Data Processing Agreement
between the
(“Controller”)
and the
Reonic GmbH, Provinostraße 52, Building A5, 86153 Augsburg
(“Processor”)
Preamble
The Parties have concluded a contract for the temporary provision of the software “Reonic” (“Software”) by the Processor as a cloud solution (“Main Contract”). In the course of providing the Software, the Processor processes personal data on behalf of the Controller.
To specify the mutual data protection rights and obligations, the Parties conclude this Data Processing Agreement pursuant to Art. 28 GDPR (“Agreement”).
1. Subject Matter and Duration of this Agreement
1.1 The subject matter of the commission arises from the Main Contract concluded between the Parties.
1.2 The Controller is a “controller” within the meaning of Art. 4(7) GDPR with regard to the data concerned. The Processor acts as a processor within the meaning of Art. 4(8) GDPR for the Controller.
1.3 The term of this Agreement corresponds to the term of the Main Contract.
2. Specification of the Commission Content
2.1 The purpose of the intended processing arises from the Main Contract concluded between the Parties and includes, in particular, the provision and maintenance of the Software that enables the simplification and streamlining of lead generation, sales, and operations in the field of renewable technologies such as photovoltaics, battery storage systems, heat pumps, and wallboxes.
2.2 The Processor may not use the data obtained in the course of the commissioned processing for any purposes other than those specified in this Agreement.
2.3 The categories of personal data and the categories of data subjects to be processed are listed in Annex DPA 1.
2.4 The Controller is entitled to specify the data processing operations referred to in 2.1 and to issue instructions related thereto in accordance with the provisions under 3.
3. Instructions of the Controller
3.1 The Processor shall process personal data only on the documented instructions of the Controller, unless required to process by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2 Oral instructions shall be confirmed by the Controller immediately in text form.
3.3 If the Processor considers that an instruction of the Controller violates data protection provisions, it shall inform the Controller thereof without undue delay. The Processor shall be entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Controller.
3.4 The Processor shall process the data in the territory of the Federal Republic of Germany, in a Member State of the European Union or in another state party to the Agreement on the European Economic Area, unless the Controller has given prior written consent to processing in a third country.
4. Types of Personal Data
The details of the data processing and in particular the types of personal data and the categories of data subjects are set out in Annex DPA 1 to this Agreement.
5. Confidentiality
5.1 The Processor undertakes to comply with the same rules for the protection of personal data as are known to the Controller or as applicable to the Controller by virtue of regulations governing the Controller. This applies in particular, but not exclusively, with regard to the duty of confidentiality of employees (Section 53 of the Federal Data Protection Act [BDSG]).
5.2 The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6. Technical and Organisational Measures
6.1 The Processor shall take the necessary technical and organisational measures to ensure the security of the data pursuant to Art. 28(3)(c), 32 GDPR, in particular, in conjunction with Art. 5(1), (2) GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and resilience of the systems. In this context, the state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32(1) GDPR shall be taken into account.
6.2 The technical and organisational measures are described in Annex DPA 2. The Processor shall regularly review and, where necessary, adapt the technical and organisational measures to ensure data security, taking into account the state of the art, the nature of the data and the specific threat situation, without falling below the agreed level of protection.
7. Rectification, Restriction and Erasure of Data
7.1 The Processor may not, on its own initiative, rectify, erase or restrict the processing of data processed under this commission, but only upon documented instruction of the Controller.
7.2 If a data subject contacts the Processor directly regarding the rectification, erasure or restriction of processing, the Processor shall forward this request to the Controller without undue delay.
7.3 The Processor shall, to the extent agreed, assist the Controller with appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to requests for the exercise of data subject rights. Upon termination of this Agreement and/or upon request by the Controller, the Processor shall return all data, documents and processing and usage results related to the contractual relationship, or delete them after prior consent, unless there is an obligation to retain such data under Union or Member State law.
8. Sub-Processing
8.1 The Controller hereby grants general authorisation to the Processor to engage sub-processors. The Processor shall inform the Controller of any changes with regard to the engagement or replacement of sub-processors in text form with a reasonable notice period. The Controller may object to such changes.
8.2 An overview of the current sub-processors can be found in Annex DPA 3 to this Agreement.
8.3 In the event that a sub-processor is engaged, the Processor shall impose contractual obligations on the sub-processor that are comparable to those of the Processor under this Agreement. In particular, appropriate guarantees must be provided that the technical and organisational measures are suitable for the data processing to be carried out in compliance with the requirements of the GDPR.
8.4 The first and second tier of outsourcing of the data processing in the supply chain shall not be permitted without the explicit consent of the Controller. Any further outsourcing requires the express written consent of the Controller.
9. Control Rights of the Controller
9.1 The Controller is entitled to conduct inspections or to have them carried out by auditors appointed on a case-by-case basis, after reasonable advance notice and during normal business hours, to verify compliance with this Agreement. The Processor shall grant the Controller all necessary access rights, information and inspection opportunities.
9.2 The Processor undertakes to provide the Controller, upon oral or written request and within a reasonable period, with all information and evidence necessary to carry out an inspection.
10. Notification of Breaches by the Processor
10.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours, of any breach of the protection of personal data or a suspicion thereof.
10.2 The Processor shall also notify the Controller without undue delay if a supervisory authority takes action against the Processor within the meaning of Art. 58 GDPR.
11. Liability
Liability between the Parties shall be governed by Art. 82 GDPR. The liability of the Parties under the Main Contract shall remain unaffected.
12. Right to Termination
12.1 The Controller may terminate the Main Contract at any time in the event of a serious breach of data protection provisions or the provisions of this Agreement by the Processor, if the Processor is unable or unwilling to carry out an instruction of the Controller, or if the Processor refuses control rights of the Controller in breach of this Agreement.
12.2 In particular, a failure to implement the technical and organisational measures agreed in Annex DPA 2, or a significant failure to do so, constitutes a serious breach.
13. Final Provisions
13.1 In the event of any conflict between the provisions of this Agreement and other agreements between the Parties, the provisions of this Agreement shall prevail.
13.2 Should individual provisions of this Agreement be or become invalid, the validity of the remaining provisions shall not be affected.
13.3 This Agreement is subject to German law.
Signatures
Controller
Date: _______________
Name:
Position:
Date: _______________
Name:
Position:
Processor
Date: _______________
Name:
Position:
Date: _______________
Name:
Position:
Annex DPA 1
Data Categories and Data Subjects:
The subject matter of the processing of personal data comprises the following data categories of the following data subjects:
Employees of the Controller:
- Last name, first name
- Email address
Customers of the Controller:
- Name
- Address
- Email address
- Telephone number and/or mobile number
- Bank details
- Data on the customer's energy consumption, in particular consumption costs
- Data on the customer's energy systems
APPENDIX 1: TECHNICAL AND ORGANISATIONAL MEASURES & SECURITY CONCEPT
According to Art. 32 GDPR, processors are obliged to take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk. The measures shall be determined taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. Reonic fulfils this obligation through the measures described below.
1 Confidentiality
According to Art. 5(1)(f) GDPR, the principle of confidentiality requires that (personal) data is processed in a manner that ensures appropriate security of the data. This includes protecting personal data against unauthorised and unlawful processing. For this purpose, Reonic has taken extensive measures.
1.1 Physical Access Control
The following measures serve to prevent unauthorised persons from gaining access to data processing equipment used to process or use personal data.
- Access system with radio transponders and security locks.
- Documentation of access authorisations (including service providers).
- Careful selection of service providers (e.g. cleaning staff).
- Building access for guests/visitors and other external persons only when accompanied by company personnel.
Reonic primarily uses AWS for data storage and processing, which in turn implements comprehensive physical access control measures.
1.2 System Access Control
The following measures serve to prevent data processing systems from being used by unauthorised persons.
- The company network is protected by a hardware firewall (including updates by the provider).
- Remote access is only possible via VPN.
- Password complexity policy (12 characters, lowercase, uppercase and at least 1 special character).
- Hard drives of company-owned computers are encrypted.
- Automatic screen lock.
- Individual passwords for all employees.
- No shared passwords or multiple use of accounts.
- Mandatory multi-factor authentication in all systems that support it.
Reonic primarily uses AWS for data storage and processing, which in turn implements comprehensive system access control measures.
1.3 Data Access Control
The following measures serve to ensure that persons authorised to use a data processing system can only access data covered by their access authorisation, and that personal data cannot be read, copied, modified or removed without authorisation during processing, use and after storage.
- Authorisation concepts are in place and documented; the organisation of authorisation assignment is documented.
- Assigned authorisations are continuously updated and changes documented. Revocation of access authorisations for individual employees takes place no later than the termination of employment.
- User rights are managed exclusively by administrators.
- The company network itself is protected against the internet by a firewall (see System Access Control, 1.2).
- Remote access to infrastructure of Reonic's sub-service providers (e.g. AWS) is only possible via VPN.
- At AWS, Reonic uses a private-public subnet architecture with separate security groups. The private subnet is protected by extensive firewalls and is not publicly accessible. Data access is exclusively via the interfaces (APIs) provided and secured by Reonic.
Reonic primarily uses AWS for data storage and processing, which in turn implements comprehensive data access control measures.
1.4 Encryption, Pseudonymisation & Anonymisation
The following measures serve to protect data against unauthorised use.
- Encryption of files such as images or documents (with SSE-S3 encryption, based on AES-256).
- Encryption of all database instances and database backups (with AES-256 encryption).
- Certain data (e.g. usage data) is processed in an anonymised/pseudonymised manner. Data that enables identification is (where available) stored separately, secured and encrypted.
2 Integrity
According to Art. 5(1)(f) GDPR, the principle of integrity requires that (personal) data is processed in a manner that ensures appropriate security of the data. This includes protecting personal data against accidental loss, accidental destruction or accidental damage. For this purpose, Reonic has taken the following measures:
2.1 Data Transfer Control
The following measures serve to ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or during transport or storage on data carriers, and that it can be verified and established to which recipients personal data is intended to be transmitted by data transmission facilities.
- Data exchange between the controller and Reonic takes place via encrypted download (HTTPS).
- Protection of all controller data on Reonic computers through hard drive encryption and password protection.
- Mobile data carriers are not used.
2.2 Input Control
The following measures serve to ensure that it can be subsequently verified and established whether and by whom personal data has been entered into, modified or removed from data processing systems.
- Deletion of personal data is technically logged.
- Collection/modification of personal data is, where necessary and technically feasible, logged and records are stored in versioned form.
2.3 Order Control
The following measures serve to ensure that personal data processed on behalf of a controller is processed only in accordance with the controller's instructions.
- All Reonic employees are bound to data secrecy (Section 53 BDSG).
- Reonic concludes data processing agreements with all sub-processors that process the controller's data.
2.4 Separation Control
The following measures serve to ensure that data collected for different purposes is processed separately.
- All data generated by the customer during use of the tools provided by Reonic is stored exclusively in a technically separated and organised manner at AWS.
- Data storage is separated by purpose. All customer data is physically and technically separate from other data, e.g. internal communications.
- Authorisation assignment for all types of data is documented (see also Data Access Control subsection).
- Completely separate development, test and production systems.
- Employees are obligated in writing not to use information from the controller's data sets in other projects/purposes.
2.5 Data Deletion
The following measures serve to ensure that collected data is deleted or destroyed in compliance with data protection regulations.
- Personal data is only stored for as long as the purpose(s) for which it was collected/processed require. The standard deletion concept is based on Article 28 of the GDPR.
- Individual deletion concepts, particularly regarding retention periods, can be agreed upon individually between the controller and Reonic.
2.6 Multi-Tenancy Separation
The following measures serve to ensure that data collected from different customers and for different purposes is processed separately.
- Data collected for different purposes is always processed separately.
- Data from different controllers is processed, managed and logically separated within the scope of commissioned processing.
3 Availability
According to Art. 32(1)(b) and (c) GDPR, Reonic undertakes to permanently ensure the availability and resilience of systems and services in connection with processing, and to rapidly restore the availability of and access to personal data in the event of a physical or technical incident. For this purpose, Reonic has taken the following measures:
3.1 Resilience
The following measures serve to ensure the ongoing processing of data.
- The use of a Content Delivery Network (CDN) mitigates Distributed Denial-of-Service (DDoS) attacks and ensures smooth operation.
- The backend of all applications provided by Reonic is based on a fully (and automatically) scalable IT architecture.
Reonic uses AWS for data storage and processing and Cloudflare for the provision and protection of APIs. Both service providers implement comprehensive measures to ensure high availability and resilience.
3.2 Recoverability
The following measures serve to restore systems in the event of a disruption.
- Daily, automated backups of all systems.
- Redundancy for databases and file storage systems.
- Monitoring.
- Plans for outage, emergency and recovery.
4 Review, Assessment and Evaluation
The following measures serve to comply with the procedure required by Art. 32(1)(d) GDPR for "regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing".
- A review of the effectiveness of technical protection measures is carried out at least semi-annually.
- The technical and organisational measures as well as the security and authorisation concept are reviewed at least annually.
- The revision of the risk analysis and assessment is carried out on an ongoing basis.
Annex DPA 3
List of Sub-Processors
Hetzner Online GmbH
For general data processing, Reonic uses the services of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (“Hetzner”).
- Data type: Pre-processing of data (e.g. weather data), data analysis. No personal data within the meaning of the GDPR is processed on Hetzner servers.
- Data storage: Nuremberg, Germany, EU.
- Personal data: None.
- Certifications: ISO 27001
Amazon Web Services EMEA SARL
For general data processing, Reonic uses Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg (“AWS”). A large part of the systems relevant for Reonic's services is hosted on AWS. These include the encrypted database, encrypted file storage, authentication, authorization and the general backend.
- Data type: Various (user data, customer data, metadata).
- Personal data: Yes (see data type).
- Data storage: Frankfurt, Germany, EU.
- Reference companies: Capgemini, Toyota, Salesforce, RWE.
- Certifications: ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 9001:2015, CSA STAR CCM v3.0.1.
Google Cloud EMEA Limited
For map services and geoservices, Reonic uses Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin, Ireland (“Google”).
- Data type: AI, map services, geoservices (user data, customer data, metadata).
- Personal data: No (address data / coordinates without name reference).
- Reference companies: Commerzbank, E.ON, ENGIE.
- Certifications: C5:2020, ISO 9001, ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, ISO/IEC 27701:2019.
Mixpanel, Inc.
Reonic uses the services of Mixpanel, Inc., One Front Street, 28th Floor, San Francisco, CA 94111 (“Mixpanel”) to analyze anonymized user data.
- Data type: Anonymized usage data.
- Data storage: Eemshaven, Netherlands, EU.
- Personal data: None.
- Reference companies: DocuSign, Uber, Yelp, Expedia.
- Certifications: ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA Star, FedRAMP.