Data Processing Agreement (DPA)

Agreement on the processing of data on behalf of Article 28 GDPR

 

Last Update: 04/12/2024


This Data Processing Agreement is between you

Client Name
– Data Controller –

and

done.by GmbH
Haimhauserstr. 8
80802 Munich
– Data Processor –
 

§ 1 Preamble, Subject Matter, and Order of Precedence

(1) General.
This agreement (the “Data Processing Agreement” or “DPA”) is part of the contract for the provision of our services between you and referenzen.com/done.by (the “Contract”).

(2) Subject Matter of the Agreement.
This DPA describes how referenzen.com/done.by processes project reference data and editor data that you provide to us in connection with your use of our services, in accordance with the requirements of data protection laws.

(3) Conflicts.
In case of conflict, the provisions of this DPA take precedence over provisions of earlier or future confidentiality agreements and other agreements concluded between the parties.
 

§ 2 Definitions

In this DPA, we will use certain words or phrases, and it is important that you understand their meaning. The list is not exhaustive, and no definition should be seen as binding if it contravenes the spirit of this DPA:

(1) “Client” or “You” refers to you, the person entering into the Contract (including this DPA) with done.by GmbH. If you use our services on behalf of an organization, you agree to these terms on behalf of the organization and you warrant that you are authorized to do so. In such a case, “Client” or “You” refers to that organization.

(2) “Data Protection Laws” means all laws and regulations, including those of the European Union, the European Economic Area and its member states, applicable to the processing of personal data (including data related to the provision of telecommunications services and conducting email marketing), in particular the GDPR, the German Act against Unfair Competition (UWG), the German Telecommunications Act (TKG), and the German Telemedia Act (TMG).

(3) “GDPR” refers to the European General Data Protection Regulation.

(4) “Individual Contract” is the SaaS contract concluded between the Client and referenzen.com/done.by for the provision of SaaS services and/or supplementary services.

(5) “Data Processing” or “Processing” refers to any operation or set of operations performed by referenzen.com/done.by as part of the services in relation to project reference data and editor data, whether or not by automated means, in particular collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, deletion or destruction of data.

(6) “Services” means the services we make available through our sites, including our reference catalogue widget and digital signage solution services for clients.

(7) “Site” refers to both our websites, referenzen.com and done.by, as well as our platform.

(8) “Subcontractors” means a third party commissioned by done.by GmbH who processes project reference data and editor data within the scope of its commissioning.

(9) “Contract” refers to the Individual Contract, the Terms and Conditions, and this Data Processing Agreement.

(10) “User” means any identified or identifiable natural person who is a client, employee, or business contact of yours and who has been created by you as an editor via our site or has been or will be contacted as a service or solution provider.

(11) “Project Reference Data and Editor Data” means personal information of a user that you or one of your employees have provided to referenzen.com/done.by in connection with your use of the services.

(12) “Special Categories of Data” refers to data concerning racial and ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, health data, or data concerning a natural person's sex life or sexual orientation (cf. Art. 9 para. 1 GDPR).

Other terms have the meaning given to them under this agreement or in the Contract.
 

§ 3 Subject Matter and Duration of Processing, Types of Project Reference Data and Editor Data and Categories of Data Subjects

(1) General Subject Matter.
Under this DPA, referenzen.com/done.by processes project reference data, company profile, and editor data on behalf of the Client in accordance with Article 28 GDPR.

(2) Duration.
This DPA is valid as long as referenzen.com/done.by provides services under the Contract and terminates automatically with the expiration or termination of the Contract.

(3) Subject, Nature, and Purpose of Processing.
The subject of the processing is the collection and provision of the Client's project references. The nature of the processing of project reference data and editor data is defined in our General Terms and Conditions and in our Privacy Policy, and possibly additionally in the Individual Contract. The purpose of data processing is content management and process optimization at the Client.

(4) Types of Data.
The processing may include the following types of/categories of project reference data and editor data: basic personal data including name or email address, communication data, address data, contract data, location data, image and video data, identification numbers, metadata, e.g. participation in projects, editorial activities, IP address, usage data, device data, and information from cookies and page tags.

(5) Categories of Affected Individuals.
The individuals affected by the processing are assigned to the following categories: (i) Clients of the Client; (ii) Employees of the Client; (iii) Business contacts of the Client; In each of the aforementioned cases (i) to (iii) to the extent that such a client, employee, or business contact has been or will be contacted by you via our site.

(6) Exclusion of Processing Special Categories of Personal Data.
The processing of special categories of personal data is excluded.

(7) Legal Basis for Processing for the Data Controller under Art. 6 GDPR:
The data subject has given consent to the processing of his or her personal data for one or more specific purposes (Art. 6 para. 1(a) GDPR). Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract (Art. 6 para. 1(b) GDPR) Legal basis for processing for the data processor is Art. 28 GDPR.
 

§ 4 Instructions from the Client

(1) Instructions.
As long as we provide services for you, you may give us instructions regarding the processing of project reference data and editor data, in addition to the provisions set forth in this DPA, regarding the nature, extent, and method of data processing (each such instruction will hereafter be referred to as an “Instruction”). Instructions can be given in written or electronic form. We will process your project reference data and editor data according to the Instructions.

(2) Change Requests.
Any Instruction that modifies or deviates from this DPA represents a change request and is subject to the requirements described in § 14 (1). With regard to changes in the Services and/or fees resulting from your Instructions, we will negotiate with you in good faith.

(3) Compliance with Data Protection Laws.
You are responsible for ensuring that your Instructions comply with the Data Protection Laws.

(4) Notification.
If we believe that an Instruction violates the GDPR or other data protection provisions of the Union or the Member States, we will promptly inform you.
 

§ 5 Rights and Obligations of the Client

(1) Compliance of the Processing with Data Protection Laws.
You are responsible for ensuring that the processing of project reference data and editor data under this agreement complies with the requirements of the Data Protection Laws, in particular with regard to (i) the transfer of project reference data and editor data to referenzen.com/done.by (including providing any required notices and obtaining all necessary consents), (ii) the use of project reference data and editor data in connection with marketing or advertising conducted by you and (iii) your decisions and activities regarding the processing and use of the project reference data and editor data.

(2) The Client as Data Controller.
You are the data controller in accordance with Article 4 paragraph 7 GDPR. You alone are responsible for the accuracy, quality, and legality of the project reference data and editor data and the means by which you acquired the project reference data.

(3) Special Categories of Personal Data.
The data controller shall refrain from using the site or the services to process special categories of personal data.

(4) Record of Processing Activities.
You are responsible under Article 30 GDPR for maintaining a record of processing activities.

(5) Obligation to Notify.
You will promptly inform us of any errors you discover in our services and of any irregularities in the implementation of the data protection laws.
 

§ 6 Obligations of referenzen.com/done.by

(1) Processing Only to Provide the Services.
We will process your project reference data and editor data only according to your documented Instructions and only to provide our services in accordance with Article 28 paragraph 3 GDPR. We will (i) not process or use your project reference data and editor data for any other purposes than those set forth in the Contract including in this DPA, and (ii) not disclose your project reference data and editor data to third parties (except to subcontractors for the aforementioned purposes), unless required by Union law or the laws of the Member States to which we are subject. In such a case, we will inform you of this legal requirement before processing, unless the law prohibits such information for important reasons of public interest.

(2) Processing Within and Outside the EU/EEA.
In principle, the data processor processes data within the Federal Republic of Germany, a Member State of the European Union, or another signatory to the Agreement on the European Economic Area or in a country with an adequate level of data protection according to the decision of the European Commission. The servers for data processing are located exclusively within the scope of the EU GDPR. The data processor may transfer data to its subcontractors. In this case, the subcontractor ensures compliance with the obligations under Art. 44 et seq. GDPR.

(3) Employees of done.by GmbH.
We ensure that our employees involved in the processing of project reference data and user data and authorized for this purpose are informed about the confidentiality of the project reference data and user data and have either contractually agreed to keep this data secret or are subject to a corresponding legal obligation of secrecy.

(4) Remote Work.
(i) The data processor is entitled to offer its employees remote work. It concludes a company agreement on remote work with them, which ensures compliance with all regulations on data protection and data security.
(ii) The data must not be compromised. The security of the data is to be guaranteed in particular by a secure service computer and the establishment of an encrypted connection.

(5) Our Data Protection Officer. We have a data protection officer: Jens Hoppe, Haimhauserstr. 8, 80802 Munich. This can be reached by email at dpo@done.by.
 

§ 7 Technical and Organizational Measures

(1) referenzen.com/done.by TOM Measures.
When we process project reference data and user data on your behalf, we will take all necessary measures in accordance with Article 32 GDPR. We have implemented certain technical and organizational measures as specified in Annex 1 for the processing of such data and will maintain these measures. These measures are intended to protect project reference data and user data against accidental or unauthorized loss, destruction, alteration, disclosure, or access and against all other unlawful forms of processing.

(2) Changes to the TOMs.
All technical and organizational measures for data security are subject to technical progress and development. Accordingly, we may change our security measures and/or introduce alternative security measures, provided, however, that these do not fall below the security standard contractually agreed upon in Annex 1.
 

§ 8 Client's Control Rights

(1) The client may determine compliance with the provisions on data protection and the specifications of this contract by means of controls. The controls can also be carried out by third parties that the client determines at its discretion. The data processor has the right to reject the control by the third party in the presence of special circumstances (or, for example, if there is a competitive relationship between the contractor and the third party). The data processor is obliged to support the client in the controls to the best of his ability by, among other things, providing the necessary information, allowing access to its documents and admitting to its premises.

(2) The client must generally announce the controls at a reasonable time in advance. They are to be carried out within a reasonable framework and with due regard for the interests of the data processor. This includes that they take place during the ordinary business hours of the data processor and do not unduly disrupt the orderly business operations as much as possible.

(3) Report Instead of an Audit.
If the requested audit frame has been covered in an SSAE 16/ISAE Type 2, ISO, NIST or a similar audit report and was conducted by a qualified external auditor within the previous twelve months, the client agrees to accept the audit report instead of the requested audit of the systems.

(5) Use of Reports.
As a client, you will provide us with all audit reports generated under this section unless this is legally prohibited. You may only use the audit reports to confirm that our technical and organizational measures meet the requirements of this DPA. The audit reports are confidential information of the parties according to the terms of the contract.

(6) Audit Costs.
Each audit will be at your own expense. Any request to done.by GmbH for assistance in an audit will be considered a separate service if such audit support requires the use of other or additional resources. We will obtain your written approval and agreement to pay the associated fees before we provide such audit support. Support services to meet data protection requirements as they arise e.g., from the GDPR and the BDSG are covered by the main contract, and no additional fees will be charged for these services.

(7) External Auditors.
If a third party conducts the audit, the client and done.by GmbH must agree with the third party and, before the audit is conducted, a confidentiality agreement acceptable to done.by GmbH must be concluded.
 

§ 9 Subcontractors

(1) Subcontractors.
We may use subcontractors to assist us in processing your project reference data and user data. By concluding this DPA, you give us your general written authorization for the use of subcontractors in accordance with Article 28 paragraph 2 GDPR. The list of subcontractors can be found in Annex 2. If we intend to add or replace a subcontractor, we will inform you to give you the opportunity to object to such a change if there are justified concerns regarding the adequate protection of personal data. If you do not object within two weeks after our notification about the change of a subprocessor, it has the same effect as consent. If the client objects to a change, referenzen.com/done.by reserves the right to extraordinarily terminate the contractual relationship with a notice period of two weeks.

(2) Our Agreements with Subcontractors.
We ensure that our subcontractors adhere to the same obligations in this DPA as referenzen.com/done.by. This applies in particular to the requirements in § 4, § 7, § 8, and § 10 to § 13. referenzen.com/done.by remains responsible at all times for fulfilling the conditions of this DPA through all subcontractors involved in providing our services to you.

(3) To the extent that we work with freelancers who have access to your personal data, we ensure that we only work with such freelancers who implement technical and organizational measures to ensure that data processing complies with the requirements of the General Data Protection Regulation (GDPR) and ensures the protection of the rights of the data subject. The data processing by a freelancer is subject to a data processing contract that guarantees the same level of data protection that you and we have agreed upon. A list of freelancers will be provided to you upon request.

(4) Copies of the Relevant Provisions.
You are entitled to receive copies of the relevant provisions of agreements with our subcontractors that process your project reference data and user data if the agreement does not contain confidential content; if this is the case, done.by GmbH can provide a redacted version of the agreement.

(5) Additional Services.
This § 9 does not apply when we use third parties for additional services; these include in particular telecommunications services, postal and shipping services, building security services, building management services, and services related to the cleaning or disposal of data media.
 

§ 10 Data Subject Rights

(1) Forwarding Requests.
If a data subject requests us to correct, block, or delete project reference data, company profile, and editor data, we will forward the request to you. referenzen.com/done.by will not respond to requests from data subjects without your prior written authorization.

(2) Support.
If a data subject requests you to correct, block or delete project reference data, company profile and editor data, or if a data subject requests information about the collection, processing or use of data in connection with our service, and you are not able to handle the request via our site yourself, as well as in the cases of Art. 18, 20 and 21 GDPR, we will support you, to the extent possible, with suitable technical and organizational measures in responding to and handling the request, provided that (i) you provide us with a corresponding instruction in writing or in text form and (ii) you compensate us for the costs and expenses incurred in providing such support. Support services to meet data protection requirements as they arise e.g., from the GDPR and the BDSG are covered by the main contract, and no additional fees will be charged for these services.
 

§ 11 Data Deletion

(1) No Copies or Duplicates.
We will not create any copies or duplicates of your project reference data, company profile, and editor data without your prior knowledge. Notwithstanding the foregoing sentence, we are entitled to (i) create backup copies and replications of our databases as necessary to ensure proper processing of the data of the reference management system, the functionality of our platform, and product development (ii) create and retain copies of the project reference data, company profile, and editor data as necessary to comply with legal retention and storage obligations.

(2) Deleting Data.
After the deletion of your account, or upon your written request at an earlier date, we will delete all copies of your project reference data, company profile, and editor data from our systems within one month. We are not liable for any losses or damage resulting from such deletion. It is your responsibility to ensure that all project reference data, company profile, and editor data are secured by the export function before deletion.

(3) Further Use to Fulfill Legal Obligations.
Notwithstanding the above, we will retain only such project reference data, company profile, and editor data that are necessary to fulfill our legal obligations, resolve disputes, and enforce our agreements.
 

§ 12 Service Analytics and Data Anonymization

(1) Service Analytics. We may compile statistical and other information related to the performance, operation, and use of our services. Data from employees or contacts of the client will not be included in the service analytics in a form that could identify or be used to identify a person.

(2) Data Anonymization. As indicated in §11(1), we are entitled to create backup copies and replications of our databases. referenzen.com/done.by is also entitled to anonymize project reference data, company profiles, and editor data in such backup copies and replications and to perform the processing steps necessary for such anonymization. The original dataset is not affected by the anonymization.

(3) Anonymized or aggregated data is no longer considered personal data. Maintaining anonymity, referenzen.com/done.by may use all generated data for its own purposes, such as statistical analyses, industry comparisons, research and development, and other purposes. referenzen.com/done.by is entitled to use and retain these data beyond the end of the contract for its own purposes.
 

§ 13 Notification Obligations and Additional Support

(1) Notifications of (governmental) searches and seizures.
We will inform you promptly if your project reference data, company profile, and user data under our control are subject to a search or seizure, a garnishment order, confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties. In such a case, we will inform all parties involved in such an action that any data affected here are in your sole ownership and fall within your area of responsibility, that the data are at your sole disposal, and that you are the data controller within the meaning of the GDPR.

(2) Notification of Incidents and Legal Violations.
We will inform you promptly if we become aware that (i) your project reference data, company profile, and user data have been subject to a security incident (including by an employee of referenzen.com/done.by) or (ii) if referenzen.com/done.by has committed a legal violation (including by an employee of referenzen.com/done.by) against the data protection laws applicable to the performance of our services to you, or against any of the provisions set forth in this DPA. In such a case, we will immediately investigate the security incident or legal violation and take appropriate measures to identify the root cause and prevent a recurrence.

(3) Support.
If you need to satisfy disclosure obligations under Article 33 GDPR due to the security incident or legal violation, we will support you in fulfilling such obligations, provided that (i) you issue instructions to us in writing or in text form and (ii) you compensate us for our reasonable and documented costs and expenses incurred in providing such support. Support services to meet data protection requirements such as those arising from the GDPR and the BDSG are covered by the main contract and no additional fees will be charged for these services.

(4) Further Support.
In addition to our aforementioned support obligations, we will support you, taking into account the nature of the processing and the information available to us, in complying with the obligations mentioned in Articles 32-36 of the GDPR, provided that
(i) you issue instructions to us in writing or in text form and
(ii) you compensate us for our reasonable and documented costs and expenses incurred in providing such support.
 

§ 14 Changes

(1) Changes to these Terms.
referenzen.com/done.by may change these terms at any time for various reasons, provided that the level of data protection is maintained at least, for example, to reflect changes in applicable law, to reflect updates to our services or the technical and/or organizational measures we employ, or to consider new services or functionalities.

(2) Notification of Changes.
Normally, we will not inform you in advance about changes or updates to the terms of this agreement. However, if you log into our site for the first time after such a change or update, we will inform you electronically about the change. If you continue to use our services, you consent to such changes or adjustments unless referenzen.com/done.by receives timely objection from you.

(3) Current Version.
Changes to these terms become effective with entry on our site. It is your responsibility to familiarize yourself with the most current terms of our agreement. You can always find the most current version at https://done.by/en/services/dpa.htm.
 

§ 15 Miscellaneous

(1) Severability Clause.
If any provisions of this DPA are invalid or unenforceable, this shall not affect the validity and enforceability of the other provisions of this DPA. The same applies in cases of a gap in this DPA.

(2) Choice of Law and Jurisdiction.
This DPA is subject to German law. For disputes arising from or in connection with this DPA, the courts in Munich shall have exclusive jurisdiction.

Note: This Data Processing Agreement is effective without signature by concluding an individual contract with referenzen.com/done.by. However, for ease of proof, we recommend that the client print out the contract and add it to their own records.

Client Name:

Title:

Date:

Signature:
 

done.by GmbH

Name:

Title:

Date:

Signature:

 

Annex 1 to the Data Processing Agreement (DPA)

Technical and Organizational Measures

The data processor assures that it has taken the following technical and organizational measures:

1. Measures to Ensure Confidentiality

1.1. Access Control
Measures that physically prevent unauthorized persons from accessing IT systems and data processing facilities processing personal data, as well as confidential files and data carriers.

referenzen.com/done.by does not own a data center. All our servers and our hosting equipment are rented as a service from 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur. We refer to the TOMs of 1&1 IONOS SE (Annex 2). The server locations of 1&1 IONOS SE are located in Germany. Further data processing takes place in-house at the company's location.

The data centers used – unless otherwise agreed or otherwise documented, the data centers of IONOS, Germany – have extensive and modern access controls (e.g. electronic access control systems, video surveillance, burglar alarms, security personnel) and implement processes that sustainably protect against unauthorized access (e.g. defined security areas, individual access authorization issuance, role-based authorization concept). Further information about the protective measures can be found in the IONOS portal on cloud security.

1.2. Admission Control
Measures that prevent unauthorized persons from processing or using data protected under data protection laws. Description of the access control system:

  • System and data access are restricted to authorized users
  • Users must identify themselves with username and password
  • Users are granted only limited rights
  • Role-Based Access Control (RBAC)
  • Implementation of a central password policy
  • Use of a software firewall
  • Use of anti-virus software

1.3. Access Rights Control
Measures to ensure that those authorized to use data processing procedures can only access personal data that falls within their access rights, so that data cannot be read, copied, altered, or removed without authorization during processing, use, and storage. Description of the access control system:

  • System and data access are restricted to authorized users
  • Users must identify themselves with username and password
  • All data accesses are automatically recorded
  • Number of administrators reduced to the necessary minimum
  • Logging of accesses and attempted misuse

1.4. Separation Requirement
Measures that ensure that data collected for different purposes are processed separately and are therefore separated from other data and systems so that unintentional use of these data for other purposes is excluded. Description of the separation control process:

  • Logical tenant separation (software-based)
  • Authorization concept
  • Production and test systems are separate from each other
  • Data records are only accessible through pre-defined systems
  • Database user rights are centrally issued and managed

1.5. Pseudonymization
Measures for pseudonymization are intended to exclude or significantly complicate the determination of the data subject.

  • The storage and merging of personal data take place using a pseudonymized user identification number (User-ID).

1.6 Encryption

  • Website offers only with SSL/TLS encryption
  • Backups are encrypted
  • User passwords are not stored. Instead, a secure method based on cryptographic hash functions is used ("Salted Cryptographic Hash")
     

2. Measures to Ensure Integrity

2.1. Transmission Control
Measures to ensure that personal data cannot be read, copied, altered, or removed without authorization during electronic transmission or during their transport or storage on data carriers, as well as measures with which it can be checked and determined to which places a transmission of personal data is intended. Description of the transmission control:

  • HTTPS
  • VPN
  • Documentation of the data recipients and the time spans of the planned transfer or agreed deletion periods
  • No use of physical data carriers
  • Comprehensive logging procedures
  • Private data carriers from personnel may not be used at work

2.2. Input Control
Measures to ensure that it can be subsequently checked and determined whether and by whom personal data have been entered, altered, or removed in IT systems. Description of the input control process:

  • Logging of all system activities and retention of logs for at least 6 months
  • Traceability of data entry/change/deletion by individual usernames (not user groups)
  • Assignment of rights to enter/change/delete data based on an authorization concept
     

3. Measures to Ensure Availability and Resilience

The measures for availability and resilience are intended to ensure the services and internal operational procedures, as well as their information security, even in the event of operational disruptions and unforeseen events.

  • The data centers used – unless otherwise agreed or otherwise documented, the data centers of IONOS SE – have extensive and modern fire detection and extinguishing facilities, air conditioning and temperature controls, as well as measures for surge protection and uninterrupted power supply (UPS). Further information can be found in the respective portals of IONOS on the topic of cloud security.
  • The commissioning of the provided production systems, their configuration, and the implementation of changes occur transparently and traceably through a largely automated deployment infrastructure.
  • Backups of the production data are performed hourly in an incremental form and daily as a full backup. All backups are redundantly held and distributed in encrypted form (AES256) across multiple devices and separate facilities – unless otherwise agreed or otherwise documented, at least 2 facilities at IONOS. Technical access restrictions, automatic historization and deletion policies, as well as strict organizational guidelines for handling backups are implemented.
  • Integrated protection against cyber security threats: This includes an anti-malware shield, Self Protection, and a vulnerability check.
  • Disaster recovery processes for data recovery and processes for random testing of recoverability are defined.
  • Procedures for handling and reporting disruptions (incident management), including detection and response to possible security incidents, are defined.
     

4. Measures for Regular Evaluation of Data Processing Security

The measures for effectiveness testing are intended for the regular control and evaluation of the effectiveness of all previously described technical and organizational measures.

  • referenzen.com/done.by trains its employees with respect to information security to ensure that they fulfill their obligation not to unlawfully collect, process, or use customer data. Thus, the confidentiality of customer data is to be maintained, even after termination of any functions involving customer data. Employees are instructed to report immediately any detected violations of data protection provisions, suspicion of possible violations, and other incidents related to information security.
  • Disciplinary measures exist for non-compliance with confidentiality obligations.
  • referenzen.com/done.by conducts an employment relationship review. Included is the verification of identity for new hires in positions requiring access to systems and applications that store customer data. When the employment relationship ends, whether voluntary or involuntary, referenzen.com/done.by immediately blocks access to all systems.
  • referenzen.com/done.by continuously assesses the risks associated with the processing of personal data and develops an action plan to mitigate the identified risks.
  • Automated and manual penetration tests are conducted regularly.
  • referenzen.com/done.by maintains measures to identify, manage, mitigate, and/or resolve vulnerabilities in the infrastructure of referenzen.com/done.by. Security measures include: Anti-Virus / Anti-Malware, vulnerability scanning, threat alerts, patch management.


Annex 2 to the Data Processing Agreement (DPA)

Subcontracting Relationships According to the Data Processing Agreement

The data processor currently works with the following other data processors in fulfilling the contract, with whose commissioning the controller agrees.

1&1 IONOS SE
Company name: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur
Country of registration: Germany
Function: Various servers for hosting, Matomo tracking, NextCloud collaboration
Storage location: Germany
https://www.ionos.de/terms-gtc/datenschutzerklaerung/
https://www.ionos.de/terms-gtc/avv/

Invite to Beta