Data Processing Agreement
Data Processing Agreement (DPA)
1. Preamble
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: The customer ("Controller") using the services of Creativate Technologies GmbH
- Data Processor: Creativate Technologies GmbH, Lahnstraße 65, 60326 Frankfurt am Main, Germany ("Processor")
2. Scope and Purpose of Processing
The Processor processes personal data on behalf of the Controller solely for the purpose of providing the Services as defined in the Terms of Use, including:
- Hosting and storage of business content and user data
- AI-powered analysis, content generation, and decision support
- Account management and authentication
- Customer relationship management and communication
- Analytics and platform optimization
3. Categories of Data Subjects
- Users (employees, contractors, or agents of the Controller)
- End users of the Controller's products or services (where applicable)
- Business contacts and stakeholders referenced in uploaded content
4. Categories of Personal Data Processed
- Identity and contact information
- Account and authentication data
- Business content and AI interaction data
- Technical and device data
- Usage and interaction data
- Communication data
5. Duration of Processing
Processing shall continue for the duration of the service agreement plus any legally required retention period. Upon termination, data shall be deleted or returned in accordance with Section 11.
6. Obligations of the Processor
The Processor shall:
a) Process personal data only on documented instructions from the Controller, unless required by EU or Member State law
b) Ensure that persons authorized to process personal data have committed to confidentiality
c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS) and at rest
- Role-based access controls (RBAC)
- Regular security assessments and vulnerability testing
- Logging and monitoring of data access
- Data breach response procedures
d) Not engage another processor without prior specific or general written authorization of the Controller
e) Assist the Controller in ensuring compliance with data subject rights requests
f) Assist the Controller with DPIAs and prior consultations with supervisory authorities where required
g) At the Controller's choice, delete or return all personal data after the end of service provision
h) Make available all information necessary to demonstrate compliance and allow for audits
7. Sub-Processors
The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning sub-processors, giving the Controller the opportunity to object.
Current Sub-Processors
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure (EC2, S3, CloudFront, Route 53) | EU (Frankfurt) |
| Anthropic | AI language model (Claude) | US (SCCs) |
| OpenAI | AI language model (GPT) | US (SCCs) |
| Google AI | AI language model (Gemini) | US (SCCs) |
| HuggingFace | ML model hosting and inference | EU/US (SCCs) |
| HubSpot | CRM and marketing automation | EU (Germany) |
8. International Data Transfers
Where personal data is transferred outside the EEA, the Processor ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914)
- Data Processing Agreements with each sub-processor
- Technical measures including encryption and access controls
- Transfer Impact Assessments where required
9. Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests under GDPR Articles 15–22, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
- Rights related to automated decision-making and profiling
10. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. The notification shall include:
- A description of the nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
11. Data Deletion and Return
Upon termination of the service agreement:
- The Processor shall delete or return all personal data within 30 days, at the Controller's choice
- The Processor shall delete existing copies unless EU or Member State law requires retention
- The Processor shall provide written confirmation of deletion upon request
12. Audits and Inspections
The Controller may audit the Processor's compliance with this DPA:
- With at least 30 days' written notice
- During normal business hours
- Without unreasonably disrupting the Processor's operations
- At the Controller's expense
13. Enterprise Provisions
For enterprise customers, a custom DPA may be negotiated to address specific requirements. Contact legal@creativate.tech to discuss enterprise data processing arrangements.
14. Contact
For questions about this DPA or data processing:
Creativate Technologies GmbH
Lahnstraße 65, 60326 Frankfurt am Main, Germany
Email: legal@creativate.tech
Data Protection Officer: privacy@creativate.tech
Effective Date: February 2026 Creativate Technologies GmbH