Data Processing Agreement (DPA) pursuant to Art. 28 GDPR
Last updated: 1 August 2025
By using the services of weblens GmbH, the Customer acknowledges and accepts this DPA as binding.
1. Parties to the Agreement
Controller:
The Customer (in particular, the operator of the website or online services in which the commissioned solution is deployed)
Processor:
weblens GmbH
Birkenstraße 23, 40233 Düsseldorf, Germany
Commercial Register: HRB 104423 (District Court Düsseldorf)
Managing Directors: Paul Tiedtke, Giovanni Cascio, Florian Piltz
2. Subject Matter of Processing
The Processor provides the Controller with services for the provision of an AI-powered dialogue and advisory solution to assist website or platform users, particularly in the areas of:
Information retrieval
Product recommendations
Decision-making support
Customer interaction (advice, navigation, lead generation)
Details on categories of personal data and data subjects are set out in Annex 1.
3. Term
This DPA remains in effect for the duration of the contractual relationship between the Parties.
4. Rights & Obligations
Controller:
Ensures compliance with the GDPR.
Issues documented instructions to the Processor.
Processor:
Processes personal data only on documented instructions from the Controller.
Implements appropriate technical and organisational measures in accordance with Art. 32 GDPR.
Assists the Controller in fulfilling data subjects’ rights.
5. Sub-Processors
Sub-Processor | Service Provided | Location | Data Transfer to Third Country | Safeguards
---|---|---|---|---
OpenAI Ireland Ltd. | Language processing API | Ireland / USA | Yes | SCC, DPA |
Cloudflare Inc. | CDN, DNS, TLS, DDoS protection, hosting | USA | Yes | SCC, DPA |
Neon Inc. | PostgreSQL hosting | USA | Yes | SCC, DPA |
Clerk Inc. | Authentication | USA | Yes | SCC, DPA |
Sentry Inc. | Logging, monitoring | USA | Yes | SCC, DPA |
Additional sub-processors may only be engaged following prior notification to the Controller.
6. Technical and Organisational Measures
See Annex 2.
7. Deletion of Data
Data will be deleted upon termination of the contract or upon instruction from the Controller, unless statutory retention obligations apply.
8. Audit Rights
The Controller may verify compliance with this DPA. The Processor shall provide all information reasonably required for such audits.
9. Confidentiality
All persons authorised to process personal data on behalf of the Processor are bound by confidentiality obligations.
10. Final Provisions
German law applies. Amendments must be made in written form. Continued use of the services following notification of amendments constitutes acceptance of such amendments.
Annex 1 – Description of Processing
Data Subjects: Website visitors, customers
Categories of Personal Data: Text entries, chat histories, IP addresses (if applicable), browser information
Processing Activities: Analysis, response generation, temporary storage for quality improvement
Retention Period: Only as long as necessary; deletion upon instruction or in accordance with statutory requirements
Annex 2 – Technical and Organisational Measures (TOMs)
Physical Access Control: Processing exclusively in certified data centres
System Access Control: User-based logins, secure authentication
Data Access Control: Role-based access, restricted to authorised personnel
Data Transfer Control: Encrypted transmission, contractual binding of sub-processors
Input Control: Logged administrative access
Processing Control: Processing only in accordance with contractual terms
Separation Control: Logical tenant separation
Erasure Control: Manual or automated deletion after fulfilment of purpose
Availability Control: Redundancy, backups
Privacy by Design: Data minimisation, transparency
Confidentiality: Staff training and confidentiality undertakings
Documentation: Documentation of TOMs for accountability purposes