artefact · 01 · 03
| Role | Name | Address |
|---|---|---|
| Controller | <client firm name> | <client registered address> |
| Processor | Caelith Labs · Einzelunternehmen Julian Laycock | Mariendorfer Damm 1, 12099 Berlin, Germany |
Under GDPR Art. 4(7) and Art. 4(8) respectively. The Processor acts as data processor for the Controller during the engagement scope defined in § 2.
Subject matter: processing of personal data carried out by the Processor on behalf of the Controller in the context of the engagement specified in the underlying service agreement (typically: CRM architecture, automation expansion, or AI agent build).
Duration: for the term of the engagement (3–5 weeks build), plus the 30-day open-line period post-handover. Processor retains no Controller data beyond engagement close except as required to fulfill the 30-day open-line support, after which data is returned or deleted per § 8.
The Processor will process personal data only to the extent necessary to:
Processor will not process Controller data for its own purposes, will not aggregate or anonymize Controller data for separate use, and will not use Controller data to train or improve any model.
| Category | Data subjects | Typical fields |
|---|---|---|
| Contact metadata | Controller's clients, leads, partners | Name, email, phone, company, role |
| Engagement records | Controller's clients | Pipeline stage, deal value, history |
| Internal team data | Controller's employees | Name, email, role, calendar availability |
| End-customer PII (engagement-dependent) | Controller's customers' customers | Per the integration scope — e.g., DATEV bookkeeping data, Holded ERP entries, Idealista listings — defined per engagement |
Special categories under Art. 9 GDPR (health data, biometric data, etc.) are out of scope by default. If the engagement requires special categories, an Annex IV addendum to this DPA is signed before processing begins.
Processor undertakes to:
The Controller authorises the use of the following sub-processors, as relevant to the engagement scope:
| Sub-processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Anthropic, PBC | Claude API — agent prompts & responses (if AI features active) | USA | EU–US DPF + Anthropic DPA (SCCs Mod. 2) |
| Railway Corp | Application hosting (only when Labs hosts data on Controller's behalf) | EU-West · Netherlands | EEA-internal |
| IONOS SE | Email + domain | Germany | EEA-internal |
| GitHub Inc. | Source-code hosting (Controller's code only with explicit consent) | USA | EU–US DPF |
Depending on the engagement scope, the following may apply:
| Sub-processor | Purpose | Location |
|---|---|---|
| Attio | CRM (operations sprint) | EU |
| Calendly | Booking (operations sprint) | USA — SCCs |
| Notion Labs | Project tracking | USA — SCCs |
| n8n GmbH | Workflow automation (automation expansion) | EU |
| <vendor APIs per engagement> | e.g., DATEV, Holded, Idealista, BiPRO | per vendor |
The Controller's signature on the engagement service agreement constitutes prior specific authorisation for the engagement-scoped sub-processors listed in the proposal. Changes to the sub-processor list during the engagement require 14 days prior written notice to the Controller, who may object on reasonable grounds.
Where personal data is transferred outside the EEA, the following safeguards apply:
Processor implements appropriate technical and organisational measures pursuant to Art. 32 GDPR, including:
At Controller's choice, Processor will return or delete all personal data within 30 days of engagement close. Default: deletion + written confirmation. Exceptions: data Processor is legally required to retain (e.g., invoicing records under § 147 AO).
Controller may, no more than once per year and on 30 days' written notice, audit Processor's compliance with this DPA. Audits are at Controller's cost. Processor will assist by providing access to relevant records (sub-processor list, TOM documentation, breach log, deletion confirmations).
This DPA terminates automatically when the underlying service agreement ends. The obligations in § 5 (confidentiality), § 9 (deletion), and any pending breach notification continue to apply.
|
Controller ____________________ Signature <name, role> Date: <date> |
Processor ____________________ Signature Julian Laycock Einzelunternehmen Caelith Labs Date: <date> |