Data Processing Agreement
pursuant to Art. 28 GDPR · Effective: 26 May 2026 · Version 1.0
between
Steinbui UG (haftungsbeschränkt)
Dr.-Christian-Seidl-Weg 4
85435 Erding
Germany
– hereinafter "Processor" or "KMUPIM" –
and the Customer with whom a contract for the use of the KMUPIM platform has been concluded,
– hereinafter "Controller" or "Customer" –
– collectively the "Parties" –
Preamble
The Controller uses the SaaS platform "KMUPIM" of the Processor on the basis of a separate main contract ("Usage Contract") for the management of product information, media, releases and associated workflows. In the course of this use, the Processor processes personal data on behalf of and under the instructions of the Controller. With this agreement, the Parties specify the obligations pursuant to Art. 28 GDPR.
This DPA is part of the Usage Contract. Unless otherwise regulated in this DPA, the provisions of the Usage Contract apply supplementarily.
§ 1 Subject Matter of the Data Processing
(1) The subject matter of the data processing is the provision and operation of the software-as-a-service application KMUPIM including all auxiliary services required for this purpose (hosting, backup, maintenance, support, optional connections to third-party systems).
(2) The processing of personal data by the Processor within the scope of this agreement shall be carried out exclusively on documented instructions of the Controller, unless the Processor is exceptionally required to do otherwise by Union or Member State law (Art. 28 para. 3 lit. a GDPR).
(3) The main contract and its appendices including the respective current product description simultaneously contain the basic instructions of the Controller.
§ 2 Duration
The term of this DPA corresponds to the term of the Usage Contract. The provisions of this DPA apply as long as the Processor processes personal data on behalf of the Controller and survive termination of the Usage Contract insofar as this is necessary for the proper return or deletion of the data (§ 11).
§ 3 Nature and Purpose of Processing, Type of Data, Categories of Data Subjects
3.1 Purpose of Processing
Provision of the KMUPIM platform for the Controller, in particular:
- management of product information (PIM), media and assets,
- planning and control of product releases,
- synchronization with connected third-party systems (e.g. Shopify) within the scope of the connectors enabled by the Controller,
- provision of optional AI-assisted auxiliary functions, insofar as activated by the Controller (BYOK),
- user and permission management within the Controller's account,
- sending technical and transactional notifications,
- support and maintenance services.
3.2 Nature of Processing
Collection, recording, storage, organization, structuring, alteration, retrieval, display, transmission (e.g. to connected third-party systems), provision, comparison, linking, restriction, erasure.
3.3 Type of Personal Data
- Account and master data of the Controller's users: First/last name, business e-mail address, language, avatar (if uploaded), role in the account.
- Authentication and security data: Password hashes (Argon2id), refresh tokens, 2FA secrets (AES-256-encrypted), login logs (IP, timestamp, User-Agent).
- Account credentials: Access credentials to third-party systems stored by the Controller (e.g. Shopify Custom App – Client ID/Secret, Access Token), encrypted with libsodium / XSalsa20-Poly1305.
- Content data: Product, media and release data created by the Controller or its users; these may contain personal data insofar as the Controller feeds such data into the platform.
- Communication data: Content of support messages to KMUPIM.
3.4 Categories of Data Subjects
- Employees, collaborators and administrators of the Controller (users of the platform);
- Contact persons and other individuals whose personal data the Controller processes in its content data.
3.5 No Special Data Categories
The processing of special categories of personal data pursuant to Art. 9 GDPR as well as data pursuant to Art. 10 GDPR is not intended. The Controller warrants that it will not upload such data into the platform unless previously agreed in writing and secured with supplementary guarantees.
§ 4 Obligations of the Processor
(1) The Processor shall process personal data exclusively within the scope of the agreements made and on the instructions of the Controller, unless it is required to do otherwise by Union or Member State law. In this case, the Processor shall inform the Controller of these legal requirements prior to processing, unless the relevant law prohibits such notification on grounds of important public interest (Art. 28 para. 3 lit. a GDPR).
(2) The Processor shall maintain written or electronic records of categories of processing activities pursuant to Art. 30 para. 2 GDPR.
(3) To maintain confidentiality, the Processor has obliged all persons involved in the processing to confidentiality before commencing their activity and ensures its continuation even after the end of their activity (Art. 28 para. 3 lit. b, Art. 29, 32 para. 4 GDPR).
(4) The Processor implements the technical and organizational measures set out in Annex 1 (TOM) and further develops them in line with the state of the art. Material changes will be communicated to the Controller.
(5) The Processor shall assist the Controller – insofar as appropriate and taking into account the nature of the processing – in fulfilling requests of data subjects as well as in complying with its obligations pursuant to Art. 32 to 36 GDPR (Art. 28 para. 3 lit. e, f GDPR).
(6) The Processor shall notify the Controller without undue delay after becoming aware, but no later than within 72 hours, of any personal data breach (Art. 33, 34 GDPR). The notification shall contain at least the information referred to in Art. 33 para. 3 GDPR, insofar as known to the Processor.
(7) The Processor shall inform the Controller immediately if, in its opinion, an instruction infringes data protection provisions (Art. 28 para. 3 sentence 3 GDPR). The Processor is entitled to suspend the implementation of the respective instruction until it is confirmed or modified by the Controller.
(8) The Processor has not appointed a data protection officer; a corresponding obligation pursuant to Art. 37 GDPR in conjunction with § 38 BDSG does not exist. Data protection inquiries are handled at info@kmupim.com.
§ 5 Obligations of the Controller
(1) The Controller is the controller within the meaning of Art. 4 No. 7 GDPR for the personal data processed by it in the platform. It is responsible for the lawfulness of the processing and the protection of the rights of the data subjects (Art. 24 GDPR).
(2) The Controller shall issue all instructions in principle in writing or by e-mail to info@kmupim.com. Oral instructions must be confirmed in writing or by e-mail without undue delay.
(3) The Controller shall designate a contact point for data protection-related inquiries (in the normal case, the e-mail address provided in the main order).
(4) The Controller ensures that it has the necessary legal basis for the transfer of personal data into the platform (in particular consent of the data subjects, insofar as required) and that the data subjects are informed accordingly.
(5) The Controller has comprehensive possibilities for controlling, accessing, rectifying, deleting and exporting data ("self-service") through the administrative functions provided by the Processor. In addition, it may request support from the Processor.
§ 6 Requests of Data Subjects
(1) If a data subject contacts the Processor directly, the Processor shall forward the request to the Controller without undue delay, insofar as it is evident from the request that it concerns the Controller.
(2) The Processor shall assist the Controller to the best of its ability in responding to requests for access, rectification, restriction, data portability, objection or erasure pursuant to Art. 12 ff. GDPR. The Processor may charge for the proven additional effort insofar as the effort exceeds the self-service functions normally included in the product; standard requests are free of charge.
§ 7 Sub-Processors
7.1 General Consent
(1) The Controller hereby grants general written authorization (Art. 28 para. 2 sentence 2 GDPR) for the engagement of the sub-processors listed in Annex 2 as of the date of contract conclusion.
(2) The Processor shall inform the Controller at least 30 days prior to any intended change concerning the engagement or replacement of sub-processors (by e-mail to the stored data protection contact address or by notification in the application).
(3) The Controller may object to the engagement or replacement in writing within 14 days of notification for a compelling data protection reason. In the event of a justified objection, the Parties are obliged to find an amicable solution; if this is not achieved, the Controller is entitled to extraordinarily terminate the Usage Contract with a notice period of 30 days. Remuneration already paid will be refunded on a pro-rata basis.
7.2 Requirements
The Processor obliges each sub-processor, before commencing the activity, to data protection obligations equivalent to those of this agreement, in particular to compliance with confidentiality, the TOM and the purpose limitation (Art. 28 para. 4 GDPR). The Processor is liable to the Controller for compliance with the data protection obligations by the sub-processors as for its own fault.
7.3 Other Recipients (Not Sub-Processing)
The following recipients are accessed by the Controller itself in the course of platform use or act as independent controllers and are not sub-processors of the Processor:
- Shopify International Ltd. / Shopify Inc. – recipient of the API calls initiated by the Controller to its own store;
- Mistral AI SAS, OpenRouter, Inc., Runware AI, Inc. and comparable AI providers – insofar as the Controller voluntarily provides its own API key and actively uses AI features ("Bring Your Own Key"). Contractual partner of these providers is the Controller.
§ 8 Third-Country Transfer
(1) A transfer of personal data to third countries outside the EEA takes place exclusively within the scope of the constellations set out in Annex 2.
(2) Insofar as third-country transfers occur, the Processor bases them on:
- the adequacy decision of the European Commission on the EU-US Data Privacy Framework of 10.07.2023 (Art. 45 GDPR), provided the recipient is DPF-certified;
- supplementarily the Standard Contractual Clauses of the EU Commission (Implementing Decision 2021/914, Art. 46 para. 2 lit. c GDPR) including supplementary technical and organizational measures in accordance with the EDPB Recommendations 01/2020.
(3) The Processor shall provide evidence to the Controller upon request.
§ 9 Audit Rights
(1) The Controller has the right to verify compliance with the TOM and the obligations of this agreement (Art. 28 para. 3 lit. h GDPR).
(2) The Processor shall provide this evidence in the normal case by:
- the current TOM documentation available (Annex 1),
- the provision of status, security and, if available, audit reports (e.g. penetration tests) upon justified request,
- written or electronic response to appropriate questionnaires of the Controller within a reasonable period.
(3) An on-site inspection is possible, but only in coordination with the Processor, with reasonable advance notice (at least 30 days), during normal business hours and without material disruption of business operations. The Controller bears its own costs; the Processor may charge for the additional effort caused by the inspection, insofar as this was not triggered by indications of a specific violation.
(4) Auditing personnel must be obliged to confidentiality; competitors of the Processor are excluded as auditors.
§ 10 Liability
For the liability of the Parties under this DPA, the provisions of the Usage Contract apply; supplementarily, Art. 82 GDPR as well as other mandatory law remain unaffected. In the internal relationship, the Parties bear any compensation payments made pursuant to Art. 82 GDPR in accordance with their respective share of responsibility.
§ 11 Return and Deletion after Contract Termination
(1) Upon termination of the Usage Contract, the Processor shall delete all personal data stored for the Controller within 30 days completely and irrevocably, including copies contained in backups after expiry of the respective backup retention period (max. 30 days after initial deletion in the live system).
(2) At the Controller's request, the Processor shall make the personal data available for export prior to deletion in a structured, commonly used and machine-readable format (e.g. JSON, CSV, ZIP of media files). The effort incurred for this may be charged separately; a one-time data export in the standard format is free of charge.
(3) The deletion will be confirmed in writing or by e-mail upon request.
(4) Statutory retention obligations remain unaffected; data subject to such retention will be blocked and deleted after the retention period expires.
§ 12 Final Provisions
(1) The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods.
(2) Should individual provisions of this agreement be or become invalid, the agreement shall remain valid in its remaining parts. The invalid provision shall be replaced by a valid regulation that comes closest to the economic purpose pursued with it.
(3) Changes and supplements to this agreement require text form (e-mail is sufficient). This also applies to the revocation of this written form requirement.
(4) The place of jurisdiction is – insofar as legally permissible – the registered office of the Processor.
Annexes
- Annex 1: Technical and Organizational Measures (TOM) – available upon request at info@kmupim.com or via the trust portal.
- Annex 2: List of Sub-Processors – see below.
Annex 2 – List of Sub-Processors
Effective: 26 May 2026. Contracts pursuant to Art. 28 GDPR exist with all sub-processors. The respective current version of this list is publicly available at www.kmupim.com/subprocessors and is updated in accordance with § 7.1 of this DPA with a notice period of at least 30 days.
| Company | Location / Processing Location | Activity | Data Categories | Third Country | Guarantees |
|---|---|---|---|---|---|
| Contabo GmbH, Aschauer Straße 32a, 81549 Munich | Germany (data center DE) | VPS hosting of KMUPIM backend, frontend and database services | all stored data categories | no | – |
| Contabo GmbH | Region EU2 – Nuremberg, Germany | S3-compatible object storage for media files (Asset Storage) | Media files, metadata if contained | no | – |
| BunnyWay d.o.o. (Bunny.net), Cesta komandanta Staneta 4A, 4000 Kranj, Slovenia | EU (edge locations prioritized) | Content Delivery Network, DDoS protection | IP address, User-Agent, URL, timestamp | no | – |
| Lettermint B.V., Netherlands | Netherlands | Sending transactional e-mails (confirmation, password reset, notifications) | E-mail address, name, message content | no | – |
| Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands | Netherlands | Payment processing (tariff subscriptions) | Name, e-mail, billing address, payment metadata | no | – |
Any additional recipients to whom the Processor transmits data only on the Controller's own initiative (e.g. Shopify as the target of the sync connection configured by the Customer) as well as BYOK AI providers (§ 7.3) are not considered sub-processors of the Processor.