Data Processing Agreement (DPA)

pursuant to Art. 28 of the General Data Protection Regulation (GDPR)

Contracting Parties

Controller:

The customer pursuant to the underlying main contract for the use of the software "TheraTap" (hereinafter "Controller")

Processor:

TheraTap GbR
Grootkoppelstr. 56
22844 Norderstedt
Germany

Represented by: Jonas Imping, Maya Alina Imping
Email: info@theratap.de
Phone: +49 40 33 46 90 24-0
VAT ID: DE354295422

(hereinafter "Processor")

Controller and Processor are hereinafter individually referred to as "Party" and collectively as "Parties".

Preamble

The Processor provides the Controller with the cloud-based practice management software "TheraTap" (hereinafter "Software"). In the course of using the Software, the Processor processes personal data on behalf of the Controller. This Data Processing Agreement (hereinafter "DPA") specifies the data protection rights and obligations of the Parties in connection with this data processing pursuant to Art. 28 GDPR.

This DPA is an integral part of the main contract concluded between the Parties for the use of the Software (hereinafter "Main Contract") and takes effect upon conclusion of the Main Contract.

§ 1 Subject Matter and Duration of Processing

1.1 Subject Matter

The subject matter of the data processing arises from the Main Contract. The Processor processes personal data on behalf of the Controller in the context of providing and operating the cloud-based practice management software "TheraTap". The processing includes in particular:

• Storage and management of contact data (animal owners, veterinarians, other contacts)
• Storage and management of patient data (animal data and associated owner data)
• Documentation of treatments, medical histories, and therapy plans
• Appointment and calendar management
• Invoice creation and management
• Communication between the Controller and their clients (messages, reminders)
• Management of documents, media, and files
• Online appointment booking by the Controller's end customers

1.2 Duration

The duration of this DPA is governed by the term of the Main Contract. It begins with the conclusion of the Main Contract and ends upon its termination, unless obligations arising from the following provisions continue beyond termination.

§ 2 Nature and Purpose of Processing

2.1 Nature of Processing

The processing includes the following activities:

• Collection (insofar as entered by the Controller or their end customers via the Software)
• Recording
• Organisation and structuring
• Storage
• Adaptation and alteration
• Retrieval
• Consultation
• Use
• Disclosure by transmission (e.g., email and SMS dispatch on behalf of the Controller)
• Alignment and combination
• Restriction
• Erasure and destruction

2.2 Purpose of Processing

The processing serves exclusively the provision of the contractually agreed services within the scope of the practice management software pursuant to the Main Contract. Processing for other purposes does not take place.

§ 3 Types of Personal Data

The following types of personal data are subject to processing:

3.1 Master and Contact Data of the Controller's End Customers

• First and last name
• Email address
• Phone number, mobile phone number
• Address (street, postal code, city, country)
• Company, position, department
• Profile pictures
• Geodata (coordinates for route planning)

3.2 Patient-Related Data (Animal Data with Personal Reference)

• Animal name, species, breed, gender
• Age, date of birth, weight, height
• Chip number
• Location of the animal
• Assignment to the animal owner (personal data reference)

3.3 Treatment and Health Data

• Treatment documentation (findings, therapy progress, medical histories)
• Therapy plans (content, periods, frequency)
• Medication and feeding recommendations
• Health schedules (vaccinations, deworming)
• Gait analyses and posture findings
• Notes and remarks on treatments

3.4 Appointment and Communication Data

• Appointment details (date, time, status, description)
• Messages and chat histories between the Controller and end customers
• Email and SMS communication (reminders, confirmations)
• Booking requests

3.5 Billing and Payment Data

• Invoice numbers, invoice data, and amounts
• Tax information
• Payment status

3.6 Usage Data

• Activity logs
• File uploads (documents, images, videos)
• Consent declarations and signatures

§ 4 Categories of Data Subjects

The following categories of data subjects are affected by the processing:

• End customers of the Controller: Animal owners who use the services of the Controller
• Veterinarians and referrers: Veterinary contacts recorded in the context of practice management
• Other contacts: Other business contacts recorded by the Controller in the Software
• Employees and team members of the Controller: Insofar as their data is processed in the Software

§ 5 Obligations of the Processor

5.1 Instruction-Bound Processing

(a) The Processor shall process the personal data exclusively on documented instructions from the Controller, unless the Processor is required to do so by Union or Member State law to which it is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.

(b) The Controller's instructions generally arise from this DPA and the Main Contract. Individual instructions that go beyond the services agreed in the Main Contract require text form (email is sufficient) and are to be issued by the Controller without delay. Oral instructions must be confirmed in text form without delay.

(c) The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes data protection provisions. The Processor is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Controller.

5.2 Confidentiality

(a) The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(b) The Processor shall ensure that access to the personal data within the scope of the processing is limited to those employees who require it for the fulfilment of their contractual obligations.

5.3 Technical and Organisational Measures

(a) The Processor shall implement all technical and organisational measures required pursuant to Art. 32 GDPR for the protection of personal data. The measures in place at the time of contract conclusion are described in Annex 1 to this DPA.

(b) The Processor shall regularly review the technical and organisational measures and adapt them to the state of the art. The level of protection must not be reduced.

(c) The Processor is entitled to modify the technical and organisational measures during the term of the contract, provided that the contractually agreed level of protection is not reduced.

5.4 Assistance to the Controller

(a) The Processor shall assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as possible, in fulfilling requests from data subjects exercising their rights under Chapter III of the GDPR (Art. 15–22 GDPR).

(b) The Processor shall assist the Controller, taking into account the nature of the processing and the information available to it, in ensuring compliance with the obligations set out in Art. 32–36 GDPR, in particular:

• Security of processing (Art. 32 GDPR)
• Notification of a personal data breach to the supervisory authority (Art. 33 GDPR)
• Communication of a personal data breach to the data subject (Art. 34 GDPR)
• Data protection impact assessment (Art. 35 GDPR)
• Prior consultation with the supervisory authority (Art. 36 GDPR)

5.5 Notification of Personal Data Breaches

The Processor shall notify the Controller without undue delay, and no later than 24 hours after becoming aware, of any personal data breach. The notification shall include at least:

• a description of the nature of the breach, including where possible the categories and approximate number of data subjects and data records affected
• the name and contact details of the data protection officer or other point of contact
• a description of the likely consequences of the breach
• a description of the measures taken or proposed to address the breach and to mitigate its possible adverse effects

5.6 Deletion and Return of Data

(a) Upon termination of the Main Contract, the Processor shall delete all personal data processed on behalf of the Controller, unless statutory retention obligations exist.

(b) Prior to deletion, the Controller shall have the opportunity to export the data in a common, machine-readable format. The Processor shall provide suitable export functions within the Software for this purpose.

(c) Deletion shall take place no later than 30 days after termination of the Main Contract, unless the Controller has previously performed a data export or a different deadline has been agreed.

(d) The Processor shall confirm the deletion to the Controller upon request in text form.

5.7 Accountability and Audits

(a) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

(b) The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller shall inform the Processor of audits with reasonable notice (at least 14 days) in advance in text form.

(c) Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's business operations. The Controller shall ensure that mandated auditors are bound by confidentiality obligations.

(d) The Processor may also demonstrate compliance with its obligations by presenting suitable, current certifications or audit reports from independent bodies.

§ 6 Sub-Processors

6.1 Authorisation

(a) The Controller grants the Processor general written authorisation to engage further processors (sub-processors). The sub-processors engaged at the time of contract conclusion are listed in Annex 2. By concluding this DPA, these are deemed approved.

(b) The Processor shall inform the Controller of any intended changes regarding the addition or replacement of sub-processors. The Controller shall have the opportunity to object to such changes within 14 days of receiving the information. The objection must be in text form and substantiated.

(c) If the Controller raises a justified objection and no amicable solution can be found, the Controller shall have a special right of termination with regard to the Main Contract.

6.2 Obligations Towards Sub-Processors

(a) The Processor shall carefully select sub-processors and ensure that they provide sufficient guarantees that appropriate technical and organisational measures are implemented such that processing is carried out in accordance with the requirements of the GDPR.

(b) The Processor shall conclude a contract with each sub-processor that imposes on the sub-processor the same data protection obligations as set out in this DPA. If the sub-processor fails to fulfil its data protection obligations, the Processor shall be liable to the Controller for the fulfilment of the sub-processor's obligations.

§ 7 Third-Country Transfers

7.1 Principle

A transfer of personal data to a third country (outside the EEA) or to an international organisation by the Processor shall only take place if the requirements of Art. 44–49 GDPR are met.

7.2 Safeguards

Where sub-processors in third countries are engaged, the Processor shall ensure that an adequate level of data protection is guaranteed, in particular through:

• Adequacy decision by the European Commission (Art. 45 GDPR)
• Standard contractual clauses (Art. 46(2)(c) GDPR)
• Binding corporate rules (Art. 47 GDPR)
• Other appropriate safeguards pursuant to Art. 46 GDPR

7.3 Information Obligation

The Processor shall inform the Controller about the engagement of sub-processors in third countries and the safeguards put in place in each case.

§ 8 Obligations of the Controller

8.1 Responsibility

(a) The Controller is responsible within the scope of this DPA for compliance with data protection provisions, in particular for the lawfulness of the data processing (Art. 4(7), Art. 24 GDPR).

(b) The Controller is responsible for ensuring that the processing of personal data via the Software is based on a valid legal basis and that data subjects are duly informed about the processing.

8.2 Right to Issue Instructions

(a) The Controller has the right and the obligation to issue instructions to the Processor regarding the nature, scope, and method of data processing.

(b) Instructions shall generally be issued in text form. Oral instructions must be confirmed in text form without delay.

8.3 Cooperation Obligations

The Controller shall immediately inform the Processor if it detects errors or irregularities in the processing of personal data.

§ 9 Liability

The liability of the Parties shall be governed by the general statutory provisions, in particular Art. 82 GDPR in conjunction with the provisions of the Main Contract. The liability provisions of the Main Contract shall apply supplementarily.

§ 10 Final Provisions

10.1 Priority

In the event of contradictions between this DPA and the Main Contract or other agreements between the Parties, the provisions of this DPA shall prevail insofar as data protection matters are concerned.

10.2 Severability Clause

Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions shall not be affected. The Parties undertake to replace the invalid provision with a valid provision that comes as close as possible to the economic purpose of the invalid provision.

10.3 Amendments

Amendments and additions to this DPA require text form. This also applies to the amendment of this text form clause.

10.4 Applicable Law and Jurisdiction

The law of the Federal Republic of Germany shall apply. The exclusive place of jurisdiction for all disputes arising from or in connection with this DPA shall be – to the extent legally permissible – Norderstedt, Germany.

---

Annex 1: Technical and Organisational Measures (TOMs)

The Processor has implemented the following technical and organisational measures pursuant to Art. 32 GDPR:

1. Confidentiality (Art. 32(1)(b) GDPR)

1.1 Physical Access Control

• Server infrastructure is operated on dedicated servers at Hetzner Online GmbH in German data centres with corresponding security certifications (ISO 27001)
• No physical access to servers by Processor employees is required

1.2 System Access Control

• Authentication via individual user accounts with password protection
• Encrypted data transmission using TLS/SSL (HTTPS)
• SSH key-based access to server systems
• Automatic lockout after multiple failed login attempts

1.3 Data Access Control

• Role-based authorisation concept (team-based data separation)
• Tenant separation: Each Controller has exclusive access to their own data
• Logging of administrative access
• Regular review of access rights

1.4 Separation Control

• Logical tenant separation at the database level
• Separate storage areas for files and media per tenant
• Development, testing, and production environments are separated from each other

2. Integrity (Art. 32(1)(b) GDPR)

2.1 Transfer Control

• Encrypted data transmission (TLS/SSL) for all external connections
• Use of secure interfaces (APIs) with authentication
• Logging of data transfers

2.2 Input Control

• Logging of inputs, changes, and deletions in the Software
• Traceability through activity logs

3. Availability and Resilience (Art. 32(1)(b) and (c) GDPR)

3.1 Availability Control

• Hosting on dedicated servers at Hetzner Online GmbH in German data centres
• Container orchestration using Kubernetes for automatic scaling and fault tolerance
• Regular automated database backups
• Data storage exclusively in Germany
• System monitoring and automatic notification in case of disruptions

3.2 Recoverability

• Documented recovery procedures
• Regular testing of backup restoration
• Automated deployment processes (CI/CD) for rapid recovery

4. Procedures for Regular Review (Art. 32(1)(d) GDPR)

• Regular review and updating of technical and organisational measures
• Timely installation of security updates
• Commitment of all employees to data secrecy
• Training of employees in data protection and IT security

---

Annex 2: Approved Sub-Processors

No.	Sub-Processor	Address	Processing Purpose	Processing Location
1	Hetzner Online GmbH	Industriestr. 25, 91710 Gunzenhausen, Germany	Dedicated servers, hosting, data storage, computing	Germany / EU
2	Stripe Payments Europe, Ltd.	1 Grand Canal Street Lower, Dublin 2, Ireland	Payment processing and billing management	EU / USA (adequacy decision)
3	Google Ireland Limited	Gordon House, Barrow Street, Dublin 4, Ireland	Calendar integration (Google Calendar API)	EU / USA (adequacy decision)
4	seven communications GmbH & Co. KG	Hafenweg 32, 48155 Münster, Germany	SMS dispatch (appointment reminders, notifications)	Germany / EU

This list is continuously updated. Changes will be communicated to the Controller in accordance with § 6 of this DPA.

---

As of: February 2026