Data Processing Agreement (DPA) – SilentShield.io
Last updated: March 19, 2026
Data Processing Agreement (DPA) pursuant to Art. 28 GDPR between Forge12 Interactive GmbH, Josefstr. 37, 78166 Donaueschingen – hereinafter referred to as the "Processor" – and the respective customer – hereinafter referred to as the "Controller" –
1. Subject Matter and Duration of Processing
(1) The Processor provides the Controller with services in the field of IT security and bot detection through the service "SilentShield.io".
(2) The subject matter of the processing is the automated analysis and filtering of data streams for the detection and prevention of attacks and abusive access.
(3) The duration of the processing corresponds to the term of the respective main contract.
2. Nature and Purpose of Processing
The processing is carried out in particular for the following purposes:
- Detection and prevention of automated access (bots)
- Protection against attacks (e.g., DDoS, spam)
- Ensuring system stability and availability
- Analysis of access patterns for threat prevention
Automated decisions (e.g., blocking of requests) may be made insofar as this is necessary for system security.
3. Types of Data
- IP addresses
- HTTP header data
- Browser and device information
- Access data (timestamp, URL, requests)
- Interaction and behavioral data
4. Categories of Data Subjects
- Visitors to the Controller's websites
- Users of the Controller's online services
5. Obligations of the Controller
(1) The Controller is responsible for the lawfulness of the data processing.
(2) The Controller ensures that they are authorized to transmit the data to the Processor.
(3) The Controller fulfills their information obligations towards data subjects.
6. Obligations of the Processor
The Processor:
- processes data exclusively based on documented instructions
- ensures appropriate technical and organizational measures
- ensures confidentiality
- assists with data subject rights
- assists with data protection impact assessments
7. Technical and Organizational Measures (TOMs)
The Processor implements the following measures in particular:
- TLS/SSL encryption
- Access controls and role models
- Logging and monitoring
- Protection against unauthorized access
- Regular security audits
8. Sub-processors
- Cloudflare, Inc. (USA) – CDN, WAF, proxy, DDoS protection
- STRATO AG (Germany) – Hosting and infrastructure
(2) The Processor ensures that all sub-processors are bound in accordance with Art. 28 GDPR.
(3) The Controller grants general authorization for the use of these sub-processors.
(4) A current list of sub-processors is provided upon request or via the website.
9. Third-Country Transfers
(1) A transfer of personal data to third countries (in particular the USA) may occur.
(2) Such transfers are carried out exclusively in compliance with the GDPR, in particular through:
- EU Standard Contractual Clauses (Art. 46 GDPR)
- Where applicable, EU-US Data Privacy Framework
10. Audit Rights
(1) The Controller is entitled to verify compliance with this agreement.
(2) The Processor provides suitable information for this purpose.
(3) Audits must be announced with reasonable notice and must not disproportionately interfere with operations.
11. Data Deletion
Upon termination of the contract, personal data shall be deleted or returned at the Controller's discretion, unless statutory retention obligations exist.
12. Liability
The liability provisions of the main contract apply.
13. Final Provisions
(1) This agreement is an integral part of the main contract.
(2) German law applies.
(3) Amendments require text form.