Data Processing Agreement (DPA)

Version 1.2 | As of: February 2026

1. Subject Matter and Duration of the Agreement

This agreement regulates the rights and obligations of the parties in the context of the processing of personal data by PF IT Consult GmbH (Processor) on behalf of the Customer (Controller). It applies to the use of the cloud and synchronization services of the HITS App Series (Inventory Manager, Maintenance Manager). The duration corresponds to the term of the user relationship. This agreement applies in addition to the currently valid Terms of Use / GTC of PF IT Consult GmbH.

2. Nature and Purpose of Processing

The purpose of the processing is the provision of an app-based software solution for inventory and maintenance management.

  • Data Categories: Master data (name, email), inventory data, log data.
  • Categories of Data Subjects: Employees, customers, or clients of the Controller.

3. Location of Processing & Hosting

PF IT Consult GmbH operates its own server infrastructure at the location in Brandenburg an der Havel, Germany. Data storage takes place exclusively in Germany.

4. Technical and Organizational Measures (TOM)

The Processor implements a security concept according to BSI IT-Grundschutz++ (compliant with the requirements of the NIS2 Directive). Details include:

  • Confidentiality: TLS 1.3 encryption, role-based access control, password hashing.
  • Integrity & Availability: Monitoring via CheckMK, geo-redundant backups, UPS (Uninterruptible Power Supply) protection.
  • Physical Security: Alarm-secured server room within the company’s own building.

5. Sub-processing Relationships & Third-Country Transfer

The Customer consents to the use of the following sub-processors:

  • Google (Firebase): Exclusively for push services and crash reporting. If personal data is affected, the transfer is based on EU Standard Contractual Clauses as well as the EU-U.S. Data Privacy Framework.
  • Apple/Google: For the processing of app distribution and in-app purchases.

6. Obligations and Support of the Processor

  • Right to Issue Instructions: Processing takes place exclusively on documented instructions from the Controller. If the Processor considers an instruction to be unlawful, it shall inform the Controller immediately. Processing for the Processor’s own purposes does not take place.
  • Data Subject Rights: The Processor supports the Controller in fulfilling the rights of data subjects (Art. 12–22 GDPR).
  • Security & NIS2: Support in reporting breaches and in conducting data protection impact assessments.

7. Control and Audit Rights

The Controller is entitled to verify compliance with this agreement after reasonable prior notice during normal business hours, or to have it checked by an auditor bound by professional secrecy. The Processor shall provide the necessary information for this purpose.

8. Return and Deletion of Data

Upon termination of the agreement, the Processor shall delete the data or return it in a common machine-readable format upon the instruction of the Controller, provided that no statutory retention obligations exist.

9. Contact for Data Protection Matters

Central point of contact for instructions and incidents: datenschutz@pfitconsult.de