Data Processing Agreement for AI service


(Version March 01, 2026)


Client and think-cell Technologies GmbH (“Provider”) agree that this Data Processing Agreement (“DPA”) sets out the obligations of both parties with respect to the processing of Client’s personal data during the use of Provider’s AI service, in the event that the Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation "GDPR") is applicable to Client. The DPA is incorporated by reference into the AI Service Agreement (“Main Agreement”).

1.           Scope

1.1        The Provider acts as a data processor (“Processor”) for the Client, the data controller (“Controller”). The Controller is solely responsible for the processing of personal data under this DPA.

1.2        The data processing activities concern the purposes, categories of data and categories of data subjects set out in ANNEX 1. Technical and Organizational Measures are provided in ANNEX 2.

1.3        "Personal data" means any information relating to an identified or identifiable natural person according to Art. 4 No. 1 GDPR.

1.4        The Controller is allowed, in accordance with the Processor's AI Service, to grant usage rights for the AI Service to its affiliated companies (within the meaning of Art. 15 of the German Stock Corporation Act, Aktiengesetz). If personal data of the Controller’s affiliates is processed under this DPA, each affiliate shall be considered a data controller for its respective personal data, or a joint controller together with the Client as Controller, as applicable. Notwithstanding the foregoing, the Client as Controller shall remain the central and primary operational contact point for the Processor under this DPA at all times.

2.           Processing of Personal Data

2.1        The Processor is instructed to process the personal data only for the purposes of providing the data processing services set out in ANNEX 1, unless the Processor is required to process personal data by Union or Member State law to which the Processor is subject. In the latter case, the Processor shall inform the Controller about such legal requirement before processing, unless that law prohibits such information on grounds of public interest. Any additional instructions by the Controller need to be in writing.

2.2        Any transfer of personal data to any third country or international organisation may only take place in case the additional requirements under Art. 44 ff. GDPR are met.

2.3        If the Processor considers an instruction from the Controller to be in violation of the GDPR, or other Union or Member State data protection provisions, the Processor shall immediately inform the Controller in writing about this. The Processor shall be entitled to suspend the performance of the respective instruction until it is legitimately confirmed or amended by the Controller.

3.           General Obligations

3.1        The Processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.2        In accordance with Art. 32 GDPR, the Processor shall implement the technical and organisational measures as set out in ANNEX 2. The Controller deems these technical and organisational measures of the Processor as appropriate in regard to the processing of personal data under this DPA.

3.3        The Processor shall upon request provide the Controller with sufficient information to enable the Controller to ensure that the Processor complies with its obligations under this DPA, including ensuring that the appropriate technical and organisational security measures have been implemented.

3.4        Furthermore, the Controller is entitled at its own cost to appoint an independent auditor who is not in direct competition with the Processor, is sworn to professional secrecy and shall have access to the Processor's data processing facilities as well as receive the necessary information in order to be able to audit whether the Processor complies with its obligations under this DPA, including ensuring that the appropriate technical and organisational security measures have been implemented. The auditor shall upon the Processor's request sign a customary non-disclosure agreement, and treat all information obtained or received from the Processor confidentially and may only share the information with the Controller. Any audit conducted under this clause shall not unreasonably interfere with the Processor’s business operations, may be carried out no more than once per calendar year and shall take place during the Processor’s normal business hours.

3.5        The Controller shall be responsible for any fees charged by any auditor appointed by the Controller to execute any such audit. If the Controller initiates an audit, the Processor may charge a fee based on the Processor's reasonable costs and reimbursement of reasonable expenses, provided such costs are communicated by the Processor in advance.

3.6        The Processor must, without undue delay after becoming aware of the facts, notify the Controller in writing about any suspicion or finding of a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the Processor under this DPA. Taking into account the nature of the processing and the information available to the Processor, the Processor shall assist the Controller to the extent required in ensuring the Controller’s compliance with any obligations under Art. 33 or Art. 34 GDPR.

3.7        Taking into account the nature of the processing the Processor will promptly assist the Controller with the handling of any requests from data subjects under Chapter III of the GDPR, including requests for access, rectification, blocking, or deletion. The Processor will also assist the Controller by implementing appropriate technical and organisational measures, for the fulfilment of the Controller's obligation to respond to such requests.

3.8        The Processor will assist the Controller with meeting the other obligations that may be incumbent on the Controller according to Union or Member State law where the assistance of the Processor is implied, and where the assistance of the Processor is necessary for the Controller to comply with its obligations. This includes, but is not limited to, providing the Controller on request with all necessary information about an incident under Clause 3.5 and all necessary information for an impact assessment in accordance with Art. 35 and Art. 36 GDPR.

4.           Further sub-processing of the Processor

4.1        Any sub-processors listed under the link provided in ANNEX 3 of this DPA shall be deemed authorized by the Controller. The Processor will inform the Controller of the addition or replacement of further sub-processors for the processing of personal data under this DPA.

4.2        Prior to the engagement of a sub-processor, the Processor shall conclude a written agreement with the sub-processor, in which at least the same data protection obligations as set out in this DPA shall be imposed on the sub-processor.

4.3        The Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.

5.           Term and termination

5.1        This DPA remains in force during the term of the Main Agreement. Regardless of the term of the Main Agreement, the DPA shall be in force as long as the Processor processes Controller’s personal data.

5.2        Regardless of the term of the Main Agreement, the DPA shall be in force as long as the Processor processes the personal data for which the Controller is data controller.

5.3        On the Controller's request the Processor shall immediately transfer or delete the personal data which the Processor is processing for the Controller, unless Union or Member State law requires storage of the personal data.

6.           Miscellaneous

6.1        If any of the provisions of this DPA conflicts with the provisions of the Main Agreement, the provisions of this DPA shall prevail.

6.2        The Parties may at any time agree to amend this DPA. Amendments must be in writing.

6.3        This DPA shall not apply if and to the extent that the EU Commission's Standard Contractual Clauses for the transfer of personal data to third countries are concluded and such clauses set out stricter obligations for the Processor and/or for sub-suppliers.


ANNEX 1: Description of processing

This ANNEX 1 constitutes the Controller's instruction to the Processor in connection with the Processor's data processing for the Controller concerning the AI service and is an integrated part of the DPA.

1.           General description of the processing

According to the Main Agreement no personal data shall be entered in the input fields when using the AI Service. If, contrary to this contractual agreement, the input contains personal data, the following applies to its processing:

Personal data might be processed when included in the input fields. Processor only provides an API to third party services and does not store personal data contained in the input.

2.           Details of processing

The processing of personal data

(a)         Purpose and nature of the processing operations

The Processor is providing the following digital services for the Controller:

·       Editing and generation of slides, including but not limited to translation, text rewriting, generation of slide titles, generation of slide summaries

·       Assisting the user with analyzing and transforming data in Excel

·       Recommending charts and automatically creating charts linked to Excel data

·       Searching data in the think-cell Library from the AI chat

·       Automating all think-cell features

·       Searching statistics on Statista/Morningstar

(b)        Categories of data subjects

(i)           Users of Controller

(ii)         Other data subjects (mentioned in the input)

(c)         Categories of personal data

Any personal data the User shares with the Provider. If the User shares special categories of data in his/her input, the Controller is obliged to obtain respective consent of the affected data subjects with respect to the processing.

(d)        Location(s), including name of country/countries of processing

The processing will be performed by think-cell Technologies GmbH, Leipziger Straße 51, DE-10117 Berlin, Germany.


ANNEX 2: Technical and organizational measures in accordance with Art. 32 GDPR

M.1 Confidentiality measures

M.1.1 Physical Access Control:

  • Physical security perimeters and controlled building access procedures.
  • Physical entry controls and visitor management.
  • Clear desk and clear screen policy.
  • Where cloud infrastructure is used, physical security is ensured via:
    • Supplier due diligence
    • ISO/IEC 27001 certification

M.1.2 System Access Control:

  • Secure authentication mechanisms, including mandatory MFA for privileged and administrative access.
  • Logical access restrictions based on information classification and asset inventory.
  • Logging and monitoring of system access.
  • Endpoint protection and secure configuration management.
  • Patch and vulnerability management procedures.

M.1.3 User Access Governance:

  • Documented Access Control Policy.
  • Governance and monitoring of privileged access.
  • Role-based access control (RBAC).
  • Joiner–Mover–Leaver lifecycle management.
  • Controlled assignment and periodic review of access rights.
  • Logging and audit trail of user activities.

M.1.4 Development & Source Code Governance:

  • Restricted and monitored access to source code repositories.
  • Secure Development Lifecycle (SDLC) procedures.
  • Secure system architecture with defined trust boundaries.
  • Security testing prior to production deployment.
  • Controlled change management process.

M.1.5 Transfer Control:

  • Enforced TLS 1.2+ encryption for all internal and external communications.
  • HTTPS-based API communication with certificate validation.
  • Encrypted data exchange with sub-processors and AI providers.
  • Selection and configuration of AI services and cloud infrastructure with EU data residency commitments.
  • Cryptographic key and certificate lifecycle management.
  • Periodic review of transport encryption configurations.

M.1.6 Separation Requirements:

  • Logical and technical separation of development, test, and production environments.
  • Segregation of duties across development and security roles.
  • Network segmentation between internal systems and external AI providers.
  • Role-based restrictions preventing modification or deletion of audit logs by operational users.
  • Controlled and monitored access to logging and monitoring systems.

M.1.7 Pseudonymization:

  • AI processing uses pseudonymized client identifiers that prevent direct attribution to individual data subjects.
  • Re-identification information is stored separately in segregated systems with independent access controls, ensuring that re-identification is not possible within the AI processing environment.

M.1.8 Encryption:

  • Encryption in transit (mandatory TLS 1.2+, certificate management practices, encryption of internal service communication, VPN usage where applicable).
  • Encryption at rest (covering databases and backups).
  • Secure key storage using dedicated key management systems.
  • Role-based access to key material.
  • Defined key rotation and revocation procedures.

M.1.9 Network and Infrastructure Security:

  • Secure baseline configurations for cloud and container infrastructure.
  • Restriction of administrative interfaces.
  • Vulnerability management process for infrastructure components.
  • Intrusion detection and centralized logging.
  • Secure decommissioning procedures for infrastructure components.

M.2 Integrity measures

M.2.1 Description of the input controls

  • Enforced use of individual user accounts (no shared credentials).
  • Prompt priming to reduce risks of prompt injection and malicious instruction override.
  • Controlled system prompt architecture separating user input from system-level instructions.
  • Monitoring of API usage patterns and rate limiting to prevent abuse or service misuse.
  • Protection of logs against alteration.
  • Version control of preprocessing configurations.

M.2.2 Incident response and breach management

  • Logging covers production systems, administrative actions, authentication events, and security-relevant configuration changes.
  • Formal incident response procedures.
  • Escalation procedures including breach notification process (72-hour notification per Art. 33 GDPR).
  • Logs are protected against unauthorized modification and deletion.
  • Post-incident review and remediation tracking.

M.3 Availability and resilience measures

M.3.1 Description of availability control:

  • Capacity monitoring and management for infrastructure resources.
  • Redundancy and failover mechanisms within cloud infrastructure.
  • Backup concept covering relevant system components.

M.3.2 Description of rapid recoverability:

  • Defined RTO and RPO objectives.
  • Documented disaster recovery procedures.
  • Periodic testing of backup restoration.
  • Inclusion of configuration artifacts and orchestration components in recovery scope.
  • Escalation and communication procedures during recovery.

M.3.3 Regular testing and evaluation of measures

  • Periodic penetration testing.
  • Vulnerability assessments.
  • Backup testing.
  • Independent security reviews.
  • Management review of remediation measures.

M.4 Further measures for data protection

M.4.1 Supplier Governance:

  • Supplier due diligence and security evaluation prior to onboarding.
  • Data processing agreements with sub-processors (Art. 28 GDPR).
  • AI models are selected and configured so that customer input data is not used for model training or service improvement purposes.
  • Ongoing monitoring of supplier compliance.
  • Confidentiality commitments for personnel.
  • Mandatory security and data protection training.
  • Defined data protection roles and responsibilities.

M.4.2 Description of the management system for data protection:

  • Formally approved data protection policies.
  • Integration of privacy by design and by default into development lifecycle.
  • Structured documentation of processing activities.
  • Periodic internal audits and compliance reviews.
  • Defined data retention and deletion policies aligned with legal requirements.


ANNEX 3: Sub-processors

The Processor is continuously adding new Skills, which may require additional subcontractors or the replacement of existing ones. The Processor does not consider solely the quality of a subcontractor but always checks for the highest level of data privacy and security possible. The current list of subcontractors can be found on the Subcontractors page.

***