This legal document is currently available in German only.


Data Processing Agreement (DPA)

Version: January 2025

This Data Processing Agreement (DPA) according to Art. 28 GDPR governs the processing of personal data by SlimPIM.ai on behalf of the Customer.

Note: This DPA automatically becomes part of the service agreement as soon as the Customer processes personal data in SlimPIM.ai.

§ 1 Subject Matter and Duration

(1) The subject matter of this agreement is the processing of personal data by the Processor (Provider) on behalf of the Controller (Customer) in the context of using the SaaS platform SlimPIM.ai.

(2) The duration of this DPA corresponds to the duration of the main contract (Terms and Conditions).

(3) Nature and purpose of processing:

  • Provision of cloud-based PIM software
  • Storage and management of product information
  • User management and access control
  • Technical support

§ 2 Types of Data and Data Subjects

(1) Categories of data subjects:

  • Employees of the Customer (software users)
  • End customers (if their data is contained in product information)
  • Contact persons of business partners

(2) Categories of personal data:

  • Master data (name, email address, company)
  • Usage data (login times, IP addresses, activity logs)
  • Content data (data entered by the Customer such as product descriptions, which may contain personal data)

(3) Special categories of personal data (Art. 9 GDPR) are not processed.

§ 4 Technical and Organizational Measures (TOM)

(1) The Processor implements the following technical and organizational measures:

a) Confidentiality (Art. 32 para. 1 lit. b GDPR)

  • SSL/TLS encryption for data transmission (HTTPS)
  • Encryption of data at rest (AES-256)
  • Password-protected access with bcrypt hashing (12 rounds)
  • Two-factor authentication (optionally available)
  • Role-based access control (RBAC)
  • Regular security audits

b) Integrity (Art. 32 para. 1 lit. b GDPR)

  • Firewall and DDoS protection
  • Intrusion detection systems
  • Regular security updates
  • Logging and monitoring of all system access
  • Malware scanner

c) Availability (Art. 32 para. 1 lit. b GDPR)

  • Redundant server infrastructure
  • Daily automatic backups (30-day retention)
  • Disaster recovery plan
  • 99.5%-99.95% availability guarantee (depending on tier)
  • 24/7 system monitoring

§ 5 Sub-processors

(1) The Controller agrees to the engagement of the following sub-processors:

Company                | Service             | Location
-----------------------|---------------------|---------------------------------------------
Google Cloud Platform  | Cloud Hosting       | EU (Frankfurt, Belgium)
Stripe Inc.            | Payment Processing  | USA (with EU Standard Contractual Clauses)

Additional Provisions

The complete DPA including data subject rights support, data breach notification, data deletion and return, audit rights, liability, and third-country transfers is available in the German version which is legally binding.

For the full legal text, please refer to the German version.

Data Protection Contact

For questions about data protection and this DPA, please contact us:

Email: [email protected]

Note: A formal Data Protection Officer is currently not appointed according to § 38 BDSG due to company size. Please direct data protection inquiries to the email address above.