This agreement forms part of the General Terms and Conditions (GTC) of Wiedenroth Technologies GmbH and governs the rights and obligations of the contracting parties with regard to the processing of personal data in connection with the provision of services by Wiedenroth Technologies GmbH (hereinafter "Processor") for its customers (hereinafter "Controller").
1. Subject Matter and Duration of Processing
1.1
The subject matter of this agreement is the processing of personal data by the Processor for the performance of contractually owed services, in particular in the area of Software as a Service (SaaS), hosting, and support within the "Orbance" platform.
1.2
The duration of processing corresponds to the term of the underlying contractual relationship between the parties.
2. Nature and Purpose of Processing
2.1
Processing includes in particular the collection, storage, modification, transmission, blocking, deletion, and evaluation of personal data in connection with the use of the "Orbance" SaaS platform.
2.2
The purpose is the technical provision of the platform, including event management, participant communication, billing, user administration, and IT support.
3. Categories of Personal Data and Data Subjects
3.1
The types of personal data arise from use by the Controller. These include in particular:
- Master data (e.g. name, email, organisation)
- Event and usage data
- Billing data
3.2
Depending on use, data subjects may include, for example:
- Employees of the Controller
- Event participants
- External users (e.g. recipients of certificates)
4. Responsibility and Instruction Authority
4.1
The Controller remains solely responsible within the meaning of Art. 4(7) GDPR for the lawfulness of data processing.
4.2
The Processor processes personal data exclusively on documented instructions from the Controller. Changes or additions to instructions must be communicated in text form.
4.3
Processing outside the EU/EEA does not take place unless there is a legal obligation or express instruction. Hosting is carried out exclusively with Hetzner Online GmbH in Germany.
5. Obligations of the Processor
5.1
The Processor ensures that only persons authorised to process personal data have access to it and that they are bound to confidentiality.
5.2
It implements appropriate technical and organisational measures in accordance with Art. 32 GDPR.
5.3
It assists the Controller with:
- upholding data subject rights
- reporting and assessing data protection incidents
- conducting data protection impact assessments
5.4
Upon termination of the contract, the Processor deletes or returns the data at the Controller's choice.
5.5
The Processor shall notify the Controller without undue delay in the event of data breaches.
6. Obligations of the Controller
6.1
The Controller is obliged to process personal data exclusively in accordance with applicable data protection law and to provide truthful, complete data when using the platform.
6.2
The Controller shall designate a contact person for data protection matters.
6.3 Ticket Shop and End Customers
If the Controller uses ticket shops or ticket plugins, it is solely the controller within the meaning of the GDPR vis-à-vis ticket buyers. It ensures that the imprint, privacy policy, and terms and conditions in the ticket shop are complete, current, and legally compliant, and that processing (including tracking, payments, and ticket provision) is based on a valid legal basis.
6.4 Email Delivery (SMTP)
If the Controller stores a custom SMTP configuration, it is solely responsible for ensuring that the server, sender details, and content of emails sent via Orbance are lawful and that the required consents have been obtained. It ensures that use of the SMTP server is permitted and does not infringe the rights of third parties.
6.5 Payment Processing
If the Controller connects payment service providers (e.g. Stripe Connect, PayPal), it is responsible for the lawful setup and use of its accounts as well as for providing end customers with data protection-compliant information.
7. Sub-processing
7.1
The Processor uses the following sub-processors (as of June 2026):
- Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen — hosting, database, internal PDF service
- Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland — payment processing (incl. Stripe Connect, cards, SEPA, Klarna, PayPal via Stripe, Apple Pay, Google Pay, and others)
- PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg — payment processing via PayPal Commerce Platform
- Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA — Apple Maps (MapKit JS), Apple Wallet / Apple Push Notification Service (APNS); transfer under the EU-US Data Privacy Framework
- Cloudflare, Inc. / Cloudflare Germany GmbH, Rosental 7, 80331 Munich — Turnstile (bot protection), CDN/WAF and abuse protection; transfer under the EU-US Data Privacy Framework
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland — Google Wallet
Email delivery is carried out via SMTP operated by the Processor or optionally via SMTP servers configured by the organiser (no additional sub-processor where the organiser uses its own servers).
7.2
Further sub-processors may only be engaged after informing the Controller and in compliance with Art. 28 et seq. GDPR.
8. Audit Rights and Evidence
8.1
The Controller has the right to verify compliance with this agreement. The Processor shall provide all necessary information upon request.
8.2
Upon request, an on-site audit may be conducted where required under data protection law and with reasonable advance notice.
9. Final Provisions
9.1
This agreement is deemed an integral part of the GTC. In the event of conflicts, this Data Processing Agreement takes precedence over the other contractual terms.
9.2
The place of jurisdiction is Hildesheim. German law applies.
9.3
Should any provision of this agreement be wholly or partially invalid, the validity of the remaining provisions shall remain unaffected.