Data Processing Agreement

This CarriedAI Data Processing Agreement (the “DPA”) is entered into and becomes effective in conjunction with the Order Form and the CarriedAI Master Terms, and shall take effect on the date specified in the applicable Order Form (the “Effective Date”). This DPA is made by and between:

The individual or entity listed on the Order Form as “Customer” (“Customer”)

- hereinafter referred to as the "Controller" -

and CarriedAI GmbH with a principal place of business at Goethestr. 5, 10623 Berlin (“CarriedAI”),

- hereinafter referred to as the "Processor" -

- jointly referred to as the "Parties" -

The following Data Processing Agreement is concluded:

PREAMBLE.

The Parties have entered into a data processing relationship pursuant to the Order Form and the CarriedAI Master Terms. In order to define the respective rights and obligations in accordance with the European General Data Protection Regulation (Regulation (EU) 2016/679 – “GDPR”), the Parties hereby enter into the following Data Processing Agreement.

§ 1. SCOPE OF APPLICATION.

(1.1) This agreement applies to all processing of personal data that is subject to the Order Form and the CarriedAI Master Terms or arises from its execution and is carried out on behalf of the Controller. Employee data of the Processor is excluded unless directly related to this agreement. 

(1.2) This agreement takes precedence over other agreements unless otherwise explicitly agreed between the Parties.

§ 2. SPECIFICATION OF PROCESSING.

(2.1) The subject, duration, scope, type, and purpose of data processing are set out in the Order Form and the CarriedAI Master Terms.

(2.2) Types of personal data processed: Name, Location, Birth Date, Position, Professional Experience, Education, Gender, Email, Phone, Skills, Interests, Social Media.

(2.3) Categories of data subjects: Startup Founders, Startup Managers, Investors, Startup Employees, Investors’ Employees.

(2.4) No special categories of data are processed. 

(2.5) The data processed does not require enhanced or special protection measures under GDPR.

§ 3. DUTIES AND INSTRUCTION RIGHTS.

(3.1) Both Parties must comply with data protection laws, especially the GDPR. The Controller may request correction, deletion, restriction, or return of data at any time. 

(3.2) The Processor must support the Controller in protecting data subject rights. 

(3.3) Any requests from data subjects must be forwarded to the Controller without delay. 

(3.4) Changes in processing must be coordinated and documented. 

(3.5) Disclosure to third parties requires prior written consent unless disclosure is legally required, in which case the Processor shall, where legally permissible, inform the Controller prior to disclosure.

(3.6) No personal data may be used for other purposes without consent. 

(3.7) The Controller maintains the processing activities record (Art. 30(1) GDPR); the Processor maintains a similar record per Art. 30(2).

§ 4. LEGAL OBLIGATIONS OF THE PROCESSOR.

(4.1) Authorized personnel must be bound to confidentiality and informed of the purpose and instructions. 

(4.2) The Parties assist each other in demonstrating compliance and implementing technical and organizational measures.

(4.3) The Processor must share the contact of its DPO or a privacy contact person with the Controller.

(4.4) The Processor informs the Controller of any regulatory audits or inquiries.

§ 5. TECHNICAL AND ORGANIZATIONAL MEASURES (TOM).

(5.1) A list of TOMs is available upon request.

§ 6. NOTIFICATION OF VIOLATIONS.

The Processor must notify the Controller immediately of severe disruptions, suspected breaches, or data protection violations and support the Controller in fulfilling notification obligations under GDPR Articles 33 and 34. The notification must, where possible, include all information required under Article 33(3) GDPR.

§ 7. DELETION AND RETURN OF DATA.

(7.1) Data carriers remain property of the Controller.

(7.2) Upon contract termination or request, all personal data must be returned or securely deleted, including any copies.

(7.3) Documentation required for legal obligations may be retained by the Processor, provided that such documentation is subject to ongoing confidentiality and data protection obligations.

§ 8. SUBPROCESSORS.

(8.1) Subprocessors may be engaged only with specific or general prior approval by the Controller. The Controller must be informed and can object. Objections by the Controller must be based on legitimate data protection grounds. Subprocessors are detailed in the attached annex.

(8.2) The Controller has audit and information rights regarding subprocessor arrangements. Audits shall be conducted during regular business hours with reasonable notice, to balance the Processor’s operational concerns.

§ 9. DATA PROTECTION AUDIT.

The Processor must allow access and cooperation with the Controller’s DPO, including inspection rights.

§ 10. LIABILITY AND COMPENSATION.

This section refers to GDPR Article 82 regarding liability and compensation.

§ 11. FINAL PROVISIONS.

(11.1) Amendments require written form and explicit indication. 

(11.2) Invalid clauses do not affect the rest. The closest valid provision replaces any invalid clause.