Contact us
Legal/avv
>

DPA / AVV (Template)

// Template data processing agreement under Art. 28 GDPR for ROARK GmbH B2B SaaS services.

This document is a template data processing agreement (DPA) pursuant to Art. 28 GDPR for our B2B SaaS services.

Data processing becomes legally binding only after execution of an individual contractual document between the customer (controller) and ROARK GmbH (processor).

1. Subject matter and duration

  1. ROARK processes personal data solely on behalf of and under documented instructions from the customer.
  2. Subject matter, nature and purpose of processing follow from the main agreement and the agreed SaaS services.
  3. The term of this DPA corresponds to the term of the main agreement unless otherwise agreed.

2. Type of data and data subject categories

Depending on usage, processing may include:

  • Personal data categories: master data, contact data, usage data, communication data and content data
  • Data subject categories: employees, customers, users and other contact persons of the customer

The customer remains responsible for deciding which personal data is entered into the SaaS.

3. Instructions

  1. ROARK processes personal data only on documented instructions.
  2. Verbal instructions must be confirmed in text form without undue delay.
  3. If ROARK considers an instruction unlawful under data protection law, ROARK will inform the customer without undue delay.

4. Confidentiality and access control

  1. ROARK ensures that persons involved in processing are bound to confidentiality.
  2. Access to personal data is limited by role-based and need-to-know principles.

5. Technical and organizational measures (TOMs)

ROARK implements appropriate technical and organizational measures under Art. 32 GDPR, including:

  • Physical access, system access and authorization controls
  • Tenant separation and role/permission concepts
  • Encryption in transit (TLS) and, where applicable, at rest
  • Logging of security-relevant events
  • Availability safeguards (backups and recovery procedures)
  • Regular review and improvement of security measures

6. Subprocessors

ROARK uses the following subprocessors:

ProviderFunctionLocation/RegionRole
HetznerHosting, server operation, databases, backupsEU (mainly Germany/Finland)Subprocessor
VercelWeb hosting, deployment, delivery componentsEU and additional regionsSubprocessor
bunny.netDNS resolver, CDN/edge deliveryEU and global edge locationsSubprocessor
MigaduEmail infrastructureSwitzerland and, where applicable, additional locations via subprocessorsSubprocessor
netcupDomain administration/registrarEU (mainly Germany)Subprocessor where processing relationship applies

ROARK informs customers about material intended changes to subprocessors according to the contractual notification mechanism.

7. Third-country transfers

  1. Processing in third countries takes place only where the requirements of Art. 44 et seq. GDPR are met.
  2. Appropriate safeguards may include Standard Contractual Clauses (SCC) and other lawful transfer mechanisms.
  3. For Switzerland, the EU adequacy decision applies.

8. Assistance obligations

ROARK supports the customer, to a reasonable extent, with

  • data subject rights requests,
  • data protection impact assessments,
  • supervisory authority consultations,
  • compliance with personal data breach notification obligations.

9. Personal data breach notification

  1. ROARK notifies the customer without undue delay after becoming aware of a personal data breach within the processing relationship.
  2. The notification includes all information available and required to assess the incident and fulfill legal obligations.

10. Audit and evidence

  1. Upon request, ROARK provides the customer with information required to demonstrate compliance with Art. 28 GDPR obligations.
  2. Audits take place with reasonable prior notice, respecting confidentiality, security requirements and uninterrupted operations.

11. Return and deletion after termination

  1. After termination of processing services, ROARK deletes or returns personal data according to customer instruction, unless statutory retention obligations apply.
  2. Backup deletion follows technical retention cycles.

12. Liability and order of precedence

  1. Liability follows the main agreement, to the extent permitted by law.
  2. In case of conflict, data protection provisions of the DPA prevail over the main agreement.

13. Contact

For DPA-related data protection requests:

ROARK GmbH
Email: datenschutz@roark.at
Phone: +43 660 375 8455