Data Processing Agreement (DPA)

Version: April 2026

This Data Processing Agreement (hereinafter "DPA") is entered into between the customer using the capty platform (hereinafter "Controller") and

Frömmgen und Wintjens GbR
KWL Büro 0.05, Lothringer Str. 38
44805 Bochum, Germany
Email: info@capty.ai
(hereinafter "Processor" or "capty")

The Controller and Processor are hereinafter referred to collectively as the "Parties".

This DPA supplements the main contract between the Parties (subscription agreement / Terms and Conditions, hereinafter "Main Contract") and governs the processing of personal data by capty on behalf of the Controller pursuant to Art. 28 GDPR.

Art. 1 – Subject Matter and Term

1.1 The subject matter of this DPA is the processing of personal data by capty in the course of providing the capty.ai SaaS platform in accordance with the services agreed in the Main Contract.

1.2 The term of this DPA corresponds to the term of the Main Contract.

Art. 2 – Nature, Purpose, and Scope of Processing

2.1 capty processes personal data solely for the purpose of providing the services agreed in the Main Contract and in accordance with the Controller's instructions.

2.2 Processing includes in particular:

  • Storage and processing of media content uploaded by the Controller
  • AI-assisted analysis and text generation based on uploaded content
  • Management of user data, access rights, and workspace settings within the Platform
  • Transmission of content to connected social media platforms at the Controller's instruction

Art. 3 – Categories of Personal Data and Data Subjects

3.1 Categories of personal data (to the extent provided by the Controller):

  • Contact data (name, email address, company details)
  • Media content that may contain personal data (images, videos, text)
  • Usage and access data (roles, timestamps)

3.2 Categories of data subjects (to the extent provided by the Controller):

  • Employees and users of the Controller
  • Customers and contacts of the Controller who may appear in uploaded content

Art. 4 – Instructions

4.1 capty processes personal data solely on documented instructions from the Controller, including the instructions set out in this DPA and the Main Contract.

4.2 If capty considers that an instruction infringes the GDPR or other applicable data protection law, capty is entitled to suspend the execution of that instruction until the matter is resolved.

Art. 5 – Obligations of the Processor

capty undertakes to:

  • process personal data only on documented instructions from the Controller;
  • ensure that persons authorised to process data are bound by confidentiality;
  • implement all technical and organisational measures required under Art. 32 GDPR (see Annex 2);
  • comply with the conditions set out in Art. 28(2) and (3) GDPR for engaging sub-processors (see Art. 6);
  • assist the Controller in fulfilling its obligations under Art. 32–36 GDPR;
  • at the Controller's choice, delete or return all personal data after the end of processing (see Art. 9);
  • make available to the Controller all information necessary to demonstrate compliance with this article and to allow for audits.

Art. 6 – Sub-processors

6.1 The Controller hereby grants general authorisation for the engagement of sub-processors. The sub-processors currently engaged are listed in Annex 1.

6.2 capty will inform the Controller of any intended changes to sub-processors (additions or replacements) with at least 14 days' notice by email. The Controller may object to an intended change in writing within this period for substantive reasons.

6.3 capty ensures that sub-processors are subject to the same data protection obligations set out in this DPA.

Art. 7 – International Data Transfers

7.1 Where the provision of services involves transfers of personal data to countries outside the EU/EEA, or where access from such countries cannot be excluded, the safeguards listed in Annex 1 apply.

7.2 capty ensures that appropriate safeguards pursuant to Chapter V GDPR are in place for such transfers (e.g. Standard Contractual Clauses, adequacy decision).

Art. 8 – Technical and Organisational Measures

capty implements the technical and organisational measures described in Annex 2 to ensure a level of protection appropriate to the risk. These measures may be further developed and adapted, provided the level of protection is not reduced.

Art. 9 – Deletion and Return of Data

9.1 Following termination of the Main Contract, capty deletes all personal data belonging to the Controller upon expiry of the 30-day export window set out in the Terms and Conditions, unless statutory retention obligations require further storage.

9.2 Upon written request by the Controller, capty will provide a data export in a machine-readable format to the extent technically feasible.

Art. 10 – Assistance and Audit Rights

10.1 capty will assist the Controller to a reasonable extent in responding to requests from data subjects and in fulfilling the obligations referred to in Art. 32–36 GDPR.

10.2 The Controller is entitled to verify capty's compliance with this DPA. Audits will be conducted with reasonable prior notice (at least 14 days) and during normal business hours. capty may alternatively provide evidence of compliance through certifications, audit reports, or equivalent documentation.

Art. 11 – Confidentiality and Liability

11.1 The liability provisions of the Main Contract and the statutory provisions of the GDPR (in particular Art. 82 GDPR) apply to the liability of the Parties under this DPA.

11.2 This DPA is governed by the laws of the Federal Republic of Germany. The exclusive place of jurisdiction is Bochum, Germany.

Annex 1: Current Sub-processors

Sub-processor Purpose Location / Transfer safeguard
Hostinger International Ltd. Hosting and infrastructure EU (Lithuania)
AI service providers (one or more, depending on use case) AI-assisted processing of uploaded content and text generation EU and/or third countries – appropriate safeguards pursuant to Chapter V GDPR (e.g. SCCs), where applicable
Stripe Payments Europe, Ltd. Payment processing EU (Ireland) – SCCs for any third-country transfers

Annex 2: Technical and Organisational Measures (TOMs)

capty implements at minimum the following measures at the time of processing:

  • Encryption in transit: All data transfers between users and the Platform use TLS/HTTPS.
  • Access controls: Access to the Platform and administrative systems is secured by authentication. Internal access rights are limited to the minimum necessary.
  • Tenant separation: Customer data and workspaces are isolated from each other and cannot be shared across accounts.
  • Availability: Infrastructure is operated with a professional hosting provider (Hostinger). Backup processes are in place.
  • Software security: Security-relevant updates are applied promptly.
  • Staff confidentiality: Persons with access to personal data are bound by confidentiality obligations.

These measures are reviewed regularly and updated as required. Further certifications (e.g. ISO 27001, SOC 2) are not currently in place.