Data Processing Agreement

Pursuant to Article 28 GDPR · Last updated: March 2026

Parties

The Controller:

(Client Name / Company Name, Street Address, City, Country)

The Processor:

Alexander Zalana

Zalana Mentaltraining

Am Steinbach 35, 84544 Aschau a. Inn, Germany

Email: info@zalana-mentaltraining.de

Phone: +49 8638 209 94 14

Preamble

The Controller and the Processor have entered into a service agreement for the provision of mental training services (the "Principal Agreement"). In the course of performing the Principal Agreement, the Processor processes personal data on behalf of the Controller.

This Data Processing Agreement ("DPA") sets out the Parties' obligations regarding the protection of personal data in accordance with Article 28 of the GDPR and the German Federal Data Protection Act (BDSG). This DPA is an integral part of the Principal Agreement.

Section 1: Subject Matter and Duration of Processing

1.1 Subject Matter

The Processor processes personal data on behalf of the Controller in connection with the provision of mental training coaching services, including session scheduling, session delivery, session documentation, AI-assisted transcription using the Whisper speech recognition model (where applicable and consented to), local Named Entity Recognition (NER) anonymization of transcripts, storage of anonymized session data in a Retrieval-Augmented Generation (RAG) vector database, and the management of the coaching relationship.

All processing is performed exclusively on infrastructure hosted by STACKIT (Schwarz IT KG) within data centers located in the Federal Republic of Germany.

1.2 Duration

This DPA shall remain in force for the duration of the Principal Agreement. Upon termination, this DPA shall continue to apply until all personal data has been deleted or returned in accordance with Section 10.

1.3 Applicable Law

This DPA is governed by the laws of the Federal Republic of Germany and the GDPR.

Section 2: Nature and Purpose of Processing

The Processor processes personal data solely for the purpose of performing the obligations under the Principal Agreement, specifically:

  • (a) Administration and scheduling of mental training sessions;
  • (b) Delivery of mental training services, including remote coaching sessions;
  • (c) Audio recording of coaching sessions (where explicit consent is provided pursuant to Article 9(2)(a) GDPR);
  • (d) AI-assisted transcription using Whisper, operated entirely on the Processor's local server infrastructure hosted by STACKIT in Germany -- no audio data is transmitted to any external API;
  • (e) Local Named Entity Recognition (NER) anonymization of session transcripts to remove identifiable personal data;
  • (f) Storage of anonymized transcripts in a RAG vector database hosted on the same STACKIT infrastructure;
  • (g) Secure storage of client data in an encrypted SQLite database on STACKIT infrastructure;
  • (h) Hosting and operation of the web application;
  • (i) Processing of inquiries submitted via the lead capture form (email address, SHA-256 hashed IP address).

The Processor shall not process personal data for any purpose other than those described in this DPA and the Principal Agreement.

Section 3: Types of Personal Data

3.1 General Personal Data

  • Full name (first name, last name)
  • Email address
  • Telephone number
  • Business address and/or private address
  • Company name, job title, and position
  • IP address (stored only as a SHA-256 hash computed at the point of collection; because the IPv4 address space is small enough to enumerate, such a hash is pseudonymization within the meaning of Article 4(5) GDPR rather than irreversible anonymization, which is why it is listed here as personal data)
  • User agent string, timestamps, and request metadata from server logs
  • Contract and invoicing data
  • Scheduling and session attendance data
  • Communication content (emails, messages, inquiry form submissions)

3.2 Special Categories of Personal Data (Article 9 GDPR)

Where the data subject has provided explicit consent pursuant to Article 9(2)(a) GDPR:

  • Audio recordings of mental training sessions, which may contain data concerning health or psychological state
  • Transcripts of mental training sessions (prior to anonymization)
  • Session notes and documentation that may reference the data subject's mental or emotional state

Section 4: Categories of Data Subjects

  • (a) Prospective clients (individuals who submit inquiries);
  • (b) Active clients (individuals currently receiving mental training services);
  • (c) Former clients (individuals whose data is retained for statutory retention periods);
  • (d) Contact persons of corporate clients;
  • (e) Website visitors (to the extent server log data constitutes personal data).

Section 5: Obligations of the Processor

5.1 Lawful Processing

The Processor shall process personal data only on the documented instructions of the Controller (Article 28(3)(a) GDPR).

5.2 Confidentiality

The Processor shall ensure that all persons authorized to process personal data have committed themselves to confidentiality (Article 28(3)(b) GDPR).

5.3 Technical and Organizational Measures

The Processor shall implement appropriate technical and organizational measures in accordance with Article 32 GDPR. The specific measures are set out in Annex 1.

5.4 Sub-Processing

The Processor shall not engage another processor without the prior authorization of the Controller. See Section 8.

5.5 Assistance with Data Subject Rights

The Processor shall assist the Controller, taking into account the nature of the processing and by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to data subject requests under Chapter III of the GDPR (Articles 15-22), in accordance with Article 28(3)(e) GDPR.

5.6 Assistance with Security, Breach Notification, and DPIAs

The Processor shall assist the Controller in ensuring compliance with Articles 32 to 36 GDPR (security of processing, breach notification, data protection impact assessments and prior consultation), taking into account the nature of the processing and the information available to the Processor (Article 28(3)(f) GDPR). In particular, the Processor shall notify the Controller without undue delay, and in any event within twenty-four (24) hours, after becoming aware of a personal data breach, so that the Controller can meet its own seventy-two (72) hour notification deadline under Article 33(1) GDPR. The notification shall include:

  • A description of the nature of the breach;
  • The categories and approximate number of data subjects affected;
  • A description of the likely consequences;
  • A description of the measures taken or proposed to address the breach.

5.7 Deletion and Return of Data

Upon termination of the Principal Agreement, the Processor shall delete or return all personal data to the Controller. See Section 10.

5.8 Audit and Inspection

The Processor shall make available all information necessary to demonstrate compliance with Article 28 GDPR and shall allow for audits and inspections. See Section 11.

5.9 Information Obligations

The Processor shall immediately inform the Controller if an instruction infringes the GDPR or other data protection provisions.

Section 6: Obligations of the Controller

(6.1) The Controller is responsible for ensuring that the processing is lawful, including obtaining explicit consent for special category data under Article 9(2)(a) GDPR.

(6.2) The Controller shall provide documented instructions regarding the processing of personal data.

(6.3) The Controller shall inform the Processor of errors or irregularities without undue delay.

(6.4) The Controller remains responsible for fulfilling data subject rights requests and breach notifications.

Section 7: Instructions

(7.1) The Processor shall process personal data only on the basis of the Controller's documented instructions. Additional or amended instructions shall be issued in writing.

(7.2) The Processor shall keep a record of all instructions received from the Controller.

(7.3) If the Processor believes an instruction would infringe the GDPR, the Processor shall suspend execution and notify the Controller without undue delay.

Section 8: Sub-Processors

8.1 Authorized Sub-Processors

The following sub-processor is engaged:

STACKIT (Schwarz IT KG)

Stiftsbergstraße 1, 74172 Neckarsulm, Germany

Service: Cloud hosting infrastructure (compute, storage, network)

Data processed: All personal data stored on the Processor's servers

Location: Germany (data centers in Germany exclusively)

DPA concluded pursuant to Article 28 GDPR.

No sub-processors outside the Federal Republic of Germany are engaged.

8.2 Changes to Sub-Processors

The Processor shall inform the Controller in writing at least thirty (30) days before the engagement of any new sub-processor.

8.3 Right to Object

If the Controller objects on reasonable data protection grounds, the Parties shall discuss in good faith. If no solution is found within thirty (30) days, the Controller may terminate the affected parts of the Principal Agreement without penalty.

8.4 Obligations Regarding Sub-Processors

The Processor shall impose on sub-processors the same data protection obligations, remain fully liable for sub-processor performance, and ensure processing only within Germany.

Section 9: Transfers to Third Countries

(9.1) The Processor shall not transfer personal data to any country outside the EEA without the Controller's prior written authorization and appropriate safeguards.

(9.2) As of the date of this DPA, no third-country transfers occur. All processing takes place exclusively within Germany on STACKIT infrastructure. In particular:

  • The Whisper transcription model runs locally on STACKIT-hosted servers in Germany;
  • The NER anonymization pipeline runs locally on STACKIT-hosted servers in Germany;
  • The RAG vector database is hosted on STACKIT-hosted servers in Germany;
  • All website content is served from STACKIT-hosted servers in Germany;
  • No US-based cloud services (AWS, GCP, Azure, Cloudflare) are used.

(9.3) The Processor shall immediately notify the Controller if it becomes subject to any legal obligation requiring third-country disclosure.

Section 10: Deletion and Return of Personal Data

(10.1) Upon termination, the Processor shall, at the Controller's written election: (a) return all personal data in a structured, commonly used format; or (b) delete all personal data within thirty (30) days.

(10.2) If the Controller does not provide an instruction within thirty (30) days of termination, the Processor shall delete all personal data within a further thirty (30) days.

(10.3) The Processor shall provide written confirmation of deletion upon request.

(10.4) Statutory retention requirements override the deletion obligation; the Processor shall restrict processing to the mandatory retention purpose and delete upon expiration.

Specific Deletion Provisions for Special Category Data

  • Audio recordings: Deleted within forty-eight (48) hours after successful transcription and anonymization.
  • Transcripts (pre-anonymization): Deleted immediately after the NER anonymization process has been completed and verified.
  • Anonymized data: Data that has been fully and irreversibly anonymized is no longer personal data within the meaning of Article 4(1) GDPR (see Recital 26) and is not subject to deletion obligations. Whether the NER output meets that standard depends on whether the remaining content still allows the data subject to be identified by means reasonably likely to be used; where it does, the data remains pseudonymized personal data and the deletion provisions of this Section 10 continue to apply to it.

Section 11: Audit Rights

(11.1) The Processor shall respond to written requests for information within fourteen (14) days.

(11.2) The Controller has the right to conduct audits, including on-site inspections, to verify compliance with this DPA.

(11.3) Audits shall be conducted with at least thirty (30) days written notice during normal business hours.

(11.4) The Processor may satisfy audit requirements by providing current independent third-party audit reports or certifications (e.g., ISO 27001, SOC 2 Type II).

(11.5) Audit costs shall be borne by the Controller, unless the audit reveals a material breach by the Processor.

(11.6) The Processor shall cooperate fully with any audit.

Section 12: Liability

(12.1) Liability shall be governed by Article 82 GDPR.

(12.2) The Processor shall be liable only where it has not complied with obligations specifically directed to processors or has acted outside the Controller's lawful instructions.

(12.3) Each Party shall indemnify the other against claims arising from the indemnifying Party's breach of this DPA.

(12.4) Liability for intentional or grossly negligent breaches shall not be limited. Administrative fines cannot be transferred between Parties.

(12.5) Where both Parties are responsible for processing damage, each shall be held liable for the entire damage to ensure effective compensation (Article 82(4) GDPR), with internal recourse rights.

Section 13: Final Provisions

(13.1) Amendments and supplements must be made in writing (email is sufficient).

(13.2) If any provision is or becomes invalid, the remaining provisions shall not be affected.

(13.3) This DPA shall be governed by the laws of the Federal Republic of Germany.

(13.4) The exclusive place of jurisdiction shall be Mühldorf am Inn, Germany, to the extent permitted by law.

(13.5) This DPA, together with its Annexes, constitutes the entire agreement with respect to the processing of personal data.

Annex 1: Technical and Organizational Measures (Article 32 GDPR)

A.1 Confidentiality

Physical Access Control: All server infrastructure is hosted by STACKIT in data centers located exclusively in Germany. Multi-layer physical security including perimeter fencing, 24/7 security personnel, CCTV surveillance, and electronic access control systems.

Logical Access Control: Access restricted to the Processor as the sole authorized administrator. SSH key-based authentication only. Password-based SSH access is disabled. MFA enabled where supported. IP allowlisting where feasible. All administrative actions are logged.

Data Access Control: SQLite database access restricted to the application process and sole administrator. Database files stored on encrypted storage volumes. Application-level access controls. IP addresses stored exclusively as SHA-256 hashes computed at the point of collection; the raw address is not persisted. An unkeyed hash of an IPv4 address can be reversed by enumerating the address space, so the stored hash is treated as pseudonymized personal data rather than as anonymous data.
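The following is an added illustration by the editor, not code from Zalana Mentaltraining's application, showing why a plain SHA-256 of an IP address is a pseudonym rather than an irreversible identifier: the attacker simply hashes every candidate address and compares. It assumes the hash is computed over the dotted-quad string, uses a constructed address from the RFC 5737 documentation range, and contrasts the unkeyed hash with an HMAC-SHA256 under a secret key (a keyed construction the DPA does not mention, shown here as the usual hardening). The 32-byte key and the helper names are the editor's own.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Optional

# Constructed sample address from the TEST-NET-3 documentation range (RFC 5737).
SAMPLE_IP = "203.0.113.42"
SAMPLE_NET = "203.0.113.0/24"


def sha256_ip(ip: str) -> str:
    """Unkeyed SHA-256 of the textual address, as the DPA describes."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def hmac_ip(ip: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 under a secret key held only by the Processor."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def recover_ip(target_hex: str, network: str,
               hasher: Callable[[str], str] = sha256_ip) -> Optional[str]:
    """Attacker's view: enumerate every host in `network`, hash it the same way, compare.

    The entire IPv4 space is only 2**32 addresses, so this loop over a /24 is a
    scaled-down version of an attack that is practical against the full range.
    """
    for host in ipaddress.ip_network(network).hosts():
        if hmac.compare_digest(hasher(str(host)), target_hex):
            return str(host)
    return None


def demo() -> dict:
    """Unkeyed hash is reversed by enumeration; keyed hash is not without the key."""
    plain = sha256_ip(SAMPLE_IP)
    key = secrets.token_bytes(32)   # per-deployment secret, kept outside the log store
    keyed = hmac_ip(SAMPLE_IP, key)
    return {
        "plain_recovered": recover_ip(plain, SAMPLE_NET),   # the address comes back
        "keyed_recovered": recover_ip(keyed, SAMPLE_NET),   # None: attacker lacks the key
        # The key holder can still link records, which is what makes this pseudonymous.
        "keyed_recovered_with_key": recover_ip(keyed, SAMPLE_NET,
                                               lambda ip: hmac_ip(ip, key)),
    }


if __name__ == "__main__":
    print(demo())
```

The keyed variant is still pseudonymization under Article 4(5) GDPR, because whoever holds the key can re-link the value; rotating the key (for example daily) additionally limits how long visits can be correlated, at the cost of losing cross-day linkage.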

Separation of Environments: Production and development environments are logically separated. No personal data used in development or testing.

A.2 Integrity

Data Transfer Control: All data in transit encrypted using TLS 1.2 or higher via Caddy web server. mTLS authentication with Revolut Business API. Internal communication secured by network-level encryption. Outdated cipher suites disabled.

Data Input Control: All data inputs validated and sanitized. Parameterized database queries. Content sanitization against XSS and injection attacks. All changes logged with timestamps.

A.3 Availability and Resilience

Availability Control: STACKIT provides infrastructure-level redundancy. Regular automated backups stored on encrypted storage within Germany. Documented and tested backup restoration procedures.

Recoverability: Services can be restored from backups within a defined recovery time objective. Documented disaster recovery procedures.

A.4 Regular Testing and Evaluation

Data Protection Management: Annual review and update of technical and organizational measures. Monitoring of data protection developments. Documentation of all processing activities per Article 30 GDPR.

Incident Response: Documented incident response procedure. Breach reporting to Controller within twenty-four (24) hours.

Privacy by Design and by Default (Article 25 GDPR): Minimum data collection. IP hashing at point of collection. NER anonymization as integral pipeline step. Local Whisper AI and NER processing only. RAG vector database stores only anonymized content. All website content self-hosted.

A.5 Special Category Data -- Additional Measures

  • Audio recordings and transcripts stored in separate, access-restricted directories
  • Audio recordings auto-deleted within forty-eight (48) hours after transcription
  • Pre-anonymization transcripts deleted immediately upon NER completion
  • Access limited exclusively to the Processor and the automated pipeline
  • No special category data in backups unless encrypted and access-restricted
  • Explicit consent documented separately for each data subject and engagement

A.6 AI Processing Pipeline -- Specific Measures

  • Whisper transcription: Deployed locally on STACKIT GPU/CPU infrastructure. No audio data leaves the server environment. No third-party transcription API is used.
  • NER anonymization: Deployed locally on STACKIT infrastructure. Identifies and removes personal identifiers from transcripts.
  • RAG vector database: Stores only anonymized text embeddings. Original transcripts not stored in the vector database. Hosted on STACKIT in Germany.
  • Model updates: Performed using publicly available model weights downloaded to local infrastructure. No personal data used for training.
  • No external AI services: No OpenAI API, Google Vertex AI, AWS Bedrock, Azure OpenAI, or similar services are used.
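The ordering that A.5, A.6 and Section 10 require (anonymize, verify, only then delete the raw transcript, and delete the audio 48 hours after that) is the part of the pipeline most easily broken by a careless cron job. The following is an added illustration by the editor, not the Processor's pipeline code. It assumes a hypothetical per-session directory layout (`audio.*`, `transcript_raw.txt`, `transcript_anon.txt`) and an `anonymized_at` marker file, and stands in for the verification step with a residual-identifier check (identifiers known from the client record plus email and phone patterns) rather than a second NER pass. Sample sessions and identifiers are constructed for the example.

```python
import re
import tempfile
from pathlib import Path
from typing import Iterable, List

AUDIO_RETENTION_SECONDS = 48 * 3600

# Deliberately coarse patterns: a false positive only holds a session back for review,
# while a false negative would let an identifier reach the RAG store, so we err toward flagging.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?(?:\d[ /-]?){8,}\d")


def residual_identifiers(anonymized_text: str, known_identifiers: Iterable[str]) -> List[str]:
    """Return identifiers the NER step should have removed but which are still present."""
    hits = []
    lowered = anonymized_text.lower()
    for ident in known_identifiers:
        if ident and ident.lower() in lowered:
            hits.append(ident)
    hits.extend(EMAIL_RE.findall(anonymized_text))
    hits.extend(PHONE_RE.findall(anonymized_text))
    return hits


def finalize_session(session_dir: Path, known_identifiers: Iterable[str], now: float) -> bool:
    """Delete the raw transcript only after the anonymized copy passes verification.

    On success the session is stamped with the verification time, which starts the
    48-hour clock for the audio file. On failure nothing is deleted or stamped: the raw
    transcript stays for a re-run and the audio never becomes eligible for the sweep.
    """
    raw = session_dir / "transcript_raw.txt"
    anon = session_dir / "transcript_anon.txt"
    if residual_identifiers(anon.read_text(encoding="utf-8"), known_identifiers):
        return False
    raw.unlink()
    (session_dir / "anonymized_at").write_text(repr(now), encoding="ascii")
    return True


def sweep_expired_audio(root: Path, now: float) -> List[Path]:
    """Remove audio files whose verification stamp is at least 48 hours old."""
    deleted = []
    for marker in sorted(root.glob("*/anonymized_at")):
        if now - float(marker.read_text(encoding="ascii")) >= AUDIO_RETENTION_SECONDS:
            for audio in marker.parent.glob("audio.*"):
                audio.unlink()
                deleted.append(audio)
    return deleted


def make_sample_root() -> Path:
    """Constructed data: one clean session and one where NER missed name and phone."""
    root = Path(tempfile.mkdtemp(prefix="dpa-demo-"))
    sessions = {
        "s1": "[CLIENT] said the presentation went well and wants to work on focus next.",
        "s2": "Max Mustermann said the presentation went well; call back on +49 89 0000 0000.",
    }
    for name, anon_text in sessions.items():
        d = root / name
        d.mkdir()
        (d / "audio.wav").write_bytes(b"RIFF....WAVE")   # placeholder bytes, not real audio
        (d / "transcript_raw.txt").write_text("raw transcript (pre-anonymization)", encoding="utf-8")
        (d / "transcript_anon.txt").write_text(anon_text, encoding="utf-8")
    return root


if __name__ == "__main__":
    root = make_sample_root()
    ids = ["Max Mustermann", "max.mustermann@example.org"]   # from the (constructed) client record
    for name in ("s1", "s2"):
        print(name, "verified:", finalize_session(root / name, ids, now=1_000_000.0))
    print("swept:", sweep_expired_audio(root, now=1_000_000.0 + AUDIO_RETENTION_SECONDS))
```

Note that `unlink` only removes the directory entry. On the encrypted volumes described in A.1 that is acceptable, since the freed blocks are unreadable without the volume key, but the backups mentioned in A.5 are separate copies and need their own expiry to honor the 48-hour window.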

Annex 2: Authorized Sub-Processors

1. STACKIT (Schwarz IT KG)

Stiftsbergstraße 1, 74172 Neckarsulm, Germany

Service: Cloud hosting infrastructure (compute, storage, network)

Location of Processing: Germany

No sub-processors outside the Federal Republic of Germany are authorized.

Signatures

Controller:

Name / Title / Date / Signature

Processor:

Alexander Zalana

Sole Proprietor, Zalana Mentaltraining

Date / Signature

This Data Processing Agreement is effective as of the date of the last signature above.