoever & Kirchhartz – Groupies GbR
Thomas Kirchhartz
Auf dem Rott 13
50259 Pulheim, Germany
Email: datenschutz@getgroupies.app
(hereinafter “Processor”)
This DPA supplements the General Terms and Conditions (GTC) and the Privacy Policy of the Groupies platform. It takes effect upon the Controller’s acceptance of the GTC.
§ 1 Subject Matter and Duration of Processing
(1) The Processor processes personal data on behalf of the Controller in connection with the provision of the Groupies platform (SaaS). Processing includes in particular:
- Storage and management of user account data
- Storage, processing, and delivery of user-generated content (videos, images, text)
- Rendering and merging of videos
- Sending transactional emails (login links, reminders, notifications)
- Payment processing through integrated payment service providers
(2) The duration of processing corresponds to the term of the service agreement between Controller and Processor. It ends upon deletion of the user account or termination of the agreement, unless statutory retention obligations apply.
§ 2 Nature and Purpose of Processing
The processing serves the provision of Groupies services in accordance with the GTC, in particular:
- Provision and operation of the web application
- Authentication and account management
- Storage, editing, and rendering of video content
- Sending emails on behalf of the Controller (e.g. invitation links to participants)
- Processing of payment transactions
§ 3 Types of Personal Data
The following categories of personal data are processed:
- Contact data (email address)
- Usage data (login timestamps, project assignments, device and browser information)
- Content data (videos, images, text uploaded by the Controller or their invited participants)
- Payment data (forwarded to payment service providers, not stored by the Processor)
- Communication data (email metadata, delivery information)
§ 4 Categories of Data Subjects
The following categories of persons are affected by the processing:
- Customers (Controllers) of the Groupies platform
- Participants invited by the Controller to contribute to a film project
- Recipients of emails sent through the platform
§ 5 Obligations of the Processor
(1) The Processor shall process personal data only on documented instructions from the Controller – including with regard to transfers of personal data to a third country – unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (Art. 28(3)(a) GDPR).
(2) The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).
(3) The Processor shall take all measures required pursuant to Art. 32 GDPR to ensure the security of processing (see § 7).
(4) The Processor shall assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of requests from data subjects exercising their rights laid down in Chapter III GDPR (Art. 28(3)(e) GDPR).
(5) The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR (security, notification of data breaches, data protection impact assessments, prior consultation).
(6) At the choice of the Controller, the Processor shall delete or return all personal data after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data (Art. 28(3)(g) GDPR).
(7) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Art. 28(3)(h) GDPR).
§ 6 Obligations of the Controller
(1) The Controller is responsible for the lawfulness of data processing and for safeguarding the rights of data subjects under the GDPR.
(2) The Controller shall issue all instructions in writing or in text form as a rule. Oral instructions must be confirmed in writing or text form without undue delay.
(3) The Controller shall ensure that content processed through the platform is lawful and does not infringe the rights of third parties.
§ 7 Technical and Organizational Measures (Art. 32 GDPR)
The Processor implements the following measures to protect personal data:
Confidentiality
- SSL/TLS encryption of all data transmissions
- Access control through role-based permissions
- Authentication via time-limited magic links
- Encrypted storage of sensitive configuration data
Integrity
- Protection against unauthorized modification through versioned deployments
- Validation of input data on both server and client side
- Logging of administrative access
Availability and Resilience
- Hosting on highly available cloud infrastructure (Vercel, AWS)
- Automatic scaling during peak loads
- Regular database backups (MongoDB Atlas)
- Geographic redundancy of infrastructure
Procedures for Regular Review
- Regular review and updating of security measures
- Infrastructure monitoring and alerting on anomalies
§ 8 Sub-processing
(1) The Controller grants the Processor general authorization to engage further processors (sub-processors) pursuant to Art. 28(2) GDPR.
(2) At the time of conclusion of this DPA, the Processor engages the following sub-processors:
- Vercel Inc. – Location: USA – Service: Website hosting, Blob Storage – Third-country transfer: SCC, EU-US DPF
- Amazon Web Services (AWS) – Location: USA (servers: Frankfurt) – Service: S3, CloudFront, SES, Lambda – Third-country transfer: SCC, EU-US DPF
- MongoDB, Inc. – Location: USA – Service: Database (MongoDB Atlas) – Third-country transfer: SCC, EU-US DPF
- Stripe Payments Europe, Ltd. – Location: Ireland – Service: Payment processing – Third-country transfer: SCC (for transfers to USA)
- Google Ireland Limited – Location: Ireland – Service: Tag management (GTM) – Third-country transfer: SCC, EU-US DPF
- Meta Platforms Ireland Limited – Location: Ireland – Service: Conversion tracking (Meta Pixel) – Third-country transfer: SCC, EU-US DPF
- Silktide Ltd. – Location: United Kingdom – Service: Cookie consent management – Third-country transfer: SCC (UK Adequacy)
(3) The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors. The Controller may object to such changes within 14 days of notification. The objection must be justified. If no timely objection is raised, consent is deemed given.
(4) The Processor shall ensure that a contract is concluded with each sub-processor that imposes at least the same data protection obligations as set out in this DPA (Art. 28(4) GDPR).
§ 9 Notification of Data Breaches
(1) The Processor shall assist the Controller in complying with the notification obligations pursuant to Art. 33 and 34 GDPR.
(2) The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of any personal data breach. The notification shall include at least:
- A description of the nature of the breach
- The categories and approximate number of data subjects and data records concerned
- A description of the likely consequences
- A description of the measures taken or proposed
§ 10 Third-Country Transfers
(1) Any transfer of personal data to a third country shall only take place in compliance with the requirements of Art. 44 to 49 GDPR.
(2) Where sub-processors based in the USA are engaged, the transfer is based on the adequacy decision of the EU Commission under the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCC) pursuant to Commission Implementing Decision (EU) 2021/914.
§ 11 Liability
The liability of the parties is governed by Art. 82 GDPR. In all other respects, the liability provisions of the GTC shall apply.
§ 12 Term and Termination
(1) This DPA takes effect upon acceptance of the GTC and is valid for the duration of the service agreement.
(2) After termination of the service agreement, the Processor shall delete all personal data processed on the Controller’s behalf within 30 days, unless statutory retention obligations apply. Upon request by the Controller, confirmation of deletion will be provided.
(3) The right to extraordinary termination in the event of serious violations of data protection provisions remains unaffected.
§ 13 Final Provisions
(1) Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions shall remain unaffected.
(2) Amendments and additions to this DPA require text form.
(3) German law shall apply. The place of jurisdiction is Cologne, Germany.