Data Processing Agreement (DPA)

Last updated: 3rd of September 2025

This Data Processing Agreement (“DPA”) supplements the Productlane Terms of Service or other written agreement governing Customer’s use of the Services (the “Agreement”) between Productlane GmbH, a company incorporated in Germany with its registered office at Albert-Rosshaupter-Str. 3b, 81369 Munich, Germany (“Productlane”), and the entity identified as Customer in the Agreement (“Customer”).

By executing the Agreement, Customer enters into this DPA on behalf of itself and, where required under Data Protection Laws, on behalf of its Affiliates using the Services. Capitalized terms not defined here have the meanings in the Agreement.

1. Definitions

  • Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with a party (≥50% ownership or voting control), only for so long as such control exists.

  • Authorized Sub-processor means a third party engaged by Productlane to process Customer Personal Data in order to provide the Services, listed in Exhibit B or later authorized under Section 4.

  • Customer Account Data means personal data relating to Customer’s account with Productlane (e.g., admin names, contact details, billing).

  • Customer Usage Data means service usage/telemetry data generated by Customer’s use of the Services (e.g., logs, performance metrics) used to operate, secure, and improve the Services.

  • Customer Personal Data means personal data processed by Productlane on behalf of Customer within the Services (e.g., support messages, portal content) excluding Customer Account Data and Customer Usage Data.

  • Data Protection Laws means all applicable privacy/data protection laws and regulations, including GDPR, UK GDPR, the Swiss FADP, CCPA/CPRA, and implementing rules, as amended. Terms like controller, processor, personal data, processing, supervisory authority, and personal data breach have the meanings in GDPR.

  • EU SCCs means the European Commission’s Standard Contractual Clauses (2021/914) as incorporated in this DPA.

  • UK Addendum means the UK Information Commissioner’s International Data Transfer Addendum to the EU SCCs, as incorporated in this DPA.

  • Services means the Productlane services provided under the Agreement.



2. Scope; Roles; Customer Instructions



2.1 Roles. For Customer Personal Data, Customer is controller (or processor on behalf of a third-party controller) and Productlane is processor (or sub-processor). For Customer Account Data and Customer Usage Data, Productlane acts as an independent controller (see Section 8).



2.2 Instructions. Productlane will process Customer Personal Data only (a) to provide, maintain, and secure the Services; (b) as documented in the Agreement and this DPA (including transfers); and (c) as otherwise documented by Customer’s lawful instructions. Productlane will notify Customer if, in Productlane’s opinion, an instruction infringes Data Protection Laws.



2.3 Details of Processing. The subject matter, duration, nature and purpose of processing, categories of data subjects, and types of personal data are set out in Exhibit A.



2.4 Return/Deletion. Upon termination of the Services or at Customer’s written request, Productlane will delete or return Customer Personal Data (at Customer’s choice), unless retention is required by law. Certifications of deletion will be provided upon request where required by the EU SCCs/UK Addendum.



2.5 CCPA/CPRA. For Customer Personal Data, Productlane is a service provider/processor and will not sell or share such personal information nor use it for purposes other than providing the Services or as permitted by law.



3. Customer Responsibilities



Customer is responsible for (i) the accuracy, quality, and lawfulness of Customer Personal Data; (ii) providing any necessary notices and obtaining all required consents; and (iii) making lawful instructions.



4. Sub-processors



4.1 Authorization. Customer provides general written authorization for Productlane to use Sub-processors to provide the Services.



4.2 List & Updates. Current Sub-processors are listed in Exhibit B. Productlane will provide at least 15 days’ prior notice of any new Sub-processor by updating Exhibit B and/or notifying Customer via email subscription. Customer may object on reasonable data-protection grounds within 10 days of notice. If no commercially reasonable alternative is available, Customer may suspend the affected Service (without prejudice to fees accrued).



4.3 Flow-down. Productlane will impose data protection obligations on Sub-processors equivalent to those in this DPA and remains liable for their acts and omissions.



5. Security



5.1 Technical and Organizational Measures. Taking into account the state of the art, costs, and risks, Productlane implements appropriate technical and organizational measures to protect Customer Personal Data as described in Exhibit C (including encryption in transit and at rest, access controls, logging/monitoring, resilience, and backup/DR).



5.2 Confidentiality. Productlane ensures personnel accessing Customer Personal Data are subject to appropriate confidentiality obligations and receive security/privacy training.



5.3 Personal Data Breach. Productlane will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information to assist Customer in meeting its legal obligations (including GDPR Articles 33–34), consistent with law enforcement or regulatory restrictions.



6. Audits; DPIAs; Assistance



6.1 Assistance. Taking into account the nature of processing and available information, Productlane will assist Customer with DPIAs, data subject requests (see also Section 7), and security obligations under Data Protection Laws. Reasonable, documented costs of non-standard assistance may be charged.



6.2 Audit Rights. Upon written request no more than once per 12 months, Productlane will provide (a) available third-party security reports/certifications or (b) where insufficient, permit Customer (or an independent auditor bound by confidentiality) to perform a reasonable audit of Productlane’s data protection controls during normal business hours with 30 days’ notice, without disrupting operations, and limited to facilities, systems, and records relevant to the Services and Customer Personal Data. Customer bears audit costs; Productlane may charge reasonable fees for support.



7. Data Subject Requests



Where a data subject request relates to Customer Personal Data, Productlane will, where legally permitted, redirect the requester to Customer and reasonably assist Customer in responding, considering the nature of processing and available features. Customer remains responsible for responding to requests and for any applicable fees.



8. Productlane as Independent Controller



Productlane processes Customer Account Data and Customer Usage Data as an independent controller to: manage the relationship and billing; operate, secure, and improve the Services; detect, prevent, and investigate abuse/security incidents; comply with law; and as otherwise permitted by Data Protection Laws. Productlane may de-identify/aggregate data for legitimate purposes.



9. International Transfers



9.1 General. Customer Personal Data may be transferred and processed outside its origin country where necessary to provide the Services, subject to appropriate safeguards under Data Protection Laws.



9.2 EU/EEA/Switzerland. Where GDPR/Swiss FADP applies and Customer Personal Data is transferred to a country without an adequacy decision, the EU SCCs (2021/914) are incorporated by reference and deemed executed between the parties as completed below:

• Module Two (C2P) applies where Customer is controller and Productlane is processor;

• Module Three (P2Sub-P) applies where Customer is processor and Productlane is sub-processor.

For the EU SCCs: Clause 7 (docking clause) is not used; Clause 9 applies general authorization, with notice per Section 4.2; Clause 17 (governing law): Ireland; Clause 18 (forum): Ireland. Annex I/II/III details are in Exhibits A–C.



9.3 United Kingdom. For transfers under UK GDPR, the UK Addendum is incorporated and deemed executed (with Exhibits A–C completing the tables). If the ICO updates the Addendum, the newest version will automatically apply per its terms.



9.4 Supplementary Measures. Productlane maintains supplementary technical/organizational/legal measures consistent with EDPB guidance (see Exhibit C) and will notify Customer of any government access requests to the extent legally permitted.



10. Miscellaneous; Precedence



If there is a conflict, the order of precedence is: (1) EU SCCs/UK Addendum; (2) this DPA; (3) the Agreement. Liability and limitations in the Agreement apply to this DPA to the extent permitted by law. This DPA is governed by the governing law in the Agreement, except where the EU SCCs/UK Addendum specify otherwise.


Exhibit A — Details of Processing



Subject matter & purpose. Productlane processes Customer Personal Data to provide the Productlane customer support platform (support inbox, live chat widget, customer portal, docs/help center, changelog, AI features), including hosting, storage, transmission, display, logging, support, security, troubleshooting, and product improvement (as processor).



Duration. For the term of the Agreement plus any legally required retention period.



Data subjects. Customer’s end-users, employees/contractors, and other individuals whose data Customer submits to the Services.



Categories of personal data. Typically business contact data (name, email, role), support messages and attachments (free-text may incidentally include personal data), usage metadata (timestamps, IPs, device/browser information), and configuration data. Customer does not need to submit special category/sensitive data for normal Service use.



Special categories. Special category (sensitive) data is not intended to be processed, and Customer is discouraged from submitting it. If Customer nevertheless includes such data in support content, it will be processed under this DPA.



Processing operations. Collection, storage, retrieval, organization, transmission, display, deletion, and other operations necessary to deliver the Services per Customer’s instructions.



Processor/Sub-processor roles. Customer = controller (or processor); Productlane = processor (or sub-processor).


Exhibit B — Authorized Sub-processors



Sub-processor                        Purpose                                                                   Location/Region
-----------------------------------  ------------------------------------------------------------------------  ---------------
Amazon Web Services (AWS)            Primary hosting (compute, storage, databases)                             EU (Frankfurt)
Cloudflare, Inc.                     CDN, WAF, edge services                                                   Global
Sentry (Functional Software, Inc.)   Error tracking/monitoring                                                 US
PostHog                              Product analytics                                                         EU
Stripe, Inc.                         Payments/billing                                                          US
Resend                               Transactional email delivery                                              US
Loops                                Transactional email delivery                                              US
OpenAI                               AI inference for optional features (regional endpoints where configured)  EU
Flightcontrol                        Deployment/hosting platform services                                      US



Notes:

• Productlane will provide at least 15 days’ prior notice of changes via email.

• Where available, EU data residency options are enabled (e.g., AWS Frankfurt, PostHog EU). Some providers operate globally or in the US; transfers to them are covered by SCCs and supplementary measures.


Exhibit C — Technical & Organizational Security Measures



Organization & Policies

• Information Security Policy; Access Control; Acceptable Use; Secure SDLC; Vendor Management; Incident Response; Business Continuity & Disaster Recovery; Data Retention/Deletion.

• Roles and responsibilities defined; least privilege and need-to-know enforced.



Personnel Security

• Confidentiality agreements for employees/contractors.

• Onboarding/offboarding with timely access provisioning/deprovisioning.

• Security and privacy awareness training at hire and at least annually.



Access Controls

• Unique user IDs; MFA/SSO where supported; strong password policies.

• Role-based access control with periodic reviews; admin access restricted to authorized personnel.

• Production and non-production environments separated.



Infrastructure & Network Security

• Hosting on AWS (EU Frankfurt); private networking and security groups; Cloudflare WAF/CDN for internet-facing services.

• Encryption in transit (TLS 1.2+) and at rest (AES-256).

• Regular vulnerability management and dependency scanning; patch management through CI/CD workflows.

• Logging/monitoring with alerts (e.g., Sentry, platform logs).

• Backups in EU region with periodic restore testing; documented RTO/RPO.



Application Security

• Secure development lifecycle with code review, CI checks, and dependency scanning.

• Secrets management; separation of duties for deploys and sensitive actions.

• Regular security testing (internal and/or independent); remediation tracked to closure by engineering leadership.



Endpoint Security

• Company devices with full-disk encryption, screen-lock, and endpoint protection.

• Software installation restricted and monitored.

• Controls for removable media (restricted/encrypted where allowed).

• Ability to remotely wipe company data on lost/stolen devices (via device management or account revocation).



Incident Response

• Documented plan with defined roles, triage, containment, eradication, recovery, and post-incident review.

• Customer notification without undue delay after awareness of a breach affecting Customer Personal Data; timelines consistent with applicable law (e.g., GDPR 72-hour rule).



Data Subject Rights & Privacy

• Processes and tooling to export/delete Customer Personal Data upon Customer request.

• Data minimization and retention schedules tied to business/legal needs; secure deletion on request or contract end.



International Transfers

• EU SCCs (2021/914) and UK Addendum incorporated; supplementary measures applied (encryption, access controls, policies, and challenge of government requests where permitted).



EU SCCs & UK Addendum — Completion Language


By entering into the Agreement, the parties are deemed to have executed the EU SCCs (2021/914) and the UK Addendum, with:

  • Module Two (Controller-to-Processor) and/or Module Three (Processor-to-Sub-processor) as applicable;

  • Clause 9 (general authorization; notice per Sec. 4.2); Clause 17 Ireland; Clause 18 Ireland;

  • Annex I/II/III populated by Exhibits A–C of this DPA;

  • UK Addendum tables populated by Exhibits A–C.