Data Processing Agreement

Effective: 20 March 2026

Preamble

This Data Processing Agreement ("DPA") supplements the Terms of Service ("Agreement") between the Customer and Nexus – Automation & Implementation, operating as Solohaus ("Solohaus"), and applies whenever Solohaus processes Customer Personal Data on behalf of the Customer.

This DPA is incorporated into the Agreement by reference. By using the Solohaus service, the Customer accepts this DPA. No separate signature is required.

Order of precedence: In the event of a conflict, the following order applies: (1) the EU Standard Contractual Clauses, (2) this DPA, (3) the Agreement, (4) the Privacy Policy.

1. Definitions

  • "Applicable Data Protection Laws" means the GDPR (Regulation (EU) 2016/679) and any other applicable data protection legislation in the European Economic Area, the United Kingdom, and Switzerland.
  • "Controller" means the natural or legal person that determines the purposes and means of the processing of Personal Data, as defined in Art. 4(7) GDPR.
  • "Customer" means the entity or individual that has agreed to the Agreement and uses the Solohaus service.
  • "Customer Personal Data" means any Personal Data processed by Solohaus on behalf of the Customer in connection with the service.
  • "Data Subject" means an identified or identifiable natural person to whom Customer Personal Data relates.
  • "EU SCCs" means the Standard Contractual Clauses annexed to the European Commission's Implementing Decision (EU) 2021/914.
  • "Personal Data" has the meaning given in Art. 4(1) GDPR.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data, as defined in Art. 4(12) GDPR.
  • "Processing" means any operation or set of operations performed on Personal Data, as defined in Art. 4(2) GDPR.
  • "Processor" means a natural or legal person that processes Personal Data on behalf of the Controller, as defined in Art. 4(8) GDPR.
  • "Subprocessor" means any third party engaged by Solohaus to process Customer Personal Data.
  • "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Art. 51 GDPR.

2. Roles and scope

The Customer acts as Controller (or Processor to a third-party Controller) of Customer Personal Data. Solohaus acts as Processor (or Subprocessor, as applicable) of Customer Personal Data.

The subject matter, nature, purpose, duration, and categories of Personal Data processed and Data Subjects concerned are described in Exhibit A.

3. Customer obligations

The Customer shall:

  • Comply with Applicable Data Protection Laws regarding its use of the service and the processing of Customer Personal Data.
  • Ensure the accuracy and legality of Customer Personal Data provided to Solohaus.
  • Ensure that its processing instructions do not cause Solohaus to violate Applicable Data Protection Laws.
  • Where the Customer acts as Processor on behalf of a third-party Controller, warrant that it has obtained all necessary authorisations from such Controller.

4. Solohaus obligations

Solohaus shall:

  • Process Customer Personal Data only on documented instructions from the Customer, including with respect to transfers of Personal Data to a third country, unless required to do so by EU or Member State law.
  • Not sell, share, retain, use, or disclose Customer Personal Data for any purpose other than the provision of the service.
  • Ensure that persons authorised to process Customer Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Promptly notify the Customer if, in Solohaus's opinion, an instruction infringes Applicable Data Protection Laws.

5. Data subject rights

Solohaus shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR.

If Solohaus receives a request from a Data Subject directly, Solohaus shall promptly redirect the request to the Customer, unless Solohaus has been authorised by the Customer to respond.

Solohaus provides self-service tools for Customers to fulfil Data Subject requests, including data export (JSON) and account deletion from the account settings.

6. Subprocessors

The Customer grants Solohaus general authorisation to engage Subprocessors to process Customer Personal Data. The current list of Subprocessors is available at solohaus.io/legal/subprocessors.

Solohaus shall notify the Customer of any intended changes to the list of Subprocessors (additions or replacements) at least 10 days prior to the change by updating the subprocessors page.

The Customer may object to a new Subprocessor by sending a written notice to legal@solohaus.io within 30 days of notification, stating reasonable grounds for the objection. Solohaus shall make reasonable efforts to provide an alternative or, if no alternative is available, the Customer may terminate the affected part of the service.

Solohaus shall enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those set out in this DPA. Solohaus remains fully liable to the Customer for the performance of each Subprocessor's obligations.

7. Security

Solohaus shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Exhibit B. These measures include, but are not limited to:

  • Encryption of data in transit (TLS 1.2 or higher)
  • Encryption of data at rest (AES-256 via Cloudflare)
  • Access controls and session management
  • Rate limiting and DDoS protection
  • Regular security testing

8. Personal Data Breach

Solohaus shall notify the Customer of a Personal Data Breach without undue delay and no later than 72 hours after becoming aware of it. The notification shall include:

  • The nature of the Personal Data Breach, including categories and approximate number of Data Subjects and records concerned
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects
  • The contact point for further information

Solohaus shall cooperate with the Customer and take reasonable steps to assist the Customer in meeting its breach notification obligations under Art. 33 and Art. 34 GDPR.

This section does not apply to breaches that are caused by the Customer or the Customer's users.

9. International data transfers

To the extent that the processing of Customer Personal Data involves a transfer of data to a country outside the European Economic Area that has not received an adequacy decision from the European Commission, Solohaus shall ensure that such transfers are subject to appropriate safeguards, including:

  • The EU-US Data Privacy Framework (where the recipient is DPF-certified), or
  • The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor) and Module Three (Processor to Sub-processor), as applicable.

Where EU SCCs apply, they are governed by the laws of Germany, and disputes shall be submitted to the courts of Berlin.

10. Data protection impact assessments

Solohaus shall provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with Supervisory Authorities pursuant to Art. 35 and Art. 36 GDPR, taking into account the nature of the processing and the information available to Solohaus.

11. Audit

Solohaus shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or a mandated auditor.

Audits shall be conducted at reasonable intervals (no more than once per calendar year), during normal business hours, with at least 30 days' prior written notice. The Customer shall bear the costs of any audit and shall ensure that the audit does not unreasonably disrupt Solohaus's operations.

12. Data deletion and return

Upon termination of the Agreement, Solohaus shall, at the Customer's choice, delete or return all Customer Personal Data within 30 days, unless EU or Member State law requires storage of the data.

Exception: Financial data subject to statutory retention obligations (e.g., Section 147 AO, Section 257 HGB in Germany) may be retained for the legally required period (up to 10 years for fiscal records). Such retained data shall continue to be protected in accordance with this DPA.

The Customer may export its data at any time before deletion via the self-service data export feature in the account settings.

13. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except that nothing in the Agreement shall limit a party's liability to Data Subjects under Applicable Data Protection Laws.

14. General provisions

  • Precedence. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Customer Personal Data.
  • Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid provision shall be replaced by a valid provision that achieves, to the extent possible, the original purpose.
  • Governing law. This DPA is governed by and construed in accordance with the laws of Germany. The courts of Berlin shall have exclusive jurisdiction.
  • Amendments. Solohaus may update this DPA from time to time. Material changes will be communicated to Customers via the service or email. Continued use of the service constitutes acceptance of the updated DPA.

Exhibit A: Description of processing

Data exporter: Customer (Solohaus user)
Data importer: Nexus – Automation & Implementation (operating as Solohaus). Contact: Didier van Hooren, legal@solohaus.io
Data subjects: Customer's clients, counterparties, and accountants whose personal data the Customer uploads or enters into the service
Categories of personal data: Names, email addresses, company names, IBANs, financial transaction descriptions, bank statement data, offer and invoice content
Sensitive data: Financial data (bank account numbers, transaction amounts). No special categories of data within the meaning of Art. 9 GDPR are processed.
Frequency: Continuous, based on Customer's use of the service
Nature and purpose: Offer management, financial planning and analysis, bank reconciliation, AI-powered financial analysis, PDF generation, email delivery of offers
Duration: For the term of the Agreement, plus applicable retention periods (up to 10 years for fiscal records)
Subprocessors: As listed at solohaus.io/legal/subprocessors

Exhibit B: Technical and organisational security measures

Solohaus implements the following security measures to protect Customer Personal Data:

Encryption

  • Data in transit: TLS 1.2 or higher on all connections
  • Data at rest: AES-256 encryption via Cloudflare infrastructure (D1, R2, KV)

Authentication and access control

  • Password authentication with bcrypt hashing (via Better Auth)
  • Two-factor authentication (TOTP) support
  • Session management with secure cookies (HttpOnly, Secure, SameSite), 14-day expiry
  • Role-based access controls and API-level authorisation
  • Elevated session requirement for sensitive operations (password change, account deletion)

Network security

  • Cloudflare Web Application Firewall (WAF)
  • DDoS protection via Cloudflare
  • Rate limiting on authentication and API endpoints
  • CSRF protection on state-changing requests

Data minimisation

  • AI features are consent-gated and optional
  • Analytics (PostHog, Google Analytics) are consent-gated and optional
  • No tracking or profiling beyond service functionality

Incident response

  • Documented breach notification procedure (Section 8 of this DPA)
  • Severity classification and response timelines

Business continuity

  • Cloudflare global infrastructure with automated failover
  • D1 database with automated backups and point-in-time recovery
  • R2 object storage with built-in redundancy

Contact

For questions regarding this DPA, please contact legal@solohaus.io.