Data Processing Agreement
pursuant to Art. 28 GDPR
This Data Processing Agreement (hereinafter "DPA") is concluded between David Proga, operating under the trade name "Simple.Grow", c/o Impressumservice Dein-Impressum, Stettiner Strasse 41, 35410 Hungen, Germany, david.proga@simplegrow.io (hereinafter "Processor") and the customer (hereinafter "Controller") who uses the Processor's services.
This DPA supplements the Terms and Conditions and the Privacy Policy of Simple.Grow and becomes an integral part of the agreement upon conclusion of the contract.
1. Subject and Duration of Processing
1.1 The Processor processes personal data on behalf of the Controller in the course of providing and managing AI Employees. This includes in particular:
- Provision and operation of AI Employees (AI agents) for the Controller's day-to-day consulting operations
- Processing of data through AI models (AWS Bedrock Claude) for task execution according to the role profile
- Storage and management of work results, feedback, and performance data
- Automated creation of content, research, reports, and analyses
1.2 The duration of processing corresponds to the term of the main contract (see Terms §6).
2. Nature and Purpose of Processing
2.1 Types of data: The following categories of personal data may be processed in the course of the service:
- Contact data (name, email address, phone number, company name)
- Business data (industry, position, company size)
- Communication data (email content, chat histories, feedback)
- Customer data of the Controller (data of their end customers, insofar as within the AI Employee's scope of tasks)
- Usage data (performance metrics, approval histories)
2.2 Categories of data subjects:
- Employees of the Controller
- Customers and business partners of the Controller
- Contacts and leads of the Controller
2.3 Purpose of processing: Processing is carried out exclusively for the provision of the agreed service in accordance with the respective role profile of the AI Employee.
3. Obligations of the Processor
3.1 The Processor processes personal data only on documented instructions from the Controller, unless required by law to process otherwise.
3.2 The Processor ensures that all persons with access to personal data are bound by confidentiality obligations.
3.3 The Processor makes available to the Controller, upon request, all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR.
3.4 The Processor does not use personal data for its own purposes and does not disclose it to third parties unless expressly agreed or legally required.
3.5 No AI model training: The AI models used (AWS Bedrock Claude) are configured so that data provided by the Controller is not used for training the models. Customer data is processed exclusively for the provision of the agreed service. Temporary caching for processing a request takes place exclusively in the EU (Frankfurt), and the cached data is deleted after processing is complete (after at most 24 hours).
4. Obligations of the Controller
4.1 The Controller is responsible for ensuring that the processing of personal data by the Processor is based on a valid legal basis.
4.2 The Controller ensures that data subjects are informed about the data processing (Art. 13/14 GDPR) and that required consents are in place.
4.3 The Controller informs the Processor without delay of any errors or irregularities in the processing of personal data.
5. Technical and Organizational Measures (TOMs)
5.1 The Processor has implemented the following measures to protect personal data:
Confidentiality:
- Access control via API keys, role management, and individual user accounts
- Row Level Security (RLS) at the database level for tenant separation: one Controller's data is not visible to other Controllers
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
Integrity:
- Input control through documented approval workflows
- Logging of data changes and accesses
- Regular security updates of the deployed infrastructure
Availability:
- Regular automated database backups
- Redundant infrastructure through cloud hosting (Supabase, AWS)
- Monitoring and alerting for system outages
Resilience:
- Scalable cloud infrastructure
- Documented disaster recovery procedures
Data minimization in AI processing:
- Only data required for the respective task area is transmitted to AI models
- Anonymization and pseudonymization before transmission, where technically feasible
- API access only (no use of the AI providers' web interfaces)
6. Sub-Processors
6.1 The Processor engages the following sub-processors:
| Sub-Processor | Purpose | Server Location |
|---|---|---|
| Supabase Inc. | Database, authentication | AWS eu-central-1 (Frankfurt) |
| Amazon Web Services (AWS Bedrock) | AI model processing (Claude) | eu-central-1 (Frankfurt) |
| Hetzner Online GmbH | Server infrastructure (n8n, Trigger.dev) | Germany |
| Vercel Inc. | Website hosting, API routes | Edge network (global, CDN) |
| Cal.com Inc. | Appointment scheduling | EU |
6.2 All sub-processors are subject to data protection obligations comparable to those of the Processor. The Processor ensures that an agreement meeting the requirements of Art. 28 GDPR exists with each sub-processor.
6.3 The Processor informs the Controller of any intended change to the sub-processor list. The Controller may object to such a change within 14 days.
7. Data Transfers to Third Countries
7.1 The processing of personal data takes place principally within the EU/EEA. The primary processing location is Frankfurt am Main (eu-central-1).
7.2 Insofar as sub-processors based outside the EU are engaged (Supabase Inc., Vercel Inc., Cal.com Inc.), the Processor ensures that appropriate safeguards pursuant to Art. 46 GDPR are in place (in particular EU Standard Contractual Clauses and/or an adequacy decision by the EU Commission).
7.3 AI processing via AWS Bedrock is carried out exclusively via EU Inference Profiles with server location Frankfurt. Customer data demonstrably does not leave the EU during AI processing.
8. Rights of Data Subjects
8.1 The Processor supports the Controller in fulfilling obligations under Art. 15–22 GDPR (access, rectification, erasure, restriction, data portability, objection).
8.2 If a data subject directs a request directly to the Processor, the Processor forwards the request to the Controller without delay.
8.3 The Controller remains responsible for responding to data subject requests.
9. Notification Obligations in Case of Data Breaches
9.1 The Processor informs the Controller without delay (within 24 hours at the latest) after becoming aware of a personal data breach.
9.2 The notification includes at minimum: the nature of the breach, affected data categories, approximate number of affected persons, likely consequences, and remedial measures taken.
10. Deletion and Return of Data
10.1 Upon termination of the main contract, the Processor deletes all personal data of the Controller within 30 days, unless statutory retention obligations apply. Exceptions include: (1) anonymized analytics data for performance measurement (retention up to 12 months), (2) invoicing and accounting data (10 years pursuant to §257 HGB / §147 AO).
10.2 At the Controller's request, data will be returned in a common, machine-readable format prior to deletion.
10.3 The Processor confirms the complete deletion of data to the Controller in writing.
11. Audit Rights of the Controller
11.1 The Controller has the right to verify the Processor's compliance with this DPA, including on-site inspections upon reasonable prior notice.
11.2 The Processor makes available to the Controller, upon request, all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR.
12. Liability
12.1 Liability is governed by the provisions in the Terms and Conditions (§11).
12.2 The Controller is liable for all legal consequences arising from unlawful processing for which the Controller provides the legal basis.
13. Final Provisions
13.1 This DPA is governed by German law.
13.2 Amendments and supplements to this DPA must be in writing.
13.3 Should individual provisions be invalid, the validity of the remaining DPA shall not be affected.
13.4 The place of jurisdiction is the Processor's registered office, insofar as legally permissible.
As of: March 3, 2026