Auftragsverarbeitungsvertrag (AVV) / Data Processing Agreement (DPA)
The English version is legally binding.
Version: September 2025
between
Shiftup GmbH,
In der Hardt 18,
76698 Ubstadt-Weiher, Germany,
hereinafter referred to as “Processor”
and
any public authority, organisation, association, cooperative, company, or other legal entity creating an account on the ShiftUp platform and accepting the General Terms and Conditions,
hereinafter referred to as “Controller”
Preamble
The Controller would like to task the Processor with the services outlined in § 2 of this Agreement. Contract implementation also includes the processing of personal data. The General Data Protection Regulation (GDPR), particularly Article 28, places certain requirements on processing of personal data carried out on behalf of a controller. To comply with these requirements, the Parties hereby enter into the following agreement. The implementation of the Agreement shall not be compensated separately, unless explicitly stated otherwise.
1. Definitions
Terms used in this Agreement which are defined in Articles 4, 9 and 10 GDPR shall have the same meaning as established by the relevant GDPR provision.
2. Object
2.1 On behalf of the Controller and based on the Contract agreed to upon creation of an account and acceptance of the General Terms and Conditions (“Principal Agreement”), the Processor shall carry out services in the following sectors for the Controller:
- Operation of a web-based Software-as-a-Service platform for project management and participant data collection, specifically:
  - Processing and storage of participant registration data
  - Processing of survey responses
  - Management of participant contact information
  - Display of event registration data retrieved via a third-party service and storage of event identifiers
  - Handling of digital communication with participants
  - Storage and management of project-related inquiries from participants
- Technical infrastructure services:
  - Hosting of the platform in ISO 27001-certified data centres in Germany
  - Data backup and recovery
  - Technical security measures
  - System maintenance and updates
In doing so, the Processor shall gain access to personal data and shall process said data exclusively on behalf of and according to the instructions given by the Controller, unless otherwise required by EU law or a legal provision of one of the Member States applicable to the Processor. The scope and purpose of the Processor’s data processing are as concluded in the Principal Agreement (and, if applicable, the corresponding service description), as well as described in Annex 1 to this Agreement. The Controller shall be the sole judge of the lawfulness of the processing under Article 6 (1) GDPR.
2.2 The Parties have agreed to the following in order to specify their mutual rights and obligations under data protection law. In case of doubt, the provisions of this Agreement shall supersede the provisions of the Principal Agreement.
2.3 The provisions laid out by this Agreement shall be applicable to all activities which are performed in connection with the Principal Agreement and by the Processor, their employees or agents when encountering personal data originating from, collected for or otherwise processed on behalf of the Controller.
2.4 The duration of this Agreement shall be the same as the duration of the Principal Agreement, unless the following provisions stipulate further obligations or rights of termination.
2.5 Any agreed upon data processing shall take place solely in a Member State of the European Union or in another state that is a Contracting Party to the Agreement on the European Economic Area. Any relocation of any part or the whole of the service to a third country may only occur if the special requirements of Article 44 et seq. GDPR are fulfilled, and shall be subject to the Controller’s prior agreement in writing or in documented electronic format.
3. Nature of the data processed, group of data subjects
In applying the Principal Agreement, the Processor shall receive access to the personal data specified in Annex 1, belonging to the group(s) of data subjects also specified in Annex 1. This data includes no special categories of personal data according to Article 9 GDPR.
4. Right to instruct
4.1 The Processor may only collect, use or otherwise process data within the scope of the Principal Agreement and according to the Controller’s instructions; this applies in particular to the transfer of personal data to a third country or to an international organisation. If the Processor must carry out further processing due to EU law or the law of an EU Member State applicable to the Processor, the Processor shall notify the Controller of these legal requirements before any such processing takes place.
4.2 The Controller’s instructions shall initially be determined by this Agreement, though they may be changed, amended or replaced by individual instructions in written or documented electronic format (“Individual Instruction”). The Controller shall have the right to issue such instructions at any time. Changes may include instructions regarding the rectification, erasure and blocking of data. Persons authorised to give, or respectively receive, instructions are specified in Annex 4. In case of a change or longer-term unavailability of the designated persons, the successor or substitute shall be made known to the other Contracting Party without undue delay. Notification in text form as defined in Section 126b German Civil Code shall be sufficient.
4.3 The Controller and Processor shall document all instructions given and keep such documentation for the duration of their validity, and for three full calendar years thereafter. Instructions going beyond the service as agreed upon by the Principal Agreement shall be deemed a Change Request. Arrangements regarding possible compensation of additional expenses resulting from supplementary instructions given to the Processor by the Controller shall remain unaffected.
4.4 Should the Processor suspect that an instruction given by the Controller goes against data protection requirements, the Processor shall notify the Controller accordingly without undue delay. The Processor is entitled to suspend execution of the instruction in question until confirmation or change by the Controller is received. The Processor is entitled to refuse execution of an evidently unlawful instruction.
5. Protective measures by the Processor
5.1 The Processor shall comply with legal data protection requirements and shall not transfer or make accessible to third parties information originating in the Controller’s sphere. Taking into account the state of the art, documents and data shall be appropriately secured against accessibility by unauthorised persons.
5.2 Within its area of responsibility, the Processor shall shape its internal organisation in a manner that is compliant with the special requirements of data protection. The Processor shall also ensure that it has implemented all necessary technical and organisational measures under Article 32 GDPR, particularly the measures specified in Annex 2. Insofar as the processing includes special categories of personal data, the Processor shall additionally implement the adequate and specific measures laid down in Section 22 (2) of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). Upon the Controller’s request, the Processor shall disclose the particulars of how these measures are determined and implemented.
The Processor reserves the right to change the implemented security measures, provided that it ensures that these do not fall short of the contractually agreed upon level of protection.
5.3 As advisor for data protection the Processor has appointed:
Florian Bonert
Email: privacy@shiftup.energy
Phone number: +49 (0) 1567 8293 656
5.4 The persons tasked with data processing and employed by the Processor are prohibited from collecting, using or otherwise processing personal data without authorisation. The Processor shall ensure that all persons (hereafter referred to as “personnel”) tasked with processing and fulfilling this Agreement have committed themselves to the obligation of confidentiality under Article 28 (3) lit. b GDPR. The Processor has a duty to instruct personnel about the special data protection obligations arising from this Agreement, as well as the existing purpose limitation and the binding commitment to instructions. The Processor shall take due care to ensure compliance with the abovementioned obligations. The obligations shall be drafted so as to remain in force beyond the termination of this Agreement or of the employment relationship between the employee and the Processor. Upon the Controller’s request, the Processor shall provide proof of these obligations in an adequate manner.
6. Processor information obligations
6.1 In case of disturbances, suspected data breaches, breaches of contractual obligations on the part of the Processor, suspected security incidents or other irregularities with regards to the processing of personal data by the Processor, by persons tasked within the framework of the Agreement or by third persons, the Processor shall inform the Controller accordingly in writing or in a documented electronic format without undue delay. The same applies to audits of the Processor carried out by the Data Protection Authority. To the extent possible, notification about a personal data breach shall contain the following information:
- a description of the nature of the personal data breach including, where possible, the categories and number of data subjects potentially affected, and the categories and number of personal data records concerned;
- a description of the likely consequences of the personal data breach, and
- a description of the measures taken or proposed by the Processor to address the personal data breach, including, where appropriate, measures to mitigate any possible adverse effects.
6.2 The Processor shall take all necessary measures to secure the data and mitigate possible adverse effects on the data subject(s) without undue delay. The Processor shall also inform the Controller of these measures and request further instructions.
6.3 Additionally, insofar as the Controller’s data is affected by a breach outlined in § 6 (1) of this Agreement, the Processor shall provide details to the Controller at any time.
6.4 The Processor shall, in an adequate manner, assist the Controller in ensuring compliance with the Controller’s obligations under Articles 33 and 34 GDPR (Article 28 (3) sent. 2 lit. f GDPR). The Processor shall only execute notifications under Articles 33 or 34 GDPR on behalf of the Controller upon the Controller’s prior instruction as outlined in § 4 of this Agreement.
6.5 In case the Controller’s data is put at risk due to seizure or confiscation at the Processor’s premises, because of insolvency or composition proceedings, or because of other events or measures taken by third parties, the Processor shall inform the Controller accordingly and without undue delay, unless prohibited from doing so by court or administrative order. In this context, the Processor shall, without undue delay, inform all competent entities that, as “Controller” under the GDPR, the Controller bears sole decision-making authority with regard to the data.
6.6 In case of substantial changes to the security measures under § 5 (2) of this Agreement, the Processor shall notify the Controller accordingly, without undue delay.
6.7 In case of a change of the person fulfilling the role of the advisor for data protection the Processor shall, without undue delay, notify the Controller accordingly.
6.8 The Processor and, if applicable, its representative shall maintain a record of all processing activities carried out on behalf of the Controller, containing all specifications required under Article 30 (2) GDPR. The record shall be made available to the Controller upon request.
6.9 The Processor shall, to adequate extent, also contribute to the record the Controller establishes regarding the processing activities. The Processor shall also contribute to any data protection impact assessment the Controller establishes under Article 35 GDPR, and if applicable, when a prior consultation of supervisory authorities under Article 36 GDPR takes place. The Processor shall in each case convey the necessary specifications to the Controller in an appropriate manner.
7. Control rights of the Controller
7.1 Prior to the start of the data processing, and then on a regular basis, the Controller shall satisfy itself of the technical and organisational measures taken by the Processor. To this end, it can, for example, obtain information from the Processor or require to see existing attestations by experts, certifications or internal audit reports. The Controller may, after timely coordination and during normal business hours, also personally check the Processor’s technical and organisational measures or have them checked by an expert third party, unless the latter is in a competitive relationship with the Processor. The Controller shall conduct controls only to the extent necessary so as not to unduly disturb the Processor’s business operations.
7.2 Upon the Controller’s verbal, written or electronic request, the Processor shall, in a timely manner, provide it with all information and records necessary for controlling the Processor’s technical and organisational measures.
7.3 The Controller shall document the control result and notify the Processor accordingly. In case of mistakes or irregularities detected by the Controller, particularly when assessing order results, the Controller shall inform the Processor accordingly without undue delay. If the control reveals issues to be avoided in the future that require changes to the ordered process, the Controller shall, without undue delay, notify the Processor of the necessary changes.
7.4 Upon request, the Processor shall provide the Controller with a comprehensive and up to date data protection and security concept for the data processing and regarding authorised persons for access.
7.5 Upon request, the Processor shall provide the Controller with the employee obligation under § 5 (4) of this Agreement.
7.6 The Controller shall reimburse the Processor for the expenses incurred in the course of the control.
8. Engagement of subcontractors
8.1 The contractually agreed upon services, or the parts of the services described hereafter, will be executed by involving the subcontractors named in Annex 3. Within the scope of its contractual obligations, the Processor shall be entitled to establish further subcontracting relationships. The Processor shall, without undue delay, notify the Controller thereof. The Processor shall carefully select subcontractors according to their suitability and reliability. When engaging subcontractors, the Processor shall ensure their commitment to confidentiality in line with the provisions of this Agreement and ensure that the Controller is able to directly exercise its rights under the Agreement (particularly the rights of audit and control) against the subcontractors. If subcontractors from a third country are involved, the Processor shall ensure that an adequate level of data protection is guaranteed by the subcontractor in question (for example, by establishing an agreement according to the EU standard data protection clauses). Upon request, the Processor shall demonstrate the conclusion of the aforementioned agreements with its subcontractors.
8.2 When the Processor charges a third party with a purely ancillary service, this shall not constitute a subcontractor relationship within the meaning of these provisions. Such ancillary services include, but are not limited to, postal, transport and shipping services, cleaning services, security services, and telecommunications services without concrete reference to services provided by the Processor to the Controller. Maintenance and testing services constitute subcontractor relationships requiring approval insofar as they are provided for IT systems also used in connection with the Processor’s provision of services on behalf of the Controller.
9. Data subject inquiries and rights
9.1 The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligations as established under Articles 12 to 22, 32, and 36 GDPR.
9.2 If a data subject asserts their rights regarding their data directly against the Processor, the Processor shall not react independently. Rather, the Processor shall refer the data subject to the Controller without undue delay and await the Controller’s instructions on how to proceed.
9.3 The Controller shall reimburse the Processor for the expenses incurred in the course of the supportive services.
10. Liability
10.1 The Controller and the Processor shall be liable to the data subjects in accordance with the provisions of Article 82 GDPR. The Processor shall coordinate with the Controller regarding any possible fulfilment of liability claims.
10.2 At first request, the Processor shall exempt the Controller from all claims data subjects assert against the Controller due to the breach of an obligation imposed on the Processor by the GDPR, or due to the Processor’s failure to comply with an instruction outlined in this Agreement or given separately by the Controller.
10.3 The Parties shall each release themselves from liability if/insofar as one Party proves that they are in no way responsible for the circumstance through which the damage occurred to a data subject. Apart from that, Article 82 (5) GDPR shall apply.
10.4 Unless otherwise stipulated above, the liability within the scope of this Agreement shall correspond to that of the Principal Agreement.
11. Right to extraordinary termination
The Controller may terminate the Principal Agreement, in whole or in part, without notice if the Processor fails to fulfil its obligations under this Agreement, intentionally or through gross negligence violates the provisions of the GDPR or other applicable data protection provisions, is unable or unwilling to execute an instruction given by the Controller, or opposes the Controller’s rights of control in a manner contrary to the contractual terms. In particular, failure to comply with the obligations agreed in this Agreement and derived from Article 28 GDPR constitutes a serious infringement.
12. Termination of the Principal Agreement
12.1 After termination of the Principal Agreement, or at any time upon the Controller’s request, the Processor shall return to the Controller all documents, data and data carriers made available to it or delete them at the Controller’s request, unless such deletion is prohibited by EU law or the laws of the Federal Republic of Germany. This also applies to any data backups made by the Processor. The Processor must provide documentation of the proper deletion of any data still available.
12.2 The Controller has the right to verify that the Processor has completed the contractually correct return or deletion of the data in an appropriate manner. Conversely, the Controller may have such verification done through an expert third party, provided that the third party is not in a competitive relationship with the Processor.
12.3 The Processor must retain the confidentiality of any data that has become known to it in connection with the Principal Agreement beyond the end of the Principal Agreement. This Agreement shall remain valid beyond the end of the Principal Agreement for as long as the Processor has personal data supplied by or collected for the Controller at the Processor’s disposal.
13. Final provisions
13.1 The Parties agree that the Processor’s right to assert retention under Section 273 of the German Civil Code (Bürgerliches Gesetzbuch, BGB) is excluded with regard to the data to be processed and the corresponding data carriers.
13.2 To be valid, any changes and amendments to this Agreement must be rendered in writing in a documented electronic format. This also applies to a change in this formal requirement. This shall not apply to the priority of individual contract agreements.
13.3 Should any provision of this Agreement be invalid or become partially or entirely invalid or unenforceable, the remainder of this Agreement shall remain valid and in force.
13.4 This agreement shall be governed by and construed in accordance with German Law. Each Party agrees to submit to the sole jurisdiction of the registered office of the Processor.
Annexes:
- Annex 1 – Description of the data subjects / groups of data subjects as well as the data / data categories requiring special protection
- Annex 2 – Technical and organisational measures by the Processor
- Annex 3 – Approved Subcontractors
- Annex 4 – Persons allowed to issue/receive instructions
Annex 1 – Description of the data subjects / groups of data subjects as well as the data / data categories requiring special protection
A. Data subjects / groups of data subjects:
- Users of the Controller’s project website
- Residents within the project area
- Administrative users of the platform appointed by the Controller
B. Categories of personal data:
- Basic personal information:
  - Name (first name, last name)
  - Contact information (email address, telephone number)
  - Postal address (street, house number, postal code, city)
- Technical data:
  - Authentication tokens (encrypted)
  - Connection data for security and verification
  - Usage data of the platform
  - Click routes and interaction data
  - Aggregated, anonymised website usage metrics (e.g., visitor counts, session data, page views, registrations)
- Project-specific data:
  - Building-related information
  - Energy consumption data
  - Responses to surveys and questionnaires
  - Other questions/inquiries submitted through the platform
  - Media-related data (e.g., uploaded files, embedded content references)
  - User-generated content (e.g., questions, feedback, or text entries)
- Event management and ticketing data linked to respective projects:
  - Event title
  - Event page reference (slug) and event ID
  - Attendance reference (slug)

  Note: Event registration data (e.g., selected ticket type) and attendance data (e.g., check-in status or time) are processed via API calls to Tito, the third-party event management and ticketing platform. ShiftUp’s systems only process this data as part of the integration and do not directly store it.
- Contract and administrative data:
  - Contract information
  - User role assignments
  - Communication preferences
  - Activity logs (e.g., tracked interactions)
  - Administrator-specific data (e.g., access permissions)
Important:
Special categories of personal data according to Article 9 GDPR must not be processed as part of the standard services. This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. Controllers must ensure no such data is submitted or processed through the platform.
Annex 2 – Technical and organisational measures by the Processor
The Processor shall implement and maintain the following technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk associated with the processing of personal data, in compliance with Article 32 GDPR. These measures include:
1. Confidentiality (Article 32(1)(b) GDPR)
1.1 Physical Access Control
- Cloud infrastructure hosted within German/EU jurisdiction using Amazon Web Services (AWS), specifically in ISO 27001-certified data centres in Frankfurt am Main, Germany
- Servers positioned within physically protected security areas with restricted access
- Company operates under a remote-first policy, with no fixed physical office for employees, while maintaining a registered company address at the CEO’s residence
1.2 Electronic Access Control
- Mandatory password requirements (minimum 12 characters, including numbers, lowercase, uppercase, and special characters)
- Mandatory multi-factor authentication (2FA/MFA) for security-sensitive systems
- Automatic time-based blocking after multiple failed login attempts
- Use of company-provisioned password manager for storing login information
1.3 Internal Access Control
- Access rights strictly based on job responsibilities
- Access to production database limited to CTO and CEO
- Development team has access to separate development and test database
- Production data is never used for test or development purposes
- Annual review of roles, responsibilities, and access rights
2. Integrity (Article 32(1)(b) GDPR)
2.1 Data Transfer Control
- Encryption for all data in transit
- Implementation of HTTPS using TLS 1.3
- All databases are encrypted
- Use of state-of-the-art cryptographic methods
2.2 Data Input Control
- Comprehensive logging system for user interactions and technical system events, with logs stored securely
- Regular evaluation and monitoring of logs to detect anomalies
- Input validation on both client and server sides to prevent unauthorised or malicious inputs
3. Availability and Resilience (Article 32(1)(b) GDPR)
3.1 Availability Control
- Automated daily backups of all databases and infrastructure setup, with retention and regular verification
- Storage of backups in multiple geographic zones to ensure redundancy
- Implementation of redundant systems (e.g., failover servers) for critical infrastructure
3.2 Rapid Recovery (Article 32(1)(c) GDPR)
- Implemented incident response and disaster recovery plans
- Defined protocols for handling security breaches, including immediate notification of affected individuals, where necessary
- System architecture designed for high availability and resilience, with minimal downtime during failover scenarios
4. Procedures for Regular Testing (Article 32(1)(d) GDPR)
4.1 Data Protection Management
- Regular review and updates of security concept to ensure it remains effective
- Implementation of privacy by design principles for all new projects and system updates
- Regular training and awareness programs for employees covering IT and data protection topics
- Documentation of all security measures and protocols
5. Additional Technical Measures
5.1 Development Security
- Use of GitHub for version control with controlled access based on user roles and responsibilities
- Structured development process with multiple review stages, including peer code reviews and automated checks before deployment
- Separate staging and production environments to ensure secure testing and validation of new features
- Regular updates and patch management for third-party libraries and tools used in development
- Thorough testing in staging environments to identify and resolve issues before deployment to production
5.2 Archive Management
- Clear, documented rules for data retention periods, with automatic enforcement where possible
- Secure deletion of archived data after retention period
- Archive access limited to CTO and CEO
- Dedicated archive systems of the production database
Annex 3 – Approved Subcontractors
The following companies are approved subcontractors under § 8 of this Agreement:
| Subcontractor | Processing location | Processing description |
|---|---|---|
| Amazon Web Services EMEA SARL, Niederlassung Deutschland, Marcel-Breuer-Str. 12, 80807 München, Germany | Frankfurt am Main, Germany | Provides cloud infrastructure and storage services for hosting and processing data, including the secure storage of personal and operational data for platform functionality and backups. |
| Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany | Germany, France, Belgium | Provides a digital marketing and customer communication platform offering tools for email delivery, SMS, and marketing automation, including the processing of contact and usage data for campaign management, analytics, and performance optimisation. |
| Functional Software Inc. (Sentry), 45 Fremont St, 8th Floor, San Francisco, CA 94105, United States of America | Frankfurt am Main, Germany | Provides error monitoring and debugging tools to track and resolve software issues in real time, including the processing of technical and usage data for performance analysis and troubleshooting. |
| Team Tito Limited, 64 Dame Street, Dublin, D02 RT72, Ireland | Dublin, Ireland | Provides an event management and ticketing platform, including the processing of attendee personal data as well as technical and usage data, for performance optimisation, and troubleshooting. |
Annex 4 – Persons allowed to issue / receive instructions and communication channels for instructions
The following person(s) shall be allowed to issue instructions for the Controller:
Those persons designated as account administrators in the ShiftUp platform (as maintained by the Controller).
The following person(s) shall be recipient(s) of instructions for the Processor:
- Florian Bonert, CEO of Shiftup GmbH (Email: privacy@shiftup.energy, Phone: +49 (0) 1567 8293 656)
- Dennis Kamau Njuguna, CTO of Shiftup GmbH (Email: privacy@shiftup.energy, Phone: +49 (0) 1567 8293 656)