Data Processing Agreement

Effective: March 1, 2026 · Pursuant to GDPR Article 28

This Data Processing Agreement (“DPA”) supplements the Terms of Service between you (“Controller”, “Customer”) and mamarx GmbH, Chodowieckistr. 15, 10405 Berlin, Germany (“Processor”, “mamarx”), governing the processing of personal data through the sota.io platform.

1. Subject & Duration

This DPA applies for the entire duration of the service relationship, beginning at account activation and concluding upon account deletion or service termination. The Processor processes personal data on behalf of the Controller as described in this agreement.

2. Nature & Purpose of Processing

The Processor provides Platform-as-a-Service (PaaS) for deploying and hosting web applications on EU-based infrastructure. Processing activities include:

  • Storage and execution of application code and data within containers
  • Managed PostgreSQL database hosting
  • Network routing and TLS termination
  • Collection of deployment metadata and build logs
  • Authentication and access control

3. Types of Personal Data

The following categories of personal data may be processed:

  • Any personal data stored within deployed applications and databases
  • IP addresses and connection metadata
  • Account data (email)
  • API keys (stored as SHA-256 hashes)

4. Categories of Data Subjects

Data subjects may include:

  • The Customer's employees and contractors
  • The Customer's end users and customers
  • Any other individuals whose data is processed through deployed applications

5. Controller Obligations

The Controller shall:

  • Ensure that all processing has a lawful basis and appropriate consents are obtained
  • Provide documented processing instructions to the Processor
  • Promptly notify the Processor about data subject requests
  • Maintain compliance with GDPR within deployed applications
  • Ensure that personal data transferred to the platform is collected lawfully

6. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational measures per GDPR Article 32
  • Not engage a new sub-processor without first notifying the Controller and giving it the opportunity to object, under the procedure in Section 7
  • Assist the Controller with data subject rights requests (access, rectification, erasure, portability)
  • Delete or return all personal data upon termination and provide written confirmation
  • Make available all information necessary to demonstrate compliance

7. Sub-processors

The following sub-processors are engaged:

Sub-processor          Purpose                             Location
Hetzner Online GmbH    Server hosting, compute, storage    Germany
Supabase Inc.          Authentication (EU region)          EU (Frankfurt)

The Processor will provide 30 days' written notice before engaging any new sub-processor. The Controller may object within this period.

8. Technical & Organizational Measures

The Processor implements the following security measures in accordance with GDPR Article 32:

  • Encryption in transit: TLS 1.2+ for all external connections
  • Encryption at rest: Encrypted storage volumes on Hetzner infrastructure
  • Network isolation: Container-level network isolation using Docker and gVisor sandboxing for user applications
  • Access control: Role-based access; API key authentication, with keys stored as SHA-256 hashes rather than in plaintext
  • Database security: Per-project PostgreSQL instances with PgBouncer connection pooling, dedicated credentials
  • Infrastructure updates: Regular patching of host operating system and container runtimes
  • Physical security: Hetzner data center security (ISO 27001 certified)
  • Monitoring: Health checks, deployment logging, access logging

9. Audit Rights

The Controller may conduct compliance audits or inspections with 30 days' written notice, during normal business hours, and at the Controller's expense. The Processor will cooperate with audits and provide access to relevant documentation. Audits shall not unreasonably disrupt operations.

10. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay (and in any case within 72 hours) after becoming aware of the breach. The notification shall include:

  • Nature of the breach, including categories and approximate number of data subjects affected
  • Contact details for further information
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

11. Data Return & Deletion

Upon termination of the service relationship, the Controller has 30 days to retrieve all data. After this period, the Processor will permanently delete all personal data unless retention is required by EU or member state law. Written confirmation of deletion will be provided upon request.

12. Data Transfers

All personal data is processed and stored exclusively within the European Union. The Processor does not transfer personal data to third countries. All sub-processors host and process personal data within the EU or EEA.

13. Liability

Each party is liable for damages caused by processing that infringes GDPR, in accordance with Article 82. The Processor is liable for damage caused by processing only where it has not complied with obligations specifically directed to processors, or has acted outside or contrary to the Controller's lawful instructions.

14. Governing Law

This DPA is governed by the laws of the Federal Republic of Germany. Exclusive jurisdiction is Berlin, Germany.

15. Contact

mamarx GmbH

Chodowieckistr. 15, 10405 Berlin, Germany

Email: privacy@sota.io

For a countersigned copy of this DPA, please contact us at the email above.