Data Processing Agreement (DPA)

under Art. 28 GDPR · for the “alexsdev Sync” service · Last updated: 1 June 2026

This Data Processing Agreement (“DPA”) specifies the parties' obligations under the GDPR where the provider processes personal data on behalf of the customer within the alexsdev Sync service. The DPA takes effect upon booking or use of alexsdev Sync. A countersigned copy is available to customers on request at [email protected].

1. Parties

Controller (“Customer”): the customer using alexsdev Sync.
Processor (“Provider”): Alexander Sadomsky, c/o IP-Management #42121, Ludwig-Erhard-Str. 18, 20459 Hamburg, Germany — [email protected].

2. Subject matter and duration

The subject matter is the processing of personal data by the provider on behalf of the customer for the purpose of providing alexsdev Sync (one-way delivery of content to the devices of end users authorised by the customer). The duration matches the term of the underlying service contract.

3. Nature, scope and purpose

Processing comprises storing, providing and transmitting the content supplied by the customer and the data required for access control. The sole purpose is the contractual provision of the service. The provider processes the data only on the customer's documented instructions.

4. Types of data and categories of data subjects

Types of data:

  • Access tokens (hashed in the backend, encrypted on the device)
  • Connection/retrieval data (timestamp, channel, retrieved content or hashes, access label, “last active”)
  • Customer-provided content (may contain personal data where the customer includes such data)

Data subjects: employees and other end users authorised by the customer.

5. Obligations of the processor

  • Processing only on documented instructions; notice if an instruction infringes data protection law.
  • Confidentiality commitment of persons authorised to process.
  • Implementation of appropriate technical and organisational measures under Art. 32 GDPR (Section 6).
  • Assistance to the customer with data subject requests and the obligations under Art. 32–36 GDPR, as far as possible and reasonable.
  • Deletion or return of the data after termination (Section 10).
  • Provision of information required for evidence and enabling of audits (Section 11).

6. Technical and organisational measures (Art. 32)

  • Encryption: TLS for all transfers; access tokens stored only as a hash in the backend and encrypted on the device via Windows DPAPI.
  • Access control: token-based authentication per channel; blob access limited to content assigned to the channel; SSH-key server access, firewall.
  • Integrity: content-addressed storage using SHA-256; integrity check for every delivered file.
  • Tenant separation: logical separation of data per account/channel.
  • Availability: self-managed server in the EU, regular updates; server-side backups.
  • Data minimisation: no content is transmitted from the device to the provider.

7. Sub-processors

The customer consents to the use of the following sub-processors:

  • Server hosting (EU): a dedicated server within the European Union (storage of metadata and content).
  • Cloudflare, Inc. — CDN/proxy and DDoS protection for transport; certified under the EU-US Data Privacy Framework, DPA/SCC.
  • IONOS SE (Montabaur, DE) — email delivery where transactional emails apply; processing within the EU.

If the customer uses its own GitHub repository as a source, the provider fetches content from GitHub (GitHub B.V., Amsterdam / GitHub Inc.); in that respect the customer acts on its own initiative. Changes to the list of sub-processors are notified to the customer with reasonable notice; the customer may object for good cause.

8. Data subject rights

The provider assists the customer with appropriate technical and organisational measures in fulfilling data subject rights (Art. 15–22 GDPR). If a data subject contacts the provider directly, the provider forwards the request to the customer without undue delay.

9. Personal data breach notification

The provider notifies the customer without undue delay after becoming aware of a personal data breach occurring within the processing, and assists with the obligations under Art. 33 and 34 GDPR.

10. Deletion and return

After the end of processing, the provider deletes the data processed on behalf of the customer or returns it at the customer's choice, unless a statutory retention obligation applies. Content can be deleted by the customer at any time via the dashboard.

11. Evidence and audits

On request, the provider makes available the information required to demonstrate compliance with this DPA and enables reasonable audits, where applicable subject to prior coordination and protecting the confidentiality of other customers.

12. Place of processing

Processing and storage take place within the European Union. A transfer to a third country only occurs where required for transport (Cloudflare) and is safeguarded by appropriate guarantees (DPF/SCC).

13. Liability

Liability is governed by the underlying service contract (see Terms §37) and Art. 82 GDPR.

14. Final provisions

German law applies. If individual provisions are invalid, the remainder of the agreement remains effective. Amendments require text form. In the event of conflicts between this DPA and the service contract, the provisions of this DPA prevail in matters of data protection.

This version is provided before conclusion of the contract and becomes binding upon use of alexsdev Sync. A signed copy and a current list of sub-processors are available to customers on request. Related documents: Privacy Policy · Terms · Legal Notice.