Data Processing Agreement (DPA)
Pursuant to Art. 28 GDPR · Last updated: April 2025
Data Processor: ideployed UG (haftungsbeschränkt), Torgauer Straße 231-233, 04347 Leipzig — Controller: the respective business customer (client).
§ 1 Subject Matter and Duration
iDeployed processes personal data on behalf of the customer for the purpose of hosting a JTL-Shop instance. Processing occurs solely in accordance with the customer's documented instructions. The duration of processing corresponds to the term of the contract.
§ 2 Nature and Purpose of Processing
Hosting, storage, and technical operation of the customer's JTL-Shop instance. iDeployed processes data solely within the scope of the contractually agreed services and not for its own purposes.
§ 3 Categories of Personal Data and Data Subjects
Categories of data processed:
- Customer data of the client (name, address, email, order data, payment data)
Data subjects:
- End customers of the client (buyers in the customer's JTL-Shop)
§ 4 Obligations of the Processor (iDeployed)
iDeployed undertakes to:
- Process data only in accordance with the customer's documented instructions
- Ensure confidentiality of the data
- Engage sub-processors only with the customer's consent
- Assist the customer with data subject requests
- Delete or return data after the end of the contract
- Provide all information necessary to demonstrate compliance with Art. 28 GDPR
§ 5 Obligations of the Controller (Customer)
The customer is the controller within the meaning of the GDPR. The customer issues instructions to iDeployed and ensures that the processing of personal data has a lawful basis.
§ 6 Sub-Processors
Pre-approved sub-processors:
Google Cloud Platform (GCP)
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland
Purpose: Infrastructure hosting — Region: europe-north2 (Stockholm, Sweden)
iDeployed will inform the customer of the addition or replacement of sub-processors. The customer has the right to object.
§ 7 Technical and Organisational Measures (TOMs)
iDeployed implements the following measures:
- Encryption of data in transit (TLS 1.2+) and at rest
- Access control (role-based, least privilege)
- Regular automated backups
- Monitoring and alerting
- Tenant isolation (logical separation of customer environments)
- No transfer of customer data to third parties
§ 8 Rectification, Erasure, and Restriction
iDeployed deletes or returns data upon the customer's instruction. After the end of the contract, all customer data will be irreversibly deleted within 30 days unless a statutory retention obligation exists.
§ 9 Audit Rights
iDeployed shall make available to the customer all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the customer or a mandated auditor.
§ 10 Return and Deletion after Contract End
Upon termination of the contract, all customer data will be irreversibly deleted or returned upon the customer's request. Proof of deletion will be provided upon request.
Contact
For questions about the DPA or data processing, please contact: