1. Parties

This Data Processing Agreement applies between the respective customer as controller within the meaning of the GDPR and LeonLab UG (haftungsbeschränkt) as processor.

LeonLab UG (haftungsbeschränkt)
Cappelerstr. 130B
35039 Marburg
Germany
Email: [email protected]

Represented by: Navid Behnami

2. Subject Matter and Duration of Processing

The subject matter of the processing is the provision of the LeonLab.ai SaaS platform, in particular for connecting, analyzing, automating and managing WordPress projects, as well as for using AI-assisted functions.

The processing takes place for the duration of the contractual relationship between the customer and LeonLab. After termination of the contractual relationship, personal data will be deleted or returned in accordance with this DPA, the Privacy Policy and applicable statutory retention obligations.

3. Nature and Purpose of Processing

Processing is carried out to provide the LeonLab platform and the functions commissioned by the customer. This includes in particular:

• management and analysis of connected WordPress websites,
• technical evaluation of plugins, themes, configurations and website status,
• execution of actions and automations requested by the customer,
• creation and processing of AI-assisted recommendations, prompts, code, snippets and workflows,
• storage of project information, logs and system messages,
• provision of support, security and error analysis functions.

4. Types of Personal Data

Depending on the customer's use of the platform, the following types of personal data may be processed in particular:

• account and contact data, such as name, email address and user identifier,
• technical access data, such as IP addresses, log data, browser and device information,
• WordPress project data, such as website URL, plugin and theme information, configuration data and analysis results,
• credentials, tokens or application passwords provided by the customer, where required for the respective function,
• content, prompts, system messages, error reports and technical context data,
• where applicable, personal data from connected WordPress systems, such as user, customer, form, comment or order data, if the customer uses corresponding functions.

5. Categories of Data Subjects

Depending on the use of the platform, the following categories of data subjects may be affected in particular:

• users and employees of the customer,
• administrators and technical contacts,
• visitors and users of connected WordPress websites,
• customers, prospects or contact persons of the customer,
• persons whose data is processed in connected WordPress systems.

6. Processing Based on Instructions

LeonLab processes personal data only on documented instructions from the customer, unless there is a legal obligation to process the data otherwise.

The use of the platform, the configuration of projects, the execution of actions and the selection of functions are considered customer instructions within the agreed scope of services.

7. Confidentiality

LeonLab ensures that persons authorized to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.

8. Technical and Organizational Measures

LeonLab implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk for personal data. These measures include in particular:

• access restrictions and role-based permissions,
• authentication and authorization mechanisms,
• encryption of data transmission, in particular through HTTPS/TLS,
• appropriate protection of credentials, tokens and API keys,
• logging of security-relevant events,
• backup, recovery and availability measures, where technically provided,
• regular maintenance, updates and improvement of security measures,
• separation of customer data, where technically required and appropriate,
• restriction of access to personal data to authorized persons only.

These measures may be adapted in line with technical development and risk, provided that the overall level of security is not materially reduced.

9. Sub-processors

LeonLab may use sub-processors where this is necessary to provide the platform. The customer grants a general authorization for this purpose. LeonLab will ensure that appropriate data protection agreements are in place with sub-processors.

The service providers used may include in particular:

• OVHcloud for hosting and infrastructure,
• Microsoft Azure OpenAI for AI functions in a European Azure region or EU Data Zone,
• Google for Google Login and Google Analytics,
• Stripe for payment processing.

Changes to sub-processors will be communicated to the customer in an appropriate manner. The customer may object to a change for important data protection reasons.

10. Assistance to the Customer

LeonLab will assist the customer, within reasonable limits, in fulfilling their data protection obligations, in particular with regard to requests from data subjects, security of processing, notification of personal data breaches and data protection impact assessments, insofar as the assistance relates to processing carried out by LeonLab.

11. Notification of Personal Data Breaches

LeonLab will inform the customer without undue delay if LeonLab becomes aware of a personal data breach related to the processing carried out on behalf of the customer.

LeonLab will provide the customer with the information required to assess and fulfill statutory notification obligations, to the extent such information is available to LeonLab.

12. Deletion and Return of Data

After termination of the contractual relationship or upon documented instruction from the customer, LeonLab will delete or return personal data, unless statutory retention obligations or legitimate security interests prevent deletion.

Connected WordPress projects and related project data can be deleted or disconnected by the customer in accordance with the technical functions of the platform.

13. Audit Rights and Evidence

LeonLab will provide the customer, upon request, with reasonable information required to demonstrate compliance with the obligations under Art. 28 GDPR.

Inspections or audits are possible by prior arrangement and within a reasonable scope, insofar as they are necessary and reasonable and do not disproportionately affect LeonLab's operational and security interests.

14. Final Provisions

In all other respects, LeonLab's Terms and Conditions apply, provided that they do not conflict with this DPA. In the event of contradictions between this DPA and the Terms and Conditions, the provisions of this DPA shall prevail with regard to commissioned processing.