Effective: April 2026

1. Preamble and Scope

This Data Processing Agreement (DPA) governs the processing of personal data in accordance with GDPR Art. 28 between:

  • Data Controller: The customer of PlotonIQ (hereinafter "Data Controller")
  • Data Processor: K-Werbetechnik, proprietor: Ralph Kowalski, Banatstraße 31, 66424 Homburg, Germany, represented through the PlotonIQ platform (hereinafter "Data Processor")

This DPA is an integral part of the Terms of Service and governs the processing of personal data on behalf of the Data Controller in the context of PlotonIQ services.

2. Subject Matter and Duration of Processing

The Data Processor processes personal data exclusively on behalf of and according to documented instructions from the Data Controller.

2.1 Subject Matter of Processing

Data processing encompasses the following categories:

  • Customer Data: Names, addresses, email, phone, company name of customers of the Data Controller
  • Order Data: Project descriptions, timelines, requirements, changes
  • Performance Data: Calculations, material specifications, dimensions, areas
  • Communication Data: Emails, chat messages, memos, and audio recordings in business operations
  • Team Data: Employee data, location data (if geofencing is enabled), permissions
  • Financial Data: Invoice information, payment data (tokenized), credit card details (Stripe only)
  • Visual Data: Photos for AI measurement recognition, screenshots, design proposals

2.2 Duration of Processing

Data processing occurs during the entire contract period and beyond according to Section 8 (Data Deletion and Retention).

3. Nature and Purpose of Processing

The Data Processor processes data for the following purposes:

  • Provision and management of PlotonIQ services (quote calculations, measurement recognition, job management, CRM, time tracking)
  • AI-powered calculations and analyses using Anthropic Claude API
  • Automatic measurement recognition from photos using Computer Vision (SAM/DINO)
  • Communication with users (transactional emails, notifications)
  • Payment processing and invoicing
  • Implementation of security and authentication measures
  • Logging and system monitoring for security and error diagnosis
  • Geofencing and team management (optional, only if enabled)

4. Categories of Data Subjects

The Data Processor processes data of the following persons:

  • Customers of the Data Controller (end customers of signage services)
  • Employees of the Data Controller (platform users)
  • Subcontractors and partners of the Data Controller
  • Contact persons and representatives

5. Categories of Personal Data

The Data Processor processes the following categories:

  • Master Data: Name, title, address, phone, email address, company name
  • Identification Data: User ID, JWT tokens, session cookies, browser fingerprint (hashed)
  • Location Data: IP address, GPS coordinates (only if geofencing is enabled)
  • Business Data: Project descriptions, calculations, quotes, orders, invoices
  • Communication Data: Messages, audio transcripts, emails
  • Technical Data: Logfiles, server logs, system access, error protocols
  • Special Categories: None (except voluntarily provided identifying information)

6. Obligations of the Data Processor — Technical and Organizational Measures

6.1 Technical Security Measures

  • Data Encryption:
    • AES-256 encryption for sensitive data in the database
    • TLS 1.2+ for transmission (HTTPS)
    • JWT authentication with httpOnly cookies (not JavaScript-accessible)
  • Database Protection:
    • PostgreSQL database with strong authentication
    • Encrypted connections between app and database
    • Regular automated backups with encryption
    • Redundant storage and disaster recovery
  • Access Control:
    • Role-based access control (RBAC)
    • Multi-tenant architecture with strict tenant isolation
    • Audit logs for all administrative access
    • Principle of least privilege: no unnecessary permissions
  • Network Security:
    • DDoS protection via Cloudflare
    • Firewall rules and intrusion detection
    • Regular security updates and patches
  • API Security:
    • JWT-based API authentication
    • Rate limiting to prevent brute-force attacks
    • No sensitive data in URLs or query parameters

6.2 Organizational Security Measures

  • Personnel and Training:
    • Limited number of employees with access to customer data
    • Non-disclosure agreements (NDAs) with all employees
    • Data protection training for relevant personnel
  • Data Protection Governance:
    • Privacy Policy and this DPA
    • Data Protection Officer (where required)
    • Policies for protection and use of personal data
  • Incident Response:
    • Procedures for detection and reporting of data breaches
    • Notification of Data Controller within 24 hours of known security incidents
    • Cooperation in notification obligations to authorities and affected persons
  • Documentation and Monitoring:
    • Records of Processing Activities per GDPR Art. 30
    • Regular security audits
    • Logging of all data access (where technically feasible)
  • Physical Security:
    • Hosting with Hetzner Online GmbH (Falkenstein, Germany) with ISO-27001 certification
    • Control of physical access to the data center
    • Monitoring and security measures of the hosting provider

7. Sub-processors and Third Parties

The Data Processor uses the following sub-processors and service providers to deliver services:

7.1 Required Sub-processors

Service Provider Location Purpose Data Transfer
Server Hosting Hetzner Online GmbH Falkenstein, Germany Database, application server Intra-EU (DE)
CDN / DDoS Protection Cloudflare, Inc. San Francisco, USA Website performance, security USA (EU-US DPF, SCC)
Transactional Emails Brevo SAS Paris, France Confirmation and notification emails Intra-EU (FR)
Payment Processing Stripe, Inc. San Francisco, USA Card payments, subscription management USA (SCC) — tokenized
AI API (Calculations) Anthropic, PBC San Francisco, USA AI calculations, text generation USA (SCC) — Zero Data Retention

7.2 Transfers to Third Countries

For data transfers to the USA, the following mechanisms apply:

  • EU-US Data Privacy Framework (DPF): Cloudflare is certified
  • Standard Contractual Clauses (SCCs): For Anthropic and Stripe

The Data Controller consents to these transfers by accepting the Terms of Service.

7.3 Changes to Sub-processors

The Data Processor will inform the Data Controller before engaging new sub-processors. The Data Controller has the right to object to the use of new sub-processors by providing written notice within 30 days of notification. In such case, either party may terminate the contractual relationship.

8. Data Deletion and Retention

8.1 Deletion Periods After Contract Termination

  • Customer and Project Data: Will be deleted upon request by Data Controller, at the latest 30 days after contract termination
  • Backups: Will be automatically deleted per Hetzner retention policies after approximately 30-90 days
  • Logfiles and System Data: Will be automatically anonymized or deleted after 90 days
  • Financial Records and Invoices: Will be retained per German tax law (§14 StGB, §239 HGB) for 6-10 years

8.2 Right to Erasure During Use

The Data Controller may request deletion of individual records at any time, unless prevented by law. Deleted data will not be recovered.

8.3 Data Export

The Data Controller may request data export in a structured, common format (e.g., CSV, JSON) to enable portability.

9. Rights and Obligations of the Data Controller

9.1 Instructions from the Data Controller

The Data Controller may issue instructions for processing personal data through:

  • Configuration of platform settings
  • Explicit written instruction via email to [email protected]
  • Use of API endpoints with appropriate parameters

9.2 Data Controller Cooperation

The Data Controller is responsible for:

  • Securing login credentials and access codes
  • Compliance with applicable laws when collecting customer data
  • Accuracy and legality of processed data
  • Documentation of the legal basis for data processing
  • Notifying affected persons per GDPR (where required)

9.3 Data Controller's Privacy Policy

The Data Controller is responsible for providing its own privacy policy to end customers, disclosing that data is transmitted to PlotonIQ / the Data Processor.

10. Rights and Obligations of Data Subjects

The Data Processor supports the Data Controller in fulfilling data subject rights:

  • Right of Access (GDPR Art. 15): Data Controller may request access; Data Processor will respond within 14 days
  • Right to Rectification (GDPR Art. 16): Data subjects may correct or request correction of erroneous data
  • Right to Erasure (GDPR Art. 17): Erasure requests will be processed within 14 days (except for legal retention obligations)
  • Right to Restrict Processing (GDPR Art. 18): Available via platform settings
  • Right to Data Portability (GDPR Art. 20): Data Controller may export data in standard format
  • Right to Object (GDPR Art. 21): Applies to processing based on legitimate interests

11. Data Breaches and Notification Obligations

11.1 Data Breach Notification

In case of a data breach, the Data Processor will notify the Data Controller immediately, but no later than 24 hours, in writing. The notification includes:

  • Nature and extent of the breach
  • Categories and approximate number of affected persons
  • Probable consequences of the breach
  • Measures taken and planned to remedy and mitigate damage
  • Name and contact information of the Data Protection Officer or contact person

11.2 Cooperation with Authorities

The Data Processor will cooperate with the Data Controller and competent data protection authorities and will assist the Data Controller in:

  • Notifying affected persons
  • Reporting to the competent supervisory authority
  • Investigations and audits

12. Data Controller's Audit Rights

12.1 Inspection Rights

The Data Controller has the right to audit how the Data Processor processes personal data upon request:

  • Access to Records of Processing Activities
  • Review of security measures
  • Audits with advance notice

Audits should occur during normal business hours and must not materially disrupt operations.

12.2 Certificates and Audits

The Data Processor will provide the following evidence:

  • Hetzner ISO-27001 certificate (hosting provider)
  • SOC-2 report (if available)
  • Security policies and measures catalog

13. Privacy by Design and Privacy by Default

The Data Processor implements privacy by design per GDPR Art. 25:

  • Minimal data collection: only necessary data is collected
  • Pseudonymization: browser fingerprints are hashed
  • Encryption: AES-256 for sensitive data
  • Access control: role-based permissions
  • Regular review: audits and penetration testing

14. AI Processing and Automated Decision-Making

14.1 Nature of AI Processing

PlotonIQ uses AI for:

  • Quote calculations (Anthropic Claude API)
  • Recognition of areas and measurements from photos (SAM/DINO — local on Hetzner)
  • Transcription of audio memos (OpenAI Whisper — optional)
  • Generation of business insights and recommendations

14.2 No Purely Automated Decision-Making

Per GDPR Art. 22, there is NO purely automated decision-making with legal effect. This means:

  • AI calculations are SUGGESTIONS, not binding
  • Users always decide manually
  • No automated rejection of orders or customers

14.3 Transparency in AI Use

Users are clearly informed when AI is involved in a process through:

  • Labeled areas in the user interface (e.g., "AI Suggestion")
  • Explanation of the AI approach in help texts
  • This Privacy Policy and this DPA

15. EU AI Act — Compliance

AI systems used in PlotonIQ are classified per the EU AI Act:

  • Text Generation (Claude API): Limited risk — transparency requirements fulfilled
  • Measurement Recognition (SAM/DINO): Limited risk — locally executed, no third-country transfer
  • Audio Transcription (Whisper): Limited risk — user opt-in required

There are NO high-risk AI applications per the AI Act.

16. Fees and Costs

This Data Processing Agreement is included as part of the subscription contract. There are NO additional fees for compliance with this DPA.

17. Legal Basis and Scope

  • Primary Legal Basis: EU GDPR (2016/679), GDPR, ePrivacy Directive (Germany)
  • Scope: All users with registered office in Germany or the EU
  • Effective From: April 1, 2026
  • Language: German; in case of discrepancies, the German version applies

18. Term and Termination

18.1 Contract-Bound Term

This DPA runs in parallel with the subscription contract. Upon termination of the subscription, this DPA also terminates.

18.2 Termination

Termination of this DPA is only possible jointly with termination of the subscription contract.

18.3 Effects of Termination

After termination, customer data will be deleted per Section 8 or retained if required by law.

19. Amendments to This DPA

The Data Processor may modify this DPA with 30 days' notice if:

  • Legal or regulatory requirements require it
  • The change improves personal data protection
  • The Data Controller does not object in writing within 30 days

The Data Controller will be informed of changes in advance in writing.

20. Contact and Complaints

20.1 Contact Address of the Data Processor

K-Werbetechnik / PlotonIQ
Banatstraße 31
66424 Homburg
Germany
Email: [email protected]
Phone: +49 (0)6821-6797414

20.2 Data Protection Authority

Complaints about data processing may be filed with the competent data protection authority. The contact information for Germany (Saarland) is:

Independent Data Protection Center Saarland
Fritz-Dobisch-Straße 12
66111 Saarbrücken, Germany
Email: [email protected]
Website: www.datenschutz.saarland.de

21. Validity and Severability Clause

Should any provision of this DPA be invalid, this does not affect the validity of the entire agreement. The parties will agree on a valid replacement provision that corresponds to the economic purpose of the original agreement.

22. Final Provisions

This Data Processing Agreement becomes effective on April 1, 2026, and is binding for all PlotonIQ customers who conclude a contract as of that date or renew existing contracts.

Version: 1.0

Effective from: April 1, 2026

Last Updated: April 2026