01 Definitions
Capitalised terms used in this DPA have the meanings given in the EU General Data Protection Regulation 2016/679 (“GDPR”). In particular, “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Sub-Processor” and “Supervisory Authority” have their GDPR meanings.
Customer means the legal entity that has signed an offer with CatinTech and acts as the Controller of any personal data processed under the engagement.
CatinTech means the legal entity identified in our Imprint, acting as the Processor under this DPA.
Services means the design, development, hosting, email, and support services CatinTech provides to the Customer under the applicable offer.
02 Scope and roles
The Customer is the Controller of personal data submitted to or generated by the Services. CatinTech is the Processor. CatinTech processes personal data only on documented instructions from the Customer, including with regard to international transfers.
For our own marketing site, account system, billing and support desk, CatinTech acts as an independent Controller. The treatment of that data is described in the Privacy Policy.
03 Processing instructions
The offer, the brief submitted in the Customer's portal, and the Customer's ongoing instructions through the ticketing system constitute the documented processing instructions for purposes of GDPR Art. 28(3)(a).
CatinTech will immediately notify the Customer if, in its opinion, an instruction infringes the GDPR or other applicable Union or Member State data-protection laws.
04 Nature and purpose of processing
Subject matter
Provision of the Services as set out in the relevant offer: designing, building, deploying, hosting, and maintaining the Customer's website or platform.
Duration
From acceptance of the offer until the later of termination of the engagement or the end of any hosting subscription, plus 24 months' retention for tax/warranty obligations.
Categories of data subjects
- Visitors of the Customer's site
- Account holders and end users of the Customer's platform
- Employees of the Customer who use the admin portal
Categories of personal data
- Identification data (name, email)
- Authentication data (hashed credentials, session tokens)
- Billing data (Stripe metadata; no card numbers)
- Usage data (IP, timestamps, user-agent strings)
- Content data submitted by the Customer or its users
05 Confidentiality
CatinTech ensures that any person authorised to process personal data under this DPA has committed to confidentiality or is under an appropriate statutory obligation of confidentiality. Access is restricted to people who need it to perform the Services.
06 Security measures (Art. 32)
CatinTech implements appropriate technical and organisational measures, including:
- Encryption — TLS 1.2+ in transit, AES-256 at rest for object storage and database snapshots.
- Access control — role-based access, least privilege, MFA on all administrative consoles.
- Auditing — every administrative action against customer data is logged with actor, time, and IP.
- Backups — encrypted nightly backups with a 30-day retention window. Restores tested quarterly.
- Vulnerability management — automated dependency scanning, security patches applied within 7 days of disclosure for high/critical severity.
- Resilience — Postgres point-in-time recovery, stateless web tier behind a CDN, separate worker pool.
07 Sub-processors
The Customer authorises CatinTech to engage the sub-processors listed at /legal/subprocessors. CatinTech will give the Customer at least 30 days' notice via in-portal banner and email before adding or replacing a sub-processor that processes personal data.
The Customer may object on reasonable data-protection grounds. If the objection cannot be resolved, the Customer may terminate the affected portion of the Services with a pro-rata refund.
CatinTech imposes substantially the same data protection obligations on each sub-processor as those in this DPA via a written contract.
08 International transfers
Where personal data is transferred to a country outside the EEA that the European Commission has not decided ensures an adequate level of protection, CatinTech relies on the European Commission's 2021 Standard Contractual Clauses, together with supplementary technical measures (end-to-end TLS, at-rest encryption, key management inside the EEA) where appropriate.
09 Data subject rights
CatinTech assists the Customer with appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to requests for exercising the data subject's rights under Chapter III of the GDPR.
If CatinTech receives a request directly from a data subject, CatinTech forwards the request to the Customer without undue delay and does not respond to the data subject except on the Customer's instruction (or as required by law).
10 Personal data breach
In the event of a personal data breach, CatinTech notifies the Customer without undue delay and at the latest within 48 hours after becoming aware of it.
The breach notice will include, to the extent known:
- The nature of the breach and categories of data affected
- Approximate number of data subjects and records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its possible adverse effects
11 Audit rights
CatinTech makes available to the Customer all information necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer once per calendar year on reasonable prior notice and during business hours, with reasonable cost-recovery for time spent beyond two business days.
12 Return and deletion of data
On termination of the Services and at the Customer's choice, CatinTech either deletes or returns all personal data to the Customer and deletes existing copies, unless EU or Member State law requires storage of the personal data. Default behaviour is deletion within 90 days of termination.
13 Liability and governing law
Each party's liability under this DPA is governed by the liability provisions of the underlying offer. To the extent any provision of this DPA conflicts with the offer, this DPA prevails for matters of data protection.
This DPA is governed by the law of the EU Member State where CatinTech is established, with exclusive jurisdiction of the courts competent at that seat.