Effective Date: May 15, 2026
This Data Processing Agreement ("DPA") forms part of the main service agreement (the "Agreement") between dltHub and the Subscriber ("Controller") for the provision of the dltHub data pipeline platform and related services. By subscribing to or using the Services, the Controller accepts the terms of this DPA. In the event of any conflict between this DPA and the Agreement regarding the processing of personal data, this DPA shall take precedence.
Processor:
ScaleVector GmbH and its affiliates (doing business as "dltHub")
Rosenthaler Str. 36, Berlin 10178, Germany
hello@dlthub.com
Controller ("Subscriber"):
The entity that has entered into the Agreement with dltHub, as identified in the applicable Order Form or subscription registration.
Together referred to as the "Parties."
In this DPA, the following terms have the meaning assigned to them in the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"): "personal data", "data subject", "processing", "controller", "processor", "supervisory authority", "personal data breach".
"Controller" means the Subscriber as defined in the Agreement (i.e., the entity that has entered into the Agreement with dltHub and determines the purposes and means of processing of Subscriber Personal Data).
"Subscriber Personal Data" means any personal data (as defined under applicable data protection law, including the GDPR) that is contained within, or forms part of, the Subscriber Data (as defined in the Agreement) and that the Processor processes on behalf of the Controller in connection with the provision of the Services.
"Agreement" has the meaning given to it in the dltHub Terms of Use, being the Terms of Use and any applicable Supplemental Terms entered into between dltHub and the Subscriber. Capitalised terms used but not defined in this DPA shall have the meanings given to them in the Agreement.
2.1 The Processor provides a cloud-based data pipeline service (including the open-source "dlt" library and the dltHub Pro managed platform) that enables the Controller to extract, load, and transform data across systems ("Service").
2.2 In the course of providing the Service, the Processor may process personal data on behalf of the Controller. The specific categories of personal data, categories of data subjects, and the nature and purpose of processing are set out in Annex 1.
2.3 The Processor shall process personal data solely for the purposes set out in Annex 1 and only to the extent necessary to provide the Service to the Controller.
3.1 Instructions. The Processor shall process personal data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by Union or Member State law. In such a case, the Processor shall inform the Controller before processing, unless prohibited by law.
3.2 Confidentiality. The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security. The Processor shall implement and maintain appropriate technical and organisational measures in accordance with Article 32 GDPR. See Annex 2 for the applicable measures.
3.4 Sub-processors. The Controller grants the Processor general written authorisation to engage sub-processors as listed in Annex 3. The Processor shall provide at least 14 days' prior written notice of any intended changes. If the Controller reasonably objects, the Parties shall work in good faith to resolve the issue. If unresolved within 30 days, the Controller may terminate the Main Agreement.
3.5 Data Subject Rights. The Processor shall assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to data subject rights requests under Chapter III GDPR.
3.6 Compliance Assistance. The Processor shall assist the Controller in ensuring compliance with obligations under Articles 32-36 GDPR, taking into account the nature of processing and information available.
3.7 Deletion or Return. At the Controller's choice, the Processor shall delete or return all personal data after the end of the provision of services, and shall delete existing copies, unless Union or Member State law requires storage.
3.8 Audit Rights. The Processor shall make available all information necessary to demonstrate compliance and allow for audits or inspections conducted by the Controller or an auditor mandated by the Controller. The Processor shall immediately inform the Controller if any instruction infringes GDPR or other applicable data protection provisions.
3.9 Records. The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller as required by Article 30(2) GDPR.
4.1 The Controller is responsible for the lawfulness of processing personal data prior to and after transmission to the Processor.
4.2 The Controller shall ensure it has a valid legal basis for each processing activity it instructs the Processor to carry out, including obtaining any necessary consents from data subjects.
4.3 The Controller shall provide the Processor with all information and assistance reasonably required to comply with applicable data protection law.
5.1 The Processor shall notify the Controller without undue delay and, where feasible, no later than 48 hours after becoming aware of a personal data breach affecting data processed on behalf of the Controller.
5.2 The notification shall include, to the extent available:
5.3 Where information cannot be provided simultaneously, it may be provided in phases without undue further delay.
6.1 Where processing involves a transfer of personal data outside the European Economic Area ("EEA"), the Processor shall ensure such transfer is subject to an appropriate safeguard under Chapter V GDPR, including Standard Contractual Clauses (SCCs) as adopted by the European Commission.
6.2 To the extent the Processor or any sub-processor is located in a third country, the Parties shall execute the applicable module of the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), incorporated by reference into this DPA.
7.1 This DPA is effective from the date the Controller enters into the Agreement and shall remain in force for as long as the Processor processes personal data on behalf of the Controller under the Main Agreement.
7.2 Upon expiry or termination of the Agreement, the Controller shall have 30 days to export any Subscriber Personal Data stored on the dltHub Service. Following that 30-day period, the Processor shall, at the Controller's election, either:
unless applicable law requires retention. This clause is consistent with, and subject to, the data export and deletion provisions set out in the Agreement.
8.1 Each Party shall be liable for damages caused by processing that infringes GDPR in accordance with Article 82 GDPR and the liability provisions of the Agreement. As between the Parties, any such liability shall be subject to the limitations and caps set out in the Agreement (including the aggregate liability cap based on fees paid in the preceding 12 months), to the maximum extent permitted by applicable law. For the avoidance of doubt, nothing in this DPA limits either Party's liability to data subjects or supervisory authorities under Article 82 GDPR or applicable law.
8.2 The Processor shall be exempt from liability if it proves it is not in any way responsible for the event giving rise to the damage.
9.1 This DPA is governed by the laws of the Federal Republic of Germany, without regard to conflict of law provisions.
9.2 Any disputes shall be subject to the exclusive jurisdiction of the courts of Berlin, Germany.
10.1 Should any provision of this DPA be invalid, the remaining provisions shall remain in full force. The invalid provision shall be replaced by one that best reflects the Parties' intentions.
10.2 This DPA constitutes the entire agreement between the Parties regarding the processing of personal data and supersedes all prior agreements on the same subject matter.
10.3 Amendments must be made in writing and signed by duly authorised representatives of both Parties.
Processor: ScaleVector GmbH and its affiliates (doing business as "dltHub"), 36 Rosenthaler Str., Berlin 10178, Germany
The Processor provides the dltHub data pipeline platform, enabling the Controller to build, deploy, and manage data extraction and loading pipelines. Processing continues for the duration of the Main Agreement.
Depending on the data sources configured by the Controller, processing may involve:
Note: The Controller is responsible for determining which personal data is transmitted through the Service.
The Parties do not anticipate the processing of special categories of personal data under Article 9 GDPR. Should the Controller intend to process such data, this must be agreed in writing in advance.
Personal data contained in pipeline runs is retained for the period configured by the Controller, subject to a default maximum retention of 90 days for pipeline logs, unless otherwise agreed.
As of the effective date of this DPA, the Processor uses the following sub-processors:
The Processor will provide the Controller with at least 14 days' prior written notice of any intended change to this list. If the Controller reasonably objects, the Parties shall work in good faith to resolve it within 30 days. If unresolved, the Controller may terminate the Main Agreement on written notice.
