ZENTRE – Data Processing Agreement (DPA)

English convenience translation. Only the German version (“AVV/DPA”) is legally binding; the English translation is provided for information purposes only. In case of discrepancies, the German version prevails.

Last updated: 06 Jun 2026

1. Preamble, parties, order of precedence

2. Roles and delineation (Processor vs. Controller)

3. Definitions

4. Subject matter, nature, purpose, duration

5. Instructions and instruction management

6. Obligations of the Controller

7. Confidentiality

8. Security of processing (Art. 32 GDPR)

9. Hosting and data location (default)

10. Assistance with data subject rights

11. Assistance with compliance (Art. 28 (3) (f) GDPR)

EZTO appropriately assists the Controller with Art. 32–34, 35, 36 GDPR. Additional effort may be remunerated in accordance with the main agreement, to the extent permissible.

12. Subprocessors

13. AI providers / AI routing

14. Third-country transfers

15. Deletion and return

16. Personal data breaches

17. Authority requests / disclosure

18. Evidence and audits

19. Documentation

EZTO maintains – to the extent required – a record of processing activities as a processor (Art. 30 (2) GDPR) and provides the Controller upon request with appropriate information/extracts therefrom, to the extent necessary to fulfil the accountability obligation and provided no legitimate confidentiality interests or third-party trade secrets conflict.

20. Involvement in professional secrecy (Section 203 StGB; professional law requirements)

21. Final provisions


Annexes to the DPA

Annex 1 — Description of the processing (Art. 28 (3) GDPR)

Subject matter of the processing: provision and operation of the AI orchestration and governance platform “Zentre” (chat assistant, agents, RAG/knowledge tool) as SaaS.

Nature of the processing: automated collection, recording, storage, display, structuring, transmission (to the AI gateway/AI providers and – where activated – to the search provider), restriction, and deletion.

Purpose: provision of the contractually agreed services, user/access management, support/error analysis, security/abuse prevention/incident handling.

Categories of personal data:

Categories of data subjects: users of the Controller (employees); where applicable, third parties named in content/search data (e.g., clients, patients, customers, business partners of the Controller) – depending on the Controller’s inputs.

Special categories (Art. 9 GDPR): only where the Controller inputs such data; this is the responsibility of and on the instruction of the Controller (cf. Section 6).

Duration: for the term of the main agreement; chat/workspace content data 90 days; thereafter deletion/return pursuant to Section 15 and Annex 4.

Place of processing: EU/EEA – hosting Scaleway (France, Paris fr-par); AI routing via Cortecs (EU); web search via Linkup (EU). Third-country transfers only pursuant to Section 14.

Annex 2 — Technical and organizational measures (Art. 32 GDPR)

EZTO operates an ISO/IEC 27001-aligned information security management system (ISMS) and is currently undergoing ISO/IEC 27001 certification. Pending issuance, evidence (TOM documentation, pen-test reports, security questionnaires) is provided upon request.

1. Confidentiality

2. Integrity

3. Availability and resilience

4. Procedures for regular review, assessment, and evaluation

5. Key management: provider-managed keys; “Bring Your Own Key” (BYOK) is not currently offered.

Annex 3 — Subprocessors

The current subprocessor list (/legal/subprocessors) is decisive. The following are engaged in particular:

ProviderPurposeLocation/CountryTransfers
Scaleway (Scaleway SAS)Hosting/infrastructureEU (France, Paris fr-par)n/a (EU)
Cortecs (Cortecs GmbH)AI gateway/routing (EU routing, ZDR)EU (Austria)generally none; SCC where necessary
Linkup (Linkup Technologies SAS)Web search (where activated; ZDR)EU (France)n/a (EU)
Infomaniak (Infomaniak Network SA)Transactional emailsSwitzerland/EUadequacy decision (CH)
Stripe (Stripe Payments Europe Ltd.)Billing/paymentEU (Ireland)/USASCC where necessary
Usercentrics (Usercentrics GmbH)Consent management (website)EU (Germany)n/a (EU)
Plausible (Plausible Insights OÜ)Analytics (website)EUn/a (EU)

The AI model providers are integrated via the Cortecs gateway as its subprocessors (decisive: Cortecs subprocessor list). Changes are announced at least 30 days in advance (Section 12).

Annex 4 — Retention and deletion