Data Processing Agreement (DPA)

Last updated: May 2026

Preamble

This Data Processing Agreement ("DPA") concretises the obligations of the parties under Art. 28 GDPR with respect to the use of the raydaa platform. It is concluded between you — the customer using raydaa for your organization ("Controller") — and AiTrain GmbH, Gertigstraße 5, 22303 Hamburg, Germany, registered with the Commercial Register of Hamburg Local Court under HRB 191041 ("Processor" or "raydaa"). By accepting this DPA, the Controller agrees that raydaa will process personal data of the Controller's personnel exclusively on documented instructions under this agreement. — Note: in case of interpretation differences, the German version controls; this English version is a translation for information purposes only.

§ 1 Subject Matter, Duration, Nature and Purpose of Processing

Subject matter: Provision of the raydaa platform as a curated AI knowledge feed including personalization, the AI assistant Marble and related functions. Duration: for the term of the main agreement between the parties (usage / subscription contract). Nature of processing: collection, storage, structuring, modification, retrieval, querying, use, transmission within the agreed subprocessor chain, deletion. Purpose: provision of the contractually owed services and related personalization, security measures, product improvement and legal obligations.

§ 2 Types of Personal Data and Categories of Data Subjects

Categories of data subjects: employees, trainees, and other persons organizationally assigned to the Controller who use raydaa. Types of personal data: account data (name, email, avatar), profile and personalization data (role, industry, interview answers, profile summary), content interaction (clicked and saved assets, engagement signals), Marble conversations and related memories, and technical logs (IP, user agent, timestamp). A detailed listing is provided in the privacy policy (Section 3) and concretises this DPA.

§ 3 Controller's Right to Issue Instructions

raydaa processes personal data exclusively on documented instructions from the Controller. The main instruction follows from this DPA and the associated usage contract. Additional instructions must be issued in text form to info@ai-train.de and will be reviewed by raydaa for feasibility without undue delay. An instruction will be refused or its execution suspended if, in raydaa's opinion, the instruction violates applicable data protection law; raydaa will inform the Controller without undue delay in such case.

§ 4 Confidentiality Obligation

raydaa ensures that all persons entrusted with processing personal data are bound by confidentiality prior to commencing their activities or are subject to an appropriate statutory confidentiality obligation. The confidentiality obligation persists beyond termination of the engagement.

§ 5 Technical and Organizational Measures (TOMs)

The technical and organizational measures pursuant to Art. 32 GDPR taken by raydaa are set out in Annex 1 to this DPA. They may evolve during the term, provided that an equivalent or higher level of protection is maintained. Material reductions are excluded. raydaa demonstrates compliance, upon request of the Controller, by suitable evidence (self-audit report, platform certifications of subprocessors).

§ 6 Subprocessors

The Controller consents to the subprocessors listed in Annex 2 of this DPA (general authorisation pursuant to Art. 28 (2) sentence 2 GDPR). raydaa will inform the Controller of intended changes to the subprocessor list at least 30 days before they take effect, by email to the address on file in the customer account. The Controller may object to a change for material data protection reasons within this period; in such case both parties may extraordinarily terminate the main agreement. raydaa contractually obliges all subprocessors to an equivalent level of data protection.

§ 7 Assistance Obligations

Within the technically feasible scope, raydaa supports the Controller in fulfilling its own obligations under Art. 12 to 22 GDPR (data subject rights) and Art. 32 to 36 GDPR (security, notification obligation, data protection impact assessment, prior consultation). Requests from data subjects addressed directly to raydaa will be forwarded to the Controller without undue delay. For reasonable assistance services raydaa may, upon agreement, charge a fee based on effort to the extent the effort is not covered by raydaa's own obligations under this DPA.

§ 8 Notification of Personal Data Breaches

raydaa notifies the Controller of any breach of the protection of personal data (Art. 4 No. 12 GDPR) without undue delay after becoming aware, but no later than within 72 hours. The notification is sent by email to the main contact address on file in the customer account and contains a description of the nature of the breach, the likely affected categories and numbers, probable consequences, and measures taken or proposed. raydaa supports the Controller in notifying the supervisory authority and, where applicable, in notifying affected data subjects.

§ 9 Deletion and Return After Contract End

After termination of the main agreement, raydaa deletes all personal data processed on behalf within 30 days unless a statutory retention obligation applies. Upon request of the Controller, made in text form prior to deletion, raydaa provides the data in a structured, commonly used and machine-readable format (JSON export). For data subject to statutory retention (in particular invoices under § 147 of the German Fiscal Code) the respective statutory retention periods apply; during that period the data is protected and blocked from other uses.

§ 10 Evidence and Audit Rights

raydaa provides the Controller, upon request, with a current self-audit report documenting the implementation of the TOMs in Annex 1. If the self-audit report is insufficient, the Controller may, after prior written registration with reasonable notice (at least 14 days) and during normal business hours, conduct audits at raydaa's premises or have them conducted by a third party bound to confidentiality. raydaa may submit equivalent third-party certifications or audit reports of the platforms used (e.g. AWS SOC-2, Vercel SOC-2) as additional evidence.

§ 11 Liability

Liability between the parties follows the general provisions of the main agreement and Art. 82 GDPR. raydaa is liable to the Controller for damages arising from a culpable breach of this DPA attributable to raydaa. Vis-à-vis data subjects, the parties are jointly and severally liable pursuant to Art. 82 GDPR.

§ 12 Language and Interpretation

This DPA exists in German and English. In case of differences in interpretation, the German version controls. The English version serves information purposes only.

§ 13 Final Provisions

The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods. The place of jurisdiction for all disputes arising from or in connection with this DPA is Hamburg, provided the Controller is a merchant, legal entity under public law, or public-law special asset. Amendments and supplements to this DPA require text form. Should individual provisions be invalid, the validity of the remaining provisions remains unaffected.

Annex 1 — Technical and Organizational Measures

raydaa takes the following measures to protect personal data. This list reflects the actual state as of the last update of this DPA. Material reductions will be announced to the Controller with appropriate lead time.

  • Cloud-only architecture in certified EU data centers (AWS eu-central-1, Supabase EU, Vercel with EU regions). No own physical server rooms.
  • Encryption in transit: TLS 1.2 or higher for all data transmission; HTTP connections are redirected server-side to HTTPS.
  • Encryption at rest: AES-256 encryption of database and storage volumes by the cloud platforms used.
  • Access control: authentication via bcrypt-hashed passwords or OAuth (Google). Multi-factor authentication is supported for administrative accounts on the platforms in use and can be enabled per account.
  • Authorisation: row-level security at the database layer; server-side authorisation check per request; separation of user and administration roles.
  • Multi-tenant separation: logical isolation via foreign keys and row-level security; fully separated staging and production environments.
  • Pseudonymization: analytical third-party services receive only pseudonymous identifiers; embeddings are processed as anonymous numerical vectors.
  • Backup and recovery: daily automated physical backups via the managed database (Supabase Pro). Point-in-time recovery is optional and can be activated depending on the booked tier and Controller's needs.
  • Logging: platform-side logging of authentication events and request logs (typical retention up to 90 days); application-side structured logs for security-relevant events.
  • Static code analysis via linters and type-checkers in the CI process; code reviews before merges to production.
  • Confidentiality obligation of management and all persons entrusted with data processing prior to commencing activities.
  • Defined escalation path for security-relevant incidents: detection via info@ai-train.de or internal monitoring signals, assessment by management, notification of Controllers without undue delay (within 72 hours).
  • Subprocessor management: inventory of all subprocessors used, DPA per provider, annual review.

Annex 2 — Approved Subprocessors

raydaa engages the following subprocessors to provide the service. By accepting this DPA, the Controller consents to their engagement (general authorisation). A current list is always available at https://raydaa.com/avv.

Provider                                   | Function                                          | Seat / Place of processing                      | Transfer basis
-------------------------------------------|---------------------------------------------------|-------------------------------------------------|------------------------------------------
Supabase Inc., USA (processing in EU)      | Database, authentication, storage                 | EU (region eu-central-1)                        | Processing in EU; parent in USA → SCC
Vercel Inc., USA                           | Hosting, edge functions, logging                  | USA with EU regions                             | EU-US Data Privacy Framework and SCC
Amazon Web Services EMEA SARL, Luxembourg  | AWS Bedrock — LLM inference and embeddings        | EU (eu-central-1, EU cross-region inference)    | Processing in EU
Microsoft Ireland Operations Ltd., Ireland | Microsoft Clarity — analytics (only with consent) | EU with onward transfer to USA                  | EU-US Data Privacy Framework and SCC
Stripe Payments Europe Ltd., Ireland       | Payment processing                                | EU with onward transfer to USA                  | EU-US Data Privacy Framework and SCC
ActiveCampaign LLC (Postmark), USA         | Transactional emails                              | USA                                             | SCC
Cloudflare Inc., USA                       | Bot protection (Turnstile)                        | USA                                             | EU-US Data Privacy Framework and SCC
Google Ireland Ltd., Ireland               | Optional Google login (OAuth)                     | EU with onward transfer to USA                  | EU-US Data Privacy Framework and SCC

Asset-processing services (Groq Inc., AssemblyAI Inc., ListenNotes Inc.) process exclusively publicly available content (podcasts, videos, web pages) and are therefore not subprocessors within the meaning of this DPA.

Conclude this DPA

For organisations with an active raydaa subscription: you can accept this DPA electronically by having the person responsible for your organisation (typically management, procurement, or the data protection officer) sign in and confirm acceptance. Electronic acceptance is documented by raydaa with a timestamp and version hash and is legally binding.

Alternatively, you can save the DPA as PDF via your browser's print function and countersign it.