Note: This is a courtesy translation of the German original. The
German version is legally binding.
Data Processing Agreement (DPA) – TRACE.App
As of: June 2026 | Version 1.0 | pursuant to Art. 28 GDPR
This Data Processing Agreement (DPA) is entered into between the enterprise customer of TRACE.App (employer using TRACE.App for its own employees; hereinafter: "Controller") and
TRACE Electricity GmbH, Hamburg, Germany
(hereinafter: "Processor")
This DPA automatically becomes part of the contractual relationship upon conclusion of the TRACE.App enterprise subscription and does not require a separate signature. It applies exclusively to enterprise accounts in which the Controller processes employee data in TRACE.App. For end consumers using TRACE.App as private individuals, TRACE Electricity GmbH acts as an independent Controller pursuant to Art. 4 No. 7 GDPR.
§ 1 Subject Matter of Processing
- This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of TRACE.App as an enterprise account. The subject matter is in particular the processing of employee data (e.g. energy consumption data, usage behaviour, communication data) within the scope of the business use of the app.
- The processing activities are set out in Annex A to this Agreement, which forms an integral part hereof.
- This DPA supersedes all prior agreements between the parties regarding the processing of data on behalf of the Controller in connection with TRACE.App.
- This DPA is available at trace-electricity.com/en/dpa-app/.
- This DPA applies exclusively to processing within the scope of the TRACE.App enterprise subscription. Separate agreements apply to TRACE.Parser and TRACE.Configurator/Studio.
§ 2 Duration of Processing
- The processing of personal data takes place for the duration of the TRACE.App enterprise subscription between the Controller and the Processor.
- After termination of the subscription, the provisions of § 8 of this Agreement regarding data deletion and return shall apply.
- Statutory retention obligations of the Processor remain unaffected.
§ 3 Instruction Binding and Prohibition of Own Processing
- The Processor processes personal data solely on documented instructions from the Controller (the enterprise customer), unless it is required to process data by the law of the European Union or of Member States. In such a case, the Processor shall inform the Controller of those legal requirements before processing, unless the relevant law prohibits such notification.
- Prohibition of own processing: Processing of employee data transmitted under this DPA for the Processor's own purposes does not take place. Anonymised usage statistics that cannot be traced back to individual persons (e.g. aggregated app usage rates at company level) are excluded from this prohibition.
- Instructions are generally issued in writing (including by email to privacy@trace-electricity.com). Verbal instructions are confirmed in writing without delay. The Processor documents received instructions and their execution.
- The Controller is entitled to issue additional instructions at any time. The Processor shall inform the Controller without delay if it considers that an instruction infringes data protection provisions.
- Suspension Right: If the Controller issues an instruction that, in the assessment of TRACE Electricity, violates the GDPR or other applicable data protection provisions, TRACE Electricity is entitled and obliged to suspend the execution of that instruction without delay and to inform the Controller in writing. TRACE Electricity will only execute the instruction after the Controller has confirmed in writing that the instruction is lawful and that TRACE Electricity is indemnified from any resulting liability.
- The Controller shall ensure that an appropriate legal basis exists for the transfer of employee data to TRACE (e.g. § 26 BDSG for employees or informed consent pursuant to Art. 6(1)(a) GDPR).
§ 4 Categories of Personal Data and Data Subjects
Categories of Data Subjects
- Employees of the Controller using TRACE.App within the scope of the enterprise subscription
- Where applicable, other persons invited by the Controller (e.g. freelancers, interns)
Categories of Personal Data
- Master data: Name, email address, password hash, profile information
- Energy consumption data: Consumption measurements, energy costs, savings recommendations, household data (insofar as stored by the employee in the app)
- Usage data: App usage times, functions accessed, session data, device information
- Communication data: Push notifications (AWS SNS / push service), in-app messages
- Technical log data: IP address (anonymised before permanent storage; no complete IP address is persisted), access times, error reports (max. 90 days, then automatically deleted)
Special categories of personal data pursuant to Art. 9 GDPR are not covered by the subject matter of this Agreement and may not be processed by the Controller via the app.
§ 5 Obligations of the Processor
The Processor undertakes vis-à-vis the Controller in particular to:
- Process personal data solely on documented instructions from the Controller (§ 3 of this Agreement).
- Ensure that persons authorised to process the data are subject to obligations of confidentiality or are under an appropriate statutory obligation of secrecy.
- Implement all required technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk. The complete TOM documentation (Technical and Organisational Measures TRACE.App (TOM)) constitutes Annex B to this DPA. The Processor is entitled to adapt the TOM provided that the agreed level of protection is not reduced; material changes will be communicated to the Controller.
- Ensure AWS-specific security measures, in particular: encryption of all data in transit (TLS 1.2+) and at rest (AES-256) on AWS eu-central-1 (Frankfurt); IAM policies and resource-based policies for access control; secure token management via Auth0 (EU tenant) and AWS Cognito; regular review of security rules and access rights.
- Assist the Controller in fulfilling its obligations to respond to requests from data subjects (§ 7).
- Assist the Controller in complying with the obligations referred to in Art. 32 to 36 GDPR, in particular in connection with any Data Protection Impact Assessment (§ 14).
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of processing services (§ 8).
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and to allow for and contribute to audits, including inspections (§ 9).
§ 6 Sub-processors
- The Controller hereby grants general authorisation for the engagement of the following sub-processors:
| Sub-processor | Registered address | Purpose of processing | Third-country transfer |
| --- | --- | --- | --- |
| Amazon Web Services EMEA SARL | 38 Avenue John F. Kennedy, L-1855 Luxembourg | Primary app infrastructure (backend, database, data storage, API hosting) in the eu-central-1 region (Frankfurt, Germany) | No third-country transfer (EU location Frankfurt); additionally: EU-U.S. Data Privacy Framework (AWS certified) and EU Standard Contractual Clauses (SCCs) 2021/914 Module 3 (Processor → Sub-processor) pursuant to Art. 46(2)(c) GDPR |
| Cloudflare Germany GmbH (Cloudflare, Inc.) | Rosental 7, 80331 Munich (EU entity) | CDN, DDoS protection, TLS termination for the website trace-electricity.com | No third-country transfer (EU entity); additionally: EU-U.S. Data Privacy Framework (Cloudflare, Inc. certified) and Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR |
| Amazon Web Services EMEA SARL (AWS Simple Email Service) | 38 Avenue John F. Kennedy, L-1855 Luxembourg | Sending transactional emails (registration, password reset, notifications) via AWS Simple Email Service (SES). Processing location: EU / eu-west-1 (Ireland). No third-country transfer. | No third-country transfer (EU location Ireland); additionally: EU-U.S. Data Privacy Framework (AWS certified) and Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR |
| Okta EMEA Limited (Auth0) | 1 Beckett Way, Park West Business Park, Dublin 12, Ireland | Auth0 — user authentication and session management. Processing location: EU (eu.auth0.com, AWS eu-west-1, Ireland). No third-country transfer. | No third-country transfer (EU tenant; processing exclusively in eu-west-1, Ireland) |
- The Processor shall inform the Controller of any intended addition of new sub-processors or replacement of existing sub-processors in good time in advance (at least 30 days) by email to the Controller's registered contact address.
- The Controller has a right to object to the change. If the Controller does not object within 30 days of receipt of the notification, the change is deemed approved. In the event of a justified objection, the Controller shall be granted a special right of termination. The Processor will in that case examine whether the relevant sub-processor can be replaced by an equivalent provider. In the event of termination following a justified objection, the Processor shall ensure that personal data of the Controller already processed by the new sub-processor is deleted or returned without delay in accordance with § 8 upon the effective date of termination.
- The Processor shall contractually bind its sub-processors to the same data protection obligations as agreed in this Agreement, in particular regarding the implementation of adequate technical and organisational measures.
- Note: GA4, Hotjar and LinkedIn Insight Tag are used by TRACE Electricity GmbH as independent controllers for marketing purposes on the website and are not subject to this DPA. Further details are contained in the Privacy Notice – TRACE.App.
§ 7 Data Subject Rights
- The Processor shall assist the Controller in fulfilling its obligations to respond to requests from data subjects (employees) under Art. 15 to 22 GDPR, in particular requests for access, rectification, erasure, restriction, data portability and objection.
- If employees of the Controller address requests regarding their data processed in TRACE.App directly to the Processor, the Processor shall forward these requests to the Controller without delay, without itself responding to the substance of the request. The Controller, as the data controller, is responsible for responding.
- To the extent that data subject rights can be exercised directly via self-service functions in the app account (e.g. data deletion, profile update), the organisational implementation lies with the Controller. For additional technical assistance, please contact privacy@trace-electricity.com.
- Support services that go beyond the contractually agreed scope of services will be compensated appropriately based on actual effort.
§ 8 Data Deletion and Data Return
- After final termination or expiry of the TRACE.App enterprise subscription, the Processor shall irrevocably delete all personal data of the Controller (employee data) from all AWS systems and connected services within 30 days of the end of the contract.
- At the Controller's request, the Processor shall make the processed data available in a machine-readable format (JSON or CSV) prior to deletion. The data export will be provided within 14 days of the request; the download link is valid for 30 days. After expiry of that period, or after the Controller confirms that no export is required, the 30-day deletion period commences.
- Deletion extends to all copies created in the course of the processing, including backups, unless statutory retention obligations preclude this. Billing data will be retained in accordance with § 147 AO and § 257 HGB for up to 10 years; processing of such data will be restricted until expiry of the retention period.
- Upon request, the Processor shall confirm the complete deletion in writing by email.
- Deletion periods: Deletion takes place within 30 calendar days of the end of the contract or upon written request from the Controller. System log data is deleted after a maximum of 90 days; security audit logs are retained for 12 months (Art. 6(1)(c) GDPR in conjunction with §§ 147 AO, 257 HGB), unless a statutory retention obligation requires longer storage. TRACE Electricity will confirm complete deletion to the Controller in writing upon request.
§ 9 Documentation Obligations and Audit Rights
- The Controller has the right to verify compliance with data protection provisions and the agreements in this Contract by the Processor and any sub-processors at any time.
- Audits may be carried out by:
  - Requesting information and documentation (e.g. current Technical and Organisational Measures (TOM) – TRACE.App, sub-processor list)
  - Interviewing the responsible data protection officer or designated employees
  - On-site inspections (with reasonable prior notice of at least 14 calendar days, and where applicable after conclusion of a confidentiality agreement). Audits take place at most once per year; current certifications submitted (ISO 27001, certification expected Q4 2026) are accepted as equivalent evidence.
- Instead of an on-site inspection, the Processor may provide the Controller with current certifications or audit reports, where available, or equivalent evidence (e.g. a self-declaration on the status of the TOM), provided these cover the subject matter of the audit. ISO 27001 certification is in preparation, with completion expected in Q4 2026; until certification, the essential requirements of ISO 27001 are applied as an internal security framework.
- Costs for on-site inspections shall be borne by the Controller, unless the Processor is responsible for material contractual or data protection violations.
- The Processor maintains a record of all categories of processing activities carried out on behalf of Controllers pursuant to Art. 30(2) GDPR. The record will be made available upon request by the Controller or a competent supervisory authority.
§ 10 Data Breaches and Notification Obligations
- The Processor shall notify the Controller of personal data breaches pursuant to Art. 33(2) GDPR without undue delay, and in any event within 24 hours of becoming aware thereof. Notification shall be made by email to the contact address registered by the Controller. Responsibility for notification to the competent supervisory authority (Art. 33(1) GDPR, deadline: 72 hours) and for communication to affected data subjects (Art. 34 GDPR) lies with the Controller. Missing or not yet fully available information shall be provided without delay, at the latest within 72 hours of the initial notification (Art. 33(2) GDPR).
- The initial notification must contain at least:
  - A description of the nature of the breach (where known), including the affected AWS services and SDKs used
  - The approximate number of affected persons (employees) and data records
  - The likely consequences of the breach
  - Measures already taken or proposed to address the breach and minimise the risk
- Requests from supervisory authorities relating to processing carried out on behalf of the Controller shall be forwarded by the Processor to the Controller without delay, without itself responding to the substance of the request, unless it is required to do so by applicable law.
- Material changes to this Agreement, in particular changes to the sub-processor list, shall be communicated to the Controller in accordance with § 6(2).
§ 11 End of the Contract
- After termination of the contract, the Processor shall, at the choice of the Controller, return or delete all documents, data and processing and usage results in its possession relating to the contractual relationship (§ 8).
- The Processor is obliged to maintain the confidentiality of the data entrusted to it even after termination of the Agreement.
- Documentation serving as evidence of proper data processing shall be retained by the Processor in accordance with the statutory retention periods beyond the end of the Agreement and may be handed over to the Controller upon request.
§ 12 Final Provisions
- This Agreement is governed by the law of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction for all disputes arising from or in connection with this Agreement is Hamburg, Germany, unless mandatory statutory provisions provide otherwise.
- Should individual provisions of this Agreement be or become wholly or partially invalid, this does not affect the validity of the remaining provisions. The parties undertake to replace the invalid provision with a valid one that comes as close as possible to the economic purpose of the invalid provision.
- Amendments and supplements to this Agreement and its annexes require text form (email suffices). This also applies to the waiver of this formal requirement.
- To the extent that provisions of this Agreement are incompatible with the requirements of the GDPR, the requirements of the GDPR take precedence.
- Each party shall be liable for data protection violations attributable to it. To the extent that a data subject claims damages from one party pursuant to Art. 82 GDPR for harm that that party did not cause alone, the other party shall be obliged to indemnify the paying party proportionally in accordance with its respective degree of fault.
- TRACE Electricity GmbH designates the following contact for data protection queries: privacy@trace-electricity.com. Further information is available in the Privacy Notice – TRACE.App and the general Privacy Policy.
§ 13 Third-Country Transfers
- Primary data storage and processing takes place on AWS infrastructure in the eu-central-1 region (Frankfurt, Germany) and is therefore subject to the law of the European Union. A third-country transfer within the meaning of Art. 44 et seq. GDPR is not envisaged for normal operations.
- Auth0 (Okta EMEA Limited) is operated exclusively on the EU tenant (eu.auth0.com, AWS eu-west-1, Ireland). No third-country transfer takes place for authentication processing.
- Cloudflare Germany GmbH acts as an EU entity; a third-country transfer via Cloudflare is not required for the provision of CDN services. In the event that Cloudflare, Inc. (USA) as the parent company obtains access to data, EU Standard Contractual Clauses (SCCs) 2021/914 and the EU-U.S. Data Privacy Framework (Cloudflare, Inc. is certified) are also agreed as safeguards.
- The Processor shall inform the Controller without delay of any material changes to the safeguards for third-country transfers.
Fallback provision (DPF adequacy decision): Where an adequacy decision of the European Commission exists for individual recipient countries (in particular the EU-U.S. Data Privacy Framework for the USA), transfer takes place on this basis as a priority. If an adequacy decision lapses, the Standard Contractual Clauses referred to above automatically apply as a fallback safeguard. The parties will in that case cooperate without delay to agree appropriate alternative transfer safeguards.
§ 14 Assistance with Data Protection Impact Assessment (DPIA)
- Pursuant to Art. 28(3)(f) GDPR, the Processor shall assist the Controller in carrying out a Data Protection Impact Assessment (DPIA) pursuant to Art. 35 GDPR, if the Controller considers one necessary for the business use of TRACE.App.
- The assistance comprises in particular:
  - Provision of information on the processing operations in TRACE.App (including AWS infrastructure, data flows, sub-processors engaged)
  - Provision of the TOM documentation (Technical and Organisational Measures (TOM) – TRACE.App) as a basis for the risk assessment
  - Answering questions on the scope of processing, categories of data and processing infrastructure
  - Assistance in assessing the need for prior consultation of the supervisory authority pursuant to Art. 36 GDPR
- Support services that go beyond simple provision of information will be compensated appropriately based on actual effort after prior agreement.
- Requests for DPIA support should be addressed to: privacy@trace-electricity.com.
§ 15 Technical and Organisational Measures (Annex B)
The technical and organisational measures (TOM) implemented by the Processor to protect personal data (Art. 32 GDPR) are fully described in Annex B to this Agreement. Annex B forms an integral part of this Data Processing Agreement. The Processor is entitled to further develop the measures provided that the agreed level of protection is not reduced. Material changes will be communicated to the Controller without delay. The current TOM are available at: trace-electricity.com/en/tom-app/
§ 16 Cessation of Operations and Insolvency
(1) In the event of insolvency, liquidation or permanent cessation of operations of the Processor, all personal data of the Controller stored by the Processor shall be returned to the Controller without delay, and in any event within 30 calendar days, in a machine-readable format (JSON or CSV), or irrevocably deleted on documented instruction from the Controller.
(2) The Processor shall inform the Controller without delay of an impending cessation of operations in order to enable an orderly data migration.
(3) This provision supplements the Standard Contractual Clauses (Clause 8.5 of SCCs 2021/914).
§ 17 Liability
(1) The liability provisions of the main contract (Terms of Use TRACE.App) apply correspondingly to this DPA.
(2) If both parties are held liable for the same data protection violation (Art. 82 GDPR), each party bears liability in accordance with its respective degree of fault. The parties shall indemnify each other against excess liability.
(3) The Processor (TRACE) shall be liable to the Controller for damages caused by demonstrably negligent breach of the obligations under this DPA. The liability cap corresponds to the fees paid in the last 12 months.
Annex A — Description of the Processing Activity
This Annex describes, pursuant to Art. 28(3) GDPR, the subject matter of the processing carried out on behalf of the Controller in connection with TRACE.App (enterprise subscriptions).
| Characteristic | Description |
| --- | --- |
| Subject matter | Provision and operation of TRACE.App as an enterprise subscription for business use; processing of employee data on behalf of the enterprise customer |
| Nature of processing | Collection, storage, analysis and display of energy consumption data and usage data; authentication; push notifications; technical operation of the app |
| Purpose | Business use of TRACE.App for energy advisory services and analysis for the Controller's employees pursuant to the TRACE.App enterprise subscription |
| Categories of personal data | Master data (name, email, password hash); energy consumption data; usage data; communication data (push notifications); technical log data (max. 90 days) |
| Categories of data subjects | Employees and, where applicable, other persons invited by the Controller |
| Processing location | Amazon Web Services (AWS), eu-central-1 region, Frankfurt am Main, Germany (primary processing location); Cloudflare CDN (EU nodes) |
| Infrastructure services used | Amazon Web Services (eu-central-1); Auth0 — Okta EMEA Limited (EU tenant, eu-west-1, Ireland); Cloudflare CDN (EU) |
| Duration | For the duration of the TRACE.App enterprise subscription; after termination in accordance with § 8 of this Agreement (deletion within 30 days) |