Data Processing Agreement (DPA)

📋 Summary according to Art. 28 GDPR

This agreement governs the processing of personal data on your behalf and is concluded between you (Controller) and SemanticFlow (Processor).

Contracting Parties

Client (Controller):
Customer (e.g. educational institution, company, care facility, self-employed educators, private individuals)

Service Provider (Processor):
Semantic Flow
Owner: Manfred Eppe
Schopbachweg 10c
22527 Hamburg
Germany
Email: info@semanticflow.de
Phone: +49 176 21532311

1. Subject Matter and Duration

This Data Processing Agreement governs the processing of personal data by SemanticFlow for the provision of the EduraFlow service and related services.

Duration: This agreement is valid for the duration of the main contract between Client and Service Provider. After contract termination, data will be deleted or returned according to Section 8.

2. Nature and Purpose of Processing

The Processor processes personal data as part of the following activities:

  • Collection: Upload of educational materials and documents by the Client
  • Storage: Storage of uploaded content on hosting provider servers
  • Transmission: Forwarding to AI services (OpenAI) for processing
  • Deletion: Automatic deletion after 24 months or upon request

Purpose: AI-assisted creation and editing of educational materials, including quizzes, presentation slides, and structured dossiers.

3. Categories of Data Subjects

🚫 Exclusion of Personal Data

The service is NOT designed for processing personal data.

The Client undertakes not to include any personal data of third parties (including names, contact details, health data, or other identifiable information) in the uploaded materials.

Permitted content: Anonymized educational content, professional literature, general educational materials without personal reference.

Responsibility: Should the Client nevertheless upload personal data, this is done at their sole responsibility. The Client warrants that they:

  • have the necessary legal basis (e.g., consent of data subjects according to Art. 6(1)(a) GDPR)
  • have fulfilled all required information obligations according to Art. 13/14 GDPR
  • have conducted a Data Protection Impact Assessment (DPIA) according to Art. 35 GDPR if applicable
  • indemnify SemanticFlow against any third-party claims resulting from unauthorized upload of personal data

4. Categories of Personal Data

Personal data of the Client:

  • Account data: Name, email address, billing address of the Client
  • Usage data: IP address (shortened/anonymized), browser information, timestamps
  • Payment data: Processed via Stripe (not stored by SemanticFlow)

Content data (uploaded by the Client):

  • Texts, documents, images in uploaded educational materials
  • Note: Should NOT contain personal data (see Section 3)

5. Obligations of the Processor

5.1 Processing under Instructions

The Processor processes personal data solely on documented instructions from the Client. Instructions are given through use of the platform and the functions provided therein.

5.2 Confidentiality

The Processor ensures that all persons authorized to process data are bound to confidentiality and have received appropriate training.

5.3 Technical and Organizational Measures (TOMs)

The Processor has implemented the following security measures:

  • Access control: Password-protected user accounts, role-based permissions
  • Encryption: TLS encryption for data transmission (HTTPS)
  • Logging: Logging of accesses and changes (7-30 days)
  • Updates: Regular security updates of software used
  • Data separation: Logical separation of customer data at platform level

5.4 Support for Data Subject Rights

The Processor supports the Client in fulfilling data subject rights (access, deletion, rectification, etc.) with appropriate technical and organizational measures.

Contact for data subject requests: info@semanticflow.de

5.5 Reporting Security Incidents

The Processor reports personal data breaches to the Client immediately, but no later than 72 hours after becoming aware of them.

6. Sub-processors

The Client grants the Processor general authorization to engage the following sub-processors:

6.1 Clever Cloud SAS (Hosting)

  • Location: 3 rue de l'Allier, 44000 Nantes, France (EU)
  • Service: Platform hosting and data storage
  • Safeguards: Data Processing Agreement (DPA) in place

6.2 OpenAI, L.L.C. (AI Processing)

  • Location: 3180 18th Street, San Francisco, CA 94110, USA (with EU data centers)
  • Service: AI-assisted content processing and generation
  • Safeguards: Data Processing Agreement (DPA) concluded, data transfer based on EU-US Data Privacy Framework (Art. 45 GDPR) and Standard Contractual Clauses (SCCs)

6.3 Stripe, Inc. (Payment Processing)

  • Location: Ireland (EU) and USA
  • Service: Payment data processing
  • Safeguards: Own privacy policy and DPA, PCI-DSS certified

Changes: The Processor informs the Client about planned changes to sub-processors. The Client may object within 14 days.

7. International Data Transfer

The transfer of personal data to OpenAI in the USA is based on the EU-US Data Privacy Framework (Art. 45 GDPR), which ensures adequate data protection. Additionally, Standard Contractual Clauses (SCCs) are in place.

OpenAI also operates data centers in the EU, which can be used preferentially.

8. Deletion and Return of Data

8.1 Standard Procedure

Uploaded educational materials and generated results are automatically deleted 24 months after upload, unless the Client requests an extension.

8.2 After Contract Termination

After termination of the main contract, the Processor deletes all personal data of the Client or returns it upon request. Deletion occurs within 30 days.

8.3 Upon Request

The Client may request immediate deletion of their data at any time at: info@semanticflow.de

8.4 Legal Retention Obligations

Data subject to legal retention obligations (e.g., invoice data) will be retained according to statutory periods (6-10 years).

9. Control and Audit Rights

The Client has the right to verify the Processor's compliance with this DPA. This may be done through:

  • Obtaining information from the Processor
  • Reviewing relevant documents and certifications
  • Inspections (with prior notice, during business hours)

Upon request, the Processor provides the information necessary to verify compliance with its obligations under Art. 28 GDPR.

10. Liability and Compensation

Liability is governed by the provisions of the GDPR (Art. 82) and the agreements in the main contract. In case of GDPR violations, the Processor is liable to the Client according to statutory provisions.

11. Final Provisions

11.1 Applicable Law

The law of the Federal Republic of Germany applies.

11.2 Jurisdiction

The exclusive place of jurisdiction for all disputes arising from this contract is Hamburg.

11.3 Amendments

Amendments to this DPA require written form (email is sufficient). The Processor may make necessary adjustments (e.g., in case of legal changes) with a notice period of 30 days.

11.4 Severability Clause

Should individual provisions of this DPA be invalid, the validity of the remaining provisions shall remain unaffected.


Contact for DPA Questions

For questions or to exercise your rights as Client, please contact:

Manfred Eppe
Semantic Flow
Schopbachweg 10c
22527 Hamburg
Email: info@semanticflow.de
Phone: +49 176 21532311


Last updated: October 18, 2025
Version: 1.0