Data Processing Addendum (DPA) – IronFlock (B2B)

Effective date: December 28, 2025

This Data Processing Addendum (DPA) forms part of the agreement between IronFlock GmbH ("Processor") and the business customer that enters into the IronFlock Terms/Order Form ("Customer" or "Controller").

This DPA applies to the extent IronFlock processes personal data on behalf of Customer in connection with the Service. Capitalized terms not defined in this DPA have the meaning given in the Terms/Order Form.


1. Definitions

  • Applicable Data Protection Law means the GDPR and any other applicable data protection laws.
  • GDPR means Regulation (EU) 2016/679.
  • Personal Data, Personal Data Breach, Processing, Controller, Processor, Supervisory Authority have the meanings given in the GDPR.
  • Customer Personal Data means Personal Data included in Customer Data processed by Processor on behalf of Customer.
  • Subprocessor means a Processor engaged by Processor to process Customer Personal Data.

2. Roles and Scope

2.1 Controller/Processor. Customer is the Controller of Customer Personal Data. Processor processes Customer Personal Data as Processor on behalf of Customer.

2.2 Customer instructions. Processor will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers to a third country, unless required to do so by EU or member state law. In that case, Processor will inform Customer of that legal requirement before processing, unless the law prohibits such information.

2.3 Customer responsibilities. Customer is responsible for (a) determining the purposes and means of processing, (b) ensuring it has a valid legal basis for processing and sharing Customer Personal Data with Processor, and (c) providing required notices to and obtaining required consents from data subjects.


3. Confidentiality

Processor will ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.


4. Security Measures (Art. 32)

4.1 Measures. Processor will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

4.2 Security statement. Additional security practices may be described in the IronFlock Security Statement (if published). If there is a conflict between such statement and this DPA, this DPA controls.


5. Subprocessing (Art. 28(2))

5.1 General authorization. Customer provides general authorization for Processor to engage Subprocessors.

5.2 Subprocessor obligations. Processor will enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this DPA, including implementing appropriate security measures.

5.3 Subprocessor list and changes. Processor will make available a list of Subprocessors (or the categories of Subprocessors) on request. Processor will notify Customer of intended material changes concerning the addition or replacement of Subprocessors, and Customer may object on reasonable grounds relating to data protection.

5.4 Liability for Subprocessors. Processor remains responsible for the performance of Subprocessors’ obligations.


6. Assistance to Customer

6.1 Data subject requests (Art. 28(3)(e)). Taking into account the nature of processing, Processor will provide reasonable assistance to Customer to help Customer respond to data subject requests under Applicable Data Protection Law. If a data subject submits a request directly to Processor, Processor will (to the extent legally permitted) direct the data subject to Customer.

6.2 Security, DPIA, consultations (Art. 28(3)(f)). Processor will provide reasonable assistance to Customer in ensuring compliance with obligations relating to security, breach notifications, data protection impact assessments (DPIAs), and prior consultations with Supervisory Authorities, taking into account the nature of processing and information available to Processor.


7. Personal Data Breach Notification (Art. 33)

Processor will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Processor’s notification will include, to the extent available, information reasonably required by Customer to meet its breach reporting obligations.


8. Deletion or Return (Art. 28(3)(g))

Upon termination or expiration of the Service, Processor will, at Customer’s choice and as supported by the Service, delete or return Customer Personal Data, unless EU or member state law requires retention.

Processor may retain Customer Personal Data in backups for a limited period consistent with reasonable backup practices, provided such data remains protected and is deleted in accordance with Processor’s backup retention cycles.


9. Audits and Information (Art. 28(3)(h))

9.1 Information. Processor will make available information reasonably necessary to demonstrate compliance with this DPA.

9.2 Audit. Customer (or an independent auditor mandated by Customer) may audit Processor’s compliance with this DPA no more than once per year, upon reasonable prior notice, during normal business hours, and subject to reasonable confidentiality and security requirements.

9.3 Alternative evidence. Where available, Processor may satisfy audit obligations by providing third-party audit reports, certifications, or summaries (e.g., ISO 27001, SOC 2) in lieu of on-site audits.


10. International Transfers

10.1 Primary hosting. Processor aims to host and process Customer Personal Data primarily within the EU/EEA.

10.2 Transfers. Customer acknowledges that certain Subprocessors may process Customer Personal Data outside the EU/EEA depending on configuration, selected regions, and routing (for example, cloud infrastructure and communications services).

10.3 Transfer safeguards. Where Customer Personal Data is transferred outside the EU/EEA, Processor will ensure that an appropriate transfer mechanism is in place as required by Applicable Data Protection Law (for example, adequacy decisions, EU Standard Contractual Clauses, and/or other lawful mechanisms).

10.4 SCCs. If required for a transfer, the parties agree to incorporate the EU Standard Contractual Clauses (SCCs) by reference (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor), with the following selections:

  • Clause 7: the optional docking clause does not apply unless agreed in writing
  • Clause 9: Option 2 (general written authorization)
  • Clause 11: the optional redress mechanism does not apply
  • Clause 17: the law of Germany
  • Clause 18: the courts of Germany

The Annexes of this DPA will serve as Annex I–III to the SCCs.


11. Miscellaneous

11.1 Order of precedence. If there is a conflict between this DPA and the Terms/Order Form, this DPA controls with respect to data protection.

11.2 No third-party beneficiaries. This DPA does not create third-party beneficiary rights except where required by the SCCs.

11.3 Updates. Processor may update this DPA where required to comply with Applicable Data Protection Law, provided changes do not materially reduce protections.


Annex I – Processing Details (Art. 28(3))

A. Subject matter

Provision of the IronFlock Service (industrial IoT / edge device management), including device management, monitoring, fleet orchestration, software deployment, logging, and support.

B. Duration

For the term of the subscription/agreement, plus any limited period required for deletion/return and backups.

C. Nature and purpose of processing

Processing necessary to provide, secure, maintain, and support the Service in accordance with Customer’s configuration and instructions.

D. Categories of data subjects

  • Customer’s employees and contractors (platform users)
  • Customer’s end users or operators (if Customer configures the Service to collect such identifiers)
  • Customer’s personnel represented in device logs/telemetry (where applicable)

E. Categories of personal data

Customer-configured; may include:

  • account identifiers (name, username, email, role)
  • authentication and security data (hashed credentials, session tokens)
  • device and user activity logs (timestamps, actions, IP addresses)
  • device telemetry that may relate to individuals (e.g., operator IDs) depending on Customer configuration

F. Special categories of data

Not intended. Customer will not provide special categories of personal data under GDPR Art. 9 unless expressly agreed in writing and appropriate safeguards are implemented.

G. Processing operations

  • collection, storage, structuring, retrieval, consultation
  • transmission and display in dashboards
  • aggregation within Customer’s tenant
  • deletion per Customer instruction and retention settings
  • support access (only as necessary and authorized)

Annex II – Technical and Organizational Measures (TOMs)

Processor maintains a security program designed to protect Customer Personal Data. Measures may include, as appropriate:

  • access controls (role-based access, least privilege)
  • encryption in transit (TLS)
  • encryption at rest for sensitive secrets/credentials where applicable
  • logging and monitoring
  • vulnerability management and patching
  • backups and resilience controls
  • incident response procedures

Customer acknowledges that security measures evolve over time and may be updated.


Annex III – Subprocessors

Processor maintains the following list of Subprocessors for the Service. This list may be updated in accordance with Section 5.3.

Google Cloud Platform (Google Cloud EMEA Limited / Google LLC and/or its affiliates)
  • Purpose: Cloud infrastructure hosting and related platform services
  • Potential processing locations: EU/EEA (including Germany) and potentially other regions depending on Customer configuration and service routing
  • Categories of Customer Personal Data: Customer Data processed in the Service, which may include platform user account data, device telemetry, logs, and related identifiers

Stripe (Stripe Payments Europe, Ltd. and/or its affiliates)
  • Purpose: Payment processing and invoicing (if enabled for Customer)
  • Potential processing locations: EU/EEA and potentially other regions depending on Stripe configuration and payment flows
  • Categories of Customer Personal Data: Billing contacts and invoicing data; limited payment-related metadata

Twilio (Twilio, Inc. and/or its affiliates)
  • Purpose: SMS delivery / notifications (if enabled for Customer)
  • Potential processing locations: Global (SMS routing may involve processing outside the EU/EEA)
  • Categories of Customer Personal Data: Recipient phone numbers and message delivery metadata

Google Workspace / Google (Google LLC and/or its affiliates)
  • Purpose: SMTP email delivery (transactional/service email, if enabled)
  • Potential processing locations: EU/EEA and potentially other regions depending on configuration and routing
  • Categories of Customer Personal Data: Recipient email addresses and email delivery metadata