Colly.io

Data Processing Agreement (DPA)

This Data Processing Agreement pursuant to Art. 28 GDPR supplements the usage contract for the Colly.io SaaS platform and governs the processing of personal data on behalf of the customer.

Preamble

This Data Processing Agreement (the "DPA") specifies the data protection obligations of the parties arising from the processing of personal data agreed in the usage contract for the Software-as-a-Service application Colly.io (the "Main Agreement"). It applies to all activities in which Colly Solutions GmbH i. G. (in formation) (the "Processor") processes personal data as a processor within the meaning of Art. 28 GDPR on behalf of the customer (the "Controller").

§ 1 Subject Matter, Nature and Purpose of Processing

(1) The subject matter of the assignment is the processing of personal data by the Processor on behalf of the Controller in the context of providing and operating the Colly.io Application in accordance with the Main Agreement.

(2) The nature and purpose of the processing, the categories of personal data processed and the categories of data subjects are set out conclusively in Annex 1 to this DPA.

(3) The duration of the processing corresponds to the term of the Main Agreement, unless obligations extending beyond this arise from the provisions of this DPA.

§ 2 Responsibility and Right to Issue Instructions

(1) The Controller is solely responsible, within the meaning of data protection law, for the lawfulness of the processing and for safeguarding the rights of data subjects. The Processor processes the personal data exclusively within the scope of the agreements made and in accordance with the documented instructions of the Controller, unless it is legally required to process the data.

(2) The instructions are initially defined by the Main Agreement and the Service Description and may subsequently be changed, supplemented or replaced by the Controller in text form (individual instructions). Oral instructions must be confirmed in text form without undue delay.

(3) If the Processor is of the opinion that an instruction violates data protection provisions, it must inform the Controller without undue delay. The Processor is entitled to suspend the execution of the instruction concerned until it is confirmed or amended by the Controller.

(4) Requests and instructions of the Controller are to be directed to the contact person designated at the Processor (§ 4 para. 6).

§ 3 Place of Processing

The processing of personal data takes place exclusively within the European Union or the European Economic Area. Any relocation of the processing to a third country requires the prior consent of the Controller and is only permitted if the special requirements of Art. 44 et seq. GDPR are met.

§ 4 Obligations of the Processor

The Processor undertakes in particular to:

  • process the personal data exclusively in accordance with the documented instructions of the Controller;
  • ensure that persons authorized to process the data have committed themselves to confidentiality, unless they are already subject to an appropriate statutory obligation of confidentiality;
  • take and comply with the required technical and organizational measures pursuant to Art. 32 GDPR (§ 5, Annex 2);
  • assist the Controller, within its means, in fulfilling the rights of data subjects (Art. 12 to 23 GDPR) and in complying with the obligations under Art. 32 to 36 GDPR (data security, notification obligations, data protection impact assessment);
  • inform the Controller without undue delay if it becomes aware of any personal data breach (§ 8);
  • maintain a record of processing activities pursuant to Art. 30 para. 2 GDPR;
  • make available to the Controller all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR.

(6) The Processor designates a contact person for data protection, who can be reached at kontakt@colly.io. The Processor will inform the Controller of any designated data protection officer upon request.

§ 5 Technical and Organizational Measures

(1) The Processor takes the technical and organizational measures required to ensure a level of protection appropriate to the risk in accordance with Art. 32 GDPR. The measures in place at the time the contract is concluded are described in Annex 2.

(2) The technical and organizational measures are subject to technical progress and further development. The Processor is entitled to implement alternative, appropriate measures as long as the security level of the specified measures is not fallen below. Material changes must be documented.

§ 6 Sub-processors

(1) The Controller grants the Processor general authorization to engage further processors (sub-processors). The sub-processors engaged at the time the contract is concluded are listed in Annex 3.

(2) The Processor selects sub-processors carefully and contractually obligates them to data protection obligations that correspond to the obligations under this DPA (Art. 28 para. 4 GDPR).

(3) If the Processor intends to engage or replace a sub-processor, it will inform the Controller thereof in advance in text form. The Controller may object to the change within two weeks of receipt of the information for important reasons based on data protection law. In the event of a justified objection, the parties endeavor to find an amicable solution; if such a solution is not reached, the Processor is entitled not to provide the affected service and the Controller is entitled to extraordinary termination.

(4) Ancillary services used by the Processor to support its activities (e.g. telecommunications or cleaning services) do not constitute sub-processing within the meaning of this DPA. The Processor remains responsible for the security and protection of personal data in this respect as well.

§ 7 Assistance with Data Subject Rights

If a data subject contacts the Processor directly, the Processor forwards the request to the Controller without undue delay. The Processor supports the Controller, within its means, with appropriate technical and organizational measures in complying with requests from data subjects for access, rectification, erasure, restriction of processing, data portability or objection. The Processor only carries out rectifications, erasures or restrictions on the instruction of the Controller, unless it is legally obliged to do so.

§ 8 Notification of Personal Data Breaches

(1) The Processor notifies the Controller of any personal data breach affecting the data processed on its behalf that becomes known to it, without undue delay after becoming aware of it.

(2) The notification contains the information available to the Processor that the Controller requires to fulfill its notification and communication obligations under Art. 33 and 34 GDPR. The Processor supports the Controller to a reasonable extent in investigating, containing and remedying the incident.

§ 9 Evidence and Audit Rights

(1) The Processor demonstrates compliance with the obligations under this DPA to the Controller by suitable means. Evidence may be provided by means of current attestations, certifications (e.g. according to recognized standards) or reports from independent auditors.

(2) The Controller is entitled to satisfy itself of compliance with the technical and organizational measures. Audits are generally carried out no more than once a year, with reasonable advance notice, during normal business hours and without avoidable disruption to the Processor’s operations. In the event of a specific cause, an audit may also be carried out at shorter notice.

(3) For enabling audits that go beyond the provision of existing evidence, the Processor may demand reasonable remuneration for the effort incurred.

§ 10 Deletion and Return upon Termination

(1) After the end of the processing activities, the Processor shall, at the Controller’s choice, either delete or return all personal data, unless there is an obligation to store the data under Union or Member State law.

(2) For this purpose, the Processor makes the data available to the Controller for export in a common, machine-readable format for a period of 30 days after termination of the Main Agreement. After expiry of this period, the Processor deletes the personal data including any copies, subject to existing statutory retention obligations.

(3) The deletion of the data is confirmed to the Controller in a suitable form upon request.

§ 11 Liability

(1) Art. 82 GDPR applies to liability towards data subjects. In the internal relationship, the parties are liable in proportion to their respective share of responsibility for the circumstance that caused the damage.

(2) The limitations of liability agreed in the Main Agreement also apply to claims in connection with this DPA, insofar as this is legally permissible.

§ 12 Final Provisions

(1) Annexes 1 to 3 form part of this DPA.

(2) In the event of contradictions between the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA take precedence in data protection matters.

(3) Amendments and supplements to this DPA require at least text form. This also applies to any amendment of this form requirement.

(4) The law of the Federal Republic of Germany applies. The German version of this DPA is authoritative.

(5) Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions shall not be affected.

Annex 1 – Subject Matter of Processing

Nature and purpose of processing

Provision and operation of the Colly.io SaaS application to consolidate, manage and automate orders from multiple sales channels as well as for warehouse and inventory management, shipping, returns handling and the preparation of accounting processes, including the connection to third-party systems required for this purpose (e.g. marketplaces, shop systems, shipping, payment and accounting systems).

Categories of personal data

  • master data (e.g. name, company, address),
  • contact data (e.g. email address, telephone number),
  • contract and order data (e.g. orders, order history, items),
  • payment and billing data (e.g. invoice data, payment status),
  • communication and shipping data (e.g. messages, shipment and returns data),
  • other personal data entered into the Application by the Controller.

Categories of data subjects

  • customers and end customers of the Controller,
  • prospects and business contacts of the Controller,
  • suppliers and service providers of the Controller,
  • employees and users of the Controller.

Annex 2 – Technical and Organizational Measures

The Processor takes the technical and organizational measures described below in accordance with Art. 32 GDPR. Their specific design is continuously adapted to the state of the art.

1. Confidentiality

  • Physical access control: operation in data centers within the EU/EEA with appropriate access safeguards; no unauthorized physical access to the processing facilities.
  • System access control: individual user accounts, authentication via secure passwords in accordance with the password policy, blocking in the event of suspected misuse.
  • Data access control: role-based authorization concept based on the principle of least privilege, logging of access.
  • Separation control: multi-tenant separated processing of customer data, logical separation of test and production environments.

2. Integrity

  • Transfer control: encrypted data transmission in accordance with the state of the art (e.g. TLS).
  • Input control: traceability of inputs and changes through logging.

3. Availability and resilience

  • regular data backups and documented recovery procedures,
  • protective measures against malware, use of firewalls as well as patch and vulnerability management,
  • redundant system design to increase resilience.

4. Pseudonymization and encryption

  • encryption of personal data during transmission and, where appropriate, during storage in accordance with the state of the art.

5. Procedures for regular review, assessment and evaluation

  • data protection management and commitment of employees to confidentiality,
  • awareness-raising and training of persons involved in the processing,
  • procedures for detecting and handling security incidents (incident response),
  • regular review of the effectiveness of the measures as well as consideration of privacy by design and privacy by default.

Annex 3 – Sub-processors

The Controller approves the use of the sub-processors listed below. The current version of this list is made available to the Controller upon request and communicated in the event of changes in accordance with § 6.

  • Hosting/data center – [provider, location, EU/EEA] – operation of the server and storage infrastructure,
  • Email dispatch – [provider, location, EU/EEA] – dispatch of transactional and system-related emails,
  • Monitoring and error analysis – [provider, location] – monitoring of operations and errors,
  • Customer support – [provider, location] – handling of support requests,
  • Payment processing – [provider, location] – processing of payments.

The placeholders indicated in square brackets are replaced by the sub-processors actually engaged before the contract is concluded.

Processor and contact

Colly Solutions GmbH i. G.

Wassergasse 12 B, 61200 Wölfersheim, Deutschland

E-Mail: kontakt@colly.io

Last updated: July 2026