Data Processing Agreement (DPA)

This post is also available in: German

This statement was written in German. If you are facing inconsistencies between the translated version of this statement compared to the German version, always the German version shall prevail.

In case you need a signed copy of this agreement (inclusive TOM), please contact us.

Last modified: April 5, 2023

To the extent that Conceptboard Cloud Service GmbH, Mansfelder Str. 56, 06108 Halle (Saale), Germany – the Processor – hereinafter referred to as “Conceptboard Company” or “Supplier”, processes on behalf of the Customer – the Controller – hereinafter referred to as the “Client”, in the provision of the service hereunder any Personal Data as part of Customer Data that is subject to the General Data Protection Regulation (the “GDPR”), the terms of the Data Processing Agreement apply.

1 Subject matter and duration

1.1 Subject matter

(1) The Subject matter of the Order or Contract results from the Concept-board usage contract between the con-tractor and the client, which was either concluded as an individual contract or is available within the framework of the Conceptboard terms of use of May 25, 2018 (hereinafter referred to as Main Contract).

1.2 Duration

(1) The duration of this Order or Contract corresponds to the duration of the Main Contract.

(2) Insofar as the regulatory content of individual regulations extends beyond the term of this agreement, the corresponding obligations remain unaffected by the termination of this agreement. This applies in particular to the obligation to delete data and return data carriers.

2 Specification of the Order or Contract Details

2.1 Nature and Purpose of the intended Processing of Data

2.1.1 Collection and use of data

(1) The Conceptboard Company offers services for online collaboration between computer users. In doing so, personal data is requested and collect while registering for the services, using the services and visiting the web sites. The personal information is used to operate the services, to improve the services, for anonymous statistics, and for communication with the users. This is done by the Conceptboard Company itself or by authorized service providers (see section “Subcontracting”). Only anonymized usage data is used to improve the services.

(2) The undertaking of the contractually agreed Processing of Data shall be carried out essentially within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Each and every Transfer of Data to a State which is not a Member State of either the EU or the EEA requires the prior agreement of the Client and shall only occur if the specific Conditions of Article 44 et seq. GDPR have been fulfilled. In these cases, the appropriate level of protection is determined by an adequacy decision by the European Commission or on the basis of special guarantees, such as contractual obligations through so-called Standard Data Protection Clauses of the Commission, the existence of certifications or binding internal data protection regulations.

2.1.2 Sharing data between users

(1) Collaboration in Conceptboard takes place within interactive workspaces (the “boards”). Users can transfer data to these boards. Once the user shares a board with other users, also some of this data (e.g. users’ names, their profile pictures, the content they contributed, information about when they contributed) is also shared to enable the collaboration.

(2) The Supplier has no influence on data sharing between users.

2.2 Type of Data

(1) The Subject Matter of the processing of personal data comprises the following data types/categories:

  • Personal Master and Contact Data (e.g. name, email, contact details, profile picture)
  • Key Contract Data (e.g. contractual/legal relationships, contractual or product interest)
  • Customer History and Usage Behavior (e.g. modification history on content)
  • Identification and Authentication Data (e.g. IP address, user ID, session cookie, login tokens)
  • Content Data within the interactive workspaces (the “boards”), which, depending on the actual use, can include personal data

2.3 Categories of Data Subjects

(1) The Categories of Data Subjects comprise:

  • Users

(2) As the case may be, personal data of other data subjects may also be found in the content data of the interactive workspaces (“boards”) in the context of user collaboration. The Supplier has no influence on this type of use and therefore also no knowledge of which persons are affected.

3 Technical and Organisational Measures

(1) Before the commencement of processing, the Supplier shall document the execution of the necessary Technical and Organisational Measures, set out in advance of the awarding of the Order or Contract, specifically with regard to the detailed execution of the contract, and shall present these documented measures to the Client for inspection. Upon acceptance by the Client, the documented measures become the foundation of the contract. Insofar as the inspection/audit by the Client shows the need for amendments, such amendments shall be implemented by mutual agreement.

(2) The Supplier shall establish the security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. The measures to be taken include measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR must be taken into account (details in “Appendix 1: TOM”).

(3) The Technical and Organisational Measures are subject to technical progress and further development. In this respect, it is permissible for the Supplier to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented and communicated to the Client at least in text form.

4 Rectification, restriction and erasure of data

(1) The Supplier may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client. Insofar as a Data Subject contacts the Supplier directly concerning a rectification, erasure, or restriction of processing, the Supplier will immediately forward the Data Subject’s request to the Client.

(2) Erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by the Supplier in accordance with documented instructions from the Client without undue delay.

5 Quality assurance and other duties of the Supplier

(1) In addition to complying with the rules set out in this Order or Contract, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:

  1. Appointed Data Protection Officer, who performs his/her duties in compliance with Articles 38 and 39 GDPR. His/Her current contact details are always available and easily accessible on the website of the Supplier.
  2. Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. The Supplier undertakes to maintain confidentiality when processing the Client’s personal data in accordance with the order. This continues even after the contractual relationship with the client has ended. The Supplier entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The confidentiality obligation continues to exist even after the employment relationship has ended. The Supplier and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Client, which includes the powers granted in this contract, unless required to do so by a Union or Member State law to which the contractor is subject.
  3. Implementation of and compliance with all Technical and Organisational Measures necessary for this Order or Contract in accordance with Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR (details in “Appendix 1: TOM”).
  4. The Client and the Supplier shall cooperate, on request, with the supervisory authority in performance of its tasks.
  5. The Client shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Order or Contract. This also applies insofar as the Supplier is under investigation or is party to an investigation by a competent authority in connection with infringements to any Civil or Criminal Law, or Administrative Rule or Regulation regarding the processing of personal data in connection with the processing of this Order or Contract.
  6. Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the Order or Contract data processing by the Supplier, the Supplier shall make every effort to support the Client.
  7. The Supplier shall periodically monitor the internal processes and the Technical and Organizational Measures to ensure that processing within his area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.
  8. Verifiability of the Technical and Organisational Measures conducted by the Client as part of the Client’s supervisory powers according to section “Supervisory powers of the Client” of this contract.
  9. The Supplier informs the Client, unless prohibited by a court or authority, if the Client’s data should be endangered by seizure, confiscation, or the like.
  10. The Supplier informs the Client if the data protection officer or the contact person for data protection changes.

6 Subcontracting

(1) Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Client’s data, even in the case of outsourced ancillary services.

(2) The Supplier may commission subcontractors (additional contract processors) only after prior explicit written or documented consent from the Client. The Client agrees to the commissioning of the subcontractors named in “Appendix 2: Subcontractors” on the condition of a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR.

(3) The transfer of personal data from the Client to the subcontractor and the subcontractors commencement of the data processing shall only be undertaken after compliance with all requirements has been achieved.

(4) If the subcontractor provides the agreed service outside the EU/EEA, the Supplier shall ensure compliance with EU Data Protection Regulations by appropriate measures. The same applies if service providers are to be used within the meaning of Paragraph 1 Sentence 2.

(5) Further outsourcing by the subcontractor requires the express consent of the main Client (at the minimum in text form); all contractual provisions in the contract chain shall be communicated to and agreed with each and every additional subcontractor.

7 Supervisory powers of the Client

(1) The Client has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to convince itself of the compliance with this agreement by the Supplier in his business operations by means of random checks, which are ordinarily to be announced in good time.

(2) The Supplier shall ensure that the Client is able to verify compliance with the obligations of the Supplier in accordance with Article 28 GDPR. The Supplier undertakes to give the Client the necessary information on request and, in particular, to demonstrate the execution of the Technical and Organizational Measures.

(3) The Supplier may claim remuneration for enabling Client inspections.

(4) The result of the inspections must be documented by the client.

8 Cooperation obligations of the Supplier

(1) The Supplier shall assist the Client in fulfilling inquiries and claims of data subjects in accordance with Chapter III of the GDPR as well as in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include:

  1. Ensuring an appropriate level of protection through Technical and Organizational Measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
  2. The obligation to report a personal data breach immediately to the Client
  3. The duty to assist the Client with regard to the Client’s obligation to provide information to the Data Subject concerned and to immediately provide the Client with all relevant information in this regard.
  4. Supporting the Client with its data protection impact assessment
  5. Supporting the Client with regard to prior consultation of the supervisory authority

(2) If a Data Subject should contact the Supplier directly with inquiries or requests for the transfer, restriction of processing, correction or deletion of their data, the Supplier will immediately forward this request to the Client and inform the Data Subject that the Client is the responsible body within the meaning of the GDPR. If the Supplier cannot assign the Data Subject to a specific Client, the Supplier will refer the Data Subject to the responsible body from their point of view. Information to third parties or Data Subjects may not be given without a corresponding instruction from the Client.

(3) The Supplier may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Supplier, insofar as these do not insignificantly exceed the contractually agreed services. The contractor must explain and prove his concrete additional expenditure and his additional costs.

9 Authority of the Client to issue instructions

(1) The Client shall immediately confirm oral instructions (at the minimum in text form).

(2) The receiving of the instructions takes place via the customer support of the Supplier, preferably by e-mail to

(3) The Supplier shall inform the Client immediately if he considers that an instruction violates the General Data Protection Regulation and other data protection provisions of the Union or of the member states. The Supplier is entitled to suspend the implementation of the specific instruction until it is confirmed or changed by the Client.

10 Deletion and return of personal data

(1) Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of:

  1. copies or duplicates as far as they are temporarily necessary in the context of user collaboration,
  2. back-up copies as far as they are necessary to ensure orderly data processing,
  3. data required to meet Union or member state requirements to retain data.

(2) After conclusion of the contracted work, or earlier upon request by the Client, at the latest upon termination of the Main Contract, the Supplier shall hand over to the Client or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. As the case may be, exceptions to this rule can apply to content data in the context of user collaboration. This depends on the owning user (“Owner”) of the interactive workspace („Board“):

  1. Boards can be deleted by their owners; the deletion of the board triggers the deletion of the content data
  2. Boards that are only accessible to the owning user are deleted when the user is deleted
  3. Boards that are accessible to other users but not users within the organization of the owning user (“Team Members”) are deleted when the user is deleted
  4. Boards that are accessible to other users within the organization of the owning user (“Team Members”) will, upon deletion of the user, become the property of one of these other users
  5. A user’s content data that persists on other boards after deleting the user (e.g., comments) is represented as being caused by a “deleted user”

(3) Documentation which is used to demonstrate orderly data processing in accordance with the Order or Contract shall be stored beyond the contract duration by the Supplier in accordance with the respective retention periods. It may hand such documentation over to the Client at the end of the contract duration to relieve the Supplier of this contractual obligation.

11 Liability

(1) Reference is made to Article 82 GDPR.

12 Extraordinary right of termination

(1) The Client can terminate the contract at any time without observing a notice period if the Supplier has seriously violated data protection regulations or the provisions of this contract, the Supplier cannot or does not want to carry out an instruction from the Client, or the Supplier refuses control rights by the Client contrary to the contract. In particular, non-compliance with the obligations stipulated in this contract and derived from Article 28 GDPR constitutes a serious violation.

13 Data Protection Officer of the Supplier

Data Protection Officer
c/o Conceptboard Cloud Service GmbH
Mansfelder Str. 56
06108 Halle (Saale)


Appendix 1: TOM

See Security Measures (TOM).

Appendix 2: Subcontractors

Service Address Purpose Exchanged Personal Data
AWS* Amazon Web Services EMEA SARL
38 Avenue John F. Kennedy
L-1855, Luxembourg
Data Center, Virtual Server Operation – IP address
Elgendorfer Str. 57
56410 Montabaur, Germany
Data Center, Virtual Server Operation – IP address
Host Europe Host Europe GmbH
Hansestrasse 111
51149 Köln, Germany
Email Server Hosting – User email address
– Email content
SendinBlue SendinBlue SAS 47
Rue de la Chaussée d’Antin
75009 Paris, France
Onboarding, Product Update Emails – User email address
– User name

* By default, processing for the purpose of “Data Center & Virtual Server Operation” takes place ex-clusively via AWS and, if separately agreed, exclusively via IONOS.


The Client has the option of deactivating the additional functions offered by the following subcontractors and thus preventing any associated data transmission.

Service Address Purpose Exchanged Personal Data
Zendesk Zendesk, Inc.
1019 Market Street
San Francisco, CA 94103, USA
Support Ticket Management, Help Center Hosting – User email address
– User name
– IP address
– Cookie data
– Support content
Tokbox Vonage Holdings Corp.
23 Main Street
Holmdel, NJ 07733, USA
In-App Video Conferencing – IP address
– Cookie data
– Audio/video stream
Aspose Aspose Pty Ltd,
79 Longueville Road, Suite 163
Lane Cove, NSW, 2066, Australia
Office File Conversion (Word, Powerpoint, Excel) – Upload content