This English translation is provided for convenience only. The German version of this agreement is the legally binding version and prevails in case of discrepancies.
§ 1 Parties and incorporation
(1) This data processing agreement pursuant to Art. 28 GDPR (“DPA”) is concluded between the customer using the Meykt platform for its organization, processes, customer, employee, shop and production data (hereinafter the “Customer”, acting as controller), and
- Company
- Dumanu GmbH
- Address
- Beethovenstr. 120 C, 42655 Solingen, Germany
- Represented by
- Managing Director Dominik Hassel
- Commercial register
- Local Court (Amtsgericht) Wuppertal, HRB 32857
- info@meykt.com
(hereinafter the “Processor”).
(2) This DPA becomes part of the main agreement governing the use of the Meykt platform upon acceptance of the Terms of Service. In matters of data protection law, this DPA prevails over the Terms of Service.
(3) The Customer is the controller within the meaning of Art. 4 No. 7 GDPR for the personal data it processes, or has processed, via the Meykt platform. The Processor processes such data as a processor within the meaning of Art. 4 No. 8 GDPR.
§ 2 Subject matter and duration
(1) The Processor processes personal data on behalf of the Customer for the provision, maintenance, security and further development of Meykt Central, Meykt Agent and the associated SaaS, integration, support and automation features. Processing takes place exclusively within the scope of this agreement and the Customer’s instructions.
(2) The Processor does not process the Customer’s personal data for its own purposes. The Processor may only evaluate aggregated, non-personal usage statistics for its own purposes; no link to individual persons is established in doing so.
(3) The duration of the processing corresponds to the term of the main agreement. After the end of the agreement, the handling of the data is governed by § 14.
§ 3 Nature and purpose of processing
Processing includes in particular:
- hosting and operation of the platform
- storage and processing of account, organization, shop, customer, product, order, file, production and workflow data
- authentication and permission checks
- shop and third-party integrations
- file uploads and file retrieval
- workflow and automation execution
- machine commands, agent communication and status reporting
- email dispatch on behalf of the Customer (e.g. invitations, notifications)
- payment and billing processes, to the extent processed on behalf of the Customer
- support, error analysis, security and audit logging
- AI-supported features, to the extent activated by the Customer and contractually provided for
§ 4 Categories of personal data
Depending on usage, the Processor processes the following categories of data:
- Master data: name, company, role, organization, contact details
- Account data: email, profile, language, time zone, roles, permissions
- Employee data: name, role, station, machine, work context, attendance or session data, where used
- The Customer’s customer data: name, email, phone, address, contact persons, order and communication data
- Shop data: orders, product data, shipping data, payment status, external IDs, raw API data
- Production data: jobs, work steps, files, process status, logs, machine assignments
- File data: uploaded images, production files, attachments, file names, metadata
- Integration data: connection configurations, tokens or OAuth data via sub-processors, technical status data
- Communication data: email contents, invitations, support messages, notifications
- Security and log data: IP addresses, login events, system events, error data, audit logs
- AI feature data: inputs, outputs, context data and files, where the Customer uses AI features
§ 5 Categories of data subjects
Depending on usage, the following persons may be affected:
- users and administrators of the Customer
- employees of the Customer
- customers and end customers of the Customer
- contact persons at customers, suppliers, service providers and production partners
- service providers, external release recipients or portal users
- shop customers whose data is imported from connected shops
§ 6 Processing on instructions
(1) The Processor processes personal data only on documented instructions from the Customer — including with regard to transfers of personal data to a third country or an international organization — unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor informs the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
(2) Instructions result in particular from the main agreement, the product configuration and the workflows, integrations, user permissions, agent approvals and support requests set up by the Customer.
(3) If the Processor is of the opinion that an instruction of the Customer infringes the GDPR or other Union or Member State data protection provisions, it informs the Customer without undue delay. The Processor is entitled to suspend the execution of the instruction concerned until the Customer confirms or amends it.
§ 6a Data transfers within the fulfillment network
(1) Releasing order items to another Meykt customer for execution (a “fulfiller”) constitutes an instruction of the Customer. The Customer remains solely responsible for the legal basis of the transfer of personal data (in particular end-customer and shipping data) to the fulfiller. This also applies to multi-level onward transfers within the network.
(2) The Processor also acts as a processor vis-à-vis the fulfiller. No joint controllership within the meaning of Art. 26 GDPR is established.
(3) The Customer informs the data subjects pursuant to Art. 13(1)(e) GDPR about the recipient category “fulfillment service providers”.
§ 7 Obligations of the Customer
The Customer remains the controller within the meaning of the GDPR. The Customer is responsible in particular for:
- the lawfulness of the processing, including the legal bases for the transfers it initiates
- fulfilling information obligations towards data subjects
- safeguarding data subject rights
- assigning and reviewing roles and permissions
- the permissible configuration of integrations, workflows and machine controls
- compliance with employment law, product safety and data protection requirements in its own production environment
- verifying whether special categories of personal data (Art. 9 GDPR) may be processed before such data is entered into the platform
§ 8 Confidentiality
The Processor ensures that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of secrecy. The confidentiality obligation continues to apply after the respective activity has ended.
§ 9 Technical and organizational measures
(1) The Processor implements the technical and organizational measures described in Annex 1 pursuant to Art. 32 GDPR and maintains them for the term of this agreement.
(2) The measures are subject to technical progress. The Processor may develop them further and replace them with equivalent or better measures; the level of protection agreed in Annex 1 must not be undercut in doing so. Material changes are documented.
§ 10 Sub-processors
(1) By concluding this agreement, the Customer grants the general written authorization pursuant to Art. 28(2) GDPR for the engagement of the sub-processors listed in Annex 2.
(2) The Processor informs the Customer of any intended addition or replacement of a sub-processor at least four weeks before it takes effect, in text form (e.g. by email to the administrator address stored in the account).
(3) The Customer may object to the intended change on legitimate data protection grounds in text form within 14 days of receipt of the information. In the event of a legitimate objection, the parties endeavour to find a reasonable solution; if no such solution is reached, either party may terminate the affected part of the service, and the Customer may terminate the main agreement, for cause (special termination right).
(4) The Processor imposes on each sub-processor, by way of a contract, the same data protection obligations as set out in this agreement (Art. 28(4) sentence 1 GDPR).
(5) Where a sub-processor fails to fulfil its data protection obligations, the Processor remains fully liable to the Customer for the performance of that sub-processor’s obligations (Art. 28(4) sentence 2 GDPR).
§ 11 Third-country transfers
(1) Personal data is transferred to countries outside the European Union or the European Economic Area only if the requirements of Chapter V GDPR are met (an adequacy decision of the European Commission, appropriate safeguards pursuant to Art. 46 GDPR or a derogation pursuant to Art. 49 GDPR) and only within the scope of the Customer’s documented instructions.
(2) The locations and transfer mechanisms relevant to the individual sub-processors are set out in Annex 2.
(3) A separate arrangement applies to the image vectorization feature: the transfer of the selected image to an external service provider in the USA does not take place on the basis of this agreement but exclusively in accordance with the separate provision in Section 6a of the Terms of Service and the Privacy Policy; these also describe the express consent required before each transfer. This service provider is not part of Annex 2.
§ 12 Assistance to the Customer
Taking into account the nature of the processing and the information available to it, the Processor assists the Customer with appropriate technical and organizational measures in:
- responding to requests from data subjects under Chapter III GDPR
- deleting, rectifying, restricting or exporting data
- ensuring the security of processing pursuant to Art. 32 GDPR
- notifying and investigating personal data breaches (Art. 33, 34 GDPR)
- data protection impact assessments and prior consultations (Art. 35, 36 GDPR), where required
- demonstrating compliance with the obligations under Art. 28 GDPR
§ 13 Personal data breaches
(1) The Processor informs the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s data.
(2) The notification contains, where available, information on the nature of the incident, the categories of data concerned, the approximate categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to remedy and mitigate the breach. Information may be provided in phases where it is not immediately available.
§ 14 Deletion and return
(1) After the end of the main agreement, the Processor deletes all personal data of the Customer or returns it, at the choice of the Customer. The Customer communicates its choice by the end of the 30-day retention period; if the Customer makes no choice, the data is deleted after that period expires.
(2) Paragraph 1 does not apply to the extent that Union or Member State law requires storage of the personal data.
(3) Return format: a structured export as CSV/JSON per data area plus the files stored in storage.
(4) Data contained in backups is deleted or overwritten in accordance with the respective backup cycle; until then it is not further processed and remains protected against access.
(5) Confirmation of deletion is provided on request in text form.
§ 15 Evidence and audit rights
(1) The Processor makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.
(2) The Processor allows for and contributes to audits — including inspections — conducted by the Customer or another auditor mandated by the Customer.
(3) Compliance may primarily be demonstrated by current certificates, attestations or audit reports of recognized bodies. If these are insufficient in an individual case, the right to an on-site audit remains unaffected.
(4) Unless there is a specific cause (such as a personal data breach or an order of a supervisory authority), the following applies to audits: no more than one audit per calendar year, announced at least 30 days in advance, conducted during normal business hours and without disproportionate disruption of operations, subject to an appropriate confidentiality agreement; no direct competitor of the Processor may be mandated as auditor. The costs of an audit initiated by the Customer are borne by the Customer.
Annex 1: Technical and organizational measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks to the rights and freedoms of natural persons, the Processor implements the following technical and organizational measures (Art. 32 GDPR):
1. Encryption (Art. 32(1)(a) GDPR)
- encryption in transit: all connections to the platform are encrypted via HTTPS/TLS
- encryption at rest: data at rest is stored encrypted with the infrastructure providers used
- protection of credentials, tokens and secrets through separate, access-restricted management
2. Confidentiality and access control (Art. 32(1)(b) GDPR)
- role- and permission-based access controls within the platform
- tenant-separated data processing: organization-level data separation, technically enforced at the database level (row-level security)
- authentication via secure session mechanisms
- private file storage; file access only via time-limited, signed retrieval URLs
- access by the Processor’s staff to production data only to the extent required for operation, support or error analysis (need-to-know principle)
- physical access control through the certified data centres of the infrastructure providers used; database and file storage in the Frankfurt am Main region
3. Integrity and traceability
- logging of security-relevant events and changes (audit logs)
- technical validation of file uploads (content checks, type restrictions)
- content security policy and further security headers of the web application
4. Availability, resilience and recoverability (Art. 32(1)(b), (c) GDPR)
- regular backups with restore tests
- operation on redundant, managed infrastructure with monitoring
- documented procedure for restoring the availability of and access to personal data in a timely manner after a physical or technical incident
5. Procedures for regular testing, assessment and evaluation (Art. 32(1)(d) GDPR)
- regular review of the effectiveness of the technical and organizational measures and adaptation to the state of the art
- secure development and deployment processes including code reviews
- separation of development, test and production environments
6. Organizational measures
- confidentiality obligation of all persons authorized to process data (§ 8)
- processing control: contractual commitment of sub-processors pursuant to § 10; processing on instructions pursuant to § 6
- pseudonymization where possible and appropriate for the nature and purpose of the respective processing
7. Own processing facility for image processing
- certain image processing features (e.g. background removal) run, as described in the Privacy Policy, on the Processor’s own hardware within the EU under access-protected operation; intermediate files are deleted automatically after 14 days at the latest
Reservation of changes: The Processor may adapt the measures in this annex to technical progress and replace them with equivalent or better measures. The level of protection described here must not be undercut in doing so.
Annex 2: Sub-processors
The Processor engages the following sub-processors to provide the services. Changes follow the procedure set out in § 10.
| Provider | Purpose | Registered office / processing region | Safeguard |
|---|---|---|---|
| Vercel Inc. | Hosting and delivery of the web application | USA; processing in the USA possible | EU standard contractual clauses or EU-U.S. Data Privacy Framework as per the provider’s DPA |
| Supabase, Inc. | Database, authentication, file storage | Project region Frankfurt am Main (Germany); provider headquartered in the USA | Provider DPA; EU standard contractual clauses for any third-country access |
| Nango | OAuth connection broker for shop integrations | USA / international; third-country relevance possible | EU standard contractual clauses as per the provider’s DPA |
| Inngest Inc. | Background jobs and event processing | USA; third-country relevance possible | EU standard contractual clauses as per the provider’s DPA |
| Resend Inc. | Transactional email dispatch | USA; third-country relevance possible | EU standard contractual clauses as per the provider’s DPA |
| Stripe Payments Europe Ltd. | Payment processing (only when paid plans are activated) | Ireland; group-level processing in the USA possible | EU standard contractual clauses or EU-U.S. Data Privacy Framework as per the provider’s DPA |
| Google Ireland Ltd. | Sign-in with Google (only when Google login is used) | Ireland; group-level processing in the USA possible | EU standard contractual clauses or EU-U.S. Data Privacy Framework as per the provider’s DPA |
The external service provider for the image vectorization feature is not part of this annex; it is exclusively subject to the separate, consent-based provision in Section 6a of the Terms of Service and the Privacy Policy (see § 11(3)).
Version of this annex: July 16, 2026.
Questions about this agreement are answered by Dumanu GmbH at info@meykt.com.