Data Processing Agreement (DPA)

According to Art. 28 GDPR

Last updated: April 14, 2026

This Data Processing Agreement ("DPA") supplements the Terms and Conditions of the PropyBot service and applies when the Customer (as Controller) stores or processes personal data of third parties (e.g. tenant data, owner data, business contacts) within PropyBot. In this case, Acheros acts as a Processor within the meaning of Art. 28 GDPR.

Download as PDF: Data Processing Agreement (PDF) — print, sign, and return to info@propybot.com.

§ 1 Subject Matter, Duration, and Nature of Processing

Subject matter: The Processor provides a web-based real estate management platform (PropyBot). In the course of using the Service, the Controller may enter personal data of data subjects into the platform.

Duration: The processing begins when the Controller's account is activated and ends upon deletion of the account or termination of the subscription, plus any statutory retention periods.

Nature and purpose: Storage, display, organization, and export of real estate data entered by the Controller, including property details, financial calculations, notes, documents, and images.

§ 2 Types of Personal Data

The following categories of personal data may be processed:

  • Names, addresses, and contact information of tenants, property owners, or business contacts
  • Financial data related to properties (rent amounts, purchase prices, mortgage terms)
  • Notes and free-text fields that may contain personal information at the Controller's discretion
  • Uploaded documents and images that may depict or reference identifiable persons

§ 3 Categories of Data Subjects

  • Tenants of properties managed by the Controller
  • Property owners, sellers, or agents
  • Business contacts (brokers, notaries, banks)
  • Any other persons whose data the Controller enters into PropyBot

§ 4 Obligations of the Processor

  1. The Processor shall process personal data only on documented instructions from the Controller (Art. 28(3)(a) GDPR), unless required to do so by EU or member state law. The instructions are defined by the scope of the Service as described in the Terms and Conditions and any written amendments agreed between the parties.
  2. The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).
  3. The Processor shall take all measures required pursuant to Art. 32 GDPR (security of processing), including but not limited to:
    • Encryption of data in transit (TLS 1.2+) and at rest
    • Regular automated backups (retained for 14 days minimum)
    • Access control via authentication (password + optional MFA)
    • Logical separation of customer data (per-account isolation)
    • Regular security updates for all software components
    • Payment data handled exclusively by PCI-DSS Level 1 certified sub-processor (Stripe)
  4. The Processor shall not engage another processor without prior specific or general written authorization of the Controller (Art. 28(2) GDPR). The current sub-processors are listed in § 7 below. Changes will be communicated with at least 30 days' notice.
  5. The Processor shall assist the Controller in fulfilling obligations to respond to data subject requests (access, rectification, erasure, portability) under Arts. 15–22 GDPR, taking into account the nature of the processing (Art. 28(3)(e) GDPR).
  6. The Processor shall assist the Controller in ensuring compliance with obligations under Arts. 32–36 GDPR (security, breach notification, impact assessment, prior consultation), taking into account the nature of processing and the information available to the Processor (Art. 28(3)(f) GDPR).
  7. At the choice of the Controller, the Processor shall delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or member state law requires storage (Art. 28(3)(g) GDPR). Account data is deleted within 30 days of account closure. Invoices are retained for 10 years per § 147 AO.
  8. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Art. 28(3)(h) GDPR). Audits shall be conducted with reasonable notice and during business hours.

§ 5 Obligations of the Controller

  1. The Controller is responsible for the lawfulness of the data processing and for safeguarding the rights of data subjects. The Controller determines the purposes and means of processing.
  2. The Controller shall ensure that they have a valid legal basis for entering personal data of third parties into PropyBot (e.g. consent, legitimate interest, contractual necessity).
  3. The Controller shall inform the Processor without delay if they identify errors or irregularities regarding data protection provisions in the processing of personal data.

§ 6 Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach (Art. 33(2) GDPR). The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
  • The name and contact details of the Processor's data protection contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

The Processor shall cooperate with the Controller and take reasonable steps to mitigate the effects of the breach.

§ 7 Sub-Processors

The Controller grants the Processor general authorization to engage the following sub-processors. The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object.

Sub-Processor                | Purpose                                            | Location      | Safeguard
-----------------------------|----------------------------------------------------|---------------|---------------------------------------
Stripe Payments Europe Ltd.  | Payment processing, invoicing                      | Ireland / USA | EU–U.S. Data Privacy Framework
Google Ireland Ltd.          | Maps, reCAPTCHA, Analytics (with consent), Fonts   | Ireland / USA | EU–U.S. Data Privacy Framework
Hosting provider ²           | Server infrastructure, database hosting            | EU            | GDPR Art. 28 DPA in place
Email provider ²             | Transactional email delivery                       | EU / USA      | EU–U.S. Data Privacy Framework or SCCs

² Specific hosting and email providers will be named once the production infrastructure is finalized. This DPA will be updated accordingly.

§ 8 Transfer to Third Countries

The Processor shall not transfer personal data to a country outside the EEA without ensuring that an adequate level of protection exists (Art. 44–49 GDPR). Currently, transfers to the United States are safeguarded by the EU–U.S. Data Privacy Framework (adequacy decision per Art. 45 GDPR). Should this framework be invalidated, the Processor will implement Standard Contractual Clauses (SCCs) or cease the transfer.

§ 9 Liability

The liability of Controller and Processor towards data subjects is governed by Art. 82 GDPR. The internal liability between Controller and Processor is governed by the Terms and Conditions and applicable law.

§ 10 Term and Termination

This DPA is effective for the duration of the subscription agreement and any applicable statutory retention periods. Either party may terminate this DPA if the other party materially breaches its obligations and does not remedy the breach within 30 days of written notice.

Upon termination, the Processor shall delete or return all personal data in accordance with § 4(7).

§ 11 Applicable Law

This DPA is governed by the laws of the Federal Republic of Germany and the provisions of the GDPR. In case of conflict between this DPA and the Terms and Conditions, this DPA prevails with respect to data protection matters.

Signatures

This DPA becomes effective upon acceptance of the Terms and Conditions by the Controller (electronic acceptance at registration) or upon return of a signed copy.

Processor:

Acheros
Benjamin Schnabel
Lutherstr. 35
08468 Reichenbach (Vogt.)
Germany

Date: ____________________

Signature: ____________________

Controller:

Company: ____________________
Name: ____________________
Address: ____________________
____________________

Date: ____________________

Signature: ____________________

Contact for data protection matters: info@propybot.com