Steinpilz Risotto UG (haftungsbeschränkt)
Scope
You are a customer who has entered into a contract with Steinpilz Risotto UG (haftungsbeschränkt) for the use of the time-tracking software, hereinafter: “Fritto Time-Tracking Software.” You are subject to the General Terms and Conditions applicable at the respective time for the aforementioned services (the “General Terms and Conditions”).
In order for you to use the Fritto Time-Tracking Software, Steinpilz Risotto UG (haftungsbeschränkt) must access and process personal data on your behalf. Steinpilz Risotto UG (haftungsbeschränkt) acts as the processor of this personal data, while you act as the controller for this personal data. Therefore, Steinpilz Risotto UG (haftungsbeschränkt) is required to enter into a data-processing agreement with the customer.
Accordingly, this Data Processing Agreement is concluded between (a) the customer using the services of Steinpilz Risotto UG (haftungsbeschränkt), and (b) Steinpilz Risotto UG (haftungsbeschränkt).
By accepting the General Terms and Conditions, the customer accepts and agrees to this DPA, which thereby enters into force in accordance with applicable laws.
Last amended on: 09.12.2025
Contents
- Preliminary Remarks
- Subject Matter, Duration, and Purpose of the Agreement
2.1 Subject Matter of the Assignment
2.2 Duration of this Assignment
2.3 Nature, Scope, and Purpose of Data Processing
- Technical and Organizational Measures (“TOM”)
- Obligations of the Controller
- Obligations of the Processor
5.1 Duty of Cooperation
5.2 Duty to Report and Notify
5.3 Control Actions at the Processor
5.4 Rectification, Blocking, and Deletion of Data
5.5 Obligation to Appoint a Data Protection Officer
5.6 Obligation to Maintain Confidentiality
5.7 Implementation and Verifiability of Compliance with TOM
5.8 Purpose Limitation
5.9 Quality Assurance / Self-Monitoring
5.10 Designation of Persons Authorized to Receive Instructions
5.11 Obligation to Assist with Requests from Data Subjects
- Sub-Processing Relationships
- Rights of Inspection by the Controller
- Authority to Issue Instructions by the Controller
- Deletion and Return of Data
- Final Provisions
Appendix 1: Nature, Scope, and Purpose of Data Processing
Appendix 2: Data Protection Officer, Sub-Processing Relationships, and Persons Authorized to Receive Instructions for the Processor
Appendix 3: TOM of the Processor according to Art. 32 GDPR
- Preliminary Remarks
The controller is externally—i.e., toward third parties and data subjects—responsible for the lawfulness of the collection and use of the controller’s data as contractually agreed. The controller is also externally responsible for safeguarding the rights of data subjects.
In the course of the activities and/or services carried out by the processor for the controller, it cannot be ruled out that the processor may also gain access to personal data. If this occurs, the processor processes the controller’s personal data on behalf of the controller.
The controller has selected the processor as a service provider in accordance with the due-diligence obligations of Art. 28(1) GDPR. A prerequisite for permissible data processing on behalf is that the controller issues a written assignment to the processor. This agreement constitutes such a written assignment for data processing within the meaning of Art. 28 GDPR, reflecting the intent of both parties, particularly the controller. It governs the rights and obligations of the parties regarding data processing.
Wherever the term “data processing” or “processing (of data)” is used in this agreement, it refers generally to the use of personal data. Where the term “controller data” is used, it refers to personal data within the meaning of the German Federal Data Protection Act (BDSG). The use of personal data includes, in particular, the collection, storage, transmission, blocking, deletion, anonymization, pseudonymization, encryption, or any other form of data use.
The special appendices are part of this agreement. Material changes must be documented in writing.
- Subject Matter, Duration, and Purpose of the Agreement
2.1 Subject Matter of the Assignment
A precise description of the subject matter, as well as the nature and scope of service provision, is set out in Appendix 1.
2.2 Duration of this Assignment
The duration of this assignment (term) corresponds to the term of the main contract.
The right to terminate without notice remains unaffected.
The controller may terminate the contract at any time without notice if there is a serious breach of applicable data-protection regulations or of obligations under this agreement by the processor, if the processor cannot or will not implement an instruction from the controller, or if the processor unlawfully refuses access to the controller or the competent supervisory authority.
2.3 Nature, Scope, and Purpose of Data Processing
The processor collects, processes, and uses the controller’s data exclusively on behalf of and according to the instructions of the controller within the meaning of Art. 28 GDPR (processing on behalf). The controller remains the responsible body in the sense of data-protection law (the “owner of the data”).
The contractually agreed data processing takes place exclusively in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Transfer to a third country is permitted if the processor considers it necessary for fulfilling the assignment. The processor provides the controller with the list of subcontractors used in Appendix 2.
The processor may collect and use controller data only in the manner, to the extent, and for the purposes defined exclusively in Appendix 1 (“Nature, Scope, and Purpose of Data Processing”). The collection and use of controller data may only concern the data types and categories of data subjects defined in Appendix 1. Any deviation from or extension of these purposes is prohibited, especially use for the processor’s own purposes.
By signing the main contract, the controller generally consents to the data processing. The type of data processing is definitively listed in Appendix 1.
- Technical and Organizational Measures (“TOM”)
The processor must document the implementation of the required technical and organizational measures before processing begins—especially with regard to the specific execution of the assignment—and present this documentation to the controller for inspection upon request. This documentation includes the measures implemented by the processor to protect the data. If the controller’s audit reveals the need for adjustments, these must be implemented by mutual agreement.
The measures to be taken are non-assignment-specific measures relating to:
- Pseudonymization and encryption of personal data
- Ensuring confidentiality, integrity, availability, and resilience of systems and services
- Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of TOM for ensuring security of processing
The measures implemented by the processor are listed in Appendix 3.
Special measures relating to:
- The type of data exchange
- Provision of data, nature/circumstances
- Processing/data storage
- Nature/circumstances of output/data transmission
are also to be documented in Appendix 3 unless already covered in the main contract.
The processor must ensure security in accordance with Art. 28(3)(c) and Art. 32 GDPR, in conjunction with Art. 5(1) and (2) GDPR. Measures must guarantee an adequate level of protection regarding confidentiality, integrity, availability, and resilience. The state of the art, implementation costs, nature, scope, and purposes of processing, as well as the likelihood and severity of risks to the rights and freedoms of natural persons must be considered (details in Appendix 1).
TOM are subject to technical progress. The processor may implement equivalent alternative measures, provided the security level is not reduced. Significant changes must be documented.
- Obligations of the Controller
The controller is responsible for safeguarding the rights of data subjects (Art. 12 et seq. GDPR or §§ 32 et seq. BDSG), for implementing technical and organizational measures, for reporting and notifying in the event of data breaches, for cooperating with the supervisory authority (Art. 32–36 GDPR), and for quality assurance.
The controller is also responsible for conducting audits. This includes regular checks regarding contract performance, especially compliance with rules and measures required to implement the assignment. The processor must support these inspections appropriately. Support may be provided, in particular, through current audit certificates.
- Obligations of the Processor
When fulfilling the controller’s obligations, the processor supports the controller. In addition to complying with this agreement, the processor must also fulfill its statutory duties under Art. 28–33 GDPR.
5.1 Duty of Cooperation
If the controller must provide information to a government entity, a data subject, or another person regarding controller data or its collection or use, the processor must support the controller upon first request by promptly providing all information and documents relating to the contractually agreed processing of controller data.
5.2 Duty to Report and Notify
Under Art. 33 GDPR, notification obligations may arise in the event of loss of, unlawful transmission of, or unauthorized access to personal data. Therefore, such reportable incidents—regardless of cause—must be immediately assessed, handled, and communicated to the controller by the processor according to its existing data-protection management system.
In the event of a reportable personal-data breach by the processor, the processor must support the controller with respect to:
- The controller’s reporting obligation to the competent supervisory authority
- The controller’s notification obligation toward affected data subjects
A notification to the controller must occur to the extent documented in the processor’s data-protection management system. Regardless of this, notification must occur whenever the integrity or confidentiality of controller data is otherwise at risk (“security incident”).
In the case of reportable breaches or violations of this agreement, the processor must immediately and fully inform the controller of:
- Time
- Nature
- Scope
of the affected controller data. The controller must be provided with all information necessary to fulfill its reporting obligation to the supervisory authority.
The processor supports the controller with respect to compliance with obligations under Art. 32–36 GDPR, including:
- Ensuring adequate TOM based on the circumstances and purposes of processing and the anticipated probability and severity of risks
- Obligation to assess, handle, and report data breaches
- Assisting the controller in fulfilling its obligation to inform data subjects
- Supporting the controller in conducting Data Protection Impact Assessments
- Supporting prior consultations with supervisory authorities
5.3 Control Actions at the Processor
The processor must immediately inform the controller about inspections or measures taken by a supervisory authority insofar as these relate to this assignment. This also applies when authorities investigate controller data as part of administrative or criminal proceedings.
5.4 Rectification, Blocking, and Deletion of Data
The processor may rectify, delete, or restrict the processing of data processed on behalf only according to documented instructions from the controller unless such actions are typical and necessary for service performance. If a data subject contacts the processor directly, the processor will immediately forward the request to the controller unless the action is typical and necessary for service performance.
Where included in the scope of services, the processor must implement deletion concepts, right to be forgotten, rectification, data portability, and access rights directly per documented instructions from the controller.
5.5 Obligation to Appoint a Data Protection Officer
The processor has appointed a Data Protection Officer where required by law. This person may perform duties in accordance with Art. 38 and 39 GDPR. Their contact details are listed in Appendix 2.
5.6 Obligation to Maintain Confidentiality
The processor employs only staff who are bound to confidentiality and familiar with data-protection rules relevant to their role, especially under Art. 5(1)(f), Art. 28(3)(b), Art. 29, Art. 32(4) GDPR, and § 88 TKG. The processor and any person under its authority who has access to personal data may process such data only in accordance with the controller’s instructions, unless legally required to process it.
This obligation continues indefinitely after termination of this agreement.
5.7 Implementation and Verifiability of TOM
The processor must implement all TOM required for this assignment pursuant to Art. 32 GDPR and must provide the controller with proof thereof. This proof may include audit certificates, independent reports, extracts from reports (e.g., auditors, internal/external DPO, IT security, data-protection auditors, quality auditors), or suitable IT security or data-protection certifications (e.g., BSI Basic Protection, ISO 27001, VdS 3474).
5.8 Purpose Limitation
The processor must not use data for any purpose other than those defined in this agreement and must not disclose data to unauthorized third parties. Copies or duplicates may not be created without the controller’s knowledge, except for required security backups or data necessary for statutory retention obligations.
The processor may not disclose controller data to third parties without prior written consent from the controller, except sub-processors approved pursuant to section 6.
5.9 Quality Assurance / Self-Monitoring
The processor must regularly self-monitor internal processes to ensure that controller data is processed in accordance with this agreement and the controller’s instructions and that TOM are upheld. Documentation must be presented to the controller upon request.
5.10 Persons Authorized to Receive Instructions
The processor may designate persons authorized to receive instructions. These persons are listed in Appendix 2.
In urgent cases, the controller may give instructions to any employee if neither the authorized person nor a deputy is reachable.
If authorized persons change, the processor must notify the controller early and in writing, naming a representative. Until then, the previously named persons remain authorized.
Instructions must be implemented within a reasonable timeframe.
If the processor believes an instruction violates law or this agreement, it must immediately notify the controller.
5.11 Obligation to Assist with Data-Subject Requests
Considering the nature of processing, the processor must support the controller, where possible, through appropriate TOM in responding to requests from data subjects pursuant to Chapter 3 GDPR (Art. 28(1)(f) GDPR).
- Sub-Processing Relationships
Sub-processing in this context refers to services directly related to providing the main service. Ancillary services—such as telecommunications, postal/transportation services, maintenance, user support, or disposal of data carriers—are not considered sub-processing. Nevertheless, the processor must enter into appropriate and legally compliant agreements and conduct controls to ensure data protection and security even in the case of outsourced ancillary services.
Engaging sub-processors is permitted if the processor deems it necessary for fulfilling the assignment. If the sub-processor performs services outside the EU/EEA, the processor must ensure GDPR-compliant safeguards.
Sub-processors are listed in Appendix 2 (“List of Sub-Processing Relationships”).
- Rights of Inspection by the Controller
The controller has the right, in consultation with the processor, to conduct inspections or have them conducted by an auditor appointed in individual cases. The controller may carry out sample checks, announced with reasonable notice, to verify compliance with this agreement.
The processor ensures that the controller can verify compliance with Art. 28 GDPR. The processor must provide necessary information and demonstrate implementation of TOM.
Proof of TOM not specific to this assignment may include:
- Self-audits
- Internal company guidelines with external proof of compliance
- Certificates for data protection and/or information security
- Approved codes of conduct under Art. 40 GDPR
- Certifications under Art. 42 GDPR
Data handling occurs within the framework of this agreement and according to instructions from the controller (Art. 28 GDPR). The controller retains the right to issue specific instructions within the described processing framework.
Changes to processing subject matter or procedures must be jointly coordinated and documented. The processor may provide information to authorized third parties or data subjects.
Verbal instructions must be promptly confirmed in writing or by email.
Authorized persons/groups of the controller are listed in Appendix 1.
The processor must immediately inform the controller if it believes an instruction violates data-protection law. The processor may suspend implementation until the controller confirms or modifies the instruction.
- Deletion and Return of Data
After completion of the contracted services, or earlier upon the controller’s request, the processor must return all documents, data carriers, processing and usage results, and data sets to the controller or securely delete/destroy them per the controller’s instructions. This includes copies, test materials, and rejects. A deletion/destruction log must be provided upon request.
Unless instructed otherwise, the processor may provide the controller with electronically stored data in encrypted form on a standard data carrier or via the controller’s online portal.
This does not apply to data stored in archive/long-term storage systems or backup systems necessary for proper data processing or to data required for statutory retention obligations.
If—due to system constraints or special circumstances—data cannot be returned or only with unreasonable effort, secure and GDPR-compliant deletion/anonymization or blocking may be performed instead.
The controller agrees that deletion claims do not apply to revision-secure backup systems, where data will instead be blocked.
A deletion/anonymization/blocking protocol must be provided upon request and must include:
- Details of files, categories of files, or data sets
- Type of deletion/blocking/anonymization method used
- Time of execution
Documentation necessary to prove proper processing must be retained by the processor beyond the end of the contract, according to statutory retention periods. The processor may provide this documentation to the controller at contract end.
- Final Provisions
If the controller’s property at the processor is endangered by third-party actions (e.g., seizure or confiscation), insolvency proceedings, or other events, the processor must immediately inform the controller. The processor must immediately notify creditors that the data is processed on behalf of another party.
The right of retention under § 273 BGB is excluded with respect to processed data and related data carriers.
Changes, additions, or termination of this agreement must be made in writing. The same applies to modifications of the written-form requirement.
If any provision is invalid or becomes invalid, the remaining provisions shall remain unaffected. The parties commit to replacing the invalid provision with a legally permissible one that best approximates the purpose of the invalid provision and meets the requirements of Art. 28 GDPR.
In case of contradictions between this agreement and other agreements between the parties, particularly the main contract, the provisions of this agreement take precedence.
Appendix 1: Nature, Scope, and Purpose of Data Processing
A 1.1 Persons Authorized to Issue Instructions
Persons authorized to issue instructions on behalf of the controller are:
- The management of the controller
All instructions must be documented in writing. Instructions given by telephone must be immediately confirmed in writing via email.
A 1.2 Purpose of Data Processing
The processor provides the controller with an online service (“Fritto Time-Tracking Software”) as a web application through which users can map business data and processes.
The Fritto Time-Tracking Software is a protected area accessible only through online login.
Purposes of processing include the provision and use of the SaaS solution “Fritto Time-Tracking Software.”
The main contract forms the basis for data processing on behalf. Within the main contract, the nature and scope of service delivery are regulated. This agreement specifies the data-protection rights and obligations of the parties when handling the controller’s personal data (“controller data”).
A 1.3 Processing Activities
Personal data is processed by the processor in accordance with Art. 4(2) GDPR. Essentially, this includes collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Primarily, this consists of technical access during product improvement and customer inquiries to resolve possible errors.
A 1.4 Categories of Data Subjects
- Employees of the controller
A 1.5 Categories of Personal Data
- Master data (first name, last name, email address, phone number)
- Weekly working hours
Appendix 2: Data Protection Officer, Sub-Processing Relationships, and Persons Authorized to Receive Instructions for the Processor
A 2.1 Persons Authorized to Receive Instructions
Persons authorized to receive instructions from the processor:
- The management of Steinpilz Risotto UG (haftungsbeschränkt), represented by Yury Filipovich and Mehmet Önkol
A 2.2 Sub-Processing Relationships
The following sub-processors are appointed under the condition of a contractual agreement pursuant to Art. 28(2)–(4) GDPR:
| Company | Address / Country | Type of Service |
|---|---|---|
| Stripe | 510 Townsend Street, San Francisco, CA 94103 / USA | Billing |
| Microsoft Corporation | One Microsoft Way, Redmond, WA 98052-6399 / USA | Communication & Customer Support; Server location: EU; Infrastructure and platform services, computing capacity |
| Steinpilz GmbH | Rosa-Heinzelmann-Str. 20, 73230 Kirchheim unter Teck / Germany | IT support |
| SendGrid | Denver, Colorado, USA | Email communication |
| Atlassian Inc. (Jira) | 350 Bush Street, Floor 13, San Francisco, CA 94104, USA | Project management |
| Functional Software, Inc. (Sentry) | 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA | Application monitoring software |
Outsourcing to sub-processors or replacing existing sub-processors is permitted if the processor deems it necessary to fulfill the assignment.
A 2.3 Data Protection Officer
Data Protection Officer of the processor:
Viorica-Simona Mic
Verdandi Datenschutz GmbH
Robert-Bosch-Str 7
71229 Leonberg
Phone: +49 (0) 1522 6687466
Email: viorica.mic@verdandi-datenschutz.com
Appendix 3: TOM of the Processor according to Art. 32 GDPR
Technical and organizational measures (“TOM”) are subject to technological progress. The processor may implement adequate alternative measures, provided the security level is not reduced. Significant changes must be documented.
The processor provides proof of TOM implementation upon request. Proof may include certificates, reports, or extracts of reports from independent bodies (e.g., auditors, internal/external DPO, IT security departments, data-protection auditors, quality auditors) or certifications (e.g., BSI Basic Protection).
A 3.1 Self-Commitment and Certifications
To ensure an adequate protection level, the processor commits to implementing TOM required for compliance with data-protection regulations. There is currently no closed company network. Adequacy checks follow the state of the art and data-security standards. Proof of TOM implementation will be provided upon request following Basic Protection requirements.
A 3.2 Description of Technical and Organizational Measures
Physical Security of Infrastructure
Location / Corporate Premises
Corporate premises are separated from public areas through:
- Lockable door
- Separate rooms within a building complex
No other parties in the building have access to company premises.
An access-control system is used to protect rooms where personal data is processed.
Visitor registration is handled by:
- Escort by employees
- Doorbell
Rooms with access to personal data are lockable.
Personal data is not freely accessible in areas with public traffic.
Server Systems
Server Infrastructure
Virtualized servers are used in the company.
Network Structure
Network Documentation
Network documentation exists and is reviewed regularly to compare intended vs. actual state.
Network Architecture
WLAN is encrypted with:
- WPA3
Client-server segmentation exists.
There is separation of “Internet/public network.”
Remote Network Access
The company uses firewalls to protect the network.
Firewalls used:
- Hardware firewalls
Firewalls and switches are connected to uninterruptible power supplies.
A DNS filter is used for incoming traffic.
Network devices (hubs, switches) comply with the current state of the art.
Secure remote-access methods are used:
- VPN (Virtual Private Network)
Position of VPN:
- In the firewall
The remote access is secured by:
- Username & password
Employees accessing the network from outside have been instructed on applicable data-protection regulations.
Network Monitoring
A software tool is used to monitor network and application activity.
Business Continuity
Recoverability
The company performs (regular) data backups of relevant systems.
The following parties are responsible for performing backups:
- Cloud provider
- External service provider
The recovery options cover the following areas:
- System files and data containers
- Configurations (settings and permissions)
- Installations
- Data
- User accounts
The following type of data backup is carried out in the company:
- Full backup
Backups are stored in a separate fire compartment.
Backup procedures are regularly tested and adjusted as required.
Emergency Preparedness
Responsible persons have been defined and made aware of their duties.
Devices
Client Structure and Management
Security and software updates of mobile devices are carried out regularly.
Only pre-approved cloud and online services may be used.
An inventory of all devices used in the company is maintained.
A documented process exists for issuing company-owned items to employees.
The company ensures that all company-owned items related to personal data are reclaimed when a person leaves the organization.
Devices are reintegrated into the IT inventory for reuse through a regulated reintroduction process.
Data Carrier Management
The company has testing and approval procedures for mobile phone/tablet applications.
These devices have access locks.
Complex access-lock mechanisms are in place for the mobile devices used.
Employees are required to properly dispose of personal data.
Electronic data carriers are securely wiped to ensure safe reuse.
Data carriers (including paper files) are regularly disposed of.
Paper files are destroyed using a shredder.
Data Transfers
Data Transmission & Communication
The following encryption methods are used for email transmission:
- Emails are encrypted during transmission using appropriate procedures/protocols (SSL/TLS).
Personnel
Employee Awareness & Training
Employees are required to comply with behavioral rules in accordance with the principles of the GDPR.
Employees receive training on data protection topics.
Authorization Management
A defined process exists for the central management of user identities, especially for creating (e.g., new employee), modifying (e.g., name change after marriage), and deleting (e.g., leaving the company) accounts.
A formal authorization concept exists that documents employee roles and access rights.
The granting and revocation of access rights for IT systems is documented.
A central directory service (LDAP, AD, etc.) is used for authorization verification.
Documentation of authorized users, user groups, and rights profiles is included in the backup procedure.
This documentation is protected against unauthorized access.
Access rights are granted based on the function of the user.
The company ensures that all access rights of a departing person are promptly disabled and, if applicable, deleted.
Administrators and their deputies are designated for all IT systems and networks.
Special administrator accounts are used.
Activities within administrator accounts are logged.
Authentication Procedures
A password manager is used.
The password manager provides sufficient access control and encrypted storage.
Multi-factor authentication is used.
Single sign-on (SSO) is used for login.
SSO logins require multi-factor authentication.
User accounts are automatically locked after inactivity (screen lock).
Screens are locked after less than 10 minutes.
User accounts of IT systems that process personal data are protected by passwords.
Incorrect login attempts are logged.
Initial passwords must be changed upon first login.
User accounts are locked after a defined number of incorrect login attempts.
Unique identifiers are assigned to every individual user of IT systems processing personal data.
Unencrypted password lists do not exist.
Concrete guidelines exist for password creation or system-enforced password requirements.
There is a specification for password composition.
Passwords consist of at least the following elements:
- Special characters
- Numbers
- Letters
A specification for password complexity exists.
A specification for password length exists.
Passwords consist of at least 8 characters.
Organization
Order Control (Processor Management)
A data processing agreement has been concluded with all service providers that process personal data on behalf of the company.
Additional appropriate safeguards have been agreed with service providers whose data processing takes place in third countries outside the EU, to secure data transfers.
External service providers who may have access to personal data are always supervised during their activities.
Software Development and Selection
Productive and development/test systems are separated.
Access to source code during software development is restricted.
An authorization concept has been implemented in the test and development environments.
Multi-tenancy capability of developed software is ensured.
Real user data is not used in test or development environments.
Other Organizational Measures
The company has processes that allow personal data to be blocked or deleted upon request.
All processing of personal data is logged.
Logs relating to the processing of personal data are deleted at the end of the year following their creation.
The data protection officer is consistently involved in security matters and incidents.