Data processing agreement (DPA)

Status: June 2026

Information on incorporation into contracts

Please Note: This Data Processing Agreement (“DPA”) constitutes an integral part of the main contract (e.g., Software as a Service Agreement, Terms of Service, or individual order) concluded between syniotec GmbH (hereinafter referred to as the “Processor”) and the respective customer contracting party (hereinafter referred to as the “Controller”).

By concluding the main contract or utilizing our software and telematics services, this DPA is legally incorporated by reference. A separate signature is not required. The specific details regarding the identity of the Controller and the specific contact details are derived from the respective main contract.

Preamble

The Processor provides services to the Controller on a contractual basis in the areas of software provisioning, customization, maintenance, or similar services. Where agreed with the Controller, the Processor additionally provides services in the field of data processing and analysis in connection with telematics systems distributed by the Processor, which are integrated into construction machinery, equipment, or other vehicles and facilities used by the Controller.

Part of the execution of the respective contract involves the processing of personal data by the Processor as a data processor within the meaning of Art. 4(8) GDPR for the Controller as the data controller within the meaning of Art. 4(7) GDPR. In particular, Art. 28 GDPR sets out specific requirements for such data processing, to ensure compliance with which this Agreement is established.

1. Scope of Application

1.1 The following provisions apply to all data processing services within the meaning of Art. 28 GDPR provided by the Processor to the Controller.

1.2 This DPA specifies the data protection obligations of the contracting parties arising from the underlying agreement (hereinafter the “Main Contract”).

1.3 Wherever the term “data processing” or “processing” is used in this Agreement, it shall generally mean the use of personal data pursuant to Art. 4(2) GDPR. The use of personal data includes, in particular, the collection, storage, transmission, blocking, erasure, anonymization, pseudonymization, encryption, or any other use of data. Reference is made to the further definitions in Art. 4 GDPR.

2. Subject Matter and Duration of Processing

2.1 The Processor shall process personal data in connection with the Main Contract only on behalf of and in accordance with the instructions of the Controller.

2.2 The subject matter of the order is the provisioning of software for the disposition, tracking, relocation, and billing of the equipment used by the Controller, such as construction machinery, in accordance with the Main Contract. Where commissioned, the subject matter also includes the collection and transmission of telematics data by the Processor’s telematics units as well as the preparation and processing of such data on behalf of the Controller.

2.3 The duration of this Agreement shall correspond to the term of the Main Contract.

3. Scope, Nature, and Purpose of Data Collection, Processing, or Use

3.1 The scope, nature, and purpose of the collection, processing, and/or use of personal data by the Processor are set forth in the Main Contract. This includes, among others, the following activities and purposes for the software solutions “Ram” & “SAM” (hereinafter the “Software”) used by the Controller (subject to individual commissioning where applicable):

  • 3.1.1 Provisioning of the Software via remote, cloud-based access (SaaS).
  • 3.1.2 Consulting regarding the deployment of the Software.
  • 3.1.3 Implementation of adjustments and extensions to the Software according to the Controller’s specifications.
  • 3.1.4 Initial data migration from the Controller’s third-party systems.
  • 3.1.5 Execution of training sessions.
  • 3.1.6 Maintenance and administration of the Software.
  • 3.1.7 Use of personal data of the Controller’s employees or other users stored in the Software in accordance with the separate “Telematics Privacy Policy”, which is available from the Processor at any time upon request.
  • 3.1.8 Collection, transmission, and processing of data generated and captured by the Processor’s telematics units deployed at the Controller’s site, in accordance with the separate “Telematics Privacy Policy”, which is available from the Processor at any time upon request.

4. Categories of data subjects

4.1 The categories of data subjects affected by the handling of personal data within the framework of the underlying contract include:

  • 4.1.1 Suppliers / Subcontractors / Service Providers / Cooperation Partners of the Controller.
  • 4.1.2 System users.
  • 4.1.3 Employees of the Controller or other persons acting for or on behalf of the Controller who use the machinery and equipment managed via the Software.
  • 4.1.4 Employees of the Controller or other persons acting for or on behalf of the Controller whose personal data is entered into the Software by the Controller.

5. Types of Personal Data

5.1 Depending on the scope of use and the inputs made by the Controller, the following data/data categories may generally be subject to processing:

  • 5.1.1 Master/Contact Data of employees / users of the machinery and equipment: Name, date of birth, nationality, emergency contact (name, first name, phone number), business address, business email/phone, business position, employee vehicle, construction site-related qualifications, certificates, driving licenses, photographs (see separate “Telematics Privacy Policy”).
  • 5.1.2 Contractual Data
  • 5.1.3 Telematics Data of machinery and equipment (see separate “Telematics Privacy Policy”).
  • 5.1.4 Location/Tracking Data of machinery and equipment (see separate “Telematics Privacy Policy”).

6. Rights and Obligations of the Controller

6.1 The Controller shall be solely responsible for assessing the permissibility of the data collection, processing, and use, as well as for safeguarding the rights of the data subjects, and is thus the “Controller” within the meaning of Art. 4(7) GDPR.

6.2 The Controller is entitled to issue instructions regarding the nature, scope, and procedures of data processing. Instructions may be given and transmitted by the Controller in writing or in an electronic format (text form). Oral instructions must be confirmed in writing or text form without delay.

6.3 Insofar as the Controller deems it necessary, persons authorized to issue instructions may be designated. Any changes to the authorized persons shall be communicated to the Processor in text form.

6.4 The Controller shall inform the Processor immediately if any errors or irregularities are detected in connection with the processing of personal data by the Processor.

6.5 In accordance with the provisions of Section 8, the Controller is entitled to verify compliance with the technical and organizational measures taken by the Processor prior to the start of data processing and regularly thereafter. Any costs incurred due to an audit shall be borne by the Controller.

7. Obligations of the Processor

7.1 Data Processing

  • 7.1.1 The Processor is obligated to process personal data exclusively within the framework of the agreements made and in accordance with the instructions of the Controller. Any processing of data deviating from this is prohibited.
  • 7.1.2 Copies or duplicates may not be created unless required by law or the Main Contract.

7.2 Assistance with Requests / Inquiries

  • 7.2.1 Taking into account the nature of the processing, the Processor shall assist the Controller as far as possible through appropriate technical and organizational measures in fulfilling the Controller’s obligation to respond to requests for exercising data subjects’ rights laid down in Chapter III of the GDPR.

7.3 Rectification, Erasure, and Restriction of Processing

  • 7.3.1 The Processor shall rectify, erase, or restrict the processing of personal data upon the instruction of the Controller.
  • 7.3.2 If a data subject contacts the Processor directly, the Processor shall forward this request to the Controller without delay.

7.4 Audit Obligations

  • 7.4.1 The Processor undertakes to ensure through appropriate checks that the processing is carried out exclusively in accordance with this Agreement and the instructions.
  • 7.4.2 The Processor confirms that it has appointed a Data Protection Officer where legally required.

7.5 Information Obligations

  • 7.5.1 The Processor shall immediately alert the Controller if, in its opinion, an instruction issued by the Controller violates statutory provisions. The Processor is entitled to suspend the execution of the respective instruction until it is confirmed or amended by the responsible person at the Controller.
  • 7.5.2 The Processor is obligated to notify the Controller immediately of any breach of data protection regulations, of the contractual agreements concluded, and/or of the instructions issued by the Controller that has occurred in the course of data processing by the Processor or by other persons entrusted with the processing.
  • 7.5.3 The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, in particular in ensuring an adequate level of protection, within the scope of its information obligations towards data subjects, in the event of a potential data protection impact assessment, and within the framework of prior consultations with the supervisory authorities.

7.6 Place of Data Processing

  • 7.6.1 The collection, processing, and use of the Controller’s data shall take place within Germany, another EU member state, or a contracting state to the EEA. Any transfer to a third country requires the prior consent of the Controller and may only occur if the requirements of Art. 44 et seq. GDPR are met.

7.7 Erasure upon Termination

  • 7.7.1 Upon termination of the contract, the Processor is obligated to return all personal data in its possession to the Controller or to erase them in a compliant and secure manner in accordance with the Controller’s instructions.

8. Data Protection Audits

8.1 The Processor grants the Controller the right to verify compliance with data protection regulations and contractual agreements to the necessary extent during regular business hours. The Controller shall not disrupt the operational processes of the Processor during this process. The Processor may make the inspection subject to prior notification with a reasonable lead time and to the signing of a confidentiality agreement regarding the data of other customers. If the auditor appointed by the Controller is in a competitive relationship with the Processor or if there are other weighty reasons against the inspection by the specific auditor, the Processor has a right of objection against them.

8.2 The Processor shall assist the Controller in conducting audits and shall cooperate fully and promptly in their execution. Any costs incurred due to an audit shall be borne by the Controller where applicable.

8.3 Upon written request, the Processor is obligated to provide information to the Controller within a reasonable period, insofar as this is necessary to carry out the audit.

8.4 The Processor must tolerate any audit measures taken by the data protection supervisory authority and shall inform the Controller immediately upon becoming aware of the execution of the audit measure.

8.5 Insofar as the Controller is subject to an audit by the supervisory authority, the Processor shall support the Controller to the best of its abilities.

9. Subcontracting Relationships

9.1 The engagement of subcontractors as further processors is permissible in accordance with the provisions of this Section 9. The Processor shall enter into agreements with these third parties to the necessary extent to ensure appropriate data protection and information security measures. The Processor currently engages the subcontractors specified in Annex 1 to this Agreement.

9.2 Before engaging or replacing subcontractors, the Processor is obligated to inform the Controller accordingly in writing. For this purpose, the Processor shall communicate to the Controller the name and address of the subcontractor as well as the service commissioned to them. The Controller has the right to object to the engagement or replacement of individual subcontractors within fourteen days of receiving the information. An objection must be objectively justified. If no objection is made within this period, the engagement or replacement of the subcontractor shall be deemed approved by the Controller. If the Processor does not comply with a timely and justified objection by the Controller, the Controller shall set a reasonable period of not less than fourteen days for the Processor to comply with the objection. If the Processor lets this period expire fruitlessly, the Controller has the right to prohibit the subcontracting by means of an instruction. If the engagement of the unapproved subcontractor is still not prohibited despite such an instruction by the Controller, the Controller is entitled to terminate this Agreement for good cause.

9.3 The engagement of subcontractors where the subcontractor merely utilizes an ancillary service to support the performance of services under the Main Contract does not require consent, even if access to the Controller data cannot be excluded in this process. This includes, in particular, transport services from postal or courier services as well as cash-in-transit services, telecommunication services, security services, and cleaning services, but not auditing and maintenance services.

9.4 The subcontracting agreement must feature an adequate level of protection that is comparable to that of this contract. The Controller must be granted its own audit rights in the subcontracting agreement towards the subcontractor, comparable to Section 8 of this Agreement.

9.5 The Processor shall regularly review compliance with the subcontractor’s obligations. In particular, the Processor must check in advance and regularly during the term of the contract that the subcontractor has taken the measures required under Article 32 of the GDPR to protect the security of personal data.

9.6 The commitment of the subcontractor must be made in writing. The written commitment must be transmitted to the Controller upon request.

10. Data Secrecy / Confidentiality

10.1 The Processor is obligated to maintain data secrecy when processing data for the Controller. The Processor assures that it is aware of the applicable data protection regulations and is familiar with their application.

10.2 The Processor undertakes to deploy only employees for the performance of the order who have been bound to data secrecy and have been appropriately familiarized with the requirements of data protection. The Processor and any person subordinated to the Processor who has access to personal data may process this data exclusively in accordance with the instructions of the Controller, including the powers granted in this contract, unless they are legally obligated to process the data.

11. Technical and Organizational Measures, Information Obligation

11.1 The technical and organizational measures described in Annex 2 to this Agreement are established as binding. These are data security measures designed to ensure a level of protection appropriate to the risk regarding the confidentiality, integrity, availability, and resilience of the systems.

11.2 The Processor observes the principles of proper data processing. It guarantees the contractually agreed and legally prescribed data security measures and checks them regularly.

11.3 The technical and organizational measures may be adapted to technical and organizational developments over the course of the contractual relationship. In doing so, the security level of the established measures must not be reduced. Significant changes must be documented and communicated to the Controller.

11.4 The Processor shall immediately notify the Controller of any malfunctions, breaches by the Processor or the persons employed by it against data protection provisions or the stipulations made in this Agreement, as well as any suspicion of data protection violations or irregularities in the processing of personal data. This applies above all with regard to any potential information obligations of the Controller pursuant to Articles 33 and 34 of the GDPR. The Processor assures that it will support the Controller in its obligations pursuant to Articles 33 and 34 of the GDPR.

12. Final Provisions

12.1 In the event of conflicts between the provisions of this Agreement and the regulations of the contract and orders, the provisions of this Agreement shall prevail.

12.2 Amendments and supplements to this Agreement must be made in writing and require the express statement that the present provisions are thereby amended and/or supplemented. This also applies to the waiver of this written form requirement. To satisfy the written form requirement, the exchange of scanned signatures or digital signatures such as DocuSign or similar is sufficient, but simple emails or messenger messages are not.

12.3 This Agreement is subject to German law. The place of jurisdiction for all disputes arising out of or in connection with this Agreement is Bremen.

12.4 Should a provision of this Agreement be or become invalid or unenforceable, the remaining provisions of this Agreement shall remain unaffected thereby. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that comes closest to the purpose of the provision being replaced.

ANNEX 1 – SUBCONTRACTORS

The Processor engages the subcontractors listed below within the meaning of Article 28 Paragraph 2 of the GDPR to perform the contractually agreed services in accordance with this Agreement.

The engagement occurs exclusively to the extent necessary for the performance of the services.

Not every subcontractor necessarily processes personal data of the Controller. The nature, scope, and purpose of the respective processing depend on the specific functionality utilized.

Insofar as subcontractors based outside the European Union or the European Economic Area are engaged, any transfer of personal data takes place exclusively in compliance with the requirements of Articles 44 et seq. of the GDPR, in particular through the conclusion of the respectively valid EU Standard Contractual Clauses as well as through supplementary technical and organizational measures.

1 Hosting and Infrastructure Services

1.1 Amazon Web Services EMEA SARL / Amazon Web Services, Inc.

1.1.1 Service: Cloud hosting, infrastructure, data center operations

1.1.2 Location: Luxembourg / USA

1.1.3 The processing of personal data takes place exclusively in data centers within the European Union, specifically in the AWS Region Frankfurt am Main, Germany.

2 Database and Platform Services

2.1 MongoDB, Inc.

2.1.1 Service: Database hosting and management via MongoDB Atlas

2.1.2 Location: USA

2.1.3 The processing of personal data takes place in data center regions selected by the Processor within the European Union.

ANNEX 2 – TECHNICAL AND ORGANIZATIONAL MEASURES

The Processor has taken the following technical and organizational measures to ensure a level of protection for the affected personal data that is appropriate to the risk:

1 Physical Access Control

Measures designed to physically prevent unauthorized persons from gaining access to IT systems and data processing facilities with which personal data are processed, as well as confidential files and data carriers.

Physical access control is ensured by manual locking systems, security locks, key regulations, chip cards or transponder locking systems, alarm systems and security personnel, personal controls at the reception, the mandatory wearing of visitor badges, the logging of visitors, and biometric access restrictions.

2 System Access Control

Measures designed to prevent unauthorized persons from processing or using data protected under data protection law.

System access control is ensured by:

  • the regulation of user rights;
  • password allocation;
  • identification and authentication with username and password;
  • the deployment of standard antivirus software;
  • hardware and software firewalls from established manufacturers on clients;
  • the creation of user profiles in IT systems;
  • the use of standard VPN technologies;
  • individually assigned (personalized) user identifiers;
  • a master user record per user;
  • the locking of workstations on inactivity via a time-out of the security token;
  • the encryption of data carriers;
  • the isolation of sensitive systems in separate network areas via logical segmentation;
  • the logging of login attempts;
  • regularly updated antivirus and spyware filters;
  • multiple hardware or software firewall shielding of client servers within a DMZ.

3 Data Access Control

Measures designed to ensure that persons authorized to use the data processing procedures can access exclusively the personal data covered by their access authorization, so that data cannot be read, copied, modified, or removed without authorization during processing, use, and storage.

Data access control is ensured by:

  • the regulation, creation, and implementation of authorization concepts;
  • limiting the number of administrators to what is strictly necessary;
  • the use of document shredders or established companies for document destruction, the proper destruction of data carriers, and the logging of such destruction by established companies;
  • the management of rights by those technically responsible for the application;
  • a password policy specifying password length and periodic password changes;
  • the logging of access and abuse attempts;
  • user administration and rights concepts;
  • PKI-based access authorizations;
  • evaluation and logging procedures;
  • data carrier management;
  • the assignment of authorizations at the level of roles, profiles, groups, and fields;
  • LDAP integration.

4 Transmission Control

Measures designed to ensure that personal data cannot be read, copied, modified, or removed without authorization during electronic transmission or during transport or storage on data carriers, as well as measures to check and establish the locations to which a transfer of personal data is intended.

Transmission control is ensured by:

  • the regulation of disclosure through guidelines;
  • dedicated leased lines;
  • VPN tunnels using standard technology;
  • secure transport containers or packaging;
  • the careful selection of transport personnel;
  • the transmission of data via encrypted containers or tunnel connections;
  • the engagement of disposal service providers for professional document destruction;
  • transport processes with individual responsibility, so that there is always a clear contact person and it is unambiguously defined what the Processor is to delete during data destruction;
  • comprehensive logging procedures;
  • firewall systems;
  • HTTPS encryption;
  • optional VPN access within a protected company network;
  • the preparation of database queries within the server, with requests or search results returned in processed form and with a defined data volume, to prevent SQL injection.

5 Input Control

Measures designed to ensure that it can be subsequently verified and established whether and by whom personal data have been entered, modified, or removed in data processing systems.

Input control is ensured by the assignment of rights for data entry, the modification and deletion of data based on authorization concepts, and system logging.

6 Job Control

Measures designed to ensure that, in a commissioned data processing relationship, any processing of personal data is carried out exclusively within the framework of the instructions and specifications issued by the Controller.

Job control is ensured by the Processor submitting evidence to the data protection officer of the Controller before commencing operations and subsequently on an incident-related basis, enabling the Controller to satisfy itself of compliance with the technical and organizational measures implemented by the Processor.

7 Availability Control

Measures designed to ensure that personal data are protected against accidental destruction or loss.

Availability control is ensured by:

  • an uninterruptible power supply;
  • air conditioning of server rooms and data centers, with each server room supplied via its own power feed from the public grid;
  • fire and smoke alarm systems and fire extinguishers;
  • testing of data recoveries;
  • the partially outsourced storage of data backups at AS4U, or otherwise the separation of data and backups across fire compartments or server rooms;
  • regular testing of the availability of data backups through ongoing restorations as tests for functioning backups;
  • standardized backup and recovery concepts;
  • emergency and restart plans;
  • data backup procedures, with spatial separation of the data backup procedures;
  • regular tests of data restoration;
  • storage of data in a relational database;
  • fire protection zones, water and early fire warning systems;
  • highly available air conditioning technology in the data center;
  • an oxygen-reduction extinguishing system in the data center;
  • uninterruptible redundant power supplies and emergency generators in the data center;
  • redundant dark fiber or wireless fiber optic connections in the data center;
  • surge protection in the data center;
  • a direct connection to the local fire department in the data centers to accelerate response times in the event of a fire.

8 Separation Requirement

Measures designed to ensure that data collected for different purposes are processed separately and are separated from other data and systems in such a way that an unplanned use of these data for other purposes is excluded.

Separation control is ensured by:

  • separate storage on separate databases, varying by system;
  • the definition of database rights within each database;
  • logical multi-tenant separation;
  • the separation of production and test systems;
  • authorization concepts;
  • a system of read and write permissions for installation folders;
  • a separate guest Wi-Fi network;
  • isolated access instances for clients within the AWS database utilized by the Processor.