This Data Processing Agreement (DPA / AVV) specifies the data protection obligations of the parties where AIream processes personal data on behalf of the customer. It supplements the Terms and prevails over the Terms in case of contradictions concerning commissioned processing of personal data.
1. Roles of the Parties
- The customer is the controller within the meaning of Art. 4 No. 7 GDPR where it determines the purposes and means of processing personal data in the customer project.
- AIream is the processor within the meaning of Art. 4 No. 8 GDPR where AIream processes personal data solely on behalf of and under documented instructions of the customer.
- Where AIream processes personal data for its own purposes, in particular website operation, communication, contract administration, billing, security and own business operations, AIream acts as an independent controller. AIream’s privacy policy applies to those processing activities.
2. Subject Matter, Duration, Nature and Purpose of Processing
- Subject matter: Supporting the customer in creating, further developing, analyzing, testing, providing and documenting customer-specific web applications through the AIream development pipeline.
- Duration: Processing takes place for the duration of the cooperation and until deletion or return of data according to the Terms, unless statutory retention duties apply.
- Nature of processing: Collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure by transmission, alignment, restriction, erasure and destruction of personal data where required for the customer project.
- Purpose: Implementation of customer-defined roadmap items, software development and testing, error analysis, testing support, documentation, deployment support, project communication and workspace provision.
AIream does not process personal data for its own product development, advertising, profiling or training of public or provider-internal foundation models.
3. Categories of Personal Data
Depending on the project, the following data may be processed:
- Contact data, such as name, email address, phone number, company, role and communication data.
- Project and content data, such as descriptions, documents, tickets, roadmap items, attachments, screenshots, files and test data.
- Usage and technical data, such as log data, IP addresses, device and browser data, error logs, access times and technical IDs.
- Business data of the customer or its users, where introduced into the project by the customer.
- Special categories of personal data under Art. 9 GDPR, children’s data, health data, biometric data, payment data, ID data or criminal-law relevant data may be processed only if expressly agreed in text form in advance and if required safeguards have been defined.
4. Categories of Data Subjects
Depending on the project, affected persons may include:
- Customer contacts, employees, contractors or advisors.
- Customers, prospects, users or business partners of the customer.
- Test users, applicants, participants, patients or other persons whose data the customer introduces into the project.
- AIream employees or contractors where they appear in project communication.
5. Customer Instructions
- AIream processes personal data only on documented customer instructions unless legally required otherwise.
- Instructions may be issued through the workspace, roadmap items, tickets, email, project chats or other communication channels documented in text form.
- Oral instructions must be confirmed by the customer in text form without undue delay.
- AIream informs the customer without undue delay if AIream believes an instruction violates data protection law. AIream may suspend execution of an obviously unlawful instruction until clarification.
- The customer remains responsible for lawfulness of processing, lawfulness of instructions and safeguarding data subject rights.
6. AIream Obligations
AIream undertakes to:
- process personal data only within this DPA, the Terms and documented customer instructions;
- bind persons involved in processing to confidentiality or ensure they are subject to appropriate statutory confidentiality obligations;
- implement and maintain appropriate technical and organizational measures under Art. 32 GDPR;
- support the customer where possible in fulfilling obligations toward data subjects;
- reasonably support the customer with data protection impact assessments and supervisory authority consultations where AIream processing is affected;
- delete or return personal data at the end of processing at the customer’s choice, unless statutory retention duties apply;
- provide the customer with information required to meet Art. 28 GDPR obligations.
7. Customer Obligations
The customer undertakes to:
- provide personal data to AIream only where a sufficient legal basis exists;
- properly inform data subjects where required;
- not provide special categories of personal data, health data, children’s data, biometric data, payment data, ID data or criminal-law relevant data unless expressly agreed in text form in advance;
- not provide trade secrets requiring special protection, highly confidential business data, regulated data or other sensitive content unless processing by AIream, subprocessors or AI-assisted tools has been expressly agreed in text form in advance;
- clearly label confidential, sensitive or regulated data before submission and provide only what is necessary for the customer project;
- inform AIream in time about industry-specific, regulatory or special data protection requirements;
- issue instructions clearly, completely and lawfully;
- anonymize, pseudonymize or use synthetic test data where real personal data is not required for development;
- appropriately manage accesses, roles and permissions on the customer side.
If the customer provides special categories of personal data, trade secrets requiring special protection, highly confidential business data, regulated data or other sensitive content without prior express agreement, this is outside the agreed scope. The customer remains responsible for lawfulness, necessity, labelling and minimization of such data and for resulting risks, damages, third-party claims or authority measures, unless AIream is liable under mandatory law or due to its own breach.
8. Technical and Organizational Measures (TOMs)
AIream implements appropriate technical and organizational measures considering the state of the art, implementation costs, nature, scope, context and purposes of processing as well as likelihood and severity of risks.
Measures include, where applicable:
- Access control: role-based access rights, need-to-know principle, individual user accounts and appropriate authentication.
- Administrative access protection: protection of privileged access, secure password and key management, limitation of privileged access.
- Transmission protection: encrypted transmission via current TLS connections where technically available.
- Storage protection: appropriate encryption or access restrictions for stored data, secrets and configurations.
- Separation: project-based separation of workspaces, repositories, environments and permissions.
- Logging: appropriate logging of security-relevant access and changes where technically and economically reasonable.
- Availability: appropriate measures to restore development and workspace access after technical disruptions within AIream’s responsibility.
- Deletion: processes for deletion or return of project data after contract end.
- Confidentiality: confidentiality obligations for persons who receive access to personal data.
- Review: regular internal review and adjustment of TOMs based on project and risk situation.
Customer production environments, customer-selected third-party providers and customer-operated systems are not covered by AIream TOMs unless AIream expressly assumes their operation.
9. Subprocessors
- The customer grants AIream general authorization to use subprocessors where required for hosting, workspace operation, code repositories, communication, email, file storage, AI-assisted processing, testing, deployment, monitoring or other contract performance.
- AIream contractually binds subprocessors to data protection and confidentiality obligations substantially corresponding to this DPA.
- AIream remains responsible toward the customer for performance of subprocessors’ data protection obligations.
- AIream informs the customer about new or replaced subprocessors in an appropriate manner, such as by current list, email or workspace notice.
- The customer may object for important data protection reasons within 14 days after notification. If the objection cannot be resolved by reasonable measures, AIream may suspend affected services or terminate the affected project part.
Current Subprocessors
The concrete list must be completed and kept current before productive use of personal data.
| Provider | Purpose | Processing Location | Third-Country Transfer / Safeguard |
|---|---|---|---|
| [insert Git/repository provider] | Code repository, project files | [insert] | [insert] |
| [insert hosting/workspace provider] | Workspace, preview, storage | [insert] | [insert] |
| [insert AI model provider] | AI-assisted code and text processing | [insert] | [insert] |
| [insert email/communication provider] | Project communication | [insert] | [insert] |
10. Third-Country Transfers
- Processing or access outside the EU/EEA occurs only where GDPR requirements are met.
- Suitable safeguards may include an adequacy decision of the European Commission, the EU-U.S. Data Privacy Framework, standard contractual clauses or other GDPR-permitted mechanisms.
- The customer acknowledges that certain cloud, AI, repository or communication services may involve third-country aspects. Details are set out in the current subprocessor list.
11. Data Subject Rights
- If a data subject contacts AIream directly and the request concerns a customer project, AIream forwards the request to the customer where allocation is possible.
- AIream does not answer such requests independently unless instructed by the customer or legally required.
- AIream reasonably supports the customer in fulfilling access, rectification, erasure, restriction, portability and objection obligations where AIream processing is affected.
12. Personal Data Breaches
- AIream informs the customer without undue delay after becoming aware of a personal data breach within the meaning of Art. 4 No. 12 GDPR where it affects the customer project.
- The notice includes, where available, the nature of the breach, affected data and persons, likely consequences and measures taken or proposed.
- The customer decides whether notification to a supervisory authority or data subjects is required where the customer is controller. AIream reasonably supports the customer.
13. Evidence and Audits
- AIream provides the customer, upon request, with information required to fulfill Art. 28 GDPR obligations to a reasonable extent.
- Audits by the customer or its auditor are possible after reasonable prior notice, during usual business hours and subject to confidentiality, security and rights of other customers.
- Audits must not unreasonably disrupt AIream’s business and must be limited to the scope relevant to the customer project.
- Where equivalent evidence, reports, certificates or security documentation are available, AIream may provide these first.
- Efforts for customer-specific audits beyond legally required standard support may be charged separately after prior notice.
14. Deletion and Return
- After the last purchased package ends, the deletion periods under the Terms apply.
- The customer is responsible for exporting or downloading required content before the deletion period expires, including source code, roadmap exports, documents and other materials.
- Upon documented customer instruction, AIream deletes personal data earlier unless statutory retention duties or legitimate security interests prevent deletion.
- Legally retained data is stored only for the applicable retention duty and no longer processed for project purposes.
15. Liability
The parties’ liability is governed by the Terms unless mandatory data protection law provides otherwise. Statutory claims of data subjects and powers of supervisory authorities remain unaffected.
16. Final Provisions
- Amendments and additions to this DPA require text form.
- In case of conflict between this DPA and the Terms, this DPA prevails with regard to commissioned processing of personal data.
- If any provision is invalid, the remaining provisions remain effective.