Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into between the Merchant ("Controller") and Comet Rocks GmbH ("Processor") as part of the Terms of Use for Merchants. This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Comet Platform.
Section 1: Scope
This DPA applies to all processing of personal data carried out by the Processor on behalf of the Controller in connection with the services provided under the Terms of Use. The details of the processing, including the nature, purpose, types of personal data, and categories of data subjects, are described in Annex 1.
Section 2: Definitions
Terms used in this DPA have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR"). In addition:
- "Controller" means the Merchant, who determines the purposes and means of the processing of personal data.
- "Processor" means Comet Rocks GmbH, who processes personal data on behalf of the Controller.
- "Subprocessor" means a third party engaged by the Processor to process personal data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
Section 3: Controller's Instructions
The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject. The Controller's instructions are set out in this DPA, the Terms of Use, and any additional written instructions provided by the Controller.
If the Processor believes that an instruction infringes the GDPR or other data protection provisions, it shall immediately inform the Controller.
Section 4: Confidentiality
The Processor shall ensure that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation continues after the termination of the engagement.
Section 5: Security of Processing
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 3. These measures include, as appropriate:
- Pseudonymization and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.
Section 6: International Data Transfers
The Processor shall not transfer personal data to a third country or international organization without the prior written consent of the Controller, unless required by Union or Member State law.
Where transfers are made to countries outside the EEA, the Processor shall ensure that appropriate safeguards are in place in accordance with Article 46 GDPR, including the EU Standard Contractual Clauses (SCCs). For transfers to subprocessors, Module 4 of the EU SCCs shall apply as set out in Annex 4.
Section 7: Subprocessors
The Controller grants the Processor general written authorization to engage subprocessors. The current list of subprocessors is set out in Annex 2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of subprocessors, giving the Controller the opportunity to object to such changes within 30 days.
The Processor shall impose the same data protection obligations as set out in this DPA on any subprocessor by way of a contract. The Processor remains fully liable to the Controller for the performance of the subprocessor's obligations.
Section 8: Review and Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audits shall be conducted with reasonable advance notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations.
Section 9: Data Subject Requests
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). The Processor shall promptly notify the Controller of any requests received directly from Data Subjects without responding to such requests unless authorized by the Controller.
Section 10: Assistance to the Controller
The Processor shall assist the Controller in ensuring compliance with the Controller's obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with:
- Security of processing
- Notification of personal data breaches to the supervisory authority
- Communication of personal data breaches to Data Subjects
- Data protection impact assessments
- Prior consultation with supervisory authorities
Section 11: Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall include:
- A description of the nature of the breach.
- The categories and approximate number of Data Subjects and data records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
Section 12: Deletion and Return of Data
Upon termination of the agreement, the Processor shall, at the Controller's choice, delete or return all personal data to the Controller and delete existing copies, unless Union or Member State law requires storage of the personal data. The Controller must make this election within 30 days of termination. If no election is made, the Processor shall delete the data.
Section 13: Final Provisions
This DPA is an integral part of the Terms of Use for Merchants. In the event of a conflict between this DPA and the Terms of Use, the provisions of this DPA shall prevail with respect to data protection matters. This DPA is governed by the laws of the Federal Republic of Germany.
Section 14: Liability
The liability of the parties under this DPA is subject to the limitations set out in the Terms of Use, except where such limitations are prohibited by applicable data protection law.
Annex 1: Description of Processing
Nature and Purpose of Processing
The Processor processes personal data to provide the Comet Platform services to the Controller, including hosting and operating the Controller's online store, processing transactions, providing analytics, and supporting customer interactions.
Categories of Personal Data
- Contact information (name, email address, phone number, shipping and billing address)
- Transaction data (order details, purchase history, payment references)
- Technical data (IP address, browser information, device identifiers)
- Usage data (browsing behavior within the store, session data)
- Account data (Merchant and Authorized User registration data)
Categories of Data Subjects
- End Customers of the Controller's Store
- Merchant's employees and Authorized Users
- Visitors to the Controller's Store
Duration of Processing
Processing shall continue for the duration of the agreement between the Controller and the Processor, plus any retention period required for data deletion or return.
Annex 2: List of Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | Frankfurt, Germany (EU region) |
| Google Cloud Platform | Cloud services and AI processing | EU region |
| Cloudflare, Inc. | CDN, DDoS protection, edge computing | San Francisco, USA (EU processing) |
| Vercel, Inc. | Application hosting and deployment | San Francisco, USA |
| Stripe, Inc. | Payment processing infrastructure | Dublin, Ireland |
| Adyen N.V. | Payment processing infrastructure | Amsterdam, Netherlands |
| Datadog, Inc. | Application monitoring and security | New York, USA |
| Intercom, Inc. | Customer support and messaging | San Francisco, USA |
| HubSpot, Inc. | CRM and marketing automation | Cambridge, USA |
| Attio | CRM | London, UK |
| Microsoft Corporation | Clarity analytics | Dublin, Ireland |
| Google Ireland Limited | Analytics and authentication | Dublin, Ireland |
| LinkedIn Ireland Unlimited Company | Analytics | Dublin, Ireland |
| Osano, Inc. | Consent management | Austin, USA |
| Mintlify, Inc. | Documentation hosting | Ithaca, USA |
| Cloudinary Ltd. | Image optimization and delivery | Santa Clara, USA |
Annex 3: Technical and Organizational Measures
The Processor implements the following categories of technical and organizational measures:
1. Access Control (Physical)
Measures to prevent unauthorized persons from gaining access to data processing systems. Cloud infrastructure providers maintain SOC 2 Type II certified data centers with physical access controls, surveillance, and environmental protections.
2. Access Control (Logical)
Measures to prevent unauthorized use of data processing systems:
- Role-based access control (RBAC) with least privilege
- Multi-factor authentication for all production systems
- Regular access reviews and prompt deprovisioning
- Individual user accounts (no shared credentials)
- Automated session timeouts
3. Data Access Control
Measures to ensure that authorized users can only access data they are entitled to:
- Logical tenant isolation in multi-tenant architecture
- Granular permission systems
- Audit logging of data access
- Encryption of data at rest with unique keys per customer
4. Transfer Control
Measures to ensure that personal data cannot be read, copied, modified, or removed without authorization during transfer:
- TLS 1.2+ encryption for all data in transit
- Encrypted VPN connections for administrative access
- Secure API authentication using tokens and keys
5. Input Control
Measures to ensure that it is possible to check and establish whether and by whom personal data has been entered, modified, or removed:
- Comprehensive audit logging
- Traceability of data modifications
- Version control for configuration changes
6. Availability Control
Measures to ensure that personal data is protected against accidental destruction or loss:
- Automated backups with regular restoration testing
- Redundant infrastructure with failover capabilities
- Disaster recovery procedures
- 99.5% uptime SLA for platform availability
7. Separation Control
Measures to ensure that personal data collected for different purposes can be processed separately:
- Logical separation of customer data
- Separate environments for production, staging, and development
- Purpose limitation through access controls
Annex 4: EU Standard Contractual Clauses Matrix
Where personal data is transferred to subprocessors located outside the European Economic Area, the following EU SCC modules apply:
| Transfer Scenario | Applicable Module |
|---|---|
| Controller (EU) to Processor (non-EU) | Module 2: Controller to Processor |
| Processor (EU) to Subprocessor (non-EU) | Module 3: Processor to Processor |
| Processor (non-EU) to Controller (EU) | Module 4: Processor to Controller |
The parties agree that the competent supervisory authority is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).
The governing law for the SCCs is the law of the Federal Republic of Germany, and the courts of Berlin, Germany shall have jurisdiction.