Data Processing Agreement (DPA)
Data Processing Agreement (DPA) pursuant to Article 28 of the GDPR
Effective as of: March 20, 2026
Between
the registered customer of Biscotti CMP —hereinafter referred to as the “Data Controller” or “Customer”—
and
Campcruisers GmbH Berliner Str. 21 B 14612 Falkensee Federal Republic of Germany
Registered court: Potsdam Local Court Registration number: HRB 40180 P VAT ID: DE368000447 Tax ID: 29/249/36095 Represented by: Daniel Bosch (CEO), Philipp André Marschall (Authorized Signatory) Email: info@biscotti-cmp.com Phone: +49 3322 50703301 Business hours: Mon–Fri, 9:00 AM – 5:00 PM – hereinafter referred to as the “Processor” or “Provider” –
– the Data Controller and the Data Processor hereinafter also jointly referred to as the “Parties” –
Preamble
Welcome to Campcruisers GmbH! We are delighted to welcome you as a customer. Transparency, the highest security standards, and a partnership based on mutual respect are our top priorities. Protecting your data and the data of your website visitors is not only a legal obligation for us, but also a central quality commitment of our company.
The Data Controller uses the cloud-based Software-as-a-Service (SaaS) solution “Biscotti CMP” (Consent Management Platform), which is developed, operated, and distributed by the Data Processor. In connection with the provision of these SaaS services, which are made available under the domain biscotti-cmp.com and the application app.biscotti-cmp.com, the processor processes personal data on behalf of and in accordance with the instructions of the controller. This agreement specifies the data protection obligations of the parties arising from the use of Biscotti CMP. It applies to all activities related to the main agreement (user agreement for the SaaS services) in which employees of the processor or third parties commissioned by the processor may come into contact with the controller’s personal data.
This agreement is mandatory to meet the requirements of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), in particular Art. 28 GDPR, as well as the supplementary provisions of the Federal Data Protection Act (BDSG) and the Telecommunications and Digital Services Data Protection Act (TDDDG).
[!NOTE] Conclusion of the Agreement in Electronic Commerce This agreement is concluded in electronic format in accordance with Article 28(9) of the GDPR. Upon registration by the data controller, it forms an integral part of the General Terms and Conditions (GTC) of Biscotti CMP. The contract is concluded through express electronic consent during registration (e.g., by clicking a confirmation button) and does not require a separate, handwritten signature to be valid and legally effective.
§ 1 Subject Matter and Duration of Processing
1.1 Subject Matter of Processing The processor provides services to the controller in the areas of consent management and the automation of data protection compliance. The subject matter of the processing of personal data is derived from the main contract concluded between the parties regarding the use of the Biscotti CMP. The processing encompasses all data-related operations necessary for the provision of the contractually agreed-upon software functionalities. These include, in particular, but are not limited to:
- The provision and display of consent banners (cookie banners) on the controller’s websites.
- The collection, storage, management, and documentation of consent decisions (acceptance/rejection) by the end users (website visitors) of the controller in accordance with Art. 7(1) GDPR and § 25(1) TDDDG.
- The performance of AI-supported cookie scans on the controller’s websites to identify and categorize tracking technologies and compare them with the IAB provider database.
- The processing of signals within the scope of Google Consent Mode v2, the IAB Transparency & Consent Framework (TCF 2.2), and Global Privacy Control (GPC).
- The IP-based determination of the website visitor’s jurisdiction for the dynamic display of legally compliant banner variants (e.g., GDPR, CCPA/CPRA).
- AI-powered generation of legal texts (legal notice, privacy policy, cookie policy) via the integrated Legal Suite Assistant using Google Gemini.
- The provision of audit logs, webhooks for real-time notifications, A/B testing functionalities, and data export functions to fulfill data subject rights under Art. 15 GDPR.
- The management of agency sub-accounts under the “Agency” plan, including client management and white-label branding.
1.2 Duration of Processing The term of this Data Processing Agreement is based on the term of the underlying main agreement regarding the use of the Biscotti CMP. The agreement takes effect upon the registration of the data controller and the activation of the account (for free plans) or upon payment confirmation (for paid plans such as Starter, Growth, Business, and Agency). It terminates automatically upon the termination of the main agreement, regardless of the legal basis (e.g., through ordinary termination, extraordinary termination, or deletion of the account). The notice period for the main contract is 1 day prior to the end of the respective billing period. Provisions of this contract that, by their nature, are intended to remain in effect beyond termination (in particular provisions regarding the deletion and return of data as well as liability issues) remain unaffected by the termination.
§ 2 Nature and Purpose of Processing
2.1 Nature of Processing The nature of processing includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data. Processing is primarily automated within the data processor’s cloud infrastructure (e.g., hosted on the Google Cloud Platform, with servers typically located in the European Union).
2.2 Purpose of Processing The purpose of processing is exclusively to fulfill the contractual obligations arising from the main contract. This includes:
- Proof of consent: Storage of consent data to fulfill the controller’s accountability obligations pursuant to Art. 5(2) in conjunction with Art. 7(1) of the GDPR.
- Technical provision: Display of the consent banner and ensuring the functionality of the controller’s website while taking user preferences into account.
- Compliance analysis: Automated review of the controller’s websites for data protection risks (cookie scanner).
- Legal text creation: Processing of the controller’s company and contact data for the AI-assisted creation of customized legal texts.
- Billing and account management: Management of user accounts, allocation of session limits (e.g., 5,000 sessions in the Free plan, 500,000 in the Business plan), and processing of session transfers.
- Agency management: Enabling the management of up to 25 sub-accounts in the Agency plan, including the provision of reseller pages and email sending functions.
Processing of the data for the data processor’s own purposes, in particular for its own advertising purposes or to create user profiles that go beyond the contractual provision of services, is strictly prohibited unless there is express legal permission or separate consent.
§ 3 Type of Personal Data
The following categories of personal data are processed within the scope of data processing. The controller determines the exact scope of the data through its use of the Biscotti CMP and the configuration of the software itself:
- Consent data: Decisions (consent/refusal for various categories such as Essential, Functional, Analytics, Marketing, AI Services), timestamps (date and exact time of consent), unique identification number (for pseudonymous assignment of the decision to the respective device/browser).
- Technical data: IP addresses (primarily processed for location-based jurisdiction detection and, as a rule, immediately anonymized/truncated unless the controller configures otherwise), browser information, device information, user-agent strings, session data.
- Cookie and tracker data: Scan results of the controller’s websites, including detected cookies, local storage contents, third-party trackers, and their classification.
- AI-generated content: Data that the controller enters into the Legal Suite Assistant to generate legal texts (Privacy Policy, Legal Notice, Terms and Conditions). This may include company data, names of authorized representatives, addresses, and specific processing activities that are processed via the Google Gemini API.
- Contact data (account holders): First and last name, email address, company name, mailing address, phone number, and VAT identification number (VAT ID) of customers or account holders.
- Usage data: Dashboard activities, banner statistics (views, interactions, acceptance rates), compliance reports, audit logs of account changes.
- Payment data: Billing information processed via the payment service provider Stripe (whereby credit card data is tokenized directly by Stripe and not stored in plain text by the processor).
§ 4 Categories of Data Subjects
The processing concerns the following categories of data subjects:
- Website visitors (end users): Natural persons who visit the controller’s websites and whose consent decisions are requested, processed, and stored via the Biscotti CMP banner.
- Customers (account holders): Natural persons, sole proprietors, or representatives of legal entities who have registered an account with Biscotti CMP as contractual partners of the data processor.
- Team members and employees: Individuals who have been invited by the account holder (controller) as additional users to the Biscotti CMP dashboard to manage the system.
- Agency customers (sub-account holders): End customers of agencies that use the “Agency” plan and for whom sub-accounts have been created.
§ 5 Obligations and Rights of the Data Controller
5.1 Lawfulness of Processing The controller is solely responsible for assessing the lawfulness of the commissioned processing and for safeguarding the rights of data subjects (Art. 4(7) GDPR). The controller ensures that there is a valid legal basis (e.g., consent pursuant to Art. 6(1)(a) GDPR or legitimate interest pursuant to Art. 6(1)(f) GDPR) for the processing of personal data by the processor. This applies in particular to the use of the Biscotti CMP for obtaining consent pursuant to § 25(1) TDDDG.
5.2 Information Obligations The controller is fully responsible for informing data subjects (in particular website visitors) about data processing in a transparent, precise, and timely manner in accordance with Articles 13 and 14 of the GDPR. To this end, the processor provides the controller with the necessary technical information regarding the functionality of the Biscotti CMP as well as sample texts via the Legal Suite Assistant. The legal review and integration of the privacy policy are the responsibility of the controller.
5.3 Agency and Reseller Use If the controller uses the “Agency” plan and creates sub-accounts for its own customers, the controller remains the sole contractual partner and data controller in relation to the processor. The controller guarantees that it has the necessary contractual agreements (including its own data processing agreements) in place with its end customers. If the controller sets up a reseller site or uses its own email servers under its own domain, it bears sole responsibility under data protection and competition law for this infrastructure. The processor assumes no liability in this regard.
5.4 Reporting of Errors The Data Controller must immediately and fully inform the Data Processor if, upon reviewing the results of the processing, it discovers errors or irregularities regarding data protection regulations.
§ 6 Right of the Controller to Issue Instructions
6.1 Nature and Scope of Instructions The processor shall process personal data exclusively on the documented instructions of the controller, unless required to do so by Union or Member State law to which the processor is subject (Art. 28(3)(a) GDPR). In such a case, the processor shall inform the controller of this legal requirement prior to processing, unless the relevant law prohibits such notification on grounds of an important public interest.
The main contract and these GTC constitute the initial documented instructions. The use of the Biscotti CMP functions (e.g., configuring the banner, starting a scan, generating texts) by the controller in the dashboard is considered a documented individual instruction.
6.2 Form of Instructions Instructions may generally be issued via the software’s user interface (application). Any additional instructions must be provided in writing (e.g., via email to support@biscotti-cmp.com). Verbal instructions must be confirmed in writing by the controller without delay.
6.3 Objections to Instructions The processor shall inform the controller immediately if it believes that an instruction violates the GDPR, the BDSG, or other data protection regulations of the Union or the Member States. The processor is entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the controller. The processor may refuse instructions that are manifestly unlawful.
§ 7 Confidentiality Obligation
7.1 Obligation of Employees The processor confirms that it has bound all persons authorized to process the controller’s personal data (employees, freelancers, bodies) to confidentiality prior to the commencement of their activities (Art. 28(3)(b) GDPR) or that such persons are subject to an appropriate statutory duty of confidentiality. This obligation also includes data secrecy and remains in effect even after the termination of the activity or the employment relationship.
7.2 Training and Awareness The processor ensures that persons authorized to process data are regularly instructed and made aware of the provisions regarding data protection (GDPR, BDSG) and data security. The processor, represented by its management (Daniel Bosch, Philipp André Marschall), ensures a corporate culture compliant with data protection regulations.
7.3 Data Protection Officer The processor has appointed a competent and reliable data protection officer, provided this is required by law pursuant to Section 38(1) BDSG or Article 37 GDPR (e.g., where there are generally at least 20 persons permanently engaged in automated processing).
If there is no legal obligation to appoint a Data Protection Officer, the data processor nevertheless ensures that data protection obligations are fully monitored and complied with by the management.
§ 8 Technical and Organizational Measures (TOMs) pursuant to Art. 32 GDPR
8.1 Principle of security of processing The processor hereby declares that, taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk (Art. 32 GDPR). These measures are based on recognized IT security standards (such as ISO 27001 and SOC 2).
8.2 Specific Measures The processor shall, in particular, implement the following measures and maintain them throughout the entire term of the contract:
a) Pseudonymization and encryption (Art. 32(1)(a) GDPR)
- Encryption during transmission: All data transmissions between the end user, the controller, and the Biscotti CMP infrastructure must use state-of-the-art encryption protocols (TLS 1.2 or TLS 1.3).
- Encryption at rest: All databases and storage media on the Google Cloud Platform (server location: NL) are encrypted at the disk level (AES-256).
- Pseudonymization: Consent decisions are not linked to real names, but to a randomly generated cryptographic identification number. IP addresses are truncated/anonymized by default as soon as location-based assignment is complete.
b) Confidentiality (Access Control)
- Access control: The physical security of the servers used is ensured by the external infrastructure service provider (e.g., Google Cloud). The data centers are subject to strict industry-standard access and security controls. Campcruisers GmbH’s own office premises are secured by appropriate physical access restrictions (e.g., security locks).
- Access control: Access to the data processor’s IT systems is secured through restrictive password policies, multi-factor authentication (MFA) for relevant administrative accounts, and session timeouts. Systems such as Cloudflare Turnstile are used to protect login attempts from bot attacks.
- Access control: The principle of least privilege (Role-Based Access Control – RBAC) applies. Employees of the data processor have access only to the data that is strictly necessary for their respective tasks. Customer data from the various plans is logically separated from one another (multi-tenancy).
c) Integrity (Disclosure, Input, and Segregation Controls)
- Disclosure control: Data is not transported on physical storage media. Transmission takes place exclusively via secure networks.
- Input control: Biscotti CMP features a comprehensive audit log. It is possible to trace at any time which user (customer, team member, agency) made which changes in the dashboard at what time (e.g., changes to banner texts, adjustments to cookie categories).
- Segregation control: Data collected for different purposes is processed separately. Production, test, and development environments are strictly isolated from one another.
d) Availability and resilience (Art. 32(1)(b) and (c) GDPR)
- Availability: The processor takes industry-standard, appropriate measures to ensure the availability of the systems (hosting on the Google Cloud Platform). However, no explicit SLA availability is guaranteed, and there is no full redundancy of the infrastructure.
- Resilience: The system architecture is designed so that the expected session volumes are generally processed reliably. However, dedicated load balancing or automatic scaling mechanisms (auto-scaling) are not used.
- Recoverability: The processor takes appropriate measures (e.g., regular backups of the databases) to enable data recovery in the event of a technical incident. However, there is no guarantee of loss-free recovery, which is why the controller is urged to use the export functions available to them on their own responsibility.
e) Procedures for regular review (Art. 32(1)(d) GDPR)
- The processor regularly reviews the effectiveness of the technical and organizational measures taken internally.
- Internal incident response processes are in place to address potential incidents within the legal framework.
- The TOMs are subject to a continuous improvement process.
8.3 Adaptation of the TOMs The technical and organizational measures are subject to technical progress and further development. The processor is entitled to implement alternative adequate measures, provided that the security level of the specified measures is not compromised. Significant changes must be communicated to the controller in writing.
§ 9 Subprocessors
9.1 Engagement of Subprocessors The Data Controller hereby grants the Data Processor general written authorization (Art. 28(2) GDPR) to engage additional data processors (subprocessors). The Data Processor shall ensure that it carefully selects sub-processors and contractually subjects them to the same data protection obligations as those set forth in this Agreement (Art. 28(4) GDPR).
9.2 Currently Authorized Subprocessors At the time of contract conclusion, the following subprocessors are active in the provision of Biscotti CMP services and are deemed authorized by the Controller. The Processor has ensured that, in the case of U.S. providers, the respective EU branch acts as the contractual partner in order to maintain the EU’s level of data protection:
| Service / Provider | Contractual Partner & Location | Purpose of processing | Place of processing |
|---|---|---|---|
| Google Cloud Platform (GCP) | Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland | Hosting, server infrastructure, databases | European Union |
| Google Gemini API | Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland | AI-generated legal texts (Legal Suite) | EU / EEA |
| Google Analytics 4 & Google Ads | Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland | Analysis of user behavior, marketing | EU / EEA |
| Stripe | Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland | Payment processing, subscription management | EU / EEA |
| Resend | Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA [protected by SCCs] | Email delivery (transactional emails, password reset) | USA / EU |
| Cloudflare Turnstile | Cloudflare Germany GmbH, Rosental 7, 80331 Munich, Germany | Bot protection, DDoS defense, WAF | Global |
| WhatsApp Business | WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland | Customer service, support communication | EU / EEA |
9.3 Transfer to Third Countries If processing is carried out by subprocessors outside the European Union (EU) or the European Economic Area (EEA) (e.g., in the case of Resend), the processor ensures that the specific requirements of Art. 44 et seq. of the GDPR are met. This is generally achieved by entering into the current Standard Contractual Clauses (SCCs) of the European Commission in conjunction with a Transfer Impact Assessment and the implementation of additional technical measures (e.g., encryption).
9.4 Change or Engagement of New Subprocessors The processor shall inform the controller of any intended change regarding the engagement or replacement of subprocessors. The notification shall be provided in writing (e.g., via email to the address stored in the account) at least 30 days prior to the planned change. The controller may object to the change for a compelling reason related to data protection law within 14 days of receiving the notification. If no objection is raised, the change shall be deemed approved. In the event of a justified objection that the processor cannot resolve through reasonable measures, the controller is entitled to terminate the main contract extraordinarily as of the effective date of the change.
§ 10 Support Regarding Data Subject Rights
10.1 Duty to Assist The processor shall, to the extent possible, assist the controller with appropriate technical and organizational measures in fulfilling the controller’s obligation to respond to requests for the exercise of the rights of data subjects specified in Chapter III of the GDPR (Articles 15 through 22 of the GDPR) (Article 28(3)(e) of the GDPR).
10.2 Technical Implementation in Biscotti CMP The Biscotti CMP aims to provide technical support to the controller in fulfilling its obligations:
- Right of access (Art. 15 GDPR) & Right to data portability (Art. 20 GDPR): The software offers data export options (e.g., as CSV), or exports of specific consent IDs can be requested from support in compliance with data protection regulations.
- Right to withdraw consent (Art. 7(3) GDPR): The Biscotti CMP consent banner provides end users with the ability to view their settings and withdraw consent at any time.
- Right to erasure (Art. 17 GDPR): Collected data can be deleted by the controller using functions provided in the dashboard or, upon verifiable request, can be deleted by support.
10.3 Forwarding of Requests If a data subject asserts their rights directly against the processor, the processor will not respond to the request independently but will immediately refer the data subject to the controller, provided that the data subject can be identified based on the available data. The processor will forward the request to the controller without delay.
§ 11 Support for DPIA and Reporting Obligations
11.1 Data Protection Impact Assessment (Art. 35 GDPR) The processor shall assist the controller, taking into account the nature of the processing and the information available to it, in conducting a data protection impact assessment (DPIA) in accordance with Art. 35 GDPR, as well as in any prior consultation with the supervisory authority that may be required (Art. 36 GDPR).
11.2 Notification of Personal Data Breaches The processor is obligated to notify the controller in writing of any personal data breach (data breach) affecting the data processed under this agreement without undue delay, and in any event no later than 48 hours after becoming aware of it.
§ 12 Deletion and Return of Data
12.1 Erasure upon Termination of the Contract Upon completion of the provision of processing services (termination of the main contract), the processor is obligated, at the controller’s discretion, to either delete or return all personal data, unless there is an obligation to retain the personal data under Union law or the law of the Member States (e.g., commercial and tax retention obligations under the German Commercial Code (HGB) and the German Fiscal Code (AO)).
12.2 Standard Process of Biscotti CMP Unless the Data Controller issues different instructions, the following standard process applies: The Data Controller has the option to back up their data independently before the end of the contract using the export function (CSV). After the termination takes effect and the billing period expires, the Data Controller’s account will be deactivated. The personal data stored in the account is retained for a transitional period of 30 days (retention period) to enable restoration in the event of an accidental downgrade. After these 30 days have elapsed, the data is irrevocably and in compliance with data protection regulations deleted from the production systems.
12.3 Confirmation of Deletion Upon the controller’s express request, the processor shall confirm in writing to the controller that the data has been deleted in compliance with data protection regulations.
§ 13 Rights of Inspection and Audits
13.1 Right to Audit The processor shall provide the controller with all necessary information to demonstrate compliance with the obligations set forth in Art. 28 GDPR and in this contract. The processor shall facilitate and cooperate with audits—including inspections—conducted by the controller or an auditor appointed by the controller who is bound by confidentiality obligations.
13.2 Conduct of Audits In order not to jeopardize the security of the data centers and the confidentiality of other customers’ data (client segregation), the parties agree on the following procedure for audits:
- The Data Controller shall exercise its right of inspection primarily by requesting and evaluating relevant certificates (e.g., ISO 27001) or through detailed questionnaires on IT security.
- Should this information prove insufficient, the Data Controller is entitled to conduct an on-site inspection at the business premises of Campcruisers GmbH (Berliner Str. 21 B, 14612 Falkensee).
- On-site inspections must be announced with reasonable advance notice (generally at least 14 days).
§ 14 Liability and Damages
14.1 External Relationship (Toward Data Subjects) The controller and the processor shall be liable to the data subject for compensation for damages in accordance with Article 82 of the GDPR. The processor shall be liable for damage resulting from processing only if it has failed to fulfill its obligations under the GDPR or has acted contrary to the lawful instructions of the controller.
14.2 Internal Relationship (Between the Parties) In their internal relationship, the parties shall be exempt from liability if one party proves that it is in no way responsible for the circumstance that caused the damage.
14.3 Limitation of Liability under the Main Contract In addition, the liability provisions of the main contract (General Terms and Conditions) apply. Liability for slight negligence is excluded, unless it involves a breach of material contractual obligations (cardinal obligations). In this case, liability is limited to foreseeable damage typical for the contract.
§ 15 Final Provisions
15.1 Written Form and Amendments Amendments and supplements to this agreement must be in writing (e.g., email). The Data Processor reserves the right to amend this agreement to adapt it to changes in the legal situation or technical developments. The Data Controller will be informed of any amendments via email.
15.2 Order of Precedence Should individual provisions of this Data Processing Agreement conflict with the provisions of the main contract (Terms and Conditions), the provisions of this Data Processing Agreement shall take precedence with regard to data protection and data security.
15.3 Severability Clause Should individual provisions of this Agreement be or become invalid or unenforceable, this shall not affect the validity of the remaining provisions. The parties undertake to replace the invalid or unenforceable provision with a valid and enforceable provision.
15.4 Governing Law and Jurisdiction This Agreement is governed exclusively by the laws of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction for all disputes arising from or in connection with this Agreement is, to the extent permitted by law, the registered office of the Data Processor (Falkensee). The language of the Agreement is German.