DPA & SCC

Our Data Processing and SCC which applies when using
0CodeKit

Get Apps for your favorite automations:
  • make
  • n8n

Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs)

Last Updated: 12.03.2025

Between:

  • Controller: relyon AG
  • Processor: 0CodeKit by relyon AG

Preamble

This Agreement forms part of the Contract for Services under the 0CodeKit by relyon AG Terms and Conditions (the "Principal Agreement"). It is effective upon incorporation into the Principal Agreement. Archived versions of this DPA are available here.

Term: This Agreement follows the term of the Principal Agreement. Capitalized terms not defined herein retain their meaning under the Principal Agreement.

Purpose:

  • Controller (Your Company) subcontracts Services involving personal data processing to 0CodeKit by relyon AG (Processor).
  • The Parties commit to compliance with Regulation (EU) 2016/679 (GDPR) and applicable data protection laws.

1. Definitions

1.1 Key Terms:

  • "Company Personal Data": Personal Data Processed by Processor on Controller’s behalf.
  • "Data Protection Laws": GDPR, EU Directive 95/46/EC, and applicable national laws.
  • "Services": End-to-end encrypted email services (detailed in Schedule 1).
  • "Subprocessor": Third parties appointed by Processor to process Personal Data.

1.2 GDPR Terms: "Controller," "Data Subject," "Processing," etc., align with GDPR definitions.

2. Processing Obligations

2.1 Processor Responsibilities:

  • Process data only per Controller’s documented instructions.
  • Comply with GDPR (Articles 28, 32) and implement security measures.
  • Notify Controller of breaches within 72 hours.
  • Assist with Data Subject Rights (DSARs) and impact assessments.

2.2 Controller Instructions: Processing limited to providing Services and technical support.

3. Security & Personnel

3.1 Security Measures:

  • Implement technical/organizational safeguards (e.g., encryption, access controls) per Article 32 GDPR.
  • Conduct annual audits and system tests (penetration tests, code scans).

3.2 Personnel:

  • Ensure confidentiality via NDAs and role-based access.
  • Train employees on data protection and security protocols.

4. Subprocessing

4.1 Approval Required:

  • Processor uses Subprocessors (e.g., AWS, Stripe).
  • Controller may object to new Subprocessors within 14 days.

5. Data Transfers

5.1 International Compliance:

  • EU SCCs (2021): Apply to transfers outside the EEA (Modules 2/3).
  • UK Addendum: Incorporated for UK transfers post-Brexit.
  • Supplementary Measures: Encryption for transfers to non-adequate countries.

6. Data Subject Rights & Breach Management

6.1 DSAR Support:

  • Assist Controller in responding to requests (access, deletion, etc.).
  • Notify Controller of DSARs and act only on documented instructions.

6.2 Breach Protocol:

  • Notify Controller without undue delay.
  • Cooperate in investigation, mitigation, and remediation.

7. Data Retention & Deletion

  • Delete or return data within 10 business days after service termination.
  • Provide written certification of deletion.

8. Audits

  • Controller may audit Processor’s compliance annually with 30 days’ notice.

9. Governing Law & Jurisdiction

  • Governing Law: German Law.
  • Jurisdiction: Exclusive jurisdiction of courts in Stuttgart, with appeals to Amtsgericht Stuttgart.

Schedules

Schedule 1: Service Description

  • Service: 0CodeKit by relyon AG provides encrypted API services and SaaS tools.
  • Pricing & Details: Link to Service Terms.

Schedule 2: Data Processing & Security

  • Data Types: Contact details, IP addresses, usage data (see Privacy Policy).
  • Purposes: IT security, SaaS delivery, customer management.
  • Special Categories: Biometric, religious, or political data (processed only with explicit consent).

Technical & Organizational Measures (TOMs):

  • Access Controls: Multi-factor authentication, encrypted backups, role-based permissions.
  • ISMS: BSI-compliant security management, regular penetration testing.
  • Subprocessors: Microsoft Azure (USA), Stripe (Ireland).

Appendices

  • Contact Persons:
    • Controller: Ingmar Bayer.
    • Processor: Mirko Tochtermann

Signature:
By using 0CodeKit’s services, Controller agrees to this DPA.

Updates for Compliance

  • 2021 EU SCCs: Replaced outdated clauses.
  • UK Addendum: Addresses post-Brexit transfers.
  • Schrems II: Encryption for non-adequate countries.

Linked Policies: