Data Processing Agreement (DPA)

Version 1.0 Effective: 2026-01-24

Preamble

This Data Processing Agreement (DPA) governs the processing of personal data in connection with the use of Reflytic, in accordance with Art. 28 GDPR.

Contracting Parties:

  • Controller (Principal): You as Moderator or Promoter
  • Processor (Contractor): KERNATEC, operator of Reflytic

Subject: Provision of the Reflytic platform for revenue-share management and analytics evaluation

1. Subject and Duration of Processing

1.1 Subject
The Contractor processes personal data on behalf of the Principal exclusively to provide the services agreed in the Terms of Service.

1.2 Duration
The term of this DPA corresponds to the duration of the usage relationship. The DPA ends automatically upon termination of use or account deletion.

1.3 Type of Processing

  • Storage in encrypted databases
  • Automated processing through Celery tasks
  • API calls to Google Analytics
  • Aggregation and visualization of data
  • Communication via in-app chat

2. Type of Personal Data

2.1 Categories of Data Subjects

  • Moderators (Google Analytics property owners)
  • Promoters (influencers)
  • End users (indirectly via Google Analytics)

2.2 Categories of Personal Data

  • Master data: Name, email, username
  • Authentication: Password hashes, OAuth tokens
  • Usage data: Login times, IP addresses, device info
  • Campaign data: Analytics metrics, revenue data
  • Communication data: Chat messages (encrypted)
  • Payment data: Subscription status, transaction history

3. Obligations of the Processor

3.1 Instruction Binding
The Contractor processes personal data only on documented instruction from the Principal. Using a platform function (for example, triggering an export or a deletion) counts as such an instruction.

3.2 Confidentiality
All persons authorized to process are bound to confidentiality and have been trained accordingly.

3.3 Technical and Organizational Measures (TOMs)
The Contractor ensures:

  • Encryption: Fernet (AES-128-CBC with HMAC-SHA256 authentication) for data at rest, TLS 1.3 in transit
  • Access control: Role-based permissions, optional two-factor authentication (2FA)
  • Data backup: Daily encrypted backups
  • Incident Response: Notification of personal data breaches without undue delay, and at the latest within 72 hours of becoming aware of them
  • Logging: Audit logs for all critical operations
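The following Python is an added example written for this page; it is not Reflytic's or KERNATEC's code and makes no assumption about how the platform actually stores data. It shows, from the Fernet specification, why a Fernet key yields a 128-bit AES key (the 32-byte key is split into a 16-byte HMAC-SHA256 key and a 16-byte AES-128-CBC key), and how a token is authenticated before anything is decrypted. Only the standard library is used, so the AES-CBC encryption step itself is omitted and the ciphertext is a constructed placeholder; the key, IV and timestamps are generated inline for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

# Fernet token layout: version (1 byte, 0x80) || timestamp (8 bytes, big-endian)
# || IV (16 bytes) || AES-128-CBC ciphertext || HMAC-SHA256 (32 bytes)
FERNET_VERSION = 0x80
HMAC_LEN = 32


def generate_key() -> bytes:
    """32 random bytes, base64url-encoded (constructed for this example)."""
    return base64.urlsafe_b64encode(os.urandom(32))


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Fernet splits the 32-byte key into a 128-bit HMAC key and a 128-bit AES key.
    The AES half is 16 bytes, which is why Fernet is AES-128, not AES-256."""
    raw = base64.urlsafe_b64decode(key)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to exactly 32 bytes")
    return raw[:16], raw[16:]


def build_token(key: bytes, iv: bytes, ciphertext: bytes, timestamp: int) -> bytes:
    """Assemble and sign a token. The AES-128-CBC step that would produce
    `ciphertext` is not performed here (no AES in the standard library); the
    caller passes placeholder bytes of block-aligned length."""
    signing_key, _ = split_key(key)
    if len(iv) != 16 or len(ciphertext) % 16 != 0:
        raise ValueError("IV must be 16 bytes and ciphertext block-aligned")
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


def verify_token(key: bytes, token: bytes, ttl: Optional[int] = None,
                 now: Optional[int] = None):
    """Authenticate a token before any decryption. Returns the parsed fields on
    success, or None on bad encoding, wrong version, HMAC mismatch or expiry.
    All failures look the same to the caller, as in the real library."""
    signing_key, _ = split_key(key)
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError):
        return None
    if len(raw) < 1 + 8 + 16 + HMAC_LEN or raw[0] != FERNET_VERSION:
        return None
    body, tag = raw[:-HMAC_LEN], raw[-HMAC_LEN:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    timestamp = struct.unpack(">Q", body[1:9])[0]
    if ttl is not None:
        current = int(time.time()) if now is None else now
        if timestamp + ttl < current:
            return None
    return {"timestamp": timestamp, "iv": body[9:25], "ciphertext": body[25:]}


def tamper(token: bytes, byte_index: int) -> bytes:
    """Flip one bit of the decoded token and re-encode it (simulated tampering)."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[byte_index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw))


def demo() -> dict:
    key = generate_key()
    signing_key, enc_key = split_key(key)
    iv = os.urandom(16)
    ciphertext = b"\x00" * 32  # placeholder for AES-128-CBC output
    issued = 1_700_000_000     # constructed issue time
    token = build_token(key, iv, ciphertext, issued)
    ok = verify_token(key, token, ttl=3600, now=issued + 60)
    expired = verify_token(key, token, ttl=3600, now=issued + 7200)
    forged = verify_token(key, tamper(token, 30), ttl=3600, now=issued + 60)
    return {
        "aes_key_bits": len(enc_key) * 8,
        "hmac_key_bits": len(signing_key) * 8,
        "valid": ok is not None and ok["ciphertext"] == ciphertext,
        "expired_rejected": expired is None,
        "tampered_rejected": forged is None,
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks matters for a "data at rest" claim: the HMAC is verified over the whole token, with a constant-time comparison, before the IV and ciphertext are handed to the cipher, so a modified backup or database row is rejected rather than decrypted to garbage. The TTL check is what lets a short-lived token (for example a chat message export link) expire even though the key is still valid.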

3.4 Support for the Controller
The Contractor supports the Principal in:

  • Subject access requests
  • Data deletions and corrections
  • Data portability (export functions)
  • Data protection impact assessments (on request)

4. Sub-Processors

4.1 Approval
The Principal consents to the engagement of the following sub-processors:

Hosting and Infrastructure:

  • Google Cloud Platform (Google Ireland Limited, Ireland)

    • Purpose: Analytics API, OAuth services
    • Guarantees: EU Standard Contractual Clauses
  • Hetzner Online GmbH (Germany) [OR Your Provider]

    • Purpose: Server hosting
    • Guarantees: GDPR-compliant, EU location

Payment Processing:

  • Stripe Inc. (USA)
    • Purpose: Payment processing
    • Guarantees: PCI DSS, EU Standard Contractual Clauses

Caching and Queues:

  • Redis Labs (EU region)
    • Purpose: Performance optimization
    • Guarantees: Encrypted connections

4.2 Notification of Changes
The Contractor informs the Principal at least 30 days before engaging a new sub-processor. An objection by the Principal results in termination of the contract without a notice period.

5. Rights and Obligations of the Principal

5.1 Right to Instruct
The Principal can issue documented instructions for data processing at any time (e.g., deletion, export request).

5.2 Control Rights
The Principal may conduct audits, or have them conducted by a third party, with advance notice and at most once per year.

5.3 Information Obligations
The Principal must inform the Contractor about:

  • Restrictions on processing authorization
  • Errors or irregularities in processing
  • Control measures by supervisory authorities

6. Data Breaches

6.1 Reporting Obligation
The Contractor reports personal data breaches without undue delay, and at the latest within 72 hours of becoming aware of them. Contact for breach-related matters:

  • Email: dpo@reflytic.com
  • Emergency Hotline: 015563450629

6.2 Documentation
Every data breach is documented with:

  • Type of breach
  • Affected data categories and persons
  • Damage mitigation measures
  • Recommendations to prevent future incidents

6.3 Cooperation
The Contractor supports the Principal in reporting to supervisory authorities and affected persons.

7. International Data Transfers

7.1 Processing Location
Primary processing location: Germany/EU

7.2 Third-Country Transfers
For transfers to third countries (in particular the USA):

  • EU Standard Contractual Clauses
  • Supplementary measures as required by the Schrems II ruling
  • The Principal is informed of all such transfers

7.3 Third-Country Access
No routine access from outside the EU. In case of authority requests, Principal is notified (if legally permissible).

8. Deletion and Return of Data

8.1 After Contract End
The Contractor deletes all personal data within 30 days after contract end, unless:

  • Legal retention obligations exist (e.g., tax law: 10 years)
  • Principal requests return (export as JSON/CSV)

8.2 Deletion Confirmation
Upon request, the Contractor issues a deletion confirmation.

8.3 Backups
Data in backups is removed automatically after 90 days through normal backup rotation; a deletion from the live system therefore becomes effective in backups only after that period.

9. Liability and Damages

9.1 Liability of the Processor
The Contractor is liable for damages caused by GDPR violations according to Art. 82 GDPR.

9.2 Limitation of Liability
Liability is limited to:

  • Intent and gross negligence: unlimited
  • Slight negligence: the amount of fees paid in the preceding twelve months

10. Final Provisions

10.1 Priority
This DPA takes precedence over the Terms of Service in data protection matters.

10.2 Changes
Changes are announced 30 days in advance. Objection leads to termination.

10.3 Severability Clause
Invalidity of individual provisions does not affect the validity of the remaining DPA.

10.4 Applicable Law
German law applies, in conformity with the GDPR.

Last updated: 2026-01-24