Data Processing Agreement
Pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR) · As of May 2026
The legally binding version of this agreement is the German Auftragsverarbeitungsvertrag (AVV). This English translation is provided for convenience.
Processor: Nomadyr UG (haftungsbeschränkt)
Agreement Provisions
§1 Preamble
This Data Processing Agreement ("DPA") supplements the main agreement ("Main Agreement") between:
Controller: The Customer entering into the Main Agreement for the use of QuoteXelerator ("Controller")
Processor: Nomadyr UG (haftungsbeschränkt), Kolonnenstraße 8, 10827 Berlin, HRB 280266 B, Amtsgericht Charlottenburg, represented by Managing Director Benjamin S. Steinbüchel ("Processor")
This DPA specifies the data protection obligations of the contractual parties pursuant to Art. 28 GDPR. In the event of a conflict between this DPA and the Main Agreement, this DPA shall prevail with respect to data protection matters.
§2 Subject Matter, Duration, Nature and Purpose of Processing
Subject matter: The Processor provides the SaaS service "QuoteXelerator", a HubSpot Marketplace application operated by Nomadyr UG (haftungsbeschränkt), which enables the Controller to transform external vendor quotes into compliant deal line items within HubSpot CRM.
Duration: This DPA applies for the duration of the Main Agreement (SaaS subscription). After termination of the Main Agreement, this DPA remains in effect until all personal data has been deleted or returned pursuant to §11.
Nature and purpose of processing: The Processor processes personal data on behalf of the Controller exclusively for the provision of the QuoteXelerator service. Processing activities include:
- Transformation of external vendor quotes into customer-ready deal line items
- Currency conversion and margin calculation based on configured recipes
- Creation and updating of deal line items in the Controller's HubSpot portal via OAuth
- Audit logging of all processing operations, including snapshots, change detection, and compliance reports
- User authentication and authorization via HubSpot OAuth
§3 Types of Personal Data
The following categories of personal data may be subject to processing:
- Contact data (names, email addresses, company names) from vendor quotes uploaded by the Controller
- Business contact details of the Controller's users (name, email, HubSpot user ID)
- HubSpot portal IDs and deal owner identifiers
- Usage metadata (action timestamps, feature usage counters)
No special categories of personal data within the meaning of Art. 9 GDPR are processed. The Controller is responsible for ensuring that no special category data is included in uploaded quotes.
§4 Categories of Data Subjects
- Employees, representatives, and contact persons of the Controller who use QuoteXelerator
- End customers or contact persons of the Controller whose data is contained in vendor quotes
- Deal owners and other HubSpot users within the Controller's portal
§5 Obligations of the Processor
The Processor assumes the following obligations pursuant to Art. 28(3) GDPR:
(1) Processing on instructions (Art. 28(3)(a)): The Processor shall process personal data only on documented instructions from the Controller. The Main Agreement, this DPA, and the Controller's use of QuoteXelerator features constitute such documented instructions. If the Processor believes that an instruction from the Controller infringes the GDPR or other EU or member state data protection provisions, it shall inform the Controller without delay.
(2) Confidentiality (Art. 28(3)(b)): The Processor shall ensure that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(3) Technical and organizational measures (Art. 28(3)(c)): The Processor shall implement and maintain the technical and organizational measures required under Art. 32 GDPR. These measures are documented in the Technical and Organizational Measures (TOM) annex, which forms an integral part of this DPA.
(4) Sub-processors (Art. 28(3)(d)): The Processor shall not engage any other processor without complying with the conditions set out in §7 of this DPA.
(5) Data subject rights (Art. 28(3)(e)): The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights under Art. 15–22 GDPR.
(6) Security and notification obligations (Art. 28(3)(f)): The Processor shall assist the Controller, taking into account the nature of the processing and the information available to the Processor, in ensuring compliance with the obligations under Art. 32–36 GDPR. This includes assistance with data breach notifications (§8), security measures, and data protection impact assessments where applicable.
(7) Deletion and return (Art. 28(3)(g)): At the choice of the Controller, the Processor shall delete or return all personal data after the end of the provision of services and delete existing copies, unless EU or member state law requires storage of the personal data. Details in §11.
(8) Audit and demonstration (Art. 28(3)(h)): The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for audits. Details in §9.
§6 Obligations of the Controller
(1) The Controller is responsible for ensuring that the processing of personal data complies with the GDPR and applicable data protection laws, including having a legal basis for the processing.
(2) The Controller shall provide documented instructions for the processing of personal data. Instructions beyond the scope of the Main Agreement require a separate written agreement.
(3) The Controller is responsible for fulfilling data subject rights. The Processor shall provide assistance pursuant to §5(5).
(4) The Controller shall inform the Processor without delay if it discovers errors or irregularities in the processing of personal data.
§7 Sub-Processors (Annex 3)
(1) The Controller grants general authorization for the use of sub-processors. The full, versioned list of approved sub-processors is set out in Annex 3 (v1.0; 17 May 2026) below. Subscribe to change notifications at legal@quotexelerator.com.
Annex 3: Approved Sub-processors · v1.0 · 17 May 2026
| # | Sub-processor (legal entity, country) | Processing location | Service / purpose | Categories of personal data | Transfer mechanism | Certifications | Date added |
|---|---|---|---|---|---|---|---|
| 1 | Supabase Inc. / Supabase Pte. Ltd.; 970 Toa Payoh North #07-04, Singapore 318992 (exact contracting entity per signed DPA) | EU (AWS eu-central-1, Frankfurt) | Primary Postgres database, authentication, storage; in-region backups | Reseller user accounts, hashed/HMAC credentials, deal/quote metadata, cached HubSpot portal identifiers, application logs | SCCs Module 3 (extra-EU contracting entity; processing itself in EU) | SOC 2 Type II; ISO 27001 (see Supabase trust portal for current scope details) | 2026-01-01 |
| 2 | Vercel Inc.; 340 S Lemon Ave #4133, Walnut, CA 91789, USA | Application in EU (fra1 / dub1); edge metadata via US (see note) | App hosting, serverless functions | IP, request headers, access logs (no application data) | SCCs Module 3 + EU-US DPF | SOC 2 II; ISO 27001; DPF | 2026-01-01 |
| 3 | Resend, Inc.; San Francisco, CA, USA | Account data, logs, and email metadata stored in the US. Sending egress region eu-west-1 (Ireland) covers outbound SMTP only. | Transactional email (subscription confirmations, payment failures, cancellations, founding-member emails) | Recipient email, sender email, subject, delivery metadata, bounce/complaint data | SCCs Module 3 + EU-US DPF | DPF-certified (see Resend trust portal for further attestations) | 2026-01-01 |
| 4 | Anthropic, PBC; 548 Market Street, PMB 90375, San Francisco, CA 94104, USA | US default (anthropic.com API). EU-only routing via AWS Bedrock or GCP Vertex AI available on activation. | LLM inference for AI-assisted incident investigation | Redacted incident metadata, redacted error stacks, technical context (severity, action, error code, request path, occurrence count, fingerprints). Designed to redact emails, names, quote payloads, and deal/line-item data before transmission; pattern-based, best-effort. | SCCs Module 3. PII redaction before transmission; no training use (Anthropic Commercial Terms). TIA on request. | ISO 27001:2022; ISO 42001:2023; SOC 2 Type I+II; HIPAA-ready | 2026-05-17 |
| 5 | GitHub B.V.; Prins Bernhardplein 200, 1097 JB Amsterdam, Netherlands (EU contracting entity; parent: GitHub Inc. / Microsoft Corp., USA) | Microsoft Azure regions (NL primary; EU + US edge) | Source code hosting; CI/CD via GitHub Actions including the incident-investigator workflow | Repository contents (no plaintext customer PII); Actions logs containing redacted incident metadata | SCCs Module 3 + EU-US DPF (Microsoft) | ISO 27001; ISO 27018; SOC 2 Type II; DPF-certified | 2026-05-17 |
| 6 | HubSpot Ireland Limited; Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland (parent: HubSpot, Inc., Cambridge, MA, USA) | EU when customer elects EU residency; otherwise US (HubSpot, Inc.) | Three-part role: (a) HubSpot is the reseller-customer's own processor for in-portal data; Nomadyr UG is not controller for this and HubSpot is not Nomadyr's sub-processor for this scope; (b) HubSpot is Nomadyr's sub-processor only for portal data cached in Supabase via OAuth-granted access (deal IDs, contact emails for notifications, line-item snapshots, OAuth tokens); (c) the marketplace-developer relationship is governed by HubSpot Business Partner Terms and is outside this DPA. Marketing-site analytics cookies (visitor and session tracking) are processed by HubSpot Ireland Limited as EU controller when the visitor accepts Analytics consent; cookie details in the banner and on request. | Contact email, deal ID, line-item IDs and amounts, portal_ref, OAuth access/refresh tokens; (cookies) IP, cookie IDs, page URLs, event timestamps, user-agent, email when matched to existing contact | EU-EU (Ireland) under adequacy if customer elects EU residency; otherwise SCCs Module 3 + EU-US DPF for transfer to HubSpot, Inc. (USA) | ISO 27001; ISO 27018; SOC 2 Type II; DPF-certified | 2026-01-01 |
Note on US transfers. Your actual application data (quote contents, deal records, line items, audit logs, customer information) is processed exclusively in the EU (Frankfurt / Dublin) and is not sent to US servers. For US-based sub-processors, only the following data crosses to the United States:
- Vercel: only connection metadata (IP address, HTTP request headers, edge access logs) for DDoS protection and Web Application Firewall (WAF), i.e., defending against cyber-attacks.
- Resend: account data, logs and email metadata (recipient address, subject, delivery status) are stored in the US. Outbound SMTP egress region is EU (Ireland).
- Anthropic: only redacted technical incident metadata (error codes, PII-stripped stack traces, request paths) for the AI-assisted incident investigator; no customer data, no quote contents, no plaintext emails (see §7b).
- GitHub: repository contents and redacted workflow logs of the investigator workflow.
(2) The Processor shall notify the Controller at least 30 calendar days in advance by email to the Controller's designated administrator address before engaging or replacing a sub-processor.
(3) The Controller may object to the change in writing on substantive grounds within 10 business days of receiving the notification.
(4) On a sustained objection, the Controller may (a) terminate the affected service component or the Main Agreement effective at the end of the then-current billing period and (b) receive its data on written request to legal@quotexelerator.com within 30 days in a structured, commonly used, and machine-readable format. No refund of fees already paid (including pre-paid periods) shall be due.
(5) The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA, pursuant to Art. 28(4) GDPR. The Processor shall be liable to the Controller for the performance of each sub-processor's obligations within the scope of the liability limitation set out in Terms of Service §10, to the extent permissible under the GDPR. Mandatory GDPR liability rules (in particular Art. 82 GDPR), as well as intent and gross negligence, remain unaffected.
§7a Independent Controllers
Certain processing operations connected to the Service are carried out not on Nomadyr's behalf but by independent controllers within the meaning of Art. 4(7) GDPR. These entities are not sub-processors and are not part of Annex 3:
Stripe Payments Europe, Limited (SPEL), 1 Grand Canal Street Lower, Dublin D02 H210, Ireland; independent controller for payment processing, fraud and AML/KYC controls, and regulatory compliance. Note: Stripe Technology Company Limited (STC) additionally acts as a further EMEA/APAC controller entity from January 2026. Stripe's processing is governed by Stripe's own DPA at stripe.com/legal/dpa and is not subject to this DPA. Nomadyr UG transmits only data strictly necessary for payment (billing address, payment method, customer ID, amount, receipt) to Stripe.
§7b Automated Processing; AI Systems
For incident investigation, QuoteXelerator uses the large-language model Claude provided by Anthropic, PBC. Pursuant to Art. 50 of Regulation (EU) 2024/1689 (EU AI Act), users are notified of this through this DPA and the Privacy Policy. The investigator does not interact directly with end users; it processes only redacted technical incident metadata in the backend.
Anthropic does NOT use submitted inputs to train or improve its models, per Anthropic Commercial Terms. Standard retention: 30 days (API inference logs), 7 days (trust-and-safety logs).
Before transmission to Anthropic, incident details pass through a pattern-based redaction routine designed to catch common PII and secret patterns (email addresses, bearer tokens, Stripe keys, HubSpot PATs, JWTs, long hex strings). Redaction is implemented as a data-minimisation measure rather than a formal guarantee; the residual risk of unusual token formats slipping through is acknowledged and is mitigated by a contractual no-training warranty, short vendor retention, and a documented Transfer Impact Assessment.
A Transfer Impact Assessment (TIA) per Schrems II is on file for the Anthropic transfer and available on request.
When the investigator runs: on a production error, redacted technical context (error stacks, incident metadata) is transmitted to Anthropic for automated diagnosis. No plaintext customer names, emails, quote contents, or deal/line-item data are intentionally transmitted.
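Added example (not the Processor's code, which this agreement does not publish): a Python sketch of the kind of pattern-based, best-effort redaction §7b describes, run over a constructed incident record. The token shapes (Stripe sk_/rk_ keys, HubSpot pat-<region>-<uuid> tokens, JWTs, bearer tokens, 32+ character hex runs) are assumptions about plausible formats, and the last line of the sample shows the acknowledged limitation: an unfamiliar token format passes through unredacted.

```python
import re
from typing import Any

# Constructed, illustrative patterns for the categories §7b names. The token
# shapes are assumptions about plausible formats, not the Processor's own
# rules. Order matters: specific shapes run before the generic hex catch-all
# so each value is labelled by its most specific category.
PATTERNS = [
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("BEARER", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{16,}", re.IGNORECASE)),
    ("STRIPE_KEY", re.compile(r"\b[sr]k_(?:live|test)_[A-Za-z0-9]{8,}\b")),
    ("HUBSPOT_PAT", re.compile(
        r"\bpat-[a-z]{2}\d-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b")),
    ("EMAIL", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
    ("HEX", re.compile(r"\b[0-9a-fA-F]{32,}\b")),
]


def redact_text(text: str) -> tuple[str, dict[str, int]]:
    """Replace each match with a category placeholder; return text and counts."""
    counts: dict[str, int] = {}
    for name, pattern in PATTERNS:
        text, hits = pattern.subn(f"[REDACTED_{name}]", text)
        if hits:
            counts[name] = counts.get(name, 0) + hits
    return text, counts


def redact_incident(incident: dict) -> tuple[dict, dict[str, int]]:
    """Walk nested dicts/lists of incident metadata, redacting every string leaf.
    Non-string leaves (counts, severities) and dict keys pass through unchanged."""
    totals: dict[str, int] = {}

    def walk(value: Any) -> Any:
        if isinstance(value, str):
            cleaned, counts = redact_text(value)
            for name, hits in counts.items():
                totals[name] = totals.get(name, 0) + hits
            return cleaned
        if isinstance(value, dict):
            return {key: walk(inner) for key, inner in value.items()}
        if isinstance(value, list):
            return [walk(inner) for inner in value]
        return value

    return walk(incident), totals


# Constructed sample incident; every secret below is fake.
SAMPLE_INCIDENT = {
    "severity": "high",
    "action": "lineitem.create",
    "error_code": "HUBSPOT_401",
    "request_path": "/api/quotes/transform",
    "occurrence_count": 3,
    "stack": (
        "HubSpotError: 401 for owner jane.doe@example.com\n"
        "  Authorization: Bearer a1b2c3d4e5f6g7h8i9j0klmn\n"
        "  id_token=eyJhbGciOiJIUzI1NiJ9.eyJwb3J0YWwiOjEyM30.abcDEF123_-xyz\n"
        "  hubspot_pat=pat-eu1-12345678-1234-1234-1234-123456789abc\n"
        "  stripe_key=sk_test_abcdefghijklmnop1234\n"
        "  trace_id=0123456789abcdef0123456789abcdef\n"
        "  session=xk9.secret.AbC123 (unfamiliar format: passes through)"
    ),
}
```

Calling `redact_incident(SAMPLE_INCIDENT)` returns the record with six placeholders substituted and a per-category count, while the `session=` value survives untouched, which is exactly the residual risk §7b describes.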
§8 Data Breach Notification
(1) The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach within the meaning of Art. 4(12) GDPR, pursuant to Art. 33(2) GDPR.
(2) The notification shall contain, to the extent available:
- A description of the nature of the personal data breach, including the categories and approximate number of data subjects and records concerned
- The name and contact details of the Processor's point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach and, where appropriate, to mitigate its possible adverse effects
(3) Where information cannot be provided simultaneously, the Processor shall provide the information in phases without undue further delay.
(4) The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, containment, and remediation of the breach.
§9 Audit and Demonstration
(1) The Processor shall make available to the Controller, upon reasonable request, the Processor's own documentation necessary to demonstrate compliance with the obligations under this DPA and Art. 28 GDPR. This includes in particular the technical and organizational measures documented in the TOM annex.
(2) For certifications and reports of sub-processors (e.g., SOC 2 Type II reports), the Processor will refer the Controller to the public trust or compliance pages of the respective sub-processors. These reports are subject to the confidentiality terms of the respective vendor and are made available directly by the vendor; the Processor is not obligated to forward such reports where confidentiality agreements with the sub-processor preclude redistribution.
(3) The Processor shall respond to reasonable documentation requests from the Controller promptly, in any event within 30 days.
§10 International Data Transfers
(1) The Processor's primary application infrastructure (database, serverless functions) is pinned to the European Union (Frankfurt, Germany). Application data (quote contents, deal records, line items, audit logs, customer information) is processed exclusively in the EU and never sent to US servers. Per-vendor transfer mechanisms for any metadata-level or service-level US transfer are listed for each row in Annex 3 (§7). Specifically: at Vercel, only connection metadata (IPs, request headers, edge access logs) traverses the US edge for DDoS protection and the Web Application Firewall, and no application data does; at Resend, account data, logs, and email metadata are stored in the US even when the sending region is the EU; at Anthropic (US by default), LLM inference processes redacted technical metadata only. See the per-row transfer mechanism in Annex 3.
(2) Where a sub-processor is established in a third country without an adequacy decision, the Processor concludes the EU Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914, Module Three (processor-to-sub-processor) with that sub-processor. A Schrems II Transfer Impact Assessment is on file and available on request.
(3) Residual risk acknowledgement: despite EU Standard Contractual Clauses and supplementary measures, a residual risk from US surveillance laws (in particular FISA 702, EO 12333, Cloud Act) on transfers to US sub-processors cannot be fully excluded. The Processor limits this risk through data minimisation, pattern-based redaction of personal data prior to transmission to external AI providers (see §7b), short vendor retention, contractual no-training warranties for AI inference, and a documented Transfer Impact Assessment available on request.
(4) The Controller may, upon reasonable written request, obtain copies of the relevant transfer safeguards (in particular EU Standard Contractual Clauses). The Processor shall respond to such requests within 30 days. Where the transfer safeguards are publicly available on the trust or compliance pages of the respective sub-processors, a reference to those pages is sufficient.
§11 Deletion and Return
(1) After termination of the Main Agreement, the Processor shall delete all personal data processed on behalf of the Controller within 90 days, with the following exceptions due to mandatory statutory retention obligations:
- Payment and billing data: 10 years pursuant to § 147 AO and § 257 HGB (German tax and commercial law).
- Audit logs: subscription duration + 90 days, then automatic deletion.
- Any further mandatory retention obligations under EU or member state law applicable at the time of contract termination.
(2) Prior to contract termination, the Controller may request a data export in a structured, commonly used, and machine-readable format.
(3) The Processor shall confirm deletion in writing upon the Controller's request.
§12 Liability
(1) Each party shall be liable for damages caused by processing that infringes the GDPR, pursuant to Art. 82 GDPR.
(2) The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed at processors, or where it has acted outside of or contrary to lawful instructions of the Controller.
(3) The liability provisions of the Main Agreement, in particular the liability cap set out in Terms of Service §10, apply supplementarily to the extent they do not conflict with the GDPR. The liability cap does not apply in cases of intent, gross negligence, breach of essential contractual obligations (cardinal obligations), or mandatory GDPR liability rules (in particular Art. 82 GDPR).
§13 Term and Termination
(1) This DPA enters into force upon conclusion of the Main Agreement and applies for the duration of the Main Agreement.
(2) This DPA cannot be terminated independently of the Main Agreement, except as provided in §7(4) (objection to sub-processor).
(3) Obligations under this DPA that by their nature survive termination (in particular §§ 8, 11, 12, and 14) shall remain in effect until all personal data has been fully deleted.
§14 Governing Law and Jurisdiction
(1) This DPA is governed by the laws of the Federal Republic of Germany, excluding its conflict of law provisions.
(2) The exclusive jurisdiction for all disputes arising from or in connection with this DPA is Berlin, Germany.
§15 Technical and Organizational Measures
The technical and organizational measures pursuant to Art. 32 GDPR are documented in the TOM annex, which forms an integral part of this DPA, is reviewed and updated regularly, and is publicly available. For questions: legal@quotexelerator.com.
Execute This DPA
To countersign this DPA for your organization, email legal@quotexelerator.com with your company name and signatory contact. We will send a PDF version pre-filled with your details for signature.
For technical and organizational measures referenced throughout this agreement, see the TOM annex. For the German legally binding version, see the AVV.