Data Processing Agreement
Last updated: June 2026
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the customer organization ("Controller") and Aron-Frederic Seiffert und Markus Ehret GbR (trading as Logistry GbR) ("Processor") concerning the use of SpecMCP.
This DPA applies where the Processor processes personal data on behalf of the Controller within the meaning of Art. 28 GDPR.
1. Subject Matter and Duration
The Processor provides the SpecMCP service and processes personal data as necessary to provide, secure, maintain, and support that service.
Processing lasts for the duration of the customer's use of the service, unless a shorter period results from deletion, return, or termination obligations under this DPA.
2. Nature and Purpose of Processing
Processing may include:
- hosting and storage,
- authentication and access control,
- organization and user administration,
- usage logging,
- support and troubleshooting,
- email delivery,
- billing administration,
- and technically necessary data transfers in the course of using the service.
The purpose of processing is to provide the SpecMCP service to the Controller and its authorized users.
3. Categories of Data Subjects
Data subjects may include:
- employees, contractors, and authorized users of the Controller,
- administrators and workspace owners,
- billing and contact persons,
- and, depending on use, persons whose data appears in customer-provided content.
4. Categories of Personal Data
Processed personal data may include:
- name,
- business email address,
- account identifiers,
- organization membership and role data,
- authentication and session data,
- usage and log data,
- support communications,
- billing contact data,
- and customer content or metadata submitted through the service.
Special categories of personal data under Art. 9 GDPR are not intended to be processed. The Controller remains responsible for determining whether such data is uploaded or submitted and whether that is lawful.
5. Instructions
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers to a third country or international organization, unless required to do so by Union or Member State law.
The agreement, customer configuration, and use of the service constitute the Controller's documented instructions, supplemented by any written instructions agreed between the parties.
If the Processor believes an instruction infringes applicable data protection law, the Processor will inform the Controller unless prohibited by law.
6. Confidentiality
The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality.
7. Security Measures
The Processor shall implement appropriate technical and organizational measures under Art. 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
These measures may include, as appropriate:
- access controls,
- role-based authorization,
- encryption in transit,
- secure credential handling,
- logging and monitoring,
- backup procedures,
- and measures to restore availability and access in a timely manner after incidents.
The Processor may update and improve its security measures over time, provided the overall level of protection is not materially reduced.
8. Assistance to the Controller
Taking into account the nature of processing and the information available to the Processor, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's obligations regarding:
- data subject rights,
- security of processing,
- personal data breaches,
- data protection impact assessments,
- and prior consultation obligations.
The Controller remains responsible for responding to data subject requests and regulatory obligations as Controller.
9. Personal Data Breaches
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA.
The notification shall include the information reasonably available to the Processor at the time and may be supplemented as further information becomes available.
10. Subprocessors
The Controller grants the Processor a general authorization to engage subprocessors.
The current subprocessors are listed on the Processor's public subprocessor page. The Processor may add or replace subprocessors where appropriate for the operation of the service.
Where required by Art. 28 GDPR, the Processor shall impose data protection obligations on subprocessors that are no less protective than those set out in this DPA, insofar as applicable to the nature of the services provided by the subprocessor.
11. International Transfers
Where personal data is transferred to recipients in third countries, the Processor shall ensure that an appropriate transfer mechanism is in place where required by applicable law, such as adequacy decisions, standard contractual clauses, or another lawful transfer mechanism.
12. Deletion and Return
Upon termination of the services, the Processor shall delete or return personal data to the Controller, unless Union or Member State law requires storage.
Operationally, data may remain in backups until the relevant backup cycle expires. Customer data is otherwise deleted in accordance with the Processor's retention and deletion practices.
13. Information and Audit
The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA.
Audits or inspections shall be exercised in a manner that is reasonable, proportionate, and does not unreasonably interfere with the Processor's operations, security, or obligations to other customers. The parties may agree on confidentiality, notice periods, scope limitations, and reimbursement of reasonable costs.
14. Priority
If there is a conflict between this DPA and other contractual terms between the parties concerning data protection processing on behalf of the Controller, this DPA shall prevail to the extent of the conflict.