Effective Date: 28 November 2025
THIS DATA PROCESSING AGREEMENT (THE "dpa") SUPPLEMENTS AND FORMS AN INTEGRAL PART OF THE TERMS & CONDITIONS (THE "agreement") ENTERED INTO BY AND BETWEEN THE CUSTOMER, AS DEFINED IN THE AGREEMENT (THE "controller"), AND RM HOLDING GMBH, AUCHTWEIDE 32, D-87775 SALGEN, GERMANY (THE "processor"). BY ACCEPTING OR EXECUTING THE AGREEMENT, THE CONTROLLER ENTERS INTO THIS DPA ON BEHALF OF ITSELF AND, WHERE REQUIRED UNDER APPLICABLE DATA PROTECTION LAWS, ON BEHALF OF ITS AFFILIATES. THIS DPA INCORPORATES THE TERMS OF THE AGREEMENT, AND ANY TERMS NOT DEFINED HEREIN SHALL HAVE THE MEANINGS ASSIGNED TO THEM IN THE AGREEMENT. THE PARTIES THEREFORE AGREE AS FOLLOWS:
1. Clarifying key terms used in this dpa
"dpa" means this Data Processing Agreement, including its appendix and any amendments agreed by the parties.
"agreement" means the Terms & Conditions or other main service agreement governing the provision of the services by the processor to the controller.
"controller" means the customer entity that determines the purposes and means of the processing of personal data and that has entered into the agreement with the processor.
"processor" means RM Holding GmbH, acting as a data processor on behalf of the controller in connection with the provision of the services.
"services" means the software-as-a-service platform "offgen," including all associated add-ins, integrations, AI functionalities, features, documentation and related services provided under the agreement.
"affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party to the agreement.
"data protection laws" means all applicable data protection and privacy laws and regulations, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and any implementing or supplementary national laws.
"personal data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR, processed by the processor on behalf of the controller in connection with the services.
"processing" means any operation or set of operations performed on personal data, whether or not by automated means, as defined in Article 4(2) GDPR.
"data subject" means an identified or identifiable natural person whose personal data is processed under this dpa.
"personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed.
"sub-processor" means any third party engaged by the processor to process personal data on behalf of the controller in connection with the services.
"standard contractual clauses" or "sccs" means the contractual clauses adopted by the European Commission or a competent authority for the transfer of personal data to third countries under the GDPR, as may be amended or replaced from time to time.
"technical and organisational measures" or "toms" means the security measures implemented by the processor to protect personal data as required by Article 32 GDPR.
2. Describing the boundaries and operational characteristics of the processing activities
The subject matter of this dpa is the processing of personal data by the processor on behalf of the controller in connection with the services, including authentication, slide-generation functionality, AI-assisted features, analytics, support, subscription management, and associated technical operations.
The processing operations performed by the processor include, as applicable: (a) collection, (b) storage, (c) transmission, (d) pseudonymisation, (e) retrieval, (f) modification, (g) analysis, (h) logging and auditing, (i) deletion, and (j) any other operation reasonably necessary for the provision of the services.
Personal data is processed solely for the following purposes: (a) providing and operating the services, (b) verifying user identity and enabling authentication, (c) managing subscriptions and licenses, (d) delivering support and resolving technical issues, (e) enabling and improving AI functionality, (f) ensuring the security, availability, and performance of the services, (g) analysing usage in aggregated or pseudonymised form, and (h) complying with applicable laws, billing obligations, and audit requirements.
The processor does not use personal data for advertising, profiling unrelated to the services, or AI training unless expressly requested by the controller.
The processor shall process personal data for the term of the agreement, unless otherwise required by applicable laws, including statutory retention obligations for billing and tax compliance.
The processor may process the following categories of personal data:
The processor does not process special categories of data as defined in Article 9 GDPR. If the controller includes such data in uploaded content, the controller bears full responsibility for such content.
Data subjects include employees, contractors, agents, and other authorised users acting on behalf of the controller, as well as individuals whose data is included by the controller in slide content or AI prompts.
3. Determining the responsibilities and assurances required from the controller
The controller shall ensure that all personal data provided or made available to the processor under the agreement has been collected and is processed in compliance with data protection laws, including maintaining a valid legal basis under Articles 6 and, where applicable, 9 GDPR.
The controller shall instruct the processor only in a lawful manner. All instructions must be documented, including through the configuration and use of the services. The controller is responsible for the accuracy, legality, and completeness of its instructions.
The controller shall ensure that all personal data shared with the processor is accurate, relevant, and limited to what is strictly necessary for the purposes described in Section 2. The controller shall promptly update or correct personal data as required under GDPR Articles 5 and 16.
The controller is solely responsible for the content uploaded, transmitted, or generated through the services, including slide content, AI prompts, and associated user inputs. The processor does not monitor, read, extract, transfer, analyse, or otherwise process personal data embedded in such content beyond what is required to provide the services.
The controller is solely responsible for responding to requests made by data subjects under GDPR Articles 12–23. The processor shall not respond directly to data subjects unless legally compelled. The processor shall provide reasonable assistance upon written request of the controller.
The controller shall ensure that all use of the services complies with the agreement, including all acceptable use restrictions. This includes prohibiting the uploading of unlawful content, special categories of personal data, or data irrelevant to the legitimate use of the services.
The controller shall indemnify and hold harmless the processor from any claims, damages, liabilities, or expenses arising from: (a) unlawful personal data provided by the controller, (b) violations of data protection laws caused by the controller, (c) misuse of the services, and (d) instructions that violate GDPR or other applicable laws.
4. Describing the duties and safeguards undertaken by the processor
The processor shall process personal data solely on documented instructions from the controller, including those reflected in the agreement, this dpa, and configuration of the services, unless processing is required by Union or Member State law. In such cases, the processor shall inform the controller prior to processing, unless prohibited by law.
The processor ensures that all persons authorised to process personal data are bound by appropriate confidentiality obligations and have received proper training regarding data protection, information security, and restricted data access.
The processor shall implement and maintain the TOMs required by Article 32 GDPR, including but not limited to: (a) encryption of personal data in transit and at rest, (b) strict access controls and multi-factor authentication (MFA), (c) role-based access and "need-to-know" authorisation principles, (d) network security, including firewalls and isolation, (e) pseudonymisation where appropriate, (f) secure development and deployment practices, (g) audit logging and monitoring, (h) emergency and continuity procedures, (i) regular security reviews and threat assessments, (j) data minimisation and storage limitation controls, (k) enforcement of data hosting rules with selected providers (Hetzner, Neon, AWS).
A description of the prevailing TOMs is provided in Appendix A.
The processor maintains the records required by Article 30(2) GDPR regarding categories of processing activities conducted on behalf of the controller.
Considering the nature of the processing, the processor shall assist the controller, upon reasonable written request, in responding to data subjects' rights requests under Articles 12–23 GDPR, including access, rectification, erasure, and data portability.
The processor shall provide assistance to the controller with regard to data protection impact assessments and consultations with supervisory authorities, as required under Articles 35 and 36 GDPR.
The processor shall not: (a) process personal data for advertising or profiling purposes, (b) use personal data to build or enhance models unrelated to the services, (c) train external AI systems with personal data, (d) combine personal data from different controller accounts, (e) process personal data beyond what is strictly required to provide the services.
The processor shall ensure that only personnel with strictly necessary access can view or interact with personal data, and only in accordance with the TOMs and documented instructions.
To the extent legally required, the processor shall cooperate with competent supervisory authorities regarding personal data processed under this dpa.
5. Regulating the engagement and obligations of third-party service providers
The controller grants the processor a general authorisation to engage sub-processors for the performance of the services, provided that such sub-processors meet the requirements of Article 28 GDPR and this dpa.
As of the effective date of this dpa, the processor engages the following sub-processors to support the services:
The current version of the sub-processor list is included in Appendix A.
The processor shall ensure that each sub-processor is bound by a written agreement imposing obligations that are no less protective of personal data than those set forth in this dpa, including requirements regarding: (a) confidentiality, (b) data security and TOMs, (c) restricted processing purposes, (d) breach notification obligations, (e) cross-border transfer mechanisms.
Where a sub-processor processes personal data outside the European Economic Area, the processor shall ensure the use of an appropriate GDPR transfer mechanism, including but not limited to: (a) standard contractual clauses (sccs), (b) supplementary technical measures (encryption, access controls), (c) compliance assessments of destination country laws.
The processor may update the list of sub-processors from time to time. The processor shall provide notice by making such updates available through its website, product dashboard, or other suitable channels. Continued use of the services after such updates constitutes authorisation of the new sub-processors.
The processor remains fully liable to the controller for the performance of its sub-processors and for ensuring the protection of personal data entrusted to them.
6. Clarifying where personal data is stored and how cross-border transfers are safeguarded
The processor stores and processes personal data in the geographic region associated with the controller's account or operations. Personal data may be stored in: (a) the European Union for EU-based controllers, (b) the United States for US-based controllers, or (c) other regions as reasonably required to deliver the services with optimal performance.
The processor does not intentionally store or replicate EU customer data outside the EU unless necessary for providing the services or unless explicitly configured by the controller.
For the purpose of providing, supporting, securing, and improving the services, the processor may transfer personal data globally to sub-processors or infrastructure providers listed in Appendix A, subject to the safeguards described in this Section 6. Such transfers are strictly limited to what is necessary for: (a) authentication, (b) hosting and infrastructure, (c) AI functionality, (d) analytics, (e) support and troubleshooting, and (f) billing and compliance.
Where personal data is transferred from the EEA, Switzerland, or the United Kingdom to a country that does not provide an adequate level of protection under data protection laws, the processor ensures such transfers are subject to a lawful transfer mechanism, including: (a) standard contractual clauses (sccs) adopted by the European Commission, (b) the UK Addendum or UK International Data Transfer Agreement, (c) supplementary technical measures (encryption, access governance), (d) documented transfer risk assessments as required under EDPB guidance.
To ensure a level of protection essentially equivalent to the GDPR, the processor employs additional measures, including: (a) encryption of data in transit and at rest, (b) strict access controls and role-based permissions, (c) segregation of controller environments, (d) no unsolicited personal data access by AI vendors, (e) contractual restrictions preventing sub-processors from using data for their own purposes.
The processor shall maintain an up-to-date list of sub-processors and their respective data processing locations in Appendix A. Updates to this list are considered appropriate notice under Section 5.
The processor does not use personal data: (a) for marketing or advertising, (b) for unrelated analytics, (c) to build or improve models outside the scope of the services, (d) for profiling unrelated to the services, (e) in ways that would create international transfers not listed in Appendix A.
7. Regulating the end-of-term handling, retention, and erasure of personal data
The processor retains personal data for the duration of the agreement and only for as long as is necessary to fulfil the purposes described in Section 2. Unless otherwise required by law, the processor does not retain personal data longer than necessary for the operation of the services.
Upon termination or expiration of the agreement, the processor shall delete the personal data within 90 days, unless continued retention is required to comply with statutory obligations, including tax and billing laws.
Deletion shall include removal from active systems, backups, and disaster recovery environments, subject to reasonable delays inherent in secure deletion processes.
The controller acknowledges that the services do not require or support specific data export or return procedures for personal data. The processor is not obligated to provide return, extraction, or restitution of personal data prior to deletion, except as required by applicable law.
Notwithstanding Section 7.2, the processor may retain certain personal data (e.g., billing, invoicing, tax-relevant records) for periods mandated by applicable laws. Such retention shall be limited to the minimum extent necessary and protected under the TOMs described in Appendix A.
The processor uses industry-standard deletion practices, including: (a) secure overwriting, (b) cryptographic erasure, (c) scheduled purge processes, (d) controlled deletion workflows with audit logs, (e) deletion safeguards at hosting providers (Hetzner, Neon, AWS).
8. Establishing the safeguards implemented to protect personal data
The processor shall implement and maintain appropriate technical and organisational measures ("TOMs") designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in accordance with Article 32 GDPR. The processor's TOMs reflect the nature of the personal data processed, the risks associated with the processing, industry best practices, and the state of the art.
The processor employs encryption technologies to protect personal data: (a) encryption in transit using TLS or equivalent standards, (b) encryption at rest, (c) key management policies aligned with industry standards. Where feasible, the processor utilises pseudonymisation or data minimisation techniques to reduce risks and limit exposure.
The processor maintains strict access controls, including: (a) multi-factor authentication (MFA) for privileged accounts, (b) role-based access control (RBAC), (c) "least privilege" and "need-to-know" principles, (d) documented access provisioning and revocation procedures, (e) periodic review of access rights.
The processor ensures network and infrastructure security through: (a) firewalls and network segmentation, (b) intrusion detection and prevention mechanisms, (c) secure VPN and remote access controls, (d) DDoS mitigation capabilities, (e) hardened cloud environments (Hetzner, Neon, AWS). Hosting providers are required to maintain their own security measures, including physical security, redundancy, and backup protocols.
The processor enforces secure development practices, including: (a) code review processes, (b) dependency and vulnerability scanning, (c) separation of development, staging, and production environments, (d) deployment pipelines with integrity validation.
The processor maintains logs and monitoring systems to detect unusual or unauthorised activities, including: (a) audit logs for administrative actions, (b) system event monitoring, (c) anomaly detection, (d) incident ticketing workflows. Logs are protected against tampering and retained for an appropriate period.
To validate the effectiveness of TOMs, the processor conducts: (a) periodic penetration testing, (b) vulnerability assessments, (c) security audits of internal systems, (d) review of third-party risk (sub-processors).
The processor maintains: (a) backup systems with integrity checks, (b) disaster recovery plans, (c) incident response procedures, (d) emergency playbooks for critical outages. These measures ensure continuity and resilience of the services.
The processor may update its TOMs from time to time to reflect technological advances, threat evolution, or regulatory requirements, provided such updates do not materially reduce the level of protection afforded to personal data.
9. Establishing the procedures and timelines for responding to security incidents
A "personal data breach" means any breach of security leading to: (a) accidental or unlawful destruction of personal data, (b) loss of personal data, (c) alteration of personal data, (d) unauthorised disclosure of personal data, or (e) unauthorised access to personal data, whether transmitted, stored, or otherwise processed by the processor.
Upon becoming aware of a personal data breach affecting personal data processed on behalf of the controller, the processor shall notify the controller without undue delay, and in any event no later than 72 hours, unless a different timeline is required under data protection laws.
Such notice shall include, where reasonably possible: (a) a description of the nature of the breach, (b) the categories and approximate number of affected data subjects, (c) the categories and approximate number of personal data records concerned, (d) likely consequences of the breach, (e) measures taken or proposed to address the breach, (f) contact information for the responsible incident manager.
The processor shall: (a) promptly investigate the breach, (b) take necessary steps to mitigate or remedy any adverse effects, (c) assist the controller with any required notifications to supervisory authorities or affected data subjects, (d) document all relevant facts, actions, and outcomes related to the breach, (e) provide timely updates as more information becomes available.
The processor shall not notify any supervisory authority or data subject of the breach on the controller's behalf unless expressly instructed to do so by the controller or mandated by applicable law.
The processor shall maintain internal records of all personal data breaches in accordance with Article 33(5) GDPR and make such records available to the controller upon reasonable request.
10. Outlining the cooperation mechanisms for fulfilling data subjects' GDPR rights
The controller is solely responsible for responding to data subject requests under Articles 12–23 GDPR, including requests for: (a) access, (b) rectification, (c) erasure, (d) restriction of processing, (e) data portability, (f) objection, (g) rights related to automated decision-making. The processor shall not respond directly to a data subject unless expressly instructed by the controller or required by data protection laws.
Taking into account the nature of the processing, the processor shall provide reasonable assistance to the controller upon written request, including by: (a) providing relevant system logs, (b) enabling the controller to locate relevant personal data, (c) providing technical clarification about system behaviour, (d) supporting secure deletion or correction actions. Such assistance may be limited to what is technologically feasible and shall not include developing custom tools or performing manual data reviews.
If personal data appears within slides, AI prompts, or other user-generated content, the controller is solely responsible for: (a) locating such data, (b) responding to deletion or rectification requests, (c) ensuring lawful access and processing by its users. The processor does not process, extract, or inspect personal data contained within such content except as required to provide the services.
If a supervisory authority or regulatory body contacts the processor regarding personal data processed under this dpa, the processor shall: (a) promptly notify the controller, unless legally prohibited; (b) refrain from responding directly unless required by law; (c) cooperate with the controller in preparing any response; (d) provide documentation or clarifications necessary for compliance.
Where assistance under this Section requires significant time, manual effort, or resources beyond standard operational tasks, the processor may charge reasonable fees, provided such fees are communicated to the controller in advance.
11. Establishing the mechanisms for verifying compliance with data protection obligations
The controller acknowledges and agrees that it is not entitled to conduct on-site audits of the processor, its facilities, or its sub-processors. This restriction ensures the security and integrity of the processor's environments and aligns with industry-standard SaaS practices.
To demonstrate compliance with data protection laws, the processor shall make available, upon reasonable written request: (a) security policies and TOMs summaries, (b) data flow descriptions, (c) penetration testing summaries (high level), (d) relevant third-party compliance documentation from hosting and infrastructure providers, (e) records of processing activities required under Article 30(2) GDPR, (f) results of internal or commissioned security assessments (where appropriate). Such documentation shall be provided electronically, unless another method is reasonably required.
The processor may redact or limit any documentation, reports, or information provided under this Section to: (a) protect confidentiality, (b) safeguard intellectual property, (c) avoid exposure of internal architecture details, (d) comply with security or operational requirements, (e) protect other customers' data. Redactions shall not materially undermine the controller's ability to assess the processor's compliance.
Where a competent supervisory authority requires an audit or inspection of the processor under data protection laws, the processor shall: (a) promptly inform the controller, unless legally prohibited, (b) cooperate with the authority to the extent required, (c) implement corrective measures where mandated by law.
If the controller requests assistance that involves significant manual effort or goes beyond standard documentation-based verification, the processor may charge reasonable fees for such assistance, provided such fees are communicated and agreed in advance.
12. Allocating responsibility and defining limitations of liability under this dpa
The parties agree that the liability limitations set forth in the agreement — including any caps on liability, exclusions of indirect, incidental, and consequential damages, and overall monetary limitations — apply equally and fully to this dpa, to the maximum extent permitted under data protection laws.
To the fullest extent permitted by law, the processor's total aggregate liability arising out of or in connection with this dpa, whether in contract, tort, or otherwise, shall not exceed the total fees paid by the controller under the agreement in the twelve (12) months preceding the event giving rise to the claim. Nothing in this dpa shall limit liability where such limitation is not permitted under applicable law, including liability for intentional misconduct or gross negligence.
The processor shall not be liable for any damages, claims, or losses arising from: (a) the controller's failure to comply with data protection laws, (b) the controller's unlawful or inappropriate use of the services, (c) personal data uploaded by the controller in violation of the agreement, this dpa, or the GDPR, (d) instructions issued by the controller that contravene applicable laws, (e) special categories of personal data introduced into the services by the controller, (f) data subject claims based on inaccurate or incomplete data supplied by the controller.
The controller shall indemnify, defend, and hold harmless the processor, its affiliates, officers, employees, and agents from and against all claims, damages, liabilities, penalties, costs, and expenses arising from: (a) the controller's breach of this dpa, (b) the controller's misuse of the services, (c) the controller's failure to obtain required consents or provide notices, (d) personal data provided to the processor in violation of statutory restrictions, (e) the controller's instructions that result in unlawful processing.
Each party remains responsible for its own compliance with GDPR and other applicable data protection laws. Nothing in this dpa shall be construed as shifting a party's statutory responsibilities.
13. Addressing supplementary contractual provisions governing this dpa
This dpa shall be governed by and construed in accordance with the laws of the Federal Republic of Germany, without regard to conflict-of-law principles. The exclusive place of jurisdiction for all disputes arising out of or in connection with this dpa shall be the courts of Memmingen, Germany, unless otherwise required by mandatory data protection laws.
The processor may update this dpa from time to time to reflect changes in legal requirements, technical measures, or sub-processor practices. The processor shall provide reasonable notice of material updates. Continued use of the services following such updates constitutes acceptance of the revised dpa.
Notices under this dpa must be provided in writing and delivered by email or other electronic means. Notices to the processor shall be sent to: support@offgen.ai. Notices to the controller shall be sent to the email address associated with the controller's account.
If any provision of this dpa is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid provision shall be replaced by a valid provision that most closely reflects the original intent.
This dpa becomes effective upon the controller's acceptance or execution of the agreement and shall remain in effect for the duration of the agreement, unless superseded by a later version or terminated earlier in accordance with the agreement. Sections of this dpa that by their nature should survive termination (including confidentiality, liability, and data deletion obligations) shall remain effective thereafter.
This dpa, together with the agreement and privacy policy, constitutes the entire agreement between the parties concerning the processing of personal data and supersedes all prior proposals, representations, or agreements relating to such subject matter.
Appendix A: Summarising the details of processing required under GDPR Articles 28 and 30
The processor may process personal data relating to the following categories of data subjects:
The processor may process the following categories of personal data:
Authentication & Account Data
Technical & Usage Data
Operational Data
Content-Adjacent Metadata
The processor may perform the following operations on personal data:
Personal data is processed exclusively for:
The processor engages the following sub-processors:
AI Processing
Hosting & Infrastructure
Analytics
Payments
Platform Integration
Depending on the controller's region:
Where data is transferred outside the EEA, the processor ensures:
The processor implements the following TOMs:
Technical Controls
Organisational Controls
Testing & Monitoring
Additional information regarding TOMs, sub-processors, and infrastructure may be provided upon reasonable request, subject to the restrictions in Section 11.