Data Processing Agreement

Preamble

This Data Processing Agreement (DPA) governs the rights and obligations of the parties in connection with the processing of personal data by BLOCQ on behalf of the user.

The user (hereinafter "Controller") commissions BLOCQ (hereinafter "Processor") to process personal data within the scope of the app publishing service.

§1 Subject Matter and Duration of Processing

The subject matter of this agreement is the processing of personal data by the Processor within the scope of app publishing through the BLOCQ Publishing Service.

Processing begins with the transmission of data for app publishing and ends with the complete deletion of all transmitted data upon request by the Controller or upon termination of the contractual relationship.

For subsequent updates, the data will continue to be stored in accordance with the Controller's specifications to enable future publications.

§2 Nature and Purpose of Processing

The Processor processes personal data exclusively for the following purposes:

• Compilation of the app configured by the Controller
• Signing of the app with the certificates provided by the Controller
• Publication of the app in the app stores (Apple App Store, Google Play Store) on behalf of the Controller
• Storage of data for future app updates

§3 Types of Personal Data

The following categories of personal data are processed:

• App configuration data (ISAR export): Contains the app configuration created by the Controller
• Media files: Logos, icons, background images, avatars, and banners
• Firebase configuration files: GoogleService-Info.plist and google-services.json (project IDs, no credentials)
• Apple Store signing files: API key (.p8), certificate (.p12), provisioning profile (.mobileprovision)
• Google Play signing files: Service account JSON

§4 Categories of Data Subjects

The following categories of persons are affected by the processing:

• The Controller themselves as a user of the BLOCQ Publishing Service

§5 Obligations of the Processor

The Processor commits to:

• Process personal data only on documented instructions from the Controller
• Ensure that persons authorized to process personal data have committed themselves to confidentiality
• Take all measures required pursuant to Art. 32 GDPR
• Not engage any sub-processors without prior authorization from the Controller
• Assist the Controller in fulfilling their obligations regarding data subject rights
• Notify the Controller without undue delay in case of data breaches
• Delete or return all personal data after the end of processing

§6 Technical and Organizational Measures (TOM)

The Processor implements the following measures pursuant to Art. 32 GDPR:

Server (WebGo, Germany)

• Access control: Data center in Germany with access restrictions
• Authentication control: SSH key-based authentication, no password logins
• Transfer control: Encrypted transmission via HTTPS/TLS
• Input control: Logging of all file uploads and accesses

Builder System (Mac, Germany)

• Physical security: Location in Germany with access restrictions
• Access control: Local system without external remote access
• Data separation: Separate directories for each Controller (by bundle ID)
• Availability control: Automatic backups of configuration data

General Measures

• Pseudonymization: Data is organized by bundle ID, not by personal identifiers
• Confidentiality: All employees are bound by confidentiality agreements
• Resilience: Redundant systems for critical processes
• Recoverability: Regular testing of backup procedures

§7 Sub-Processors

The Controller agrees to the use of the following sub-processors:

For data transfers to the USA, EU Standard Contractual Clauses (SCCs) are used. The Processor will inform the Controller of any changes to sub-processors.

§8 Obligations of the Controller

The Controller is obligated to:

• Ensure that the transmitted data was lawfully collected
• Provide their own Apple Developer and Google Play Developer accounts
• Guarantee the accuracy and currency of the transmitted data
• Provide the Processor with all information necessary for processing

§9 Support Obligations

The Processor supports the Controller with:

• Requests from data subjects (Art. 15-22 GDPR)
• Notification of data breaches (Art. 33-34 GDPR)
• Data protection impact assessments (Art. 35 GDPR)
• Prior consultation with the supervisory authority (Art. 36 GDPR)

§10 Audit Rights

The Controller has the right to verify compliance with this agreement. This may be done by requesting evidence, certificates, or self-assessments.

On-site audits are possible after prior notice (at least 14 days) and while maintaining business secrets.

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

§11 Deletion and Return

Upon termination of processing or upon request by the Controller, all personal data will be deleted or returned.

The Controller may choose between:

• Complete deletion of all data (server and builder)
• Return of data in a common format before deletion
• Retention of data for future updates (default)

Deletion will be confirmed in writing. Statutory retention obligations remain unaffected.

§12 Liability

The liability of the parties is governed by Art. 82 GDPR. The Processor is liable for damages caused by processing that does not comply with this regulation.

The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

§13 Final Provisions

This DPA is part of the Terms of Service and becomes effective upon use of the BLOCQ Publishing Service.

Amendments and additions to this agreement must be made in writing. This also applies to the waiver of this written form requirement.

German law applies. The place of jurisdiction is the registered office of the Processor.

Contact

For questions about the Data Processing Agreement or to exercise your rights, contact us at: