© 2026 OSOS/Omega. All rights reserved.
Omega version: 0.1.0
Data Processing Agreement (DPA) pursuant to Art. 28 GDPR
between
[Licensee / Customer] ("Controller")
and
Osos AI GmbH, Cosimastraße 121, 81925 Munich, Germany, registered with the commercial register at Amtsgericht München under HRB 309796, represented by managing director Dr. Hải Vân Lê Jorks ("Processor")
(each also "Party", jointly "Parties")
Effective Date: 30.04.2026
Version: 1.0
Reference: Main Agreement (EULA) including Order Form dated [Order Form date] for the OSOS / Omega Software.
The subject matter of this agreement is the processing of personal data by the Processor in connection with the provision of the OSOS / Omega Software designated in the Main Agreement as Cloud Software (SaaS) and the related maintenance, support, and professional services.
This agreement is concluded with the entry into force of the Main Agreement and ends with its termination. Provisions that, by their nature, survive termination (e.g. deletion obligations, confidentiality) continue to apply.
In the case of Self-Hosted Software, the processing of personal data generally takes place in the environment controlled by the Controller. Processing on behalf within the meaning of this agreement exists in such cases only to the extent that the Processor has or may have access to personal data in the course of maintenance, support, remote diagnostics, or professional services.
The processing takes place for the purpose of providing, maintaining, securing, and improving the Software in accordance with the Main Agreement, including the provision of AI functions (see AI Data Policy), support and incident response services, and the fulfillment of statutory obligations.
Collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, querying, using, transmitting to subprocessors, aligning, combining, restricting, deleting, and destroying.
Processing of special categories of personal data within the meaning of Art. 9 GDPR and of data on criminal convictions and offences (Art. 10 GDPR) is not envisaged. To the extent the Controller introduces such data into the Software, this is done at the Controller's sole responsibility; processing is permitted only by separate written agreement.
In the relationship between the Parties, the Controller is solely responsible for the lawfulness of the processing and for safeguarding the rights of data subjects (Art. 24 GDPR).
The Controller alone is authorized to issue instructions regarding the nature, scope, and procedures of the data processing. Oral instructions must be confirmed in text form without delay. Persons authorized to issue instructions are those named in the Main Agreement or Order Form.
The Controller is obligated to notify the Processor without delay of any errors and irregularities identified in the processing.
If the Controller becomes aware of a personal data breach at the Controller's side that may be related to the processing on behalf, it shall inform the Processor to the extent necessary for the fulfillment of any cooperation obligations.
The Processor processes personal data exclusively on the documented instructions of the Controller, including with regard to transfers to third countries, unless required to do so by Union or Member State law. In the latter case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Processor will inform the Controller without delay if, in its opinion, an instruction violates the GDPR or other data protection rules. The Processor may suspend execution until clarification.
The Processor obligates persons authorized to process to confidentiality (Art. 28(3)(b) GDPR) and ensures that they process the personal data only in accordance with the Controller's instructions.
If the Processor is required to designate a data protection officer pursuant to Art. 37 GDPR, it shall communicate the contact details. If the conditions are not met, the Processor designates a competent contact person for data protection.
The Processor implements the technical and organizational measures required pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk. The measures are described in Annex 1 (TOM). The Processor may further develop the TOM, provided that the agreed level of protection is not undercut.
Taking into account the nature of the processing and the information available to it, the Processor assists the Controller with:
Assistance services beyond those included in the Main Agreement are remunerated at the Processor's then-current standard rates.
The Processor maintains a record of processing activities pursuant to Art. 30(2) GDPR.
The Processor demonstrates compliance with its obligations to the Controller. Suitable evidence includes in particular current certifications (e.g. ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 42001, SOC 2 Type II, TISAX, BSI C5), current audit reports of independent third parties, and responses to the Controller's documented questionnaires ("vendor assessments"). On-site audits at the Processor are permitted with prior notification with reasonable lead time (at least 30 days) during normal business hours, no more than once per year; they shall be carried out in such a way as not to disrupt business operations. The Processor may demand reasonable compensation to the extent the audit goes beyond review of existing reports and certificates.
The Controller grants the Processor general authorization to engage subprocessors pursuant to Art. 28(2) sentence 2 GDPR. The current list of subprocessors (incl. registered office, purpose, categories of processed data) is published at [Link Subprocessor List].
The Processor shall inform the Controller of intended changes regarding the addition or replacement of subprocessors with a lead time of at least 30 days. The Controller may object to the change within 14 days in writing on important data protection grounds. If the Parties cannot reach an amicable solution, the Controller has a right to extraordinary termination with regard to the affected service.
The Processor selects its subprocessors carefully and contractually obligates them to data protection obligations that essentially correspond to those of this DPA (Art. 28(4) GDPR). It remains responsible to the Controller for the fulfillment of data protection obligations by the subprocessor.
The provisions of the AI Data Policy additionally apply to AI subprocessors.
Pure telecommunications, maintenance, and cleaning services as well as the activities of auditors and lawyers do not constitute subprocessing within the meaning of this agreement.
Processing of personal data generally takes place within the European Economic Area (EEA). Where an EU-only configuration is available, the Processor will inform the Controller, and the configuration can be requested in the Order Form.
A transfer of personal data to third countries takes place only if:
The Standard Contractual Clauses are concluded between the Processor and the respective subprocessor; the Controller may inspect them upon request.
If the Processor becomes aware of a personal data breach within the meaning of Art. 4(12) GDPR, it shall inform the Controller without delay, generally within 24 hours of becoming aware. The notification contains — to the extent available at the time of the notification — the information pursuant to Art. 33(3) GDPR. Missing information is supplemented to the Controller without delay once available.
The Processor assists the Controller in investigating, containing, and documenting the breach as well as, where applicable, in fulfilling its notification and communication obligations.
If a data subject contacts the Processor directly with a request concerning the exercise of its rights (Art. 15–22 GDPR), the Processor shall forward the request to the Controller without delay and shall not respond itself, to the extent legally permissible. The Processor assists the Controller, taking into account the nature of the processing, to a reasonable extent in fulfilling the corresponding obligations (cf. Section 4.6).
After completion of the processing activities, the Processor shall, at the choice of the Controller, either:
and delete existing copies, unless there is an obligation to retain the personal data under Union or Member State law.
By default, export functions are available to the Controller for 30 days after termination; thereafter, irrevocable deletion takes place in accordance with the documented deletion concepts (generally within a further 90 days, including backup rotations). Returns beyond the standard processes are remunerated according to effort.
The Processor documents the deletion.
The liability provisions of the Main Agreement (EULA), Section 12, apply accordingly, to the extent that mandatory provisions of data protection law (in particular Art. 82 GDPR) do not provide for a different allocation of liability.
In case of conflicts between the provisions of this DPA and the provisions of the Main Agreement on the processing of personal data, the provisions of this DPA take precedence.
Amendments and supplements to this DPA require text form (§ 126b BGB). This also applies to the cancellation of this text-form clause.
Should individual provisions of this DPA be invalid or unenforceable, the validity of the remaining provisions remains unaffected.
The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods (CISG). The exclusive place of jurisdiction is the registered office of the Processor, to the extent the Controller is a merchant.
The following measures are implemented as appropriate to the risk; the concrete design is documented in the Trust Center or security whitepaper.
Physical access control
Hosting in certified data centers (Tier III/IV) with controlled access (multi-factor authentication, biometric procedures, video surveillance, security personnel). The Processor's own premises are secured by access control systems, alarms, and visitor registration.
System access control
Authentication with individual user accounts, strong password policies, mandatory multi-factor authentication (MFA) for administrative access, automatic locking of inactive sessions, account lockout for failed attempts, central identity and access management.
Data access control
Role-based authorization concept (RBAC) on a need-to-know basis, separation of administrative and operational accounts, regular permission reviews, audit logging of all administrative access, prohibition of bring-your-own-device for privileged activities.
Separation control
Logical tenant separation (multi-tenant) or dedicated single-tenant instances depending on the deployment model; separated test, staging, and production environments; tenant-specific encryption keys, where agreed.
Pseudonymization and Encryption (Art. 32(1)(a) GDPR)
Encryption in transit (TLS 1.2+ with forward secrecy), encryption at rest (AES-256 or equivalent), key management in a Key Management System with separate authorizations, pseudonymization of telemetry and diagnostic data.
Transmission control
Secure transmission paths (TLS, VPN for administration), certificate-based API authentication, prohibition of transmission via unencrypted channels, secure key handover.
Input control
Complete audit trails for the creation, modification, and deletion of personal data, tamper-resistant log storage, system time synchronization (NTP).
Availability control
Redundant design of critical components, high-availability clusters, automatic failover, regular backup routines with defined RPO/RTO, geo-redundant storage of important data, protection against DDoS attacks, UPS / emergency power supply in data centers.
Recoverability
Regular restore tests, documented disaster recovery plans, business continuity management.
Data Protection Management
Established data protection management (record of processing activities, regular awareness training, commitment to data secrecy, data protection impact assessments for new processing activities).
Incident Response Management
Documented process for the detection, analysis, containment, and notification of security incidents, defined escalation and communication channels, forensic support.
Order Control
Written commitments of all subprocessors, regular assessments (risk and vendor management), inclusion in the subprocessor list.
Data Protection by Design and by Default (Art. 25 GDPR)
Privacy by Design / Privacy by Default in development processes, privacy-friendly default settings, threat modelling, Secure Software Development Lifecycle (SSDLC), regular penetration tests, vulnerability and patch management.
Certifications / Evidence
The current status of certifications (e.g. ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 42001, SOC 2, TISAX, BSI C5) is published in the Certificates and Security Notes and in the Trust Center.
The current list of subprocessors is available at [Link Subprocessor List]. For each subprocessor it contains:
The status at the time of contract conclusion is included as a snapshot in this DPA.
Controller:
Place, date: ________________________
Name: ________________________
Function: ________________________
Signature: ________________________
Processor:
Place, date: ________________________
Name: ________________________
Function: ________________________
Signature: ________________________