Data Processing Agreement
May 29, 2026
This Data Processing Agreement (the "Agreement") governs the processing of personal data carried out by Leon & Vera OÜ (Sepapaja tn 6, 15551 Tallinn, Estonia; VAT EE102891094) as Data Processor on behalf of the Controller (the customer that has subscribed to the Leon & Vera services) under the main service agreement (the "Main Contract"). It implements the requirements of Article 28 of the EU General Data Protection Regulation ("GDPR").
The Agreement is concluded between the Controller (the entity that uses the Leon & Vera services and that determines the purposes and means of the processing of personal data) and Leon & Vera OÜ as Data Processor. The Controller and the Data Processor are jointly referred to as the "Parties".
The performance of this Agreement shall not be remunerated separately unless expressly agreed. Our data protection officer is heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany, datenschutz@heydata.eu.
Authoritative version: The English version of this Agreement is the authoritative version. Translations into other languages are provided as a courtesy. In the event of any discrepancy between this version and a translated version, the English version shall prevail.
1. Definitions
The following definitions apply to this Agreement:
- Pursuant to Art. 4(7) GDPR, the Controller is the entity that alone or jointly with other controllers determines the purposes and means of the processing of personal data.
- Pursuant to Art. 4(8) GDPR, a Data Processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the Controller.
- Pursuant to Art. 4(1) GDPR, personal data means any information relating to an identified or identifiable natural person (the "Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Personal data requiring special protection are personal data pursuant to Art. 9 GDPR revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; personal data pursuant to Art. 10 GDPR on criminal convictions and offences or related security measures; and genetic data (Art. 4(13)), biometric data (Art. 4(14)) and health data (Art. 4(15)) GDPR, and data on the sex life or sexual orientation of a natural person.
- Pursuant to Art. 4(2) GDPR, processing is any operation or set of operations performed upon personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Pursuant to Art. 4(21) GDPR, the supervisory authority is an independent public authority established by a Member State pursuant to Art. 51 GDPR.
2. Subject of the contract and right of instruction
Subject
The Data Processor provides the services specified in the Main Contract for the Controller. In doing so, the Data Processor obtains access to personal data that the Data Processor processes for the Controller exclusively on behalf of and in accordance with the Controller's instructions. The scope and purpose of the data processing by the Data Processor are set out in the Main Contract and any associated service descriptions. The Controller shall be responsible for assessing the admissibility of the data processing.
The Parties conclude this Agreement to specify their mutual rights and obligations under data protection law. In case of doubt, the provisions of this Agreement shall take precedence over the provisions of the Main Contract. The Agreement applies to all activities related to the Main Contract in which the Data Processor and its employees or persons authorised by it come into contact with personal data originating from the Controller or collected for the Controller. The term of this Agreement is governed by the term of the Main Contract unless the following provisions give rise to further obligations or termination rights.
Right of instruction
The Data Processor may only collect, process or use data within the scope of the Main Contract and in accordance with the instructions of the Controller. If the Data Processor is required to carry out further processing by EU or Member State law to which it is subject, it shall notify the Controller of those legal requirements prior to the processing.
The instructions of the Controller are initially determined by this Agreement. Thereafter, they may be amended, supplemented or replaced by the Controller in writing or text form by individual instructions. The Controller may issue such instructions at any time, including instructions on the correction, deletion and blocking of data. All instructions shall be documented by the Controller. Instructions that go beyond the service agreed in the Main Contract shall be treated as a request for a change in service.
If the Data Processor considers that an instruction of the Controller infringes data protection provisions, it shall notify the Controller thereof without undue delay. The Data Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. The Data Processor may refuse to carry out an obviously unlawful instruction.
3. Types of data, categories of Data Subjects and third-country transfers
Within the scope of the implementation of the Main Contract, the Data Processor has access to the following categories of personal data (Annex 1 of the underlying contract):
Personal & contact data
- Names: seller's name (where publicly listed), buyer's first name (provided by broker), broker's name.
- Contact details: phone numbers (including WhatsApp numbers), email addresses (if present in a public listing or provided by the user).
Property & location data
- Location: full property address, neighbourhood or coordinates.
- Listing details: URL or ID of the online listing.
- Property characteristics: size, number of rooms, price, year built, condition and specific features.
User-provided content
- Media files: property photos uploaded by the user.
- Optional documents: snapshots of documents uploaded by the user (e.g. property tax bill / IBI).
Communication & consent data
- Communication content: message history (e.g. WhatsApp messages with our assistants); lead cards or messages sent to brokers.
- Consent & preferences: consent status (e.g. opt-in "YES", opt-out "STOP"); submitted requests (e.g. property valuation); indicated timeframe for intent to sell.
Technical log data and internal metadata
- Identifiers: WhatsApp user IDs, IP addresses (where applicable).
- Logs: timestamps, event and audit logs.
- Lead management: internal lead IDs, lead status (open, contacted, closed), lead source (e.g. source portal).
- Lead scoring: internal scoring or ranking (e.g. 0–100 scale, classification as hot/neutral/cold).
- Broker performance metrics: response rate, outreach frequency and outcomes (stored exclusively in aggregated and anonymised form).
Categories of Data Subjects (Annex 2)
- Real-estate brokers.
- Sellers.
- Buyers.
Third-country transfers
A transfer of personal data to a third country may take place only under the conditions of Art. 44 et seq. GDPR, in particular on the basis of an adequacy decision under Art. 45 GDPR or, in the absence of such a decision, on the basis of appropriate safeguards under Art. 46 GDPR (including the Standard Contractual Clauses adopted by the European Commission pursuant to Art. 46(2)(c) GDPR), together with any supplementary measures required following a transfer impact assessment.
4. Protective measures of the Data Processor
The Data Processor shall observe the statutory provisions on data protection and shall not disclose information obtained from the Controller's domain to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorised persons, taking into account the state of the art.
The Data Processor shall organise its internal organisation in such a way that it meets the specific requirements of data protection. It has implemented the technical and organisational measures specified in Annex 3 to adequately protect the Controller's data pursuant to Art. 32 GDPR, which the Controller acknowledges as adequate. The Data Processor reserves the right to change the security measures taken while ensuring that the contractually agreed level of protection is not undercut.
The persons employed by the Data Processor in data processing are prohibited from collecting, processing or using personal data without authorisation. The Data Processor shall oblige all persons entrusted by it with the processing and performance of this Agreement (the "Employees") accordingly (obligation of confidentiality, Art. 28(3)(b) GDPR) and shall ensure compliance with this obligation with due care.
The Data Processor has appointed a data protection officer. The Data Processor's data protection officer is heyData GmbH, Schützenstraße 5, 10117 Berlin, datenschutz@heydata.eu, www.heydata.eu.
Technical and organisational measures (Annex 3)
The Data Processor implements appropriate technical and organisational measures pursuant to Art. 32(1) GDPR, covering the following areas:
- Confidentiality: entry control (locking systems, video surveillance of entrances where applicable, secure home-office practices); admission control (authentication with username and password, anti-virus software, firewalls, automatic desktop lock, encryption of notebooks and tablets, management of user permissions, central password rules, two-factor authentication, secure-password company policy); access control (logging of access to applications, authorisation concept, minimised number of administrators, management of user rights by system administrators); separation control (production/test separation, encryption of data sets, logical client separation, defined database rights, anonymisation/pseudonymisation where possible).
- Integrity: transfer control (encrypted connections such as SFTP/HTTPS, logging of access and retrievals); input control (logging of input, modification and deletion of data, traceability via individual usernames, rights assignment by authorisation concept, clear deletion responsibilities).
- Availability and resilience: regular backups, secure outsourced backup storage, professional hosting at least for the most important data.
- Procedures for regular review, assessment and evaluation (Art. 32(1)(d); Art. 25(1) GDPR): use of the heyData platform for data protection management; appointment of heyData as the data protection officer; obligation of employees to data secrecy; regular employee training; record of processing activities (Art. 30 GDPR); incident-response management with documented reporting processes for Art. 33/34 GDPR; involvement of the data protection officer in security incidents and breaches.
- Privacy by design and by default (Art. 25(2) GDPR): training of employees in privacy by design and by default; data minimisation; order control with written instructions, destruction confirmations, contractor confidentiality commitments and ongoing review of contractors.
The Data Processor shall inform the Controller of any significant changes to the security measures.
5. Information obligations and breach notification
In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Data Processor, suspected security-related incidents or other irregularities in the processing of personal data by the Data Processor, persons employed by it within the scope of the contract or by third parties, the Data Processor shall inform the Controller without undue delay. The same shall apply to audits of the Data Processor by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:
- a description of the nature of the personal data breach, including, to the extent possible, the categories and the number of Data Subjects affected, the categories affected and the number of personal data records affected;
- a description of the measures taken or proposed by the Data Processor to address the breach and, where applicable, measures to mitigate its possible adverse effects;
- a description of the likely consequences of the personal data breach.
The Data Processor shall immediately take the necessary measures to secure the data and to mitigate any possible adverse consequences for the Data Subjects, shall inform the Controller thereof and shall request further instructions.
In addition, the Data Processor shall be obliged to provide the Controller with information at any time insofar as the Controller's data are affected by a breach. The Data Processor shall also inform the Controller of any significant changes to the security measures pursuant to Section 4.
6. Control rights of the Controller
The Controller may satisfy itself of the technical and organisational measures of the Data Processor prior to the commencement of data processing and thereafter regularly on a yearly basis. For this purpose, the Controller may, for example, obtain information from the Data Processor, obtain existing certificates from experts, certifications or internal audit reports, or, after timely coordination, personally inspect the technical and organisational measures of the Data Processor during normal business hours or have them inspected by a competent third party, provided that the third party is not in a competitive relationship with the Data Processor. The Controller shall carry out checks only to the extent necessary and shall not disproportionately disrupt the operations of the Data Processor in the process.
The Data Processor undertakes to provide the Controller, upon the latter's verbal or written request and within a reasonable period of time, with all information and evidence required to carry out a check of its technical and organisational measures.
The Controller shall document the results of the inspection and notify the Data Processor thereof. In the event of errors or irregularities discovered during the inspection, the Controller shall inform the Data Processor without undue delay. If facts are found during the control that require changes to the ordered procedure to avoid them in the future, the Controller shall notify the Data Processor of the necessary procedural changes without delay.
7. Sub-processors
The contractually agreed services shall be performed with the involvement of the sub-processors listed in Annex 4 ("Sub-processors"). The Controller grants the Data Processor its general authorisation within the meaning of Article 28(2) sentence 1 GDPR to engage additional sub-processors within the scope of its contractual obligations or to replace sub-processors already engaged.
The Data Processor shall inform the Controller before any intended change in the involvement or replacement of a sub-processor. The Controller may object to the intended involvement or replacement of a sub-processor for an important reason under data protection law. The objection must be raised within two (2) weeks of receiving the information about the change. If no objection is raised, the involvement or replacement shall be deemed approved. If there is an important reason under data protection law and an amicable solution cannot be found between the Parties, the Controller shall have a special right of termination at the end of the month following the objection.
When engaging sub-processors, the Data Processor shall oblige them in accordance with the provisions of this Agreement.
A sub-processor relationship within the meaning of these provisions does not exist where the Data Processor commissions third parties with purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without any specific reference to services provided by the Data Processor to the Controller, and guarding services. Maintenance and testing services constitute sub-processor relationships requiring consent insofar as they are provided for IT systems that are also used in connection with the provision of services for the Controller.
The current list of sub-processors (Annex 4) is published and maintained at https://www.leonandvera.com/subprocessors. The list specifies the name, function and processing location of each sub-processor.
8. Data Subject rights and assistance
The Data Processor shall support the Controller with suitable technical and organisational measures in fulfilling the Controller's obligations pursuant to Articles 12 to 22 and 32 to 36 GDPR.
If a Data Subject asserts rights, such as the right of access, rectification or erasure, directly against the Data Processor, the Data Processor shall not react independently but shall refer the Data Subject to the Controller and await the Controller's instructions.
9. Liability
In the internal relationship between the Parties, the Controller alone shall be liable to the Data Subject for compensation for damage suffered by a Data Subject due to inadmissible or incorrect data processing under data protection laws or use within the scope of the commissioned processing.
The Data Processor shall have unlimited liability for damage insofar as the cause of the damage is based on an intentional or grossly negligent breach of duty by the Data Processor, its legal representative or vicarious agent.
The Data Processor shall only be liable for negligent conduct in the event of a breach of an obligation, the fulfilment of which is a prerequisite for the proper performance of the contract and the observance of which the Controller regularly relies on and may rely on, but limited to the average damage typical for the contract. In all other respects, the liability of the Data Processor (including for its vicarious agents) shall be excluded.
The limitation of liability above shall not apply to claims for damages arising from injury to life, body or health or from the assumption of a guarantee.
10. Termination of the Main Contract and final provisions
Termination
After termination of the Main Contract, the Data Processor shall return to the Controller all documents, data and data carriers provided to it or, at the request of the Controller, delete them, unless there is an obligation to store the personal data under Union law or other applicable national law. This shall also apply to any data backups at the Data Processor. The Data Processor shall on request provide documented proof of the proper deletion of any data.
The Controller shall have the right to control the complete and contractual return or deletion of the data at the Data Processor in an appropriate manner.
The Data Processor shall be obliged to keep confidential the data of which it has become aware in connection with the Main Contract even beyond the end of the Main Contract. This Agreement shall remain valid beyond the end of the Main Contract as long as the Data Processor has personal data at its disposal which have been forwarded to it by the Controller or which it has collected for the Controller.
Final provisions
To the extent that the Data Processor does not expressly perform support actions under this Agreement free of charge, it may charge the Controller a reasonable fee for them, unless the Data Processor's own actions or omissions have made such support directly necessary.
Amendments and supplements to this Agreement must be made in writing. This shall also apply to any waiver of this formal requirement. The priority of individual contractual agreements shall remain unaffected.
If individual provisions of this Agreement are or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions.
This Agreement is subject to German law.
Questions about this Data Processing Agreement?
For DPA-related questions, signature requests or sub-processor notifications, contact us at privacy@leonandvera.com.