Data Processing Agreement (DPA)

As of: March 19, 2026

This order processing agreement (“DPA”) supplements the main contract existing between the customer and Nickle AI regarding the use of the app “nickle”, agency services from Nickle AI or other services, insofar as Nickle AI processes personal data on behalf of the customer.

1. Parties and formation

This DPA is concluded between:

Nickle AI – Oreshin, Platon and Scheffler, Daniel GbR
Ludwig-Erhard-Strasse 10
34131 Kassel
Germany
Email: info@nickle.ai
– hereinafter “Nickle AI”, “processor” or – where relevant – “sub-processor” –

and

the customer who concludes a contract for the use of nickle, agency services or other services from Nickle AI
– hereinafter referred to as “Customer”, “Controller” or – where relevant – “Client” –.

This DPA is created in electronic form. It is considered effectively concluded as soon as the customer:

  1. expressly accepts the validity of this DPA when registering for, ordering or using a service provided by Nickle AI, or
  2. concludes a main contract, an offer, an order form, a statement of work or another agreement that refers to this DPA.

Nickle AI can document the time of acceptance and the version of this DPA in force at that time.

2. Preamble and scope

(1) As part of the use of the “nickle” app and as part of certain agency services, it may be necessary for Nickle AI to process personal data exclusively on behalf of and in accordance with the customer’s instructions. In these cases, this DPA applies.

(2) This DPA applies only if Nickle AI processes personal data within the meaning of Art. 28 GDPR on behalf of the customer.

(3) This DPA applies in particular to:

  • the use of the “nickle” app including workspace, team, organization, upload, search, analysis, automation, integration and AI functions,
  • project-related agency services in the areas of web, AI, automation, integrations, prototyping, workflow design, assistance systems and related digital services,
  • support, operation, maintenance and administration services, insofar as these require the processing of personal data on behalf of the customer.

(4) This DPA does not apply if Nickle AI processes personal data for its own purposes and is itself the controller for this processing. This applies in particular – where relevant – to processing for the following purposes:

  • initiation, conclusion, management and performance of its own contractual relationship with the customer,
  • invoicing, payment processing, receivables management and accounting,
  • its own legal evidence, retention and compliance obligations,
  • ensuring IT security, preventing misuse, protecting systems and defending against attacks,
  • its own business communication, sales and support organization,
  • disclosures required by law or other processing based on mandatory legal obligations.

(5) If the customer is itself a processor for a third party and Nickle AI processes personal data of that third party on the customer's instructions, Nickle AI acts as a sub-processor. In that case, the provisions of this DPA apply accordingly.

3. Definitions

Unless otherwise defined in this DPA, the definitions of the GDPR apply.

For the purposes of this DPA:

“Personal Data” means any information relating to an identified or identifiable natural person.

“Customer Data” means all personal data that Nickle AI processes on behalf of the customer in connection with the contractual services.

“Processing” means any operation or set of operations performed on personal data, whether or not by automated means, in particular collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Sub-processor” means any other processor that Nickle AI uses in whole or in part to provide the services.

“Data protection laws” means all data protection regulations applicable to the processing of personal data, in particular the GDPR, the BDSG and – where relevant – other national data protection regulations.

“Security Incident” means a breach of security that has resulted or may result in the destruction, loss, alteration or unauthorized disclosure of, or access to, Personal Data.

4. Subject, type and duration of processing

(1) The subject matter, type, purpose and scope of processing as well as the categories of personal data and data subjects result from this DPA, the main contract and Appendix 1.

(2) Nickle AI processes personal data exclusively to provide the contractually agreed services to the customer.

(3) Processing takes place for the duration of the main contract or for as long as Nickle AI processes personal data on behalf of the customer. Statutory retention obligations and technically unavoidable residual copies in backups remain unaffected; in these cases the data is blocked and retained only for legally or technically necessary purposes.

5. Processing based on instructions

(1) Nickle AI processes personal data exclusively on documented instructions from the customer, unless Nickle AI is obliged to process them differently by Union law or the law of a member state. In this case, Nickle AI will inform the customer before the processing, unless the law prohibits such notification.

(2) Documented instructions include in particular:

  • the provisions of the main contract,
  • this DPA and its appendices,
  • configurations, settings, role and authorization assignments, approvals, model or integration selections that the customer makes within the services,
  • individual instructions in text form, in particular by email, ticket system or another traceable communication channel,
  • in the agency context, additional briefings, approvals, project documents, statements of work, technical specifications and documented change requests.

(3) Oral instructions must be confirmed by the customer immediately in text form. Nickle AI can suspend the implementation of an instruction until it is confirmed, provided that this is objectively justified in its reasonable discretion.

(4) If Nickle AI is of the opinion that an instruction violates data protection laws, Nickle AI will inform the customer immediately. Nickle AI is entitled to suspend the implementation of the relevant instruction until it is confirmed or changed by the customer.

(5) Nickle AI will not use customer data for its own purposes. This does not affect the use of completely anonymized information, for which personal reference is definitively excluded.

6. Customer Duties and Responsibilities

(1) The customer is responsible for the lawfulness of the processing of personal data and for safeguarding the rights of data subjects.

(2) The customer warrants that he has a valid legal basis for the processing of personal data initiated by him and that he has fulfilled any information, documentation and proof obligations.

(3) The customer is responsible for

  • that the purpose, means and limits of the commissioned processing are sufficiently determined,
  • that only personal data whose processing is permitted are included in the services,
  • that special categories of personal data in accordance with Art. 9 GDPR as well as data with a special obligation of confidentiality are only processed to the extent that this is legally permissible and, if necessary, additional protective measures have been agreed,
  • that he adequately protects his own systems, access, devices, user accounts and authorizations,
  • that he immediately forwards requests from data subjects, requests from authorities or other matters relevant to data protection law to Nickle AI, insofar as these require Nickle AI's cooperation.

(4) The customer remains responsible for the data protection assessment and release of such content, data sources, integrations, tools, APIs or model configurations that he himself activates, selects or connects to third-party systems, unless these are determined by Nickle AI as part of the order processing.

7. Nickle AI Obligations

Nickle AI is particularly committed to:

  1. to process personal data only within the framework of the contractual agreements and documented instructions of the customer,
  2. to only entrust the processing to those persons who are obliged to maintain confidentiality,
  3. to take and maintain appropriate technical and organizational measures in accordance with Art. 32 GDPR,
  4. to support the customer to an appropriate extent in fulfilling his obligations in accordance with Art. 28(3)(e) and (f) GDPR,
  5. to provide the customer with all information necessary to demonstrate compliance with this DPA,
  6. to enable audits and inspections in accordance with these DPA,
  7. to inform the customer immediately if a security incident involving the customer's personal data becomes known,
  8. to use sub-processors only in accordance with Section 10,
  9. to delete or return personal data after the end of the contract in accordance with Section 15,
  10. to inform the customer immediately if, in Nickle AI's opinion, an instruction violates applicable data protection law.

8. Confidentiality and Access Authorization

(1) Nickle AI ensures that all persons authorized to process personal data only process personal data within the scope of the customer's instructions.

(2) Nickle AI ensures that these persons have been obliged to maintain confidentiality or are subject to an appropriate legal obligation of confidentiality.

(3) Access to personal data is restricted according to the need-to-know principle and based on a role and authorization concept.

9. Technical and organizational measures

(1) Nickle AI takes appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing.

(2) The basic measures currently implemented are described in Appendix 2.

(3) Nickle AI is entitled to further develop technical and organizational measures and to replace them with equivalent or better measures, provided that the contractually agreed level of protection is not undercut.

(4) If the customer has special security requirements, he will inform Nickle AI of these before processing begins. Such additional requirements only apply if they have been expressly agreed.

10. Sub-processors

(1) The customer hereby grants Nickle AI general permission to use sub-processors.

(2) The sub-processors used at the time this DPA comes into force can be found in Appendix 3.

(3) Nickle AI will inform the customer about intended changes in relation to the use or replacement of sub-processors in an appropriate manner, in particular by email, via a customer portal, in the account area or through other reasonable notification in text form.

(4) The customer can object to an intended change for important data protection reasons in text form within 14 days of receipt of the information. If no objection is made in a timely manner, the change is deemed approved.

(5) In the event of a justified objection, the parties will seek an appropriate solution in good faith. If no reasonable solution is found, the customer can terminate the part of the service affected by the change extraordinarily.

(6) Nickle AI will enter into an agreement with each sub-processor that imposes data protection obligations on it that essentially correspond to the level of protection in this DPA. If the sub-processor processes personal data on behalf of Nickle AI, Nickle AI will conclude a data processing agreement with the sub-processor that meets the requirements of Art. 28 GDPR.

(6a) If personal data is transferred to a third country in connection with the use of a sub-processor and there is no adequacy decision by the European Commission, Nickle AI ensures that suitable guarantees in accordance with Art. 44 ff. GDPR exist for this transfer, in particular by concluding the relevant standard contractual clauses of the European Commission and - if necessary - through additional protective measures.

(7) Nickle AI remains responsible to the customer for the fulfillment of the sub-processor's obligations.

(8) Auxiliary or ancillary services for which there is no regular access to the customer's personal data or which are only of a purely subordinate nature, such as telecommunications services, postal and transport services, general maintenance or disposal services, are not considered sub-processors within the meaning of this DPA, provided that an appropriate level of protection is ensured.

(9) If the customer independently activates or connects third-party providers, integrations, external APIs, MCP tools, plugins or connectors within the services that lie outside the standard services set by Nickle AI, the customer is generally responsible for their data protection assessment, unless Nickle AI has expressly accepted their use as part of the order processing.

11. International data transfers

(1) Processing of personal data can also take place outside the European Union or the European Economic Area - depending on the infrastructure used, model configuration, hosting region, integration or sub-processor.

(2) Nickle AI will only transfer personal data to a third country or have it processed there if the requirements of Art. 44 ff. GDPR are met.

(3) To the extent that sub-processors are used in third countries or personal data can be accessed from there and there is no adequacy decision from the European Commission, Nickle AI will ensure through appropriate guarantees that the level of protection required by the GDPR is maintained. This includes, in particular, the conclusion of the relevant standard contractual clauses of the European Commission as well as - where legally required - additional technical, organizational or contractual measures.

(4) Nickle AI will present the relevant transfer basis for the respective third country transfer in an appropriate form upon request from the customer.

(5) Suitable guarantees can in particular be:

  • an adequacy decision by the European Commission,
  • European Commission Standard Contractual Clauses,
  • binding corporate rules (BCR),
  • other legally permissible guarantees or exceptions.

(6) To the extent that different models, regions or integrations can be selected, the specific processing location may depend on the configuration selected by the customer.

12. Customer support

(1) Nickle AI supports the customer with appropriate technical and organizational measures, taking into account the type of processing and the information available to Nickle AI,

  • to process requests from data subjects,
  • to ensure the security of processing,
  • to assess and report personal data breaches,
  • to carry out data protection impact assessments,
  • to prepare consultations with supervisory authorities, if necessary.

(2) If a request from a data subject or an authority request is received directly by Nickle AI and it concerns the customer, Nickle AI will immediately forward the request to the customer, provided forwarding is legally permissible.

(3) Nickle AI will generally not respond substantively to data subjects or authorities without prior consultation with the customer, insofar as the matter concerns processing on behalf of the customer, unless Nickle AI is legally obliged to do so.

13. Reporting of Security Incidents

(1) Nickle AI will inform the customer immediately after becoming aware of a security incident to the extent that personal data is affected that Nickle AI processes on behalf of the customer.

(2) As far as possible and appropriate at the time, the notification contains in particular:

  • the nature of the incident,
  • the affected data categories,
  • the known or likely consequences,
  • the countermeasures already taken or proposed,
  • a contact person for questions.

(3) The information is initially provided based on the available level of knowledge and is supplemented as necessary.

14. Evidence, audits and inspections

(1) Upon request, Nickle AI will provide the customer with the information necessary to demonstrate compliance with this DPA.

(2) To prove compliance, Nickle AI can provide the customer with current documents, self-disclosures, audit reports, certificates, test reports, security documentation or equivalent evidence.

(3) If this evidence is not sufficient in an individual case, the customer is entitled to have an inspection carried out after reasonable advance notice and no more than once per calendar year, unless a special reason - such as a significant security incident or an official order - justifies a more frequent inspection.

(4) Audits must be carried out in such a way that Nickle AI's operations, security measures, confidentiality interests and the rights of other customers are not unreasonably impaired. Nickle AI may request that audits be carried out primarily as a document review, remote audit or interview, as long as this is sufficient in the individual case.

(5) On-site inspections are only permitted if milder means of checking compliance are not sufficient and Nickle AI's legitimate confidentiality and security interests are safeguarded.

(6) The customer bears the costs of his own audit. Support services from Nickle AI that go beyond the legally owed cooperation can be invoiced based on reasonable effort, unless otherwise agreed.

15. Deletion and return of data

(1) After termination of the contractual services, Nickle AI will delete or return personal data at the customer's discretion, unless there is a statutory retention requirement or another legally permissible reason for retention.

(2) If technically provided, deletion can also be carried out by the customer removing or exporting data himself and Nickle AI deleting any remaining data after the agreed deadlines have expired.

(3) Backups and backup copies will be removed as part of normal deletion and overwriting cycles if immediate, isolated deletion is not technically possible or can only be implemented with disproportionate effort. During this time, the data remains blocked and is no longer processed productively.

(4) Upon request, Nickle AI will confirm the deletion or return in an appropriate form.

16. Special provisions for AI functions

(1) To the extent that the services include AI-supported functions, model access, retrieval, search, analysis, automation or generation functions, Nickle AI processes the content provided by the customer exclusively to provide the functionalities requested by the customer.

(2) Depending on the function selected, the following can be processed in particular:

  • prompts and other text input,
  • uploaded files and attachments,
  • context information,
  • generated outputs,
  • log, usage and diagnostic data,
  • team- or organization-related administrative data.

(3) Unless expressly agreed otherwise or specified by a third-party provider or model configuration actively selected by the customer, Nickle AI does not use customer data to train third-party AI models.

(4) The customer remains responsible for checking whether certain data – in particular special categories of personal data, professional secrets, trade secrets or other highly sensitive information – may be included in the AI functions and whether additional protective measures are required.

17. Special provisions for agency services

(1) For agency services, the distribution of roles under data protection law depends on the specific project.

(2) This DPA only applies in the agency context to the extent that Nickle AI processes personal data exclusively on behalf of and according to the instructions of the customer.

(3) To the extent that Nickle AI determines its own purposes or essential means of processing in the context of consulting, conception, architecture, product design, its own choice of methods, quality assurance, security assessment or other independent decisions, Nickle AI may be the responsible party in whole or in part or jointly responsible. This DPA does not apply to such processing.

(4) Project-specific deviations, additional security requirements, special data categories, industry-specific specifications, customer-specific deletion concepts or additional sub-processors can be specified in project documents, offers, order forms, statements of work or separate appendices.

18. Compensation

(1) Unless otherwise agreed in the main contract, the usual services provided by Nickle AI under this DPA are compensated for by the contractually agreed remuneration.

(2) Additional support services that go beyond the legally required scope, in particular exceptional audit support, individual security questionnaires, extensive export or migration services, project-specific special measures or short-term special audits, can be invoiced at reasonable expense.

19. Liability

(1) The legal provisions and the liability provisions of the main contract apply to the liability of the parties, insofar as these are compatible with mandatory data protection law.

(2) Mandatory liability provisions of the GDPR, in particular Article 82 GDPR, remain unaffected.

20. Term, Changes and Ranking

(1) This DPA comes into force upon its effective conclusion in accordance with Section 1 and applies for the duration of the processing of personal data on behalf of the customer.

(2) Nickle AI can change this DPA with effect for the future, provided that the customer's level of protection is not unreasonably diminished, if this is necessary

  • to implement changes in the legal situation, case law or official requirements,
  • to further develop services, processes or sub-processors, or
  • to make editorial clarifications or improvements.

(3) Nickle AI will inform the customer in an appropriate manner about any significant changes before they come into force. If the customer does not object to a significant change within a reasonable period of time or continues to use the services after it comes into force, the changed version is deemed to have been agreed to, to the extent this is legally permissible. Statutory or contractual special termination rights remain unaffected.

(4) In the event of contradictions between this DPA and the main contract, this DPA takes precedence with regard to order processing.

21. Final provisions

(1) If individual provisions of these DPA are or become ineffective in whole or in part, the effectiveness of the remaining provisions remains unaffected.

(2) The invalid or unenforceable provision is replaced by an effective provision that comes closest to the economic and data protection purpose of the original provision.

(3) German law applies unless mandatory data protection regulations provide otherwise.


Appendix 1 – Details of processing

A. General description

1. Subject of processing

The subject of the processing is the provision of the contractually agreed services by Nickle AI, in particular the operation and provision of the app “nickle” as well as – where relevant – the provision of project-related agency services.

2. Duration of processing

For the duration of the main contract or the project-related provision of services and - if necessary - until returned or deleted in accordance with these DPA.

B. Processing in connection with the “nickle” app

1. Type and purpose of processing

  • Provision and operation of the platform
  • Management of user accounts, workspaces, teams and organizations
  • Processing inputs, uploads and attachments
  • Execution of AI-powered functions, searches, analysis, transformations and generations
  • Storing, structuring, retrieving and managing content
  • technical administration, monitoring, error analysis, support and system security

2. Categories of data subjects

  • Users of the customer
  • Employees, representatives, agents or other members of the customer's organization
  • End users or other persons whose data is processed by the customer via the platform

3. Categories of personal data

  • Identification and contact information (e.g. name, email address, telephone number)
  • Account and Registration Information
  • Authentication data and login related information
  • Team, role and organizational data
  • Communication data
  • Usage, device, diagnostic and log data
  • Content from inputs, prompts, uploads, attachments, outputs and history entries
  • other data that the customer processes as part of using the platform

C. Processing in connection with agency services

1. Type and purpose of processing

Depending on the order, in particular:

  • Conception, development, implementation, optimization and operation of digital solutions
  • technical integration, automation and workflow implementation
  • Prototyping, testing, debugging, deployment and support
  • Processing project-related content in customer systems or customer-provided environments
  • Use of agreed AI or automation functions in the project context

2. Categories of data subjects

Depending on the order, in particular:

  • Customer contacts and employees
  • Users of systems or applications operated by the customer
  • Customers, interested parties, employees or other persons whose data the customer processes in the project context

3. Categories of personal data

Depending on the order, in particular:

  • Contact person and communication data
  • Project, access and administration data
  • Files, documents, text, images, audio and other content
  • Test, usage and error data
  • AI-related inputs, contextual data and outputs
  • other personal data that the customer provides as part of the project or which he instructs to be processed

D. Special Categories of Data

Processing of special categories of personal data within the meaning of Art. 9 GDPR only takes place if the customer lawfully incorporates them into the services or expressly orders such processing and there is a corresponding legal basis.


Appendix 2 – Technical and organizational measures (TOMs)

The following measures describe the basic framework of technical and organizational protective measures currently provided by Nickle AI. They are risk-based and are continually reviewed and developed.

1. Confidentiality

1.1 Physical access control

  • Restrict physical access to premises and systems to authorized persons
  • Use of appropriate security measures in working and hosting environments
  • accompanied or controlled access for visitors, where relevant

1.2 System access control

  • Authentication mechanisms for internal systems and administration access
  • Role-based or function-related rights assignment
  • Least-privilege assignment of rights
  • Use of secure passwords and – where provided – additional protection mechanisms such as multi-factor authentication
  • Blocking, revoking or adjusting permissions when changing roles or leaving

1.3 Data access control

  • Restricting data access to authorized persons
  • Authorization concepts for applications, databases, storage and support access
  • Logging of security-relevant access and administrative processes, where appropriate
  • Client- or tenant-related separation, insofar as the respective service requires this

1.4 Separation requirement

  • Logical separation of customer environments, workspaces or organizations, if technically provided
  • Separation of development, test and production environments, where appropriate
  • separate processing according to purposes and authorizations

2. Integrity

2.1 Transfer control

  • Encrypted data transmission via current transport encryption (e.g. TLS/HTTPS)
  • Use of secure interfaces and transmission paths
  • Restriction and control of external data access

2.2 Input control

  • Traceable logging or historization of security-relevant changes, if technically provided
  • Assign administrative interventions and system changes to authorized accounts
  • Controlled release processes for productive changes, where appropriate

3. Availability and resilience

  • Backup and restore procedures based on risk assessment
  • Monitoring essential systems and services
  • Measures for error detection, troubleshooting and recovery
  • Protection against data loss and accidental destruction
  • Emergency and restart processes to an appropriate extent

4. Periodic review, assessment and evaluation procedures

  • regular review of technical and organizational measures
  • internal security and authorization management
  • Patch, update and vulnerability management to an appropriate extent
  • Documentation and processing of security events
  • Regular awareness raising and confidentiality obligation of the people involved

5. Encryption and protection of stored data

  • Transport encryption when transferring personal data
  • Encryption of stored data or infrastructure-based protection mechanisms, if technically provided and risk-adequate
  • Protection of keys, tokens and access data through appropriate organizational and technical measures

6. Organizational measures

  • Confidentiality obligation of employees and other authorized persons
  • Determination of internal responsibilities and approval processes
  • Need-to-know and least privilege principle
  • Regulated processes for support access, if necessary
  • Risk-based selection, control and review of sub-processors

Appendix 3 – Sub-processors

The sub-processors listed below may work for Nickle AI depending on the service used, configuration, region, function or project.

A. Standard sub-processor for the “nickle” app

1. Supabase, Inc.

Purpose: Database infrastructure, storage, authentication
Location/Reference: USA / possibly international processing

2. Render Services, Inc.

Purpose: Hosting, deployment, server execution, infrastructure
Location/Reference: USA / possibly international processing

3. Stripe Technology Company Limited

Purpose: Payment processing, subscription and billing infrastructure
Location/Reference: Ireland / EU

4. Sendinblue GmbH / Brevo

Purpose: Email communication, transactional messaging, communication workflows
Location/Reference: Germany / France / EU

5. Microsoft Corporation / Microsoft Azure

Purpose: AI infrastructure, model deployment, compute and cloud services
Location/Reference: depending on the region used

6. Google LLC / Google Cloud / Vertex AI

Purpose: AI infrastructure, model processing, cloud services
Location/Reference: depending on the region used

7. Jina AI GmbH

Purpose: Search and retrieval infrastructure or web search within the app, if used
Location/Reference: Germany / possibly international processing depending on the service design

8. GitHub, Inc.

Purpose: Development, repository and deployment-related infrastructure, as far as relevant for support, development or operational processes in individual cases
Location/Reference: USA

B. Project-related sub-processors for agency services

For agency services, depending on the specific order, additional or different sub-processors may be used, in particular for hosting, integrations, email services, model providers, cloud infrastructure, monitoring, error analysis, deployment, support or customer-specific SaaS components.

Such project-related sub-processors, to the extent that they process the customer's personal data as part of order processing, will be identified in the respective project documents, offer documents, order forms, statements of work, technical documentation, customer portals or separate communications.

C. Third Party Integrations at Customer's Instigation

If the customer activates or connects third-party providers, tools, APIs, plugins, MCP tools or connectors that are not part of Nickle AI's standard service, these are generally not considered sub-processors used by Nickle AI, unless Nickle AI itself determines their selection or use.


Appendix 4 – Contact and exercise of rights under this DPA

Inquiries, instructions, objections to sub-processors, audit requests, deletion instructions and other statements in connection with this DPA can be addressed to the contact persons named in the main contract or to the following central email address:

info@nickle.ai

Nickle AI may designate additional communication channels or contacts for operational data protection and support processes.