← caelith labs

artefact · 01 · 03

data processing agreement — template.

Caelith Labs engagement DPA · v0.1 · 9 sections · GDPR Art. 28

DRAFT v0.1 For buyer review · counsel pass pending. This is the structure Caelith Labs uses for engagement DPAs. Specific terms (sub-processor list, retention windows, TOMs) are finalized per engagement during the proposal phase. A counsel-signed final is delivered at engagement start. If your firm has its own DPA template you prefer, we sign yours instead.

§ 1parties

RoleNameAddress
Controller<client firm name><client registered address>
ProcessorCaelith Labs · Einzelunternehmen Julian LaycockMariendorfer Damm 1, 12099 Berlin, Germany

§ 2subject matter + duration

Subject matter: processing of personal data carried out by the Processor on behalf of the Controller in the context of the engagement specified in the underlying service agreement (typically: CRM architecture, automation expansion, or AI agent build).

Duration: for the term of the engagement (3–5 weeks build), plus the 30-day open-line period post-handover. Processor retains no Controller data beyond engagement close except as required to fulfill the 30-day open-line support, after which data is returned or deleted per § 8.

§ 3nature + purpose of processing

The Processor will process personal data only to the extent necessary to:

Processor will not process Controller data for its own purposes, will not aggregate or anonymize Controller data for separate use, and will not use Controller data to train or improve any model.

§ 4categories of data + data subjects

CategoryData subjectsTypical fields
Contact metadataController's clients, leads, partnersName, email, phone, company, role
Engagement recordsController's clientsPipeline stage, deal value, history
Internal team dataController's employeesName, email, role, calendar availability
End-customer PII (engagement-dependent)Controller's customers' customersPer the integration scope — e.g., DATEV bookkeeping data, Holded ERP entries, Idealista listings — defined per engagement

§ 5processor obligations (Art. 28(3))

Processor undertakes to:

  1. Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country
  2. Ensure that persons authorised to process the personal data have committed themselves to confidentiality
  3. Take all measures required pursuant to Art. 32 (security of processing) — see § 8 (TOMs)
  4. Respect the conditions referred to in § 6 (sub-processors) for engaging another processor
  5. Assist the Controller by appropriate technical and organisational measures, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR
  6. Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 (security, breach notification, DPIA, prior consultation)
  7. At the choice of the Controller, delete or return all the personal data to the Controller after the end of the provision of services, and delete existing copies (see § 9)
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller

§ 6sub-processors

The Controller authorises the use of the following sub-processors, as relevant to the engagement scope:

Caelith Labs's own sub-processors (apply to every engagement)

Sub-processorPurposeLocationTransfer basis
Anthropic, PBCClaude API — agent prompts & responses (if AI features active)USAEU–US DPF + Anthropic DPA (SCCs Mod. 2)
Railway CorpApplication hosting (only when Labs hosts data on Controller's behalf)EU-West · NetherlandsEEA-internal
IONOS SEEmail + domainGermanyEEA-internal
GitHub Inc.Source-code hosting (Controller's code only with explicit consent)USAEU–US DPF

Engagement-specific sub-processors (vary by engagement)

Depending on the engagement scope, the following may apply:

Sub-processorPurposeLocation
AttioCRM (operations sprint)EU
CalendlyBooking (operations sprint)USA — SCCs
Notion LabsProject trackingUSA — SCCs
n8n GmbHWorkflow automation (automation expansion)EU
<vendor APIs per engagement>e.g., DATEV, Holded, Idealista, BiPROper vendor

The Controller's signature on the engagement service agreement constitutes prior specific authorisation for the engagement-scoped sub-processors listed in the proposal. Changes to the sub-processor list during the engagement require 14 days prior written notice to the Controller, who may object on reasonable grounds.

§ 7international transfers

Where personal data is transferred outside the EEA, the following safeguards apply:

§ 8technical + organisational measures (TOMs)

Processor implements appropriate technical and organisational measures pursuant to Art. 32 GDPR, including:

access control

data security

operational

§ 9return / deletion · audit · termination

at engagement close

At Controller's choice, Processor will return or delete all personal data within 30 days of engagement close. Default: deletion + written confirmation. Exceptions: data Processor is legally required to retain (e.g., invoicing records under § 147 AO).

audit rights

Controller may, no more than once per year and on 30 days' written notice, audit Processor's compliance with this DPA. Audits are at Controller's cost. Processor will assist by providing access to relevant records (sub-processor list, TOM documentation, breach log, deletion confirmations).

termination

This DPA terminates automatically when the underlying service agreement ends. The obligations in § 5 (confidentiality), § 9 (deletion), and any pending breach notification continue to apply.

signatures

Controller


____________________
Signature

<name, role>
Date: <date>
Processor


____________________
Signature

Julian Laycock
Einzelunternehmen Caelith Labs
Date: <date>