Data processing agreement (DPA)
Last updated: April 20, 2026
This data processing agreement ("DPA") supplements the respective main contract between the customer and Nickle AI for agency services provided by Nickle AI or for other services, insofar as Nickle AI processes personal data on behalf of the customer.
1. Parties and conclusion
This DPA is concluded between:
Nickle AI – Oreshin, Platon und Scheffler, Daniel GbR
Ludwig-Erhard-Straße 10
34131 Kassel
Germany
Email: info@nickle.ai
– hereinafter "Nickle AI", "processor" or – where applicable – "subprocessor" –
and
the customer who concludes a contract for agency services or other services of Nickle AI
– hereinafter "Customer", "controller" or – where applicable – "client" –.
This DPA is concluded in electronic form. It is deemed effectively concluded as soon as the customer:
- expressly accepts the validity of this DPA as part of the registration, order or use of a service provided by Nickle AI; or
- concludes a main contract, an offer, an Order Form, a Statement of Work or any other agreement that refers to this DPA.
Nickle AI may document the date of acceptance and the applicable version of this DPA.
2. Preamble and scope
(1) In certain agency services, Nickle AI may process personal data exclusively on behalf of and on instructions from the customer. In such cases, this DPA applies.
(2) This DPA applies only to the extent that Nickle AI processes personal data within the meaning of Art. 28 GDPR on behalf of the customer.
(3) This DPA applies in particular to:
- project-related agency services in the areas of web, AI, automation, integrations, prototyping, workflow design, assistant systems and related digital services,
- support, operations, maintenance and administration services, insofar as these require the processing of personal data on behalf of the customer.
(4) This DPA does not apply to the extent that Nickle AI processes personal data for its own purposes and is itself the controller in this respect. This applies in particular – where relevant – to processing for the following purposes:
- initiating, concluding, managing and processing its own contractual relationship with the customer,
- invoicing, payment processing, receivable management and accounting,
- its own legal evidence, retention and compliance obligations,
- ensuring IT security, preventing abuse, protecting systems and defending against attacks,
- its own business communication, sales and support organisation,
- legally required disclosures or other processing due to mandatory legal obligations.
(5) If the customer is itself a processor for a third party and Nickle AI processes personal data of this third party on the customer's instructions, Nickle AI acts as a subprocessor. In this case, the provisions of this DPA apply accordingly.
3. Definitions
Unless otherwise defined in this DPA, the definitions of the GDPR apply.
For the purposes of this DPA:
"Personal data" means any information relating to an identified or identifiable natural person.
"Customer data" means all personal data that Nickle AI processes on behalf of the customer in connection with the contractual services.
"Processing" means any operation performed on personal data, with or without automated means, in particular collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or another form of making available, alignment, combination, restriction, erasure or destruction.
"Subprocessor" means any further processor that Nickle AI uses in whole or in part to provide the services.
"Data protection laws" means all data protection regulations applicable to the processing of personal data, in particular the GDPR, the BDSG and – where relevant – other national data protection regulations.
"Security incident" means a breach of security that has led or could lead to the destruction, loss, alteration, unauthorized disclosure of or unauthorized access to personal data.
4. Subject matter, nature and duration of processing
(1) The subject matter, nature, purpose and scope of processing as well as the categories of personal data and data subjects are set out in this DPA, the main contract and Appendix 1.
(2) Nickle AI processes personal data exclusively for the provision of the contractually agreed services for the customer.
(3) Processing takes place for the duration of the main contract or as long as Nickle AI processes personal data on behalf of the customer. Statutory retention obligations and technically unavoidable residual data in backups remain unaffected; in these cases, the data is blocked and retained only for legally or technically required purposes.
5. Processing bound by instructions
(1) Nickle AI processes personal data exclusively on documented instructions from the customer, unless Nickle AI is required by Union law or the law of a Member State to process the data otherwise. In this case, Nickle AI informs the customer before processing, unless the law prohibits such notification.
(2) Documented instructions include in particular:
- the provisions of the main contract,
- this DPA and its appendices,
- individual instructions in text form, in particular by email, ticket system or another traceable communication channel,
- additionally in the agency context, briefings, approvals, project documents, statements of work, technical specifications and documented change requests.
(3) Oral instructions must be confirmed by the customer in text form without delay. Nickle AI may suspend implementation of an instruction until it is confirmed, insofar as this is objectively justified at its due discretion.
(4) If Nickle AI believes that an instruction violates data protection laws, Nickle AI informs the customer without delay. Nickle AI is entitled to suspend execution of the relevant instruction until it is confirmed or changed by the customer.
(5) Nickle AI will not use customer data for its own purposes. This does not affect the use of fully anonymized information for which any personal reference is definitively excluded.
6. Customer obligations and responsibilities
(1) The customer is responsible for the lawfulness of the processing of personal data and for safeguarding the rights of data subjects in relation to those data subjects.
(2) The customer warrants that it has a valid legal basis for the processing of personal data initiated by it and fulfils any information, documentation and evidence obligations.
(3) The customer is responsible for ensuring
- that the purpose, means and limits of the commissioned processing are sufficiently defined,
- that only personal data whose processing is permissible is introduced into the services,
- that special categories of personal data pursuant to Art. 9 GDPR as well as data subject to special confidentiality obligations are processed only to the extent legally permissible and, where applicable, additional safeguards have been agreed,
- that it adequately protects its own systems, access credentials, end devices, user accounts and permissions,
- that it forwards data subject requests, authority requests or other data protection-relevant matters to Nickle AI without delay, insofar as Nickle AI's cooperation is required.
(4) The customer remains responsible for the data protection assessment and approval of any content, data sources, integrations, tools, APIs or model configurations that it activates, selects or connects to third-party systems itself, insofar as these are not defined by Nickle AI as part of the commissioned processing.
7. Nickle AI obligations
Nickle AI undertakes in particular to
- process personal data only within the framework of the contractual agreements and the documented instructions of the customer,
- entrust processing only to persons who are bound to confidentiality,
- take and maintain appropriate technical and organisational measures in accordance with Art. 32 GDPR,
- support the customer to a reasonable extent in fulfilling its obligations pursuant to Art. 28 para. 3 lit. e and f GDPR,
- provide the customer with all the information necessary to demonstrate compliance with this DPA,
- allow audits and inspections to be carried out in accordance with this DPA,
- inform the customer without delay if a security incident relating to the customer's personal data becomes known,
- use subprocessors only in accordance with section 10,
- delete or return personal data after the end of the contract in accordance with section 15,
- inform the customer without delay if, in Nickle AI's opinion, an instruction violates applicable data protection law.
8. Confidentiality and access authorization
(1) Nickle AI ensures that all persons authorized to process personal data process such data only within the scope of the customer's instructions.
(2) Nickle AI shall ensure that these persons have been committed to confidentiality or are subject to appropriate legal confidentiality requirements.
(3) Access to personal data is limited according to the need-to-know principle and based on a role and authorization concept.
9. Technical and organisational measures
(1) Nickle AI shall, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing, take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.
(2) The basic measures currently implemented are described in Appendix 2.
(3) Nickle AI is entitled to further develop technical and organisational measures and replace them with equivalent or better measures, provided that the contractually owed level of protection is not reduced.
(4) Insofar as the customer has special security requirements, the customer must notify Nickle AI of these before processing begins. Such additional requirements apply only if they have been expressly agreed.
10. Subprocessors
(1) The customer hereby grants Nickle AI the general authorization to use subprocessors.
(2) The subprocessors used at the date this DPA enters into force are listed in Appendix 3.
(3) Nickle AI will inform the customer in a suitable manner about intended changes regarding the use or replacement of subprocessors, in particular by email, via a customer portal, in the account area or by another reasonable notification in text form.
(4) The customer may object to an intended change in text form for important data protection reasons within 14 days after receipt of the information. If no timely objection is made, the change is deemed approved.
(5) In the event of a justified objection, the parties will seek an appropriate solution in good faith. If no reasonable solution is found, the customer may extraordinarily terminate the part of the service affected by the change.
(6) Nickle AI will conclude an agreement with each subprocessor that imposes data protection obligations on the subprocessor that essentially correspond to the level of protection of this DPA. Insofar as the subprocessor processes personal data on behalf, Nickle AI will conclude with it a data processing agreement corresponding to the requirements of Art. 28 GDPR.
(6a) To the extent that personal data is transferred to a third country in connection with the use of a subprocessor and there is no adequacy decision of the European Commission, Nickle AI ensures that appropriate safeguards exist for this transfer pursuant to Art. 44 et seq. GDPR, in particular by concluding the relevant standard contractual clauses of the European Commission and – where necessary – by supplementary safeguards.
(7) Nickle AI remains responsible to the customer for fulfilment of the subprocessor's obligations.
(8) Ancillary services are not considered subprocessors within the meaning of this DPA if they do not involve regular access to the customer's personal data or are of a purely subordinate nature, such as telecommunications services, postal and transport services, general maintenance or disposal services, provided that an appropriate level of protection is ensured.
(9) Insofar as the customer independently activates or connects third-party providers, integrations, external APIs, MCP tools, plugins or connectors that lie outside the standard service defined by Nickle AI, the customer is generally responsible for their data protection assessment, unless Nickle AI has expressly assumed their use as part of commissioned processing.
11. International data transfers
(1) The processing of personal data can also take place – depending on the infrastructure, model configuration, hosting region, integration or subprocessor used – outside the European Union or the European Economic Area.
(2) Nickle AI will transfer personal data to a third country or have it processed there only if the requirements of Art. 44 et seq. GDPR are met.
(3) To the extent that subprocessors are used in third countries or can access personal data from third countries and there is no adequacy decision of the European Commission, Nickle AI shall ensure through appropriate safeguards that the level of protection required by the GDPR is maintained. This includes, in particular, concluding the relevant standard contractual clauses of the European Commission and – where legally required – additional technical, organisational or contractual measures.
(4) Nickle AI will present the transfer basis relevant to the respective third-country transfer in an appropriate form upon request by the customer.
(5) Suitable safeguards may include in particular:
- an adequacy decision of the European Commission,
- standard contractual clauses of the European Commission,
- binding corporate rules (BCR),
- other legally permissible safeguards or exceptions.
12. Customer support
(1) Taking into account the nature of the processing and the information available to Nickle AI, Nickle AI supports the customer with appropriate technical and organisational measures in
- handling data subject requests,
- ensuring the security of processing,
- assessing and reporting personal data breaches,
- carrying out data protection impact assessments,
- preparing consultations with supervisory authorities where applicable.
(2) Insofar as a data subject request or authority request is received directly by Nickle AI and concerns the customer, Nickle AI will forward the request to the customer without delay, provided that forwarding is legally permissible.
(3) Insofar as processing on behalf of the customer is concerned, Nickle AI will generally not itself provide substantive statements to data subjects or authorities without prior coordination with the customer, unless Nickle AI is legally obliged to do so.
13. Reporting of security incidents
(1) Nickle AI informs the customer without delay after becoming aware of a security incident, insofar as personal data processed by Nickle AI on behalf of the customer is affected.
(2) Where possible and appropriate at the relevant time, the notification contains in particular:
- the nature of the incident,
- the affected data categories,
- the known or probable consequences,
- the countermeasures already taken or proposed,
- a contact person for questions.
(3) The information is initially provided on the basis of the respective available state of knowledge and will be supplemented if necessary.
14. Evidence, audits and inspections
(1) Nickle AI provides the customer with information required to demonstrate compliance with this DPA.
(2) To demonstrate compliance, Nickle AI may provide the customer in particular with current documents, self-assessments, audit reports, certificates, inspection reports, security documentation or equivalent evidence.
(3) If this evidence is not sufficient in an individual case, the customer is entitled, after reasonable advance notice and no more than once per calendar year, to have an audit carried out, unless a special reason – such as a significant security incident or an official order – justifies a more frequent audit.
(4) Audits must be conducted in such a way that operations, security measures, confidentiality interests and the rights of other Nickle AI customers are not unreasonably affected. Nickle AI may require audits to be carried out primarily as a document review, remote audit or interview, insofar as this is sufficient in the individual case.
(5) On-site inspections are permissible only if less intrusive means of verifying compliance are not sufficient and legitimate confidentiality and security interests of Nickle AI are preserved.
(6) The customer bears the costs of its audit itself. Support services by Nickle AI that go beyond legally owed cooperation may be charged based on reasonable effort unless otherwise agreed.
15. Deletion and return of data
(1) After termination of the contractual services, Nickle AI will delete or return personal data at the customer's choice, unless a statutory retention obligation or another legally permissible retention reason prevents this.
(2) To the extent technically provided, deletion may also occur by the customer removing or exporting data itself and Nickle AI deleting remaining data after expiry of agreed periods.
(3) Backups and backup copies are removed as part of normal deletion and overwriting cycles, provided that immediate isolated deletion is not technically possible or can be implemented only with disproportionate effort. During this time, the data remains blocked and is no longer processed productively.
(4) Upon request, Nickle AI confirms deletion or return in an appropriate form.
16. Specific provisions for AI functions
(1) To the extent the services involve AI-supported functions, model access, retrieval, search, analytics, automation or generation functions, Nickle AI processes the content provided by the customer exclusively to provide the functionalities requested by the customer.
(2) Depending on the selected function, in particular the following may be processed:
- prompts and other text inputs,
- uploaded files and attachments,
- context information,
- generated outputs,
- log, usage and diagnostic data.
(3) Unless expressly agreed otherwise or specified by a third-party service or model configuration actively selected by the customer, Nickle AI does not use customer data to train third-party AI models.
(4) The customer remains responsible for verifying whether certain data – in particular special categories of personal data, professional secrets, business secrets or other highly sensitive information – can be introduced into the AI functions and whether additional protective measures are required.
17. Special provisions for agency services
(1) For agency services, the data protection role distribution depends on the specific project.
(2) In the agency context, this DPA applies only to the extent that Nickle AI processes personal data exclusively on behalf of and on instructions from the customer.
(3) Insofar as Nickle AI determines its own purposes or essential means of processing in the context of consulting, conception, architecture, product design, its own choice of methods, quality assurance, security assessment or other independent decisions, Nickle AI may be wholly or partially a controller or joint controller in this respect. This DPA does not apply to such processing.
(4) Project-specific deviations, additional security requirements, special data categories, industry-specific requirements, customer-specific deletion concepts or additional subprocessors may be specified in project documents, offers, Order Forms, Statements of Work or separate appendices.
18. Remuneration
(1) Unless otherwise agreed in the main contract, Nickle AI's activities under this DPA are covered by the contractually agreed remuneration.
(2) Additional support services that go beyond the statutory scope of obligations, in particular extraordinary audit support, individual security questionnaires, extensive export or migration services, project-specific special measures or short-notice special audits, may be charged based on reasonable effort.
19. Liability
(1) The statutory provisions and the liability provisions of the main contract apply to the liability of the parties, insofar as these are compatible with mandatory data protection law.
(2) Mandatory liability provisions of the GDPR, in particular Art. 82 GDPR, remain unaffected.
20. Term, changes and order of precedence
(1) This DPA enters into force upon its effective conclusion in accordance with section 1 and applies for the duration of the processing of personal data on behalf of the customer.
(2) Nickle AI may amend this DPA with effect for the future to the extent this is necessary
- to implement changes in the legal situation, case law or official requirements,
- to further develop services, processes or subprocessors, or
- to make editorial clarifications or improvements,
provided that the customer's level of protection is not unreasonably worsened.
(3) Nickle AI will inform the customer of material changes in a suitable manner before they enter into force. If the customer does not object to a material change within a reasonable period or continues to use the services after it enters into force, the amended version is deemed agreed, to the extent legally permissible. Statutory or contractual special termination rights remain unaffected.
(4) In the event of conflicts between this DPA and the main contract, this DPA takes precedence with regard to processing on behalf of the customer.
21. Final provisions
(1) Should individual provisions of this DPA be or become invalid in whole or in part, the validity of the other provisions remains unaffected.
(2) The invalid or unenforceable provision is replaced by an effective provision that comes closest to the economic and data protection purpose of the original provision.
(3) German law applies unless mandatory data protection regulations provide otherwise.
Appendix 1 – Details of processing
A. General description
1. Subject matter of processing
The subject of processing is the provision of the contractually agreed services of Nickle AI, in particular the provision of project-related agency services.
2. Duration of processing
For the duration of the main contract or project-related service provision and – where necessary – until return or deletion in accordance with this DPA.
B. Processing related to agency services
1. Type and purpose of processing
Depending on the order, in particular:
- conception, development, implementation, optimization and operation of digital solutions
- technical integration, automation and workflow implementation
- prototyping, testing, debugging, deployment and support
- processing project-related content in customer systems or environments provided by customers
- use of agreed AI or automation functions in the project context
2. Categories of data subjects
Depending on the order, in particular:
- contact persons and employees of the customer
- users of the systems or applications operated by the customer
- customers, interested parties, employees or other persons whose data the customer processes in the project context
3. Categories of personal data
Depending on the order, in particular:
- contact and communication data
- project, access and administration data
- files, documents, texts, images, audio and other content
- test, usage and error data
- AI-related inputs, context data and outputs
- other personal data provided by the customer within the scope of the project or whose processing the customer instructs
C. Special data categories
Special categories of personal data within the meaning of Art. 9 GDPR are processed only to the extent that the customer lawfully introduces them into the services or expressly commissions such processing and there is a corresponding legal basis.
Appendix 2 – Technical and organisational measures (TOMs)
The following measures describe the basic framework of technical and organisational safeguards currently provided by Nickle AI. They are designed on a risk-based basis and are continuously reviewed and further developed.
1. Confidentiality
1.1 Physical access control
- limiting physical access to premises and systems to authorised persons
- use of appropriate safeguards in work and hosting environments
- accompanied or controlled access for visitors, where relevant
1.2 System access control
- authentication mechanisms for internal systems and administrative access
- role-based or functional rights assignment
- principle of least privilege
- use of secure passwords and – where provided – additional protection mechanisms such as multi-factor authentication
- blocking, withdrawing or adjusting permissions when roles change or upon departure
1.3 Data access control
- restriction of data access to authorised persons
- authorisation concepts for applications, databases, storage and support access
- logging of security-relevant access and administrative processes, where appropriate
- client- or tenant-related separation, insofar as the respective service requires this
1.4 Separation requirement
- logical separation of customer environments, to the extent technically provided
- separation of development, test and production environments, where appropriate
- separate processing according to purposes and permissions
2. Integrity
2.1 Disclosure control
- encrypted data transmission via current transport encryption (e.g. TLS/HTTPS)
- use of secure interfaces and transmission paths
- restriction and control of external data access
2.2 Input control
- traceable logging or history of security-relevant changes, to the extent technically provided
- assignment of administrative interventions and system changes to authorized accounts
- controlled release processes for productive changes, as appropriate
3. Availability and resilience
- backup and recovery procedures based on risk assessment
- monitoring of essential systems and services
- error detection, troubleshooting and recovery measures
- protection against data loss and accidental destruction
- emergency and restart processes to a reasonable extent
4. Procedures for regular review, assessment and evaluation
- regular review of technical and organisational measures
- internal security and authorization management
- patch, update and vulnerability management to a reasonable extent
- documentation and handling of security events
- regular awareness training and confidentiality obligations for the persons involved
5. Encryption and protection of stored data
- transport encryption when transferring personal data
- encryption of stored data or infrastructure-side protection mechanisms, where technically provided and risk-appropriate
- protection of keys, tokens and access data by appropriate organisational and technical measures
6. Organisational measures
- confidentiality obligations for employees and other authorized persons
- definition of internal responsibilities and approval processes
- need-to-know and least-privilege principle
- regulated processes for support access, as required
- risk-oriented selection, management and review of subprocessors
Appendix 3 – Subprocessors
The subprocessors listed below are used depending on the services included in the respective project. The specifically applicable subprocessors are determined by the service configuration agreed in the respective contract.
This list is updated and versioned. Amendments are made pursuant to section 10 para. 3 of this DPA with a notice period of 14 days before their effective date.
A. Project-related subprocessors for agency services
Level 1 – all agency websites (standard)
Render Services, Inc. (USA)
Purpose: website hosting, server execution and deployment infrastructure.
Data transfer basis: Standard contractual clauses (SCCs) pursuant to Art. 46 para. 2 lit. c GDPR.
Level 2 – if a contact form is implemented
Render Services, Inc. (USA)
Purpose: hosting the self-operated n8n workflow instance for processing contact form inputs and calling the endpoint for email delivery.
Data transfer basis: Standard contractual clauses (SCCs) pursuant to Art. 46 para. 2 lit. c GDPR.
Sendinblue GmbH / Sendinblue SAS / Brevo (Germany / France – EU)
Purpose: transactional email delivery. Contact form entries are forwarded to the website operator via Brevo.
Data transfer basis: processing within the EU/EEA; no third-country transfer.
Level 3 – when a chatbot is implemented
Render Services, Inc. (USA)
Purpose: hosting the self-operated n8n workflow instance for the chatbot backend.
Data transfer basis: Standard contractual clauses (SCCs) pursuant to Art. 46 para. 2 lit. c GDPR.
Microsoft Corporation / Microsoft Azure – Azure OpenAI Service (USA / region dependent)
Purpose: AI model inference for the chatbot via the n8n workflow.
Data transfer basis: Standard contractual clauses (SCCs) pursuant to Art. 46 para. 2 lit. c GDPR; EU data residency regions are available and used if contractually defined.
Supabase, Inc. (USA)
Purpose: vector database and retrieval infrastructure for the chatbot knowledge database (RAG).
Data transfer basis: Standard contractual clauses (SCCs) pursuant to Art. 46 para. 2 lit. c GDPR.
B. Third-party integrations at the customer's request
If the customer independently requests the integration of additional third-party tools, APIs, plugins or services that are not listed above, the customer is responsible for the data protection assessment of these providers. Nickle AI identifies such additions in the respective offer or project documents as project-specific subprocessors.
Appendix 4 – Contact and exercise of rights under this DPA
Inquiries, instructions, objections to subprocessors, audit requests, deletion instructions and other statements related to this DPA may be addressed to the contact persons designated in the main contract or to the following central email address:
Nickle AI may designate additional communication channels or contact persons for operational data protection and support processes.