Data Processing Agreement (DPA)
Last updated: March 31, 2025
Important notice: This English version of the Data Processing Agreement applies exclusively to customers outside Germany, Austria, and Switzerland (the DACH region). For customers within the DACH region, only the German version of this Data Processing Agreement (Vereinbarung zur Datenverarbeitung) applies: https://www.centrldesk.com/de/dpa
xenthics Solutions GmbH, Alte Landstr. 25, 85521 Ottobrunn, Germany (“Processor”, “Contractor” or “xenthics”) provides the Centrldesk product to the Client (“Customer” or “Client”, together with the Processor “Parties”) for use on the basis of a separate agreement. In this context, personal data is also transferred between the Processor and the Customer. Therefore, the Parties enter into a data processing relationship pursuant to Article 28 of the General Data Protection Regulation (GDPR). In order to specify the rights and obligations arising from this data processing relationship in accordance with their statutory obligations, the Parties conclude the following agreement.
1. Scope of the Agreement
1.1 The Processor processes personal data on behalf of the Customer. In accordance with its due diligence obligations under Art. 28 GDPR, the Customer has selected the Processor as its service provider. This Agreement does not entail any transfer of substantive tasks.
1.2 In accordance with the intentions of both Parties, and in particular of the Customer, this Agreement constitutes the written instruction for commissioned data processing within the meaning of Art. 28 GDPR and governs the rights and obligations of the Parties in connection with such data processing.
1.3 Whenever the term “data processing” or “processing” (of data) is used, it is generally understood to mean the use of personal data. The use of personal data particularly includes the collection, storage, transmission, blocking, erasure, anonymization, pseudonymization, encryption, or any other form of use of the data.
2. Subject matter and duration of the contract
2.1 Subject of the collection, processing, and/or use of personal data: The Processor provides the Customer with a flexible platform (Centrldesk) for creating business applications via the internet. The Customer independently compiles the required applications and configures/administers the respective workspaces (Workspaces) under its own responsibility. The Customer decides which data will be used in the configured applications. Accordingly, the type of personal data is determined by the Customer through its processing in Centrldesk.
2.2 The group of data subjects whose personal data is processed includes employees and customers.
2.3 The intended processing of personal data serves
- the identification of authorized users of Centrldesk;
- correspondence with authorized users;
- use of the Centrldesk product under the concluded agreement (see also (1)); and
- a non-personal and identity-independent analysis and evaluation of Centrldesk usage to improve the range of services provided.
2.4 The commissioned processing relationship exists as long as the Customer maintains a contractual relationship with the Processor for the provision of services and other deliverables.
3. Rights and Obligations of the Customer; Authority to Issue Instructions
3.1 The Customer is responsible for complying with applicable data protection regulations, in particular for the lawfulness of transferring data to the Processor and for the lawfulness of data processing. The Customer may at any time request the release, rectification, erasure, or blocking of the data and of any data carriers provided. If a data subject contacts the Processor directly with a request for deletion or rectification of their data, the Processor shall forward this request to the Customer without undue delay.
3.2 The Customer has the right to issue instructions regarding the nature, scope, and method of data processing. An instruction is a written directive from the Customer concerning how the Processor should handle personal data. The instructions may be changed, supplemented, or replaced by the Customer in writing or in text form. If implementation of an instruction is unreasonable for the Processor, the Processor is entitled to terminate the processing and to terminate the contract extraordinarily. The Customer’s payment obligation ends when the Processor ceases to provide the service. Unreasonableness shall be deemed to exist in particular where the services are provided within an infrastructure used by multiple clients of the Processor (Shared Services) and a modification of the processing for individual clients is not possible or not reasonable.
3.3 The Processor shall inform the Customer without undue delay if, in its opinion, an instruction violates data protection regulations. The Processor is entitled to suspend implementation of the relevant instruction until the responsible person at the Customer confirms or modifies it. The Processor may refuse to implement an instruction that is clearly unlawful.
3.4 All instructions issued shall be documented by both the Customer and the Processor.
3.5 Upon completion of the processing services, the Processor shall, at the Customer’s option, either delete all personal data or return them to the Customer, provided that there is no obligation under Union law or the law of a Member State to further store the personal data. If the Customer does not exercise this option, deletion is deemed agreed. If the Customer opts for the return of the data, the Processor may charge a reasonable fee. The Processor shall provide the Customer with a cost estimate in advance.
3.6 The processing and use of data on behalf of the Customer shall take place within a Member State of the European Union or another state party to the Agreement on the European Economic Area, unless a transfer of data to a third country is required to provide the service. In the event that data is transferred to a third country, the Processor ensures that the requirements of Art. 44 et seq. GDPR are met.
4. Duties of the Processor
4.1 In addition to the contractual provisions set out in this Agreement, the following statutory obligations apply to the Processor.
4.2 The Processor shall ensure that the employees involved in processing the Customer’s data are bound by a confidentiality obligation pursuant to Art. 28(3)(b) GDPR and have been instructed in the data protection provisions of the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). This also includes informing them about the instruction-bound and purpose-bound nature of the processing in this commissioned data processing relationship.
4.3 The Processor shall inform the Customer without undue delay about any inspections or measures conducted by supervisory authorities or if a supervisory authority initiates an investigation into the Processor.
4.4 The Processor shall comply with the implementing regulations and the provisions governing data protection supervision under the applicable data protection laws.
4.5 Within its area of responsibility, the Processor shall organize its internal operations in such a way as to meet the specific data protection requirements. It shall implement technical and organizational measures appropriate to protect the Customer’s data against misuse and loss in accordance with Art. 32 GDPR; this specifically includes:
a) Preventing unauthorized persons from gaining physical access to the data processing facilities used to process and utilize personal data (physical access control);
b) Preventing unauthorized persons from using data processing systems (data access control);
c) Ensuring that those authorized to use a data processing system can access only the data within their access rights, and that personal data cannot be read, copied, modified, or removed without authorization during processing, use, and after storage (data usage control);
d) Ensuring that personal data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport or while stored on data carriers, and that it can be determined and verified to which entities a transfer of personal data is intended (transmission control);
e) Ensuring that it can be subsequently checked and determined whether, by whom, and when personal data have been entered into data processing systems, modified, or removed (input control);
f) Ensuring that personal data processed on behalf of the Customer can only be processed in accordance with the Customer’s instructions (job control);
g) Ensuring that personal data are protected against accidental destruction or loss (availability control);
h) Ensuring that data collected for different purposes can be processed separately (separation control).
The Processor’s current technical and organizational measures can be viewed at https://www.centrldesk.com/dpa. The Processor clarifies that the technical and organizational measures described at this link constitute technical descriptions only and are not deemed part of this Agreement. The Processor shall adapt its measures over time to reflect developments in the state of the art. Changes to the technical and organizational measures are permissible, provided that the level of protection required by Art. 32 GDPR is not thereby reduced.
4.6 The Customer shall verify compliance with the aforementioned obligations and document such compliance appropriately. For this purpose, the Processor shall provide the Customer, upon request, with all information necessary for fulfilling the Customer’s oversight obligations and make the relevant documentation available. As part of the Customer’s obligation to monitor compliance with the technical and organizational measures before the commencement of data processing and throughout the term of the Agreement, the Processor shall ensure that the Customer can verify compliance. At the Customer’s request, the Processor shall demonstrate the implementation of the technical and organizational measures pursuant to Art. 32 GDPR. Evidence of the implementation of such measures, which are not exclusive to the specific order, may also be provided by presenting a current certificate, reports from independent authorities (e.g., auditors, internal or external data protection officers, IT security department, data protection auditors), or suitable certifications from IT security or data protection audits (e.g., in accordance with BSI-Grundschutz).
4.7 The Customer may, at any time and during regular business hours, visit the Processor’s business premises for audit purposes, without disrupting normal business operations, in order to verify that the Processor’s measures comply with the technical and organizational requirements under the data protection laws applicable to commissioned data processing.
5. Notification of Breaches by the Processor
The Processor shall promptly notify the Customer of any disruptions, suspected data protection breaches or breaches of contractual obligations by the Processor, suspected security-related incidents, or other irregularities in the processing of personal data.
6. Deletion and Return of Data
6.1 Any data storage media and data records provided shall remain the property of the Customer.
6.2 After completion of the contractually agreed services or earlier at the request of the Customer, the Processor shall hand over to the Customer all documents, processing and usage results, as well as any data sets (including any copies or reproductions thereof) related to the commissioned relationship, or - subject to the Customer’s prior approval - destroy them in compliance with data protection requirements. The same applies to test and scrap material.
6.3 The Processor may retain documentation that serves as evidence of proper and compliant data processing in accordance with the applicable retention periods beyond the end of the contract. Alternatively, the Processor may deliver such documentation to the Customer at the end of the contract in order to discharge its obligations.
7. Subprocessors
7.1 The Customer grants the Processor a general authorization to engage additional subprocessors within the meaning of Art. 28 GDPR for the performance of this Agreement.
7.2 The subprocessors currently engaged by the Processor are listed in Annex B. The Customer expressly agrees to their engagement.
7.3 The Processor shall inform the Customer if it intends to change or replace any engaged subprocessors. The Customer may object to such changes.
7.4 An objection to the intended change must be lodged in writing, providing a reasonable justification, within 14 days of receiving notice of the change. In the event of an objection, the Processor may, at its discretion, continue to provide the services without implementing the proposed change or - if it is not feasible for the Processor to provide the services without the proposed change - discontinue the service affected by the change, upon giving reasonable notice (of at least 14 days) following receipt of the objection. The Customer’s payment obligation shall cease as of the date on which the Processor discontinues the service.
7.5 If the Processor engages additional subprocessors, the Processor shall ensure that it transfers its own data protection obligations under this Agreement to such subprocessors.
8. Ancillary Services
Sections 1 through 7 shall apply accordingly if testing or maintenance of automated processes or data processing systems is performed by third parties on behalf of the Processor and such activities may involve access to personal data.
9. Data Protection Audits
The Processor shall grant the Customer and the representative of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) access at any time during normal business hours for the fulfillment of their respective tasks related to this commissioned processing arrangement.
10. Liability and Compensation
10.1 In the event that a data subject asserts a claim for damages under Article 82 GDPR, the Parties agree to support one another and to contribute to clarifying the underlying facts.
10.2 The liability provisions agreed upon between the Parties for the performance of services also apply to any claims arising from this Data Processing Agreement and, in the internal relationship between the Parties, to any third-party claims under Article 82 GDPR, unless explicitly agreed otherwise.
11. Final Provisions
11.1 No verbal collateral agreements have been made. Any amendments or additions to this Agreement must be made in writing to be valid. This requirement of written form also applies to any amendment or waiver of this written form clause.
11.2 Should individual provisions of this Agreement be or become invalid or unenforceable, this shall not affect the validity of the remaining provisions. In such a case, the Parties undertake to agree on a provision that corresponds to the economic purpose of the invalid or unenforceable provision. The same applies in the event of any gap in this Agreement.
11.3 To the extent legally permissible, the exclusive place of jurisdiction for all disputes arising out of or in connection with this Agreement shall be the City of Munich, Germany.
Annex A
According to Art. 32 GDPR, the controller and the processor of personal data must take technical and organizational measures (TOM) to ensure that the security and protection requirements of data protection are met. Technical measures are to be understood as all protective measures that are physically implementable in the broadest sense, such as securing doors and windows, or measures implemented in software and hardware, such as setting up a user account and a password requirement. Organizational measures are to be understood as protective measures that are implemented through instructions, procedures and processes.
Category of Measures | Description of Category | Technical Measures | Organisational Measures |
Pseudonymisation and encryption | Cryptographic measures to ensure that information is hashed when transferred and can only become readable again by using the correct encryption key. | Encryption of "data in transit" | Internal instruction to anonymize/pseudonymize personal data in the event of disclosure or even after the statutory deletion period has expired |
Confidentiality – physical access control | Measures to prevent unauthorised persons from gaining access to data Processing systems with which personal data is processed or used. | Manual locking system | Key Regulation/List; Visitors' book/log of visitors; Visitors escorted by staff; Selection of security guards; Selection of cleaning services; Instruction for employees |
Confidentiality – data access control | Measures to prevent data Processing systems from being used without authorization. | Login with username + password | Manage user permissions |
Confidentiality – data usage control | Measures to ensure that persons entitled to use a data Processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, altered or removed without authorisation in the course of Processing or use and after storage. | Logging of access to applications, specifically when data is entered, modified and deleted; Regular security updates; Firewalls; Use of document shredders or appropriate service providers and physical erasure of data media prior to reuse | Deployment of authorization concepts |
Confidentiality – transmission control | Measures to ensure that personal data cannot be read, copied, altered or removed during electronic transmission or transport or storage onto data carriers, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged. | E-mail encryption; Logging of accesses and retrievals; Secure transport containers; Use of signature procedures; Documentation of all interfaces | Documentation of data recipients and the duration of the planned transfer or deletion periods; Overview of regular retrieval and transmission processes; Transfer in anonymized or pseudonymized form; Personal handover with protocol |
Confidentiality – separation control | Measures to ensure that data collected for different purposes can be processed separately. | Physical separation (systems / databases / data storages) | Authorization concepts |
Integrity – input control | Full documentation of data management and maintenance must be maintained to ensure the ongoing integrity of data. Measures for subsequent checking whether data has been entered, changed or removed (deleted), and by whom. | Technical logging of data entry, modification and deletion; Manual or automated control of the logs | Overview of programs which can be used to enter, change or delete data |
Availability – availability control | Measures to ensure that personal data is protected from accidental destruction or loss. | Cloud-based systems with own availability concepts and redundancy | Remote data backup at secure, off-site locations; Data backup concepts |
Availability – job control | Measures to ensure that, in the case of commissioned Processing of personal data, the data is processed only in accordance with the instructions of the Controller. | Prior review of the security measures taken by the contractor and their documentation | |
Resilience | Measures to ensure the resilience of the systems and services that guarantee that the systems and services are designed in such a way that even high peak loads and high continuous loads of Processing can be handled. | Monitoring of storage, access and resource usage | |
Restoration of availability and access | Measures to ensure that availability of and access to the data can be restored in a timely manner in the event of a physical or technical incident. | Services with own TOM | Verification of backup processes |
Data protection management | Measures to ensure a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the Processing. | Documented concepts; A review of the effectiveness of the technical protective measures is carried out at least annually | Employees sensitized to confidentiality/data secrecy at least annually; The organization complies with the information obligations according to Art. 13 and Art. 14 GDPR |
Annex B
Further processors are listed below:
Name of the further processor | Data processing purpose |
Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany | Cloud infrastructure services |
IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany | Cloud infrastructure services |
For Customers enabling AI-based functionality, the following further processors additionally apply:
Name of the further processor | Data processing purpose |
OpenAI Ireland Ltd, 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland | AI-based functionality |
Questions?
Please contact us at privacy@centrldesk.com if you have any questions.