Data Processing Agreement (DPA)

between

EViRAL - Owner: Mert Özcan

Friedrich-Ebert-Straße 322, 47139 Duisburg

Email: eviralgermany@gmail.com

hereinafter "Processor"

and

the Customer (entrepreneur within the meaning of Section 14 BGB)

hereinafter "Controller"

1. Subject Matter of the Agreement

This agreement governs the processing of personal data by the Processor on behalf of the Controller pursuant to Article 28 GDPR. The subject matter is the provision of EViRAL's cloud-based reputation management platform, including AI-based analysis functions, review management, communication functions, and automation workflows.

2. Nature and Purpose of Processing

The processing serves the use of all functions of the platform, in particular:

  • aggregation and display of reviews
  • sending review requests via email, SMS, or WhatsApp
  • AI-based response suggestions
  • evaluation of reputation and performance
  • management of end-customer data
  • use of landing pages, widgets, and QR codes

3. Types of Data

The following personal data may be processed:

  • names, email addresses, telephone numbers
  • reviews, replies, feedback
  • technical data (IP address, browser information, timestamps)
  • communication content in connection with review requests
  • metadata and logs

4. Categories of Data Subjects

  • end customers of the Controller
  • employees of the Controller
  • users of the platform

5. Duties of the Processor

The Processor undertakes to:

  • process data only within the framework of this agreement
  • not disclose data to third parties except where required for the performance of the service
  • bind all persons to confidentiality
  • implement appropriate technical and organizational measures
  • support the Controller in fulfilling data subject rights
  • report personal data breaches without undue delay
  • delete or hand over data after the end of the contract

6. Technical and Organizational Measures (TOMs)

The Processor guarantees measures such as:

  • TLS encryption
  • access restrictions and role-based access models
  • secure EU server locations
  • regular backups
  • security logging
  • system monitoring

7. Sub-processors

The Controller agrees to the use of the following sub-processors:

  • white-label platform provider (technical provision)
  • hosting provider (EU servers)
  • Stripe (payment processing)
  • WhatsApp Business API / Meta Platforms (communication services)
  • CloudTalk (VoIP services)
  • AI service providers for automated texts and analyses

Additional sub-processors may only be used after notifying the Controller.

8. Place of Processing

Processing takes place within the EU.

For services involving third-country transfers (Meta, Stripe, AI providers), standard contractual clauses pursuant to Article 46 GDPR are used.

9. Rights and Obligations of the Controller

The Controller remains the owner of the data and is responsible for its lawfulness.

It must ensure that all stored end-customer data has been collected in compliance with the law.

10. Assistance with Data Subject Rights

The Processor supports the Controller with:

  • access requests
  • rectification
  • deletion
  • restriction and data portability

11. Deletion of Data

After the end of the contract, data shall be deleted unless statutory retention obligations exist.

Export is the responsibility of the Controller.

12. Instructions Binding the Processor

The Processor may process personal data only in accordance with documented instructions of the Controller.

In the event of unclear instructions, clarification shall be sought.

13. Liability

Each party is liable within the framework of the statutory provisions.

The Processor is not liable for errors resulting from incorrect or unlawful instructions of the Controller.

14. Contract Term

This agreement applies for the duration of the use of the EViRAL platform and ends automatically with the main contract.

15. Final Provisions

German law applies.

The place of jurisdiction is Duisburg.

Amendments require text form.