Data Processing Agreement (DPA)

Latest update: May 19, 2023

according to Art. 28 GDPR


heylogin GmbH
Sophienstr. 40
38118 Braunschweig, Germany
(hereinafter "Contractor")


you‍(hereinafter "Client"),

collectively referred to as the "Parties".


The Client and the Contractor have concluded a framework agreement on the use of the password management system heylogin. For this purpose it is necessary that the Contractor processes personal data on behalf of the Client.

Having said this, the Parties hereby enter into the following Agreement on Commissioned Processing pursuant to Article 28 of the GDPR (hereinafter: "Agreement"):

1 Subject of the data processing

  1. The subject matter and duration of the data processing as well as the type and purpose of the processing result from the main contract and the service descriptions - which depend on the commissioned services. As a rule, the Contractor processes the following data for the Client:

    Personal data, communication data (e.g. name, position, telephone, e-mail)
    Type and purpose of processing: contract, communication, payment
    Categories of data: Employees of heylogin customers

    Stored data in heylogin (e.g. user names, URLs, passwords)
    Type and purpose of processing: password management; this data is not processed on servers, but only synchronized in an end-to-end encrypted way
    Categories of data: Employees of heylogin customers

    Device data
    Type and purpose of processing: troubleshooting, support
    Categories of data: Employees of heylogin customers
  2. The duration of this data processing corresponds to the term of the main contract.
  3. Processing includes collecting, arranging, storing, reading, using, transmitting and deleting personal data.

2 Scope of application and responsibility

  1. The Contractor shall process personal data on behalf of the Client. This includes activities that are specified in the main contract and in the associated service descriptions. Within the scope of this contract, the Customer shall be solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the Contractor as well as for the lawfulness of the data processing ("Responsible Party" within the meaning of Art. 4 No. 7 GDPR).
  2. The instructions shall initially be stipulated by the Contract and may thereafter be amended, supplemented or replaced by the Customer in writing or in an electronic format (text form) to the body designated by the Contractor by means of individual instructions (individual instructions). Instructions not provided for in the contract shall be treated as a request for a change in performance. Verbal instructions shall be confirmed immediately in writing or in text form.

3 Rights and obligations of the Client

  1. The Client is the responsible party pursuant to Art. 4 No. 7 GDPR for the processing of data on behalf of the Contractor. As such, he must inform his employees about which data he collects and forwards to the contractor.
  2. The Client shall inform the Contractor immediately and in full if it discovers errors or irregularities in the results of the order with regard to data protection regulations.
  3. The Customer shall name the Contractor the contact person for data protection issues arising within the scope of the contract.
  4. In the event of a claim against the Client by a data subject with regard to any claims under Art. 82 GDPR, the Client undertakes to support the Contractor in defending the claim to the extent of its possibilities.

4 Duties of the Contractor

  1. The Contractor may only process data of data subjects within the scope of the order and the Client's instructions unless there is an exceptional case within the meaning of Article 28 (3) a) of the GDPR. The Contractor shall inform the Customer without undue delay if it is of the opinion that an instruction violates applicable laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Client.
  2. The Contractor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. The Contractor shall take technical and organizational measures for the adequate protection of the Client's data which meet the requirements of the General Data Protection Regulation (Art. 32 GDPR) and ensure that the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing are permanently guaranteed. The Principal is aware of these technical and organizational measures and is responsible for ensuring that they provide an adequate level of protection for the risks of the data to be processed.
  3. An up-to-date list of technical and organizational measures can be found at
  4. Contractor may modify or update these measures at its sole discretion, provided that such modifications or updates are in accordance with the relevant state of the art and legal requirements.
  5. To the extent agreed, the Contractor shall support the Client within the scope of its possibilities in fulfilling the requests and claims of data subjects pursuant to Chapter III of the GDPR and in complying with the obligations set forth in Articles 33 to 36 of the GDPR.
  6. The Contractor warrants that the employees involved in the processing of the Client's data and other persons working for the Contractor are prohibited from processing the data outside the scope of the instruction. Furthermore, the Contractor warrants that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. The confidentiality/confidentiality obligation shall continue to exist after termination of the order.
  7. The Contractor shall inform the Client without undue delay if it becomes aware of any violations of the Client's personal data protection.
  8. The Contractor shall take the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subjects and shall consult with the Client on this without delay.
  9. The Contractor shall name the contact person for the Customer for data protection issues arising within the scope of the contract.
  10. The Contractor warrants to comply with its obligations under Article 32(1)(d) of the GDPR to implement a procedure for the regular review of the effectiveness of the technical and organizational measures to ensure the security of the Processing.
  11. The Contractor shall correct or delete the data that is the subject of the contract if the Client instructs it to do so and this is covered by the scope of the instructions. If a deletion in compliance with data protection or a corresponding restriction of data processing is not possible, the Contractor shall undertake the destruction of data carriers and other materials in compliance with data protection on the basis of an individual order by the Customer or shall return these data carriers to the Customer, unless already agreed in the contract.
  12. In special cases to be determined by the Client, storage or handover shall take place; remuneration and protective measures for this shall be agreed separately, unless already agreed in the contract.
  13. Data, data carriers as well as all other materials shall be either surrendered or deleted upon the client's request after the end of the order.
  14. If additional costs arise due to deviating specifications for the release or deletion of the data, these shall be borne by the client.
  15. In the event of a claim against the Principal by a data subject with regard to any claims under Art. 82 GDPR, § 3 (4) shall apply accordingly.

5 Inspection options

  1. Upon request, the Contractor shall prove to the Client compliance with the obligations set forth in this Agreement by appropriate means.
  2. If, in individual cases, inspections by the Client or an inspector commissioned by the Client are necessary, these shall be carried out during normal business hours without disrupting operations after notification and taking into account a reasonable lead time. The Contractor may make such inspections dependent on prior notification with a reasonable lead time and on the signing of a confidentiality agreement with regard to the data of other customers and the technical and organizational measures that have been set up. If the inspector commissioned by the Client is in a competitive relationship with the Contractor, the Contractor shall have a right of objection against the auditor.
  3. Should a data protection supervisory authority or any other sovereign supervisory authority of the Customer carry out an inspection, (2) shall apply accordingly in principle. It is not necessary to sign a confidentiality agreement if this supervisory authority is subject to professional or statutory confidentiality where a violation is punishable under the German Criminal Code.
  4. The Contractor processes data through mobile working or in private homes (home office). The Contractor shall also ensure the measures pursuant to Article 32 of the GDPR ("TOM") in this case.

6 Subprocessors

  1. The Customer agrees that the Contractor may use the subprocessors mentioned at within the framework of the data processing of this Agreement.
  2. The Contractor may commission further and/or other subprocessors, provided that the Contractor informs the Client thereof in text form and the Client has not objected to the intended commissioning at least in text form within a period of two weeks from receipt of the information. If no objection to the intended assignment is raised within the aforementioned period, this shall be deemed to be the Client's consent. If the Client raises an objection, the Contractor may, at its own discretion, provide the services without the intended commissioning. If it is not reasonable or possible for the Contractor to provide the Services without the intended assignment, the Contractor shall notify the Client thereof without undue delay. In this case, the Client may terminate the main contract between the Parties in writing within a period of two weeks from receipt of the Contractor's notification.
  3. The Contractor shall ensure that only those subprocessors are engaged who provide sufficient guarantees that appropriate technical and organizational measures are in place so that the processing of the Client's personal data is carried out in accordance with the requirements of the GDPR and applicable national data protection laws and the protection of the rights of the data subjects is ensured. The Contractor shall carefully select a subprocessor, paying particular attention to the suitability of the technical and organizational measures taken by the sub-processor, and shall regularly review the sub-processor's compliance with the legal and contractual data protection requirements.
  4. The Contractor shall ensure that the agreement reached between it and the subprocessor is governed by a written contract that contains at least the same data protection obligations for the subprocessor that are set forth in this Agreement for the Contractor. To the extent applicable to the Client, the Contractor shall also agree on the professional requirements of the Principal pursuant to § 43e BRAO in relation to the subprocessor.
  5. The disclosure of personal data to a subprocessor is only permitted if the Contractor has satisfied itself in a documented manner that the subprocessor fully complies with its obligations and that a contract has been concluded in accordance with Art. 28 GDPR.
  6. The Contractor shall remain responsible to the Client for compliance with the obligations under this Agreement and shall be liable to the Client if the subprocessor complies with its data protection obligations.

7 Transfer to third countries

Data processing shall take place exclusively within the territory of the Federal Republic of Germany, a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any transfer of processing to another country ("third country"), including through the involvement of any subprocessors, requires the prior consent of the Client and may only take place if the special requirements for data exports to third countries (esp. Art. 44 et seq. GDPR) are met.

8 Liability

The Client and the Contractor shall be liable to data subjects in accordance with the statutory provisions of Art. 82 of the GDPR.

9 Running time

This Data Processing Agreement shall automatically enter into force on the date of signing of the main contract and shall remain effective until the termination of the main contract. If desired, it can also be additionally signed by both parties.

10 Information obligations, written form clause, choice of law

  1. If the Customer's data at the Contractor is endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Customer thereof without undue delay. The Contractor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the Client as the "responsible party" within the meaning of the General Data Protection Regulation.
  2. Amendments and supplements to this Annex and all of its components - including any warranties of the Contractor - shall require a written agreement, which may also be in an electronic format (text form), and the express indication that it is an amendment or supplement to these Terms and Conditions. This shall also apply to the waiver of this formal requirement.
  3. In the event of any contradictions, the provisions of this Annex on data protection shall take precedence over the provisions of the Agreement. Should individual parts of this Annex be invalid, this shall not affect the validity of the rest of the Annex.