1. Subject matter and duration
This data processing agreement (DPA) under Art. 28 GDPR governs the processing of personal data by Forge12 (processor) on behalf of the customer (controller) within the products and services commissioned by the customer under the main contract, including the respective agreed annexes. Processing takes place for the term of the main contract. The subject matter, categories of data subjects, data types and storage periods are set out in the product-specific annexes.
2. Instructions
Forge12 processes personal data exclusively on the documented instructions of the controller, unless a legal obligation requires otherwise. Instructions that go beyond the agreed scope of services may be charged separately by Forge12 as a change request. Forge12 is not obliged to carry out instructions that manifestly infringe applicable data-protection law and will inform the customer of this without undue delay.
3. Technical and organizational measures
Forge12 implements the appropriate technical and organizational measures under Art. 32 GDPR. The current technical and organizational measures are set out in Annex D – Technical and Organizational Measures (TOM), which forms part of this agreement. Forge12 may continuously adapt them to the state of the art, provided the agreed level of protection is not undercut.
4. Sub-processors
Forge12 may engage additional sub-processors or replace existing ones where necessary for the provision of services. The customer will be informed in text form (e.g. by email) at least 14 calendar days before the planned use. The customer may object to the use on data-protection grounds within this period; if no objection is raised within the period, the use is deemed approved. If the customer raises a legitimate objection and the parties cannot find a reasonable solution, either party may terminate the affected part of the services for cause with 14 days' notice. Forge12 will ensure that an agreement pursuant to Art. 28(4) GDPR has been concluded with each sub-processor.
5. Transfers to third countries
Where sub-processors process personal data outside the European Economic Area, this is done exclusively on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR (in particular EU standard contractual clauses, an adequacy decision or other appropriate safeguards under the GDPR).
6. Assistance obligations
Forge12 assists the controller to a reasonable extent in fulfilling its data-protection obligations under Art. 28(3)(e) and (f) GDPR, in particular with data-subject requests, data breaches and data-protection impact assessments, insofar as the processing is concerned. Any additional effort arising from this may be charged separately, unless it results from a breach of duty by Forge12.
7. Deletion and return after contract end
After the end of processing, Forge12 deletes or returns all personal data at the controller's choice, insofar as this is technically possible and unless statutory retention obligations or legitimate evidentiary interests preclude this.
8. Audits and evidence
Forge12 makes available to the controller, on request, all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR. The controller is entitled to verify compliance with this DPA upon reasonable prior notice. Forge12 may provide suitable evidence (e.g. documentation, certifications or self-disclosures). On-site audits take place only where necessary and where equivalent evidence is insufficient. The customer bears the cost of an audit, unless a material breach of data-protection obligations by Forge12 is established.
9. Notification of personal data breaches
Forge12 informs the controller without undue delay after becoming aware of a personal data breach, insofar as it concerns the processing under this agreement, and assists the controller to a reasonable extent in fulfilling its statutory notification and communication obligations.
10. Retention of the agreement
Forge12 may retain evidence of the conclusion, content, version and time of conclusion of the agreement for as long as this is necessary to fulfil statutory documentation obligations or to assert, exercise or defend legal claims. Insofar as personal contact data is not required for this, it is deleted or anonymized after the end of the contract.
Annexes
Annex A — Plugins
Purpose: License and update checks for the Forge12 plugins in use.
Categories of data subjects: Administrators and website operators of the customer.
Storage period: For the duration of the active license; technical log data is generally deleted after no more than 30 days, unless statutory retention obligations or security-relevant reasons preclude this.
Categories of personal data
- installation domain/URL
- license key
- IP address
- technical metadata
Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting / data centre | Germany (EU) |
| Cloudflare, Inc. | CDN / DDoS protection | EU/USA (SCC) |
Annex B — SilentChat
Purpose: Operation of the SilentChat system (chat communication) on the customer's website.
Categories of data subjects: Visitors, customers and prospects of the customer.
Storage period: According to the customer's settings, or until deletion by the customer.
Optional AI features: If the customer activates AI-assisted features, one or more of the following sub-processors may be engaged depending on the activated configuration: OpenAI (USA), Anthropic "Claude" (USA) or IONOS AI (Germany/EU). Which provider is engaged depends solely on the configuration actively selected by the customer; without activation of the AI features no such transfer takes place. Activation or change of the AI provider is carried out by the customer in the account or on the customer's documented instructions. For providers outside the EEA, processing is carried out on the basis of appropriate safeguards pursuant to Art. 44 et seq. GDPR.
Categories of personal data
- chat content
- visitor identifier
- IP address
- browser/device data
Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting / data centre | Germany (EU) |
| Hetzner Online GmbH | E-mail delivery (SMTP) | Germany (EU) |
| Cloudflare, Inc. | CDN / DDoS protection | EU/USA (SCC) |
| OpenAI, Inc. | optional AI features (only when activated) | USA |
| Anthropic PBC | optional AI features (only when activated) | USA |
| IONOS SE (IONOS AI) | optional AI features (only when activated) | Germany (EU) |
Annex C — SilentShield
Purpose: Protecting the customer's website from automated and abusive access (bot/spam mitigation).
Categories of data subjects: Visitors of the customer's website.
Storage period: Short-term processing for request scoring; no persistent profiling.
Categories of personal data
- IP address
- request metadata
- behavioral signals (anonymized)
Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting / data centre | Germany (EU) |
| Cloudflare, Inc. | CDN / DDoS protection | EU/USA (SCC) |
Annex D — Technical and Organizational Measures (TOM)
This annex describes the technical and organizational measures under Art. 32 GDPR. Forge12 may continuously adapt them to the state of the art without falling below the agreed level of protection.
Confidentiality: role-based access control, need-to-know principle, encrypted authentication, multi-factor authentication for administrative access (where technically available), separated development and production environments.
Data segregation: logical separation of different controllers' data within the systems in use.
Integrity: transport encryption (TLS 1.2+), encryption of sensitive data at rest, auditable input and change logging.
Availability & resilience: regular data backups in accordance with the agreed services and the applicable backup concept, monitoring, DDoS/bot protection, protection against unauthorized physical access to server and office premises.
Recoverability: procedures to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
Processing on behalf: processing only on documented instructions, confidentiality commitment of staff, careful selection and control of sub-processors.
Review: regular evaluation of the effectiveness of the measures.
You conclude the data processing agreement in a legally binding way from your signed-in account.