Skip to content
Enterprise
🇩🇪 Deutsch 🇬🇧 English 🇫🇷 Français
Start your 90-day trial
Datargo OneEnterprise Single-pane-of-glass cockpit for enterprises. All modules from one source. Learn more
Flagships
Datargo Monitor Availability and security posture. Datargo CRM Support hub for every brand.
Operations & commerce
Datargo ID SSO and MFA for the whole suite. Datargo ERP GoBD-compliant commercial core.
Trust & crypto
NextPKINew Certificate lifecycle, 47-day ready.
Bundle of the month
Reliability Bundle

Datargo Monitor + NextPKI as a single billed package. NIS2 evidence and certificate lifecycle from one cockpit.

Learn more
By outcome
Reliability & security NIS2 evidence from monitoring + incident. Customer service hub Live chat, tickets, multi-brand. Identity & SSO One identity for all modules.
By compliance
NIS2-Evidence Evidence at the press of a button. DORA resilience Financial sector, register of information. ISO 27001 & GoBD Annex A controls and e-invoicing.
By size
Solo & indie team Productive in 5 minutes. Mid-market SSO, audit trail, multi-brand. Enterprise & public sector Hundreds of seats, region pinning.
Sovereignty Kit
NIS2 evidence package

Ready-made Datargo Monitor and Datargo CRM controls, mapped against NIS2 obligations. Start straight into the pilot.

Read the NIS2 whitepaper
Learn
Documentation Module guides, API reference, quick start. Best-practice guides NIS2 setup, multi-brand Datargo CRM, SSO rollout. Blog Release notes, compliance news, roadmap.
Trust
Trust Center Hosting, certificates, sub-processors. Status-Page Live availability of all Datargo modules. Legal & privacy DPA, sub-processor list.
Customers
Customer stories Case studies from finance, public, tech. Partner program System integrators, implementers, MSPs. Events & webinars it-sa, EIC, NIS2 roadshows.
From the cockpit
47-day TLS from 2029

NextPKI is already prepared for the new CA/B Forum reality. Whitepaper and migration guide available now.

Read the whitepaper
Platform Datargo Monitor Datargo CRM Datargo ID Datargo ERP NextPKI
Datargo One Pricing Compliance
Language
🇩🇪 Deutsch 🇬🇧 English 🇫🇷 Français
Start your 90-day trial Book a call
Skip to content
Legal

Data Processing Agreement (DPA)

Agreement on the processing of personal data on behalf of the controller pursuant to Art. 28 GDPR between the customer as controller and Datargo GmbH as processor.

1. Preamble and allocation of roles

(1) This Data Processing Agreement (hereinafter the “DPA”) sets out in concrete terms the data protection rights and obligations of the parties in connection with the processing of personal data that Datargo GmbH, Frankfurt am Main (hereinafter “Datargo” or the “Processor”), carries out on behalf of and in accordance with the instructions of the customer (hereinafter the “Customer” or the “Controller”) in the course of providing the modules Datargo Monitor, Datargo CRM, Datargo ID, Datargo ERP and NextPKI as well as the bundled offering Datargo One (individually and collectively hereinafter the “Services”).

(2) With respect to the personal data that the Customer introduces into the Services or that is processed via the Services, the Customer is the controller within the meaning of Art. 4 No. 7 GDPR. In this respect, Datargo is the processor within the meaning of Art. 4 No. 8 GDPR and processes personal data exclusively on behalf of and in accordance with the documented instructions of the Customer.

(3) This DPA is directed exclusively at entrepreneurs within the meaning of section 14 BGB (German Civil Code), at legal persons under public law and at special funds under public law.

(4) This DPA applies to all processing of personal data that Datargo carries out on behalf of the Customer within the scope of the main contract concluded between the parties (hereinafter the “Main Contract”), consisting of the General Terms and Conditions , the respectively applicable special module terms, the Service Level Agreement and any individual contracts. This DPA forms an integral part of the Main Contract.

(5) Terms used in this DPA with the meaning of the GDPR (such as “personal data”, “processing”, “data subject”, “personal data breach”, “supervisory authority”) are to be understood within the meaning of Art. 4 GDPR. “GDPR” refers to Regulation (EU) 2016/679. “Data protection law” refers to the GDPR as well as the data protection law of the member states applicable in each case, in particular the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

2. Subject matter, nature, purpose and duration of the processing

(1) The subject matter of the processing is the processing of personal data by Datargo to the extent necessary for the provision of the Services agreed in the Main Contract.

(2) The nature and purpose of the processing result from the Main Contract and the respective service description of the module used. Datargo processes personal data exclusively for the purpose of providing, operating, maintaining, servicing, securing and supporting the contractually agreed Services for the Customer. Datargo does not process personal data for its own purposes, in particular not for advertising, analytics or training purposes.

(3) The typical processing activities per module are set out in the following overview; the respective service description shall be authoritative:

ModuleTypical processing activity
Datargo MonitorStoring and analysing contact and escalation data for the delivery of notifications, as well as retaining the associated incident and delivery history.
Datargo CRMRecording, structuring, storing and sending contact, prospect and customer data as well as the associated communication.
Datargo IDManaging identity, authentication and authorisation data of the Customer’s users.
Datargo ERPProcessing master, transaction and document data including personal data contained therein (for example of the Customer’s contact persons, employees or business partners).
NextPKIProcessing certificate, key and request data including personal data contained therein.
Datargo OneProcessing of the bundled modules in accordance with the respective individual contract.

(4) Duration of the processing: The processing begins with the provision of the Services and ends with the termination of the Main Contract, subject to the provisions on deletion and return under Section 11. This DPA applies for the entire term of the Main Contract and beyond its termination for as long as Datargo processes the Customer’s personal data.

(5) Place of processing: The personal data processed on behalf of the Customer under this DPA is processed exclusively within the European Union. Hosting takes place in a data centre in Frankfurt am Main. This data is not processed in a third country within the meaning of Art. 44 et seq. GDPR (see Section 9).

3. Categories of data subjects and types of personal data

(1) The specific categories of data subjects and types of personal data are determined by the Customer by using the Services and introducing personal data. Datargo has no influence over this. The overview below describes the typical scope; the respective use by the Customer as well as the determination documented in Annex 1 shall be binding.

(2) Categories of data subjects (typical):

CategoryExamples
Employees and users of the CustomerStaff members, administrators, designated authorised representatives.
Contacts, prospects and customers of the CustomerContact persons, end customers, leads.
Business partners and service providers of the CustomerSuppliers, external service providers, contact persons.
Recipients of notificationsPersons contacted in the course of escalation and alerting workflows.

(3) Types of personal data (typical):

Type of dataExamples
Master dataName, form of address, function, organisational affiliation.
Contact dataEmail address, telephone number, postal address.
Contract and business dataDocuments, transactions, communication content (in the context of Datargo ERP/CRM).
Identification and access dataUser identifiers, authentication features, authorisations (in the context of Datargo ID/NextPKI).
Usage and log dataAccess, activity and security logs, to the extent that they can be related to a person.
Content dataContent entered or sent by the Customer.

(4) Special categories of personal data (Art. 9 GDPR) are not the subject of the Services. If the Customer nevertheless introduces such data, this is done under the Customer’s sole responsibility; in this case the Customer must ensure the additional requirements necessary under Art. 9 GDPR and must inform Datargo thereof in advance in text form, so that appropriate additional protective measures can be assessed.

4. Right to issue instructions and binding effect of instructions

(1) Datargo processes personal data exclusively within the scope of the Main Contract and in accordance with the documented instructions of the Customer, including with regard to transfers to a third country, unless Datargo is required to do so by Union or member state law to which Datargo is subject. In such a case, Datargo shall inform the Customer of these legal requirements prior to processing, unless that law prohibits such information on important grounds of public interest (Art. 28(3)(a) GDPR).

(2) The determinations made in the Main Contract and in this DPA shall be deemed the Customer’s documented initial instruction. Subsequent instructions shall be issued in text form or confirmed in text form without undue delay. Datargo documents the instructions issued.

(3) On the Customer’s side, the persons designated for this purpose are authorised to issue instructions. The Customer designates to Datargo a person authorised to issue instructions as well as that person’s deputy in Annex 2. Datargo may rely on the continued validity of the authority to issue instructions.

(4) Notice in the event of an unlawful instruction: If Datargo is of the opinion that an instruction of the Customer infringes data protection law, Datargo shall inform the Customer without undue delay (Art. 28(3) sentence 3 GDPR). Datargo is entitled to suspend the execution of the instruction in question until it is confirmed or amended by the Customer. Datargo is not obliged to carry out a comprehensive review of the lawfulness of the instructions.

(5) If an instruction goes beyond the contractually agreed scope of services or if its implementation causes more than insignificant additional effort, Datargo may make the implementation conditional on separate, reasonable remuneration, unless it concerns a mandatory statutory obligation.

5. Confidentiality and obligation of personnel

(1) Datargo ensures that the persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b), Art. 29 GDPR).

(2) Datargo obligates the persons involved in the processing to confidentiality and to data secrecy prior to the commencement of their activity and instructs them to an appropriate extent regarding the obligations arising from data protection law as well as the existing binding effect of instructions. The confidentiality obligation continues to apply after termination of the activity.

(3) Datargo ensures that access to personal data is limited to those persons who require it to perform their contractual tasks (principle of necessity, “need to know”).

(4) No data protection officer has been appointed, as there is no statutory obligation to appoint one under Section 38 BDSG; data protection enquiries should be directed to privacy@datargo.com .

6. Technical and organisational measures (TOMs)

(1) Datargo takes the technical and organisational measures required under Art. 32 GDPR to ensure a level of protection appropriate to the risk (Art. 28(3)(c) GDPR). The measures take into account the state of the art, the costs of implementation as well as the nature, scope, circumstances and purposes of the processing and the risk to the rights and freedoms of the data subjects.

(2) The specific technical and organisational measures are described in Annex 3 (TOMs) and form an integral part of this DPA. They include in particular measures in the following areas:

Area of protectionMeasures (overview)
ConfidentialityPhysical access, system access and data access control, strict multi-tenant separation, role-based authorisations, multi-factor authentication.
IntegrityEncryption in transit and at rest, tamper-proof audit trail, input and modification control.
Availability and resilienceRedundancy, data backup, recovery procedures, protection against unauthorised impairment.
Pseudonymisation and data separationSeparation by purpose and tenant, pseudonymisation where appropriate.
Procedures for regular reviewRegular assessment, testing and evaluation of the effectiveness of the measures.
Processing controlEnsuring processing in accordance with instructions.

(3) The technical and organisational measures are subject to technical progress and further development. Datargo is entitled to take alternative appropriate measures, provided that the level of protection of the agreed measures is not undercut. Datargo documents material changes affecting the level of protection and makes them available to the Customer upon request.

(4) The standards relevant to the security of the processing are demonstrated, where applicable, by recognised certifications and audit reports (see Section 12).

7. Engagement of further processors (sub-processors)

(1) The Customer grants Datargo the general authorisation to engage further processors (hereinafter “sub-processors”) within the meaning of Art. 28(2) sentence 1 and (4) GDPR. The sub-processors engaged at the time the contract is concluded are available at Sub-processors and are deemed authorised.

(2) Datargo contractually obligates the sub-processors to data protection obligations that correspond to those of this DPA, in particular to provide sufficient guarantees for the implementation of appropriate technical and organisational measures (Art. 28(4) GDPR). Where the sub-processor fails to fulfil its data protection obligations, Datargo remains liable to the Customer for the performance of the sub-processor’s obligations.

(3) Notice of change and right to object: Datargo shall inform the Customer of any intended addition or replacement of a sub-processor with a period of at least 30 days prior to the intended engagement. The notification is made by updating the list at Sub-processors and, to the extent the Customer has set this up, by notification to the contact provided. The Customer may object to the change within 14 days of the notification in text form on important grounds substantiated under data protection law.

(4) If the Customer objects in good time and on important grounds, the parties shall endeavour to reach an amicable solution. If such a solution cannot be reached and Datargo adheres to the use of the sub-processor in question, the Customer is entitled to extraordinarily terminate the part of the Services affected by the change with reasonable notice. No further claims exist in this respect.

(5) Sub-processors are engaged exclusively within the European Union. Sub-processors are engaged with processing in a third country only in accordance with Section 9.

(6) Ancillary services that Datargo procures from third parties as an incidental activity (such as telecommunications, maintenance or cleaning services) do not constitute sub-processors within the meaning of this Section, provided that they have no material connection to the processing of the Customer’s personal data. In this respect, too, Datargo takes appropriate measures to safeguard confidentiality.

8. Support of the controller

8.1 Support with data subject rights

(1) Datargo supports the Customer, insofar as possible, with appropriate technical and organisational measures in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (in particular access, rectification, erasure, restriction, data portability and objection) (Art. 28(3)(e) GDPR).

(2) If a data subject addresses such a request directly to Datargo, Datargo shall forward the request to the Customer without undue delay and shall not respond to it itself, unless the Customer has issued a deviating instruction to that effect.

8.2 Support with security, data protection impact assessment and notification obligations

(1) Taking into account the nature of the processing and the information available to Datargo, Datargo supports the Customer in complying with the obligations set out in Art. 32 to 36 GDPR (Art. 28(3)(f) GDPR), in particular with the security of the processing (Art. 32), the notification of personal data breaches (Art. 33, 34), the data protection impact assessment (Art. 35) and the prior consultation (Art. 36).

(2) Notification of personal data breaches: Datargo informs the Customer without undue delay, as a rule without culpable hesitation, after it has become aware of a breach of the protection of the Customer’s personal data (Art. 33(2) GDPR). The notification is made to the contact provided by the Customer and contains, to the extent available, the information set out in Art. 33(3) GDPR (nature of the breach, categories and number affected, likely consequences, measures taken or proposed, point of contact). If not all information is immediately available, it shall be provided in stages without undue further delay.

(3) The notification to the competent supervisory authority and, where applicable, the communication to the data subjects is the sole responsibility of the Customer as controller; Datargo does not make such a notification independently.

(4) To the extent that the support services under this Section 8 go beyond the contractually agreed scope of services or are based on circumstances attributable to the Customer, Datargo may claim reasonable remuneration for them. Support services in connection with a personal data breach for which Datargo is responsible are provided free of charge.

9. Data location, third-country transfer and international transmission

(1) The personal data processed on behalf of the Customer under this DPA is processed exclusively within the European Union, with hosting in Frankfurt am Main. This data is not transferred to a third country or to an international organisation within the meaning of Art. 44 et seq. GDPR; in this respect there is no access pursuant to the US CLOUD Act. The handling of the payment and invoicing relationship between Datargo and the Customer is not the subject of this data processing relationship; for this purpose Datargo is an independent controller and uses the payment service provider Stripe (Stripe, LLC, USA), whose transfer of personal data to the USA is safeguarded via the EU-US Data Privacy Framework (Art. 45 GDPR) and supplementary Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914 (details in the Privacy Policy ).

(2) Should, exceptionally and following a separate agreement, processing in a third country be considered, this shall take place only if the requirements of Art. 44 to 49 GDPR are met, in particular if an adequacy decision of the European Commission exists or appropriate safeguards, in particular the Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914, have been agreed and, where necessary, a transfer impact assessment has been carried out and safeguarded by supplementary measures.

(3) Region pinning as well as further operating and sovereignty options can be agreed via Datargo One.

10. Obligations and rights of the controller

(1) As controller, the Customer is solely responsible for the permissibility and lawfulness of the processing and for safeguarding the rights of the data subjects (Art. 24, 28(3) sentence 1 GDPR). In particular, the Customer ensures that a valid legal basis exists for the processing it initiates and that the required information obligations under Art. 13, 14 GDPR are fulfilled.

(2) The Customer is responsible for issuing and documenting the instructions as well as for determining the categories of data subjects and types of data. The Customer informs Datargo without undue delay if, when reviewing the processing results, it identifies errors or irregularities with regard to data protection provisions.

(3) The Customer designates to Datargo the persons authorised to issue instructions and to act as contacts for the data processing, as well as a point of contact for notifications under Section 8.2.

(4) To the extent that the Customer is legally obliged to provide information on the processing to authorities or data subjects, Datargo supports the Customer within the scope of Sections 8 and 12.

11. Deletion and return upon termination

(1) After the end of the processing activities, Datargo shall, at the Customer’s choice, return all personal data to the Customer or delete it and delete existing copies, unless there is an obligation to store the personal data under Union or member state law (Art. 28(3)(g) GDPR).

(2) Datargo makes the personal data available to the Customer for export after termination of the Main Contract for a period of 30 days in a common, structured and machine-readable format. This period and the modalities of the export are governed by the provisions of the Main Contract, to the extent that separate agreements have been made there.

(3) After expiry of the export period and any agreed transition period, the personal data including existing copies shall be deleted within 30 days using recognised procedures. Data backups are deleted within the regular deletion and overwriting cycles.

(4) To the extent that statutory retention obligations preclude deletion, the data concerned shall be blocked and processed only to the extent of the statutory obligation; once the retention obligation no longer applies, it shall be deleted.

(5) Datargo documents the deletion or return and demonstrates it to the Customer in an appropriate manner upon request.

12. Verification, control and audit rights

(1) Datargo makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (Art. 28(3)(h) GDPR).

(2) Priority of document-based evidence: Compliance with the technical and organisational measures may primarily be demonstrated by the provision of suitable, current evidence, in particular by recognised certifications, attestations or independent audit reports (such as ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type II reports or a BSI C5 attestation), by approved codes of conduct or by meaningful self-disclosures. The Customer accepts such evidence to the extent that it covers the area examined and is current.

(3) On-site audit: To the extent that document-based evidence is not sufficient in an individual case, the Customer has the right to carry out an on-site review or to have it carried out by an auditor bound to professional secrecy who is not in competition with the parties. The following applies to the conduct of the review:

AspectProvision
AnnouncementPrior announcement in text form with reasonable notice, as a rule at least 14 days, except in the case of imminent danger or following a personal data breach.
FrequencyAs a rule no more than once per calendar year; additional reviews where there is a concrete cause (for example following a personal data breach or at the request of a supervisory authority).
Business operationsConducted during normal business hours and without disproportionate impairment of Datargo’s operations.
ConfidentialitySafeguarding confidentiality, multi-tenant separation and the data protection and security interests of other customers; no inspection of third-party data.
CostsThe Customer bears the costs of routine reviews; Datargo bears the costs of reviews occasioned by a breach of duty for which Datargo is responsible. Datargo may claim reasonable remuneration for support that goes beyond the usual effort.

(4) Extended rights of regulated customers: For customers that, as financial entities within the meaning of Regulation (EU) 2022/2554 (DORA) or as important or critical entities within the meaning of Directive (EU) 2022/2555 (NIS2) and its national implementation, are subject to extended regulatory requirements, supplementary information, access and audit rights apply, including the rights of the competent supervisory and resolution authorities. These are governed by the DORA Addendum , which, for the customers concerned, takes precedence over this Section in this respect.

(5) Datargo informs the Customer without undue delay if it is of the opinion that an instruction infringes data protection law (see Section 4(4)) and informs the Customer, to the extent legally permissible, of requests from supervisory authorities or other governmental bodies relating to the processing of the Customer’s personal data.

13. Liability

(1) The liability provision of the Main Contract, in particular Section 9 of the General Terms and Conditions , which applies as the single core provision for the entire contractual relationship, shall govern the liability of the parties. This DPA does not establish any independent or extended contractual liability.

(2) Liability in the external relationship towards data subjects as well as the allocation of liability between controller and processor under Art. 82 GDPR remain unaffected by paragraph 1. Mandatory statutory liability, in particular for intent and gross negligence, for damage arising from injury to life, body or health, under the German Product Liability Act (Produkthaftungsgesetz, ProdHaftG) and from an assumed guarantee, remains unaffected in any case.

(3) In the internal relationship, the parties bear any compensation paid under Art. 82 GDPR in accordance with their respective share of responsibility for the damage that occurred; in all other respects, the liability provision of the Main Contract applies.

14. Final provisions

(1) Relationship to the Main Contract and order of precedence: This DPA supplements the Main Contract. In the event of conflicts between this DPA and the other components of the Main Contract, this DPA shall prevail in matters concerning the processing of personal data. In all other respects, the following order of precedence applies: individual agreement before this DPA before the Service Level Agreement and the special module terms before the General Terms and Conditions . The liability provision under Section 13 remains unaffected by this.

(2) Annexes: The following annexes form an integral part of this DPA: Annex 1, Annex 2 and Annex 3 (TOMs) as well as the respectively current list of Sub-processors .

(3) Text form and amendments: Amendments and supplements to this DPA require text form. This also applies to the waiver of this text form requirement. Individual contractual agreements take precedence in any case (section 305b BGB).

(4) Applicable law and place of jurisdiction: The law of the Federal Republic of Germany applies, to the exclusion of the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction for all disputes arising out of or in connection with this DPA is, to the extent that the Customer is a merchant, a legal person under public law or a special fund under public law, Frankfurt am Main. Mandatory statutory places of jurisdiction remain unaffected.

(5) Severability clause: Should individual provisions of this DPA be or become wholly or partly invalid or unenforceable, the validity of the remaining provisions shall remain unaffected. The statutory provision shall take the place of the invalid or unenforceable provision.

(6) Obtaining the signature-ready DPA: Business customers can obtain the signature-ready DPA including the annexes via hello@datargo.com or in the Trust Center .

Annex 1: Categories of data subjects and types of personal data

This Annex sets out in concrete terms the categories of data subjects and types of personal data described in Section 3 of this DPA. The actual form depends on the modules used by the Customer and its configuration; the respective use by the Customer shall be binding.

(a) Categories of data subjects

Category of data subjectsDescription
Users and employees of the CustomerStaff members, administrators and other persons who work with the Services on behalf of the Customer or are managed via them.
Contact persons of the CustomerDesignated contacts and authorised representatives of the Customer, for example for contractual, data protection or technical matters.
Contacts, prospects and end customers of the CustomerNatural persons whose data the Customer processes via Datargo CRM, for example the Customer’s leads, contact persons and end customers.
Data subjects from the systems monitored by the CustomerNatural persons whose data, to the extent that it can be related to a person, is processed via Datargo Monitor in the course of monitoring, escalation and alerting workflows.
Business partners and service providers of the CustomerSuppliers, external service providers and their contact persons, to the extent that the Customer processes their data via the Services.

(b) Types of personal data per module

ModuleTypical types of personal data
Datargo MonitorContact data, usage and log data, technical connection data as well as personal data from the incident and delivery history, to the extent that it can be related to a person.
Datargo CRMMaster data, contact data as well as communication and content data (for example the content of transactions, tickets and chat communication).
Datargo IDAuthentication and identity data, user identifiers and authorisations as well as associated usage and log data.
Datargo ERPMaster data, contact data as well as contract and billing data including personal data contained therein (for example of the Customer’s contact persons, employees or business partners).
NextPKIIdentification and request data in connection with certificates and keys as well as associated log data, to the extent that it can be related to a person.
Datargo OneTypes of personal data of the bundled modules in accordance with the respective individual contract.

Across all modules, general usage and log data as well as technical connection data may also arise, to the extent that they can be related to a person.

(c) Clarification regarding special categories

Special categories of personal data within the meaning of Art. 9 GDPR as well as data relating to criminal convictions and offences within the meaning of Art. 10 GDPR are not the subject of the Services. If the Customer nevertheless introduces such data, this is done under the Customer’s sole responsibility (see Section 3(4)). The specific form of the above categories and types of data depends on the modules used by the Customer and its configuration.

Annex 2: Contact persons and persons authorised to issue instructions

This Annex names the contact persons and persons authorised to issue instructions of the parties (see Section 4(3) as well as Section 10(3)). The tables below are to be completed by the parties.

(a) On the Customer’s side

FunctionDetails
Person(s) authorised to issue instructions and deputyAndreas Mallek, Managing Director, privacy@datargo.com
Technical point of contactAndreas Mallek, Managing Director, privacy@datargo.com
Data protection contact (point of contact for notifications under Section 8.2)Andreas Mallek, Managing Director, privacy@datargo.com

(b) On the side of Datargo GmbH

FunctionDetails
Point of contact for requests under this DPAhello@datargo.com
Data protection officer (where designated)None appointed; no obligation to appoint one under Section 38 BDSG. Data protection enquiries: privacy@datargo.com

Changes to the above details are to be communicated to the parties in text form. They take effect upon receipt of the communication and do not require an amendment of this DPA.

Annex 3: Technical and organisational measures (TOMs)

This Annex describes the technical and organisational measures taken by Datargo pursuant to Art. 32 GDPR (see Section 6). It forms an integral part of this DPA.

(1) Confidentiality

Area of measuresDescription
Physical access controlProcessing on own infrastructure in a data centre in Frankfurt am Main with physical access security (for example restriction of access to authorised persons, single-person entry control, monitoring and logging of entries).
System access controlProtection against unauthorised system use through personal authentication, multi-factor authentication for administrative and sensitive access as well as restrictive default settings based on the principle of denial in case of doubt (deny by default).
Data access controlRole-based assignment of authorisations based on the principles of necessity (need to know) and least privilege as well as logging of access to personal data.
Separation controlStrict separation of the data of different customers (multi-tenant separation) deep within the platform as well as separation of production and test environments.
Pseudonymisation and encryptionEncryption in transit in accordance with the state of the art as well as encryption of data at rest; pseudonymisation where appropriate. In particular: transport encryption (TLS) for all connections, encryption of data at rest, and storage of passwords exclusively as a hash.

(2) Integrity

Area of measuresDescription
Transfer controlProcessing exclusively within the European Union as well as encrypted transmission of personal data.
Input controlTraceability of entries, changes and deletions through a tamper-proof, append-only log and evidence trail (append-only audit trail) with end-to-end traceability.

(3) Availability and resilience

Area of measuresDescription
Availability controlOngoing monitoring, redundant design, protection against overload and against overload attacks (DDoS) as well as regular data backups, in particular daily backups together with continuous transaction logs.
Rapid recoverabilityRestart and contingency concept for the rapid restoration of the availability of personal data after a physical or technical incident, with target values of recovery time (RTO) of up to 4 hours and maximum data loss (RPO) of up to 24 hours.

(4) Procedures for regular review, assessment and evaluation

Area of measuresDescription
Data protection managementDefined responsibilities, policies and processes to ensure and review compliance with data protection law.
Incident and incident response managementDefined process for the detection, assessment and handling of security and data protection incidents, including the notification process towards the Customer (see Section 8.2).
Processing and sub-processor controlEnsuring processing in accordance with instructions as well as contractual onward obligation of the sub-processors to corresponding protective measures (see Section 7).
Regular reviewsRegular review and assessment of the effectiveness of the measures, including annual external penetration tests as well as regular patch management.
Training and obligation of personnelObligation of the persons involved in the processing to confidentiality and data secrecy as well as regular awareness-raising and training (see Section 5).
Data protection by design and by defaultConsideration of data protection by design (privacy by design) and through data protection-friendly default settings (privacy by default) pursuant to Art. 25 GDPR.

Clarification on worldwide check nodes: The technical reachability and availability checks (check regions/check nodes) are carried out in part via third-party infrastructure worldwide. At these check nodes, only non-personal raw data of the technical checks (target system, response times, status) is processed; customers’ personal data is not stored or processed there and remains within the European Union.

The above measures are continuously adapted to the state of the art. Changes may not undercut the agreed level of protection (see Section 6(3)).

Authoritative language version

This document is provided in German, English and French. The English and French versions are translations provided solely for convenience. The German version is authoritative and solely binding in the event of any dispute or any difference of interpretation or translation.

Datargo Datargo

The European Business Operations Platform. Monitoring, customer service, identity, accounting, and certificates in one sovereign suite. Auditable by design. Made in Germany.

EU hosting, Frankfurt GDPR-native Made in Germany
Platform
  • Datargo One
  • Datargo Monitor
  • Datargo CRM
  • Datargo ID
  • Datargo ERP
  • NextPKI
Solutions
  • Reliability & Posture
  • Customer service hub
  • Identity & SSO
  • Commerce & GoBD
  • Scaling
Compliance
  • NIS2 evidence
  • DORA resilience
  • ISO 27001 mapping
  • GoBD & e-invoicing
  • Sovereignty
Industries
  • Financial services
  • Public sector
  • Health & pharma
  • Industry & TISAX
  • SaaS & tech
Resources
  • Trust Center
  • Documentation
  • Status page
  • Customer stories
  • Partner program
  • Blog
Company
  • Datargo One for enterprises
  • Start your 90-day trial
  • Book a call
  • Contact
  • Careers
© 2026 Datargo GmbH. All rights reserved.
Imprint Privacy Terms DPA SLA Sub-processorsDORA / NIS2
Germany · English

Datargo® and Databurg® are registered trademarks of Datargo GmbH. All other product names, logos, and trademarks mentioned are the property of their respective owners.

Cookies & optional features. Datargo uses technically necessary cookies. Optionally we enable comfort features such as our live-chat support, an in-house Datargo service that processes personal data in the process. You can accept everything or keep only the necessary cookies.

More in the privacy policy